Methodology to analyse cybersecurity in tourism

: Nowadays hyperconnectivity provides an opportunity for tourism industry to benefit from big data analytics as determining competitive factor, for decision making, product design and assertive marketing strategies for target segments; but at the same time, having financial, organizational and personal information stored in cyberspace and available to many users makes vulnerable to security risks like phishing and hacking, both common cybercrimes that affect tourism sector. This paper, introduces representation and model design stages of our own methodology based on self-organization approach that we propose to reinforce cybersecurity in tourism, as part of a research project founded by National Council for Science and Technology postdoctoral scholarship for Mexico.


Introduction
Before pandemic, tourism industry accounted for 1.7 trillion U.S dollars in exports, the 7 % of world's total and 29% of services exports and 10% of world's GDP [1].In Mexico tourism industry contributed 8.7% of GDP [2]; in the National Survey of Occupation and Employment (ENOE from its Spanish initials) for first trimester of 2019 employed population in tourism sector reached 4 million 246 thousand direct jobs, meaning 8.7% of total employment nationwide, which confirms tourism industry is one of the driving forces of the national economy [2].According to UNWTO [1], Mexico ranked on 16th place with 22.5 billion dollars on tourism receipts and 7th place with 41.4 million tourist arrivals on 2019.These data are representative of the economic relevance of tourism sector, that with internet revolution, digital footprint behind Mexican tourism industry store tourist providers and customers valuable information as well as their financial transactions in cyberspace making them vulnerable to security risks like phishing and hacking, both common cybercrimes that affect tourism sector [3].In order to diminish such vulnerability, we introduce a model to reinforce cybersecurity in tourism based on Heylighen [4] and Hutchins [5] selfadaptation approach.

Purpose
To design a model useful to: Understand tourism data vulnerability in cyberspace.Provide solutions to diminish tourism data vulnerability in cyberspace.

Implications and expected outcomes
Nowadays after human capital, the greatest value of industries and economies relies on data and information, that's the reason why in this paper we highlight importance to reinforce cybersecurity in Mexican tourism industry.And our expected outcomes are aligned to contribute with transdisciplinary methodology to represent and support integral cybersecurity proposal.

Research design
We propose cybersecurity ecosystem to reinforce tourism in Mexico, based on Gershenson [6] self-organization approach to build system that will be able to cope with complex problem domains.
The design of our research is systemic, transdisciplinar and dynamic in order to avoid approaches that simplify and isolate effects.Our systemic design considers the relationships and interactions to support the process of comprehensive understanding of tourism cybersecurity.In that way on Table 1 we summarize recent approaches dealing with cybersecurity to compare and position our proposed solution to existing ones, indicating congruity and differences.

Conceptual framework
Because of transdisciplinary nature in this research, we propose the next conceptual-theoretical supports:

Complexity and mexican tourism digital infrastructure system
Tourism digital infrastructure system in Mexico integrates large sets of realworld data, that information quantity stand today as a preeminent challenge for modern science [10,12].That is the reason why this frontier science project is focused on the data and fingerprints of tourism activity in cyberspace.
Being digital data an important part of new technologies analytics; the theoretical framework for this research is based on complexity; since there is no more pertinent framework than transdisciplinarity for this applied research aligned to the new knowledge of frontier science in Mexico.
Our project represents tourism digital infrastructure system in Mexico, as a complex system with emergencies, conjunctures, combination of circumstances and appearance of collective properties.
We consider that the complex system behaviour of tourism digital infrastructure in Mexico is the result of the mixed effects of many parameters, variables and agents, which influence and enhance each other.
Our project aproaches complexity of the tourism digital infrastructure in Mexico in terms of functional redundancy, where diverse functions and activities are carried out in the same cyberspace.
Given growth and constant diversification of the tourism sector in cyberspace [13,14] where travel agencies, tour operators, search engines for accommodation reservations, transportation tickets, etc; work with personal data of tourists and depend on the digital infrastructure of the web and the internet.
With 71% of travelers carrying out searches from their smartphones; tourism currently ranks 3rd in the most affected industries by cyber security crimes, being the theft of tourists private financial data for use in fraudulent activities, the most frequent digital crime in tourism.
In that way, the digital infrastructure system with large volumes of personal and financial information from both tourists and tourism service providers; extremely valuable data, is exposed to the vulnerability of the digital world; when hacked, or victimized by cybercrime affects the ability of tourism companies to provide their services, negatively affects the experience of travelers and damages the Mexican tourism system, losing the confidence of travelers, harming the reputation of brands and tourist destinations with significant economic losses.This is how in our project we represent the complexity of the digital tourism infrastructure in Mexico in congruence with functional redundancy, which corresponds to the multiplicity of digital tourism transactions executed in the same cyberspace.Functional redundancy characterizes "complexity" which lead us to our next complementary theoretical support.

Law of requisite variety
In our project we recur to the concept of variety as a measure of complexity, based on William Ross Ashby's law of requisite variety: "with an increase of complexity, problem domains become non-stationary, requiring for dynamic solutions that will be able to adapt to the changes in the problem domain [15].
We analyze how the multiplicity of digital fraudulent operations executed in cyberspace such as phishing and hacking; generate vulnerability of the digital world and how we should respond to this situation.We propose integral cybersecurity as an essential element to protect and strengthen the tourism digital infrastructure system in Mexico.
We suggest cybersecurity ecosystem because we believe that fragmented approaches, partial and unilateral solutions are not enough to face the vulnerability of the digital world; that when information is hacked, or victimized by cybercrime [16], it affects the ability of tourism companies to provide their services.It negatively affects the experience of travelers and damages the Mexican tourism system, generating a loss of confidence among travelers, damaging the reputation of brands and tourist destinations with significant economic losses.
The law of requisite variety establishes that "only variety absorbs variety" [15].That is, the disturbances that a system represents to another system (variety) can only be reduced or eliminated through the same or greater variety.Beer [17] defines the variety as the number of possible states of a system, which would be considered as the measure of complexity in a system.
The principle of requisite variety, functions as a support to model how the results of fraudulent operations generate an imbalance in the cyberspace organizational system and how government, companies and tourists should respond to this situation.In that way, congruent to cybernetics of second order we propose: • Attenuators and Amplifiers.That regulate variety of the mexican tourism digital infrastructure system against cybercrime perturbations, leading the system to a certain region of viable cybersecurity according to Wiener [18].
• Feedback loops Both as indispensable tools for an integral cybersecurity to protect and reinforce mexican tourism digital infrastructure system.
We approach data of mexican tourist activity in cyberspace, as self-organizing complex system mainly because of the behavior that it presents given its derivated emergencies, conjunctures, combination of circumstances and appearance of collective properties.
But we also approach it this sense based on Gershenson [6] reasoning that there is no sharp boundary to distinguish this kind of systems, but definitely they are partially determined by the observer describing the system and its purpose.Given any dynamical system can be said to be self-organizing or not, depending partly on the observer on Gershenson and Heylighen [26]; Ashby [27], and because of our frontier science research intention we consider it is the most pertinent option.
In that way, our model design alignes to Gershenson [6] description of a selforganizing system, as one in which elements interact to achieve dynamically a global function or behavior; in this case cybersecurity not imposed by one single or a few elements, nor determined hierarchically Naqvi et al. [11], instead achieved autonomously as the elements interact with one another and these interactions produce feedbacks that regulate the system.

Cybersecurity as emergent behavior in mexican tourism cyberspace
Emergence or appearance in complex social systems is understood as a functional association of complementary and interconnected heterogeneous elements.In this research steering system into negative phishing and hacking friction reduction, synergy promotion and desired integral cybersecurity in tourism ecosystem performance.

Methodology
In this research we propose our own methodology inspired in Gershenson [6] to design and control self-organizing systems.We took it as reference because it is specialized to solve complex problems within the premise that reducing the "friction" of the interactions between the elements of a system will result in greater "satisfaction" of the system, that is, a better performance [6].Based on that, our research contributes: • With representation of how cybersecurity can reinforce tourism in Mexico • To increase our understanding of cybersecurity in tourism • Introducing integral cybersecurity ecosystem that considers amplifiers and attenuators to reinforce mexican tourism sector Our proposed Methodology is a guideline to find and develop efficient cybersecurity amplifiers and attenuators to reinforce tourism in Mexico.In general, our research provides conceptual framework and model representation to support the solution of integral cybersecurity ecosystem to reinforce tourism in Mexico.
As we took inspiration from Gershenson general methodology to design and control complex system that includes five steps allowing backtracking; we decided to sequence our own methodology on four inter-emergent stages: Definition of inter-emergent stages.The flexibility condition between methodology stages that allows backtracking with each other.
• First and second inter-emergent stages are: Representation and Model design.Dedicated to abstraction and description of the complex system under research.
• Third and fourth inter-emergent stages are: Simulation and Feedback.Dedicated to understand the behavior of the system and make evaluations and feedback recommendations for the functioning of the system within the limits imposed by certain criteria or drivers.This research paper only includes representation and model design stages.Reaching the objective to provide representation to support the solution of integral cybersecurity for tourism in Mexico.On future research paper we will introduce simulation and feedback stages.

First stage. Representation
Carlos Gershenson author of the methodology that inspires ours [6], recommends to use methaphors to speak about the system.In that way, for our system under study we use the next metaphor: a) We consider the mexican tourism digital infrastructure system, as a selforganized system, that has legitimate and organic communication derived from the interactions and transactions related to tourism generated in cyberspace.And we intend that the attenuators and amplifiers proposed in our model preserve the organic communication as social help forums do, where information on certain topics is shared between users, in order to provide other users with elements for better informed decision making.In our interest case those elements are related to cybersecurity conflicts in tourism, information shared between consumers, tourist providers, authorities and diverse implicated agents to prevent and avoid other(s) consumers and tourist providers from being victims of cybercrime.
Considering organic social communication will contribute to identify cybersecurity conflicts in tourism in order to diminish them.And at the same time, the representation we make of the complex system under study is guided by modularity principle, that says each subsystem in a complex system is generally made of modules, whose interconnections allow the global functionality of the subsystem [28].And we managed to represent our complex system with not overly constrained modularity to allow adaptiveness, as recommended by Francois [28] for the study of social systems and Gershenson [6] to increase robustness and adaptability because of the integration and solutions for each module.
As we are introducing our own methodology and knowing by Gershenson [6] that there is still no general framework for constructing self-organizing systems, modularity principle guided our research for that construction, so we did a checklist about the actors of our complex system, if the actor covers some characteristics then is agent of certain module or subsystem.
We classified agents or elements by the tasks or function expected from them, and those functions have to do with satisfaction of the module, subsystem and system that is being designed.If the functions are fulfilled, then it can be said that the system is "satisfied" or that the goal has been achieved, implicating on design stage of our model the engineering of elements that will strive to reach system satisfaction (Table 2).
Also for this first stage classification we have considered specification of levels, granularity, variables, and interactions that need to be taken into account.And we also followed Gershenson [6] idea that identification of goals is useful to measure satisfaction of elements in the system (Table 2).Table 2. Agents and elements in tourist cyberspace.

Internet search engine
The general goal of internet module is to allow the free exchange of information among all its users.For this research purpose, our interest is focused on tourist information exchange and e-tourist commerce.

Stakeholders investors, employees and suppliers of tourist enterprises
The general goal of enterprises module is to satisfy the needs of customers and all groups involved in the organization; utility creation, for shareholders, and workers.

Travel agencies
Tour operators

Hotels
Banks and financial enterprises

Travelers
The general goal of users module is communication, information exchange and service-products consumption.

Cyber incident catalog
The goal of feedback/control instruments is having resources to help overcome cyber crimes.

National registry of cyber incidents
Technological control devices Security domain standards

Second stage. Modeling design
Continuing with our inter-emergent stages, second one corresponds to modeling.For this research, we designed our model with the next characteristics: • Suitability to changing adaptative environments like cyberspace • Pertinence to cope with threats in complex environments • Providing attenuators and amplifiers to manage unexpected negative frictions between elements that diminish system satisfaction • Increasing understanding of cybersecurity to reinforce tourism in Mexico • Identifying cybercrimes that affect tourism • Increasing elements satisfaction to obtain integral system satisfaction Those characteristics congruent with selforganization of our model given: • Our complex system and environment is very dynamic and unpredictable • We want the system to solve cybersecurity problem and the "solution" is not known beforehand and is changing constantly; dynamically striven for and by the elements of the system • The observer cannot a priori conceive of all possible configurations, purposes, or problems that the system may be confronted with.Suitability that Heylighen and Gershenson [26], accentuate for complex software systems such as the Internet that is where cybersecurity tourism issues take place.Following another Gershenson [6] advice for model design we have divided the system into semi-independent modules with internal goals, dynamics and interactions.Our division obeys the next classification:

Dynamic organization of the model by modules
Our model design considers modules that integrate digital data and fingerprints of mexican tourist activity in cyberspace (Table 3).Based on complexity approach our model dynamic self-organization characteristics (Table 4), provide insights to answer below research questions.

How can we design integral cybersecurity ecosystem to reinforce tourism in Mexico? and How elements in the model will co-evolve influencing each other's development?
The integral cybersecurity proposal, from a systemic view tends to offer solutions to balance cybersecurity complexity, and to explain how elements in the model will co-evolve influencing each other's development we based on the principle of Requisite variety Law from William Ross Ashby [19].On Figure 1 we explain in a diagram this principle law.Following the requisite variety logic, to survive in the complex environment of cyberspace; the booking websites, the travel agent web pages and the tour operators web pages; must be complex enough to fit into cyberspace environment and its threats like phishing and hacking cybercrimes.If the tourist providers web pages fail to correspond to the complexity of the environment, it means that these organizations have failed to achieve what is expected of them, which basically consists of providing a safe and quality service to the consumer or tourist in cyberspace.
All booking websites, web pages that sell tour packages, travel agent web pages; face the challenge of fitting into the environmental complexity of cyberspace.The problem is that the complexity of cyberspace is theoretically infinite, so there must be selectivity to which aspects of the environment are of most concern, in this research case we consider the two types of crimes that most affect tourist sector: • Phishing tour operators and travel agencies websites to gain consumers trust to make them pay for a fictitious package or trip.
• Hacking with the purpose of stealing private financial data from travelers or tourists to use this data later in fraudulent activities.Our representation of integral cybersecurity ecosystem to reinforce tourism in Mexico seeks to reconcile the imbalances caused by phishing and hacking; the balance can only be achieved by amplifying the response of travelers, tourists, booking websites and web pages that sell tour packages; this response will attenuate the variety and threats of cyberspace.In that way, two important elements of our model are attenuators and amplifiers that are represented with electric symbols.
The attenuators (AT on Figure 2) that we propose are: • Identify booking or tour selling websites that operate hacking and phishing • Classify booking or tour selling websites that operate hacking and phishing • Make public/inform which booking or tour selling websites operate hacking and phishing The amplifiers (AM on Figure 2) that we propose are: • Awareness campaigns for tourists, to inform them how to book and buy package tours on secure internet sites • Encryption of encryption algorithms for information security using the AES standard • Multilayer with biometric data for more secure financial transactions Basically, understanding the level of complexity in cyberspace that must be absorbed give us a reference to achieve integral cybersecurity ecosystem model that considers self-organization dynamic by modules and goals.

How the mexican tourism system self-organizes in cyberspace?
The main general goal that we identified for the mexican tourism system in cyberspace is tourist information exchange, marketing, business networks, booking, purchase and sale of tourism services and products.
We can refer to all those activities in complex system terms as interrelations in cyberspace.But not all activities contribute to optimum behavior for the whole tourism system; for example, we consider for this research purpose phishing and hacking cybercrimes, as interactions or behaviors from certain actors that create negative frictions and change the optimum dynamic in the whole tourism cyber system, we made this analogy based on Kauffman [29] idea that in some cases, the behavior of the institutions, or actors for our research case; change the optimum behavior of the whole system.
Our self-organization approach for mexican tourism system precise that it is able to adapt Holland, [30] to changing situations, that it can respond to the changing demands of its environment, in this case cybercrimes like phishing and hacking.
In that way, the responses of mexican tourism cyber system, prove some new learning in environment phishing and hacking negative frictions Che Mat et al [9]; and are indeed self-organization evidence, to the need to be adaptive, extensible, and open in the interactions.Responses or moves, learning how to interact and communicate, with whom to cooperate, and how to delegate and coordinate tasks.To evolve collectively capable of reaching cybersecurity in some degree (Figure 3).So we have designed our model according to Shalizi [31] trying to keep it robust and simple to anticipate as much as possible.Considering attenuators, amplifiers and feedback to ensure system is balanced, satisfying goals doing what it is required to do; adapting or reacting quickly to unforeseen cybercrime emergencies.Moreover, promoting positive interactions (synergy) and constraints to prevent negative interactions between elements (friction), keeping variables within certain boundaries in Ashby [27]  In that way, proper interaction should produce desired performance of cybersecurity to reinforce mexican tourism, for this reason, the dynamic organization of our model preserves self-organization, dividing the problem for better understanding and integrating modules to reduce friction and promote synergy Luo and Choi, 2022 [32].According to Wiener [18] steering system into a certain region appropriate for design and control. On

Significance regarding the sustainability of the proposed model
Proposed model is aligned to sustainable development goal 9 that seeks to build resilient infrastructure and foster innovation; our cybersecurity proposal is directly related to economic growth, social development and technological progress considering that on 2022 95% of the world's population was in reach of a mobile broadband network, investment, tourist providers services competitiveness, employment and tourist income generators as well as tourist consumers need to be safe on the world wide web protected from cyberattacks, in that way our model is congruent with sustainability prospective for 2030 [34].

Cybersecurity ethical considerations
Regarding technology and tourist economic activity on cyberspace lead to ethical considerations in cybersecurity Boustead [35] from having access to financial, confidential sensitive data, to user privacy, business proprietary information and the critical challenge to reach a balance between optimal data manage and business interests priorizing defense against cyberattacks and preserving human rights.

Discussion
Our research contributes theoretically and conceptually to increase understanding of the complexity to reinforce mexican tourism with cybersecurity.The practical implications of contributing to that understanding is because nowadays mexican companies and government must invest funds and efforts to reinforce cybersecurity given the continuing growth of vulnerability derived from hacking and phishing cybercrimes represent a major challenge, that affects reputation of brands, destinations and it even can cost significant losses in the operation of the tourism business economy.Besides, how can we respond and design cybersecurity ecosystem to reinforce mexican tourism sector is still not understood very well.
In that way, we proposed cybersercurity ecosystem model to improve mexican tourism sector reliability.Since how we manage our response to cybercrimes, will have huge impact on mexican tourist competitive indicators over a long term.
Indeed, cybersecurity ecosystem approach as emergent collective intelligence or distributed cognition to reinforce tourism, put us closer to answer questions such as: What causes vulnerability in cyberspace?Can we suggest integral solutions for tourist organization needs in cyberspace based on complexity?, Is it necessary to promote attenuators and amplifiers for mexican tourism system to ensure its continued competitive functioning, or is it an unnecessary burden?This paper suggests some insights in those ways for a mexican tourism system to perform its tasks and achieve its goals in cybersecurity ecosystem.

Limitations and future work
This research paper limitates to representation and model design stages.Further research will include simulation and feeback including hacking and phishing cybercrime datasets, to track evolution and accumulation of this kind of incidents, to study their detailed dynamic.

Conclusion
Our proposal is useful to design and manage mexican tourism cybersecurity complexity, based on scientific and engineering understanding of world wide web space to provide inferences and possible solutions.Not surprisingly, much research effort worldwide is now devoted to understanding the drivers and dynamics of complex challenges in cyberspace.
At this point of our study we have developed our own methodology based on complexity principles, resulting in a flexible model that is already a technological development in frontier science that can be replicated and scalable into different economic sectors that also have presence in cyberspace and that at the same time are vulnerable to cybercrime.Helpful for further cybersecurity develops, suggestions and concepts from distinct application scopes.
We found cybersecurity in tourism is a major challenge that must be tackled from a complex organizational perspective, that considers integral cybersecurity ecosystem aimed to reinforce mexican tourism in multi-faceted, variable and competitive environment; to induce optimal interactions that reduce vulnerability and negative frictions.Variety attenuators (AT) and amplifiers (AM) are necessary and essential, across mexican tourist activity in cyberspace.
The model we have proposed and its self-organization intends to reflect distinct features of interactions between elements, it is our contribution to approach the underlying structure of mexican tourist activity in cyberspace, that is notoriously complex, representing both significant challenges and opportunities; given tourism plays a key role in economic growth and development, so it must be reinforced with cybersecurity a high-priority in this digital era.
Our model is replicable because it can be successfully reproduced on different scales and economic sectors that have activity in cyberspace.
We have identified and represented linkages between elements, clusters that are connected to each other, that exhibit consistent objectives in cyberspace.
We have also provided little frontier science example applying complexity concepts and principles to analyze cybersecurity in tourism.We therefore conclude our suggested methodology can be useful for social complexity issues.

Figure 1 .
Figure 1.Diagram explanation of Requisite Variety law.

Figure 2 .
Figure 2. Cybersecurity ecosystem to reinforce tourism in Mexico.

Figure 3 .
Figure 3. Cybersecurity ecosystem self-organization to reinforce tourism in Mexico.

Figure 4 ,
we present an example showing the application of representation and modeling with data of PROFECO Mexican federal consumer attorney from december 2018 to february 2022 SSP[33].

Figure 4 .
Figure 4. Example showing application of representation and modeling.

Table 1 .
Existing approaches dealing with cybersecurity.
The general goal of government module is to create, apply, and enforce laws.Mediate in conflicts, develop policies regarding economy and social systems.For this research purpose, our interest is regarding tourist socioeconomic implications.

Table 3 .
Interactions by module.

Table 4 .
Dynamic and self-organization characteristics of our model. sense.