Cyber-Investment and Cyber-Information Exchange Decision Modeling

Corporations can address cybersecurity problems more efficiently if they work collaboratively and exchange security information with each other. However, without any incentive, and given the possibility that shared information will be exploited, firms may be unwilling to share their breach/vulnerability information with external agencies. Hence it is crucial to understand how firms can be encouraged to become self-enforced towards sharing their threat intelligence, which will increase not only their own payoff but also that of their peers, creating a win-win situation. In this research, we study the incentives and costs behind such information sharing and the security investments made by the firms. Specifically, a non-cooperative game between N firms is formulated to analyze the participating firms' decisions about information sharing and security investments. We analyze the probability of a successful cyber attack using the well-known dose-response immunity model. We also design an incentive model for CYBEX, which can incentivize/punish the firms based on their sharing/free-riding nature in the framework. Using the negative definite Hessian condition, we find the conditions under which the socially optimal values of the coupled constraint tuple (security investment and sharing quantity) can be found, which will maximize the firms' net payoff.
