Comparison of information security decisions under different security and business environments

Serious information security breaches have caused firms to suffer customer churn, directly or indirectly. To prevent customer churn, firms usually enhance their security protection through two measures: security investment and security information sharing. Prior studies seldom consider the security environment and the business environment simultaneously when deriving a firm's optimal security decisions. Using game theory, this paper demonstrates that a firm's security decisions under a competitive environment differ significantly from those under an integrated environment. Moreover, distortions may surface if firms do not cooperate on security practices. Thus, this paper further analyses the measures by which a social planner, such as a government or an industry association, controls firms' security decisions, and the results show that these measures are not always effective. Instead, social planners are recommended to strengthen or relax their control over the two security decisions according to the prevailing security and business environments.
