论文信息 - Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain

Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain

This paper presents economic models of cybersecurity investments by a firm, first considering the cost-benefit to the firm itself, and then to the eco-system of a supply-chain. We introduce a concept of a firm’s security knowledge set of its attack surface, relative to the universe of threats. We propose three classes of security production functions as the frontier curve of a firm’s knowledge set. We distinguish two types of security investments in acquiring data, information and expertise, vis-a-vis deploying defense measures and detection tools, and derive formula for optimal allocations. We analyze cyber breach propagations between firms in a supply-chain, and demonstrate that large firms requiring contractors to show security rating by third-parties can be an effective way of reducing information gap in a supply chain. We present a model for the reliability (sharpness) of cybersecurity rating for firms, and show how the perceived reliability of cybersecurity rating affects the incentives for firms to increase their security investments.

Shaun Wang

[1] Aroop K. Mahanty,et al. THEORY OF PRODUCTION , 1980 .

[2] Lei Zhou,et al. Externalities and the Magnitude of Cyber Security Underinvestment by Private Sector Firms: A Modification of the Gordon-Loeb Model , 2015 .

[3] L. Jean Camp,et al. Pricing Security: Vulnerabilities as Externalities , 2006 .

[4] Hideyuki Tanaka,et al. Vulnerability and information security investment: An empirical analysis of e-local government in Japan , 2005 .

[5] Jan Willemson. On the Gordon & Loeb Model for Information Security Investment , 2006, WEIS.

[6] Tyler Moore,et al. The Economics of Information Security , 2006, Science.

[7] Kanta Matsuura. Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model , 2008, WEIS.

[8] Rainer Böhme,et al. Security Metrics and Security Investment Models , 2010, IWSEC.

[9] Yuliy Baryshnikov,et al. IT Security Investment and Gordon-Loeb's 1/e Rule , 2012, WEIS.

[10] Shaun S. Wang. A CLASS OF DISTORTION OPERATORS FOR PRICING FINANCIAL AND INSURANCE RISKS , 2000 .

[11] Howard Kunreuther,et al. Self-protection and insurance with interdependencies , 2007 .

[12] Kjell Hausken,et al. Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability , 2006, Inf. Syst. Frontiers.