Information security is becoming increasingly critical as computers and the internet have become the information infrastructure of our society and of most business organizations, including those in hazardous industries. Previous research mostly focused on technology measures. Recently, research on human factors and management factors has emerged. In this study, we investigate information security issues from management using system dynamics. The model-building process employs an iterative approach with model-based interventions (include group model-building workshops, model formulation interviews, and model validation interviews) and model development. A series of increasingly more detailed models are created in stages. Given the validated model, we tested various scenarios to search policies for a safe, fast and successful operation transition. Tradeoffs, such as those between fast transition and high security risk and between short-term and long-term benefits are identified. Being aware of such tradeoffs prevents the management from pursuing one target without considering other side effects.