Cybersecurity investments in a two-echelon supply chain with third-party risk propagation

Cybersecurity presents a monumental challenge for interconnected supply chains, as an attack on one node can compromise an entire business. In this paper, we propose a game theory model to investigate cybersecurity investments with third-party risk propagation in a two-echelon supply chain consisting of one retailer and n suppliers. The optimal investments and their responses to relevant security characteristics, such as intrinsic vulnerability, propagation probability, number of suppliers, and attack probability, are analysed and discussed both theoretically and numerically considering one-stage risk propagation. It is found that there are serious prisoners' dilemma and free-riding phenomena in such a scenario. To mitigate third-party risks and improve the investment efficiency, three coordination mechanisms, joint decision, security risk compensation, and security information sharing, are presented and compared numerically. The results indicate that joint decision-making and security risk compensation perform better on stimulating firms' investments and reducing expected costs both individually and collectively relative to security information sharing. Furthermore, the case of two-stage risk propagation is also supplemented and compared with one-stage case. Based on these findings, some management insights are recommended to cybersecurity managers in supply chains for designing more efficient cybersecurity mechanisms and investment strategies.

[1]  Anna Nagurney,et al.  A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints , 2016, Annals of Operations Research.

[2]  Dmitry Ivanov,et al.  Dual sourcing under supply disruption with risk-averse suppliers in the sharing economy , 2019, Int. J. Prod. Res..

[3]  Alexandre Dolgui,et al.  The impact of digital technology and Industry 4.0 on the ripple effect and supply chain risk analytics , 2018, Int. J. Prod. Res..

[4]  Yong Wu,et al.  Game of information security investment: Impact of attack types and network vulnerability , 2015, Expert Syst. Appl..

[5]  Chris Hankin,et al.  Decision support approaches for cyber security investment , 2015, Decis. Support Syst..

[6]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[7]  Xuyun Zhang,et al.  An insurance theory based optimal cyber-insurance contract against moral hazard , 2020, Inf. Sci..

[8]  Anna Nagurney,et al.  Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability , 2017, Eur. J. Oper. Res..

[9]  Alexandre Dolgui,et al.  Integrated detection of disruption scenarios, the ripple effect dispersal and recovery paths in supply chains , 2019, Ann. Oper. Res..

[10]  Xianjun Geng,et al.  Contracting Information Security in the Presence of Double Moral Hazard , 2013, Inf. Syst. Res..

[11]  Lawrence A. Gordon,et al.  The impact of information sharing on cybersecurity underinvestment: A real options perspective , 2015 .

[12]  Zhiheng Xu,et al.  A Study on a Sequential One-Defender-N-Attacker Game. , 2019, Risk analysis : an official publication of the Society for Risk Analysis.

[13]  Alexandre Dolgui,et al.  Ripple effect quantification by supplier risk exposure assessment , 2019, Int. J. Prod. Res..

[14]  Alexandre Dolgui,et al.  Ripple effect in the supply chain: an analysis and recent literature , 2018, Int. J. Prod. Res..

[15]  Hal R. Varian,et al.  System Reliability and Free Riding , 2004, Economics of Information Security.

[16]  Dirk Helbing,et al.  Transient dynamics increasing network vulnerability to cascading failures. , 2007, Physical review letters.

[17]  Huseyin Cavusoglu,et al.  Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions , 2017 .

[18]  Alexandre Dolgui,et al.  The Ripple effect in supply chains: trade-off ‘efficiency-flexibility-resilience’ in disruption management , 2014 .

[19]  Kjell Hausken,et al.  Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability , 2006, Inf. Syst. Frontiers.

[20]  Varghese S. Jacob,et al.  Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest , 2010, Inf. Technol. Manag..

[21]  Panos M. Pardalos,et al.  Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size , 2018, J. Glob. Optim..

[22]  Levente Buttyán,et al.  A Survey of Interdependent Information Security Games , 2014, ACM Comput. Surv..

[23]  Ravi S. Behara,et al.  An economic analysis of the optimal information security investment in the case of a risk-averse firm , 2008 .

[24]  Dmitry Ivanov,et al.  A real-option approach to mitigate disruption risk in the supply chain , 2019, Omega.

[25]  S. Shankar Sastry,et al.  Security of interdependent and identical networked control systems , 2013, Autom..

[26]  Anindya Ghose,et al.  The Economic Incentives for Sharing Security Information , 2004, Inf. Syst. Res..

[27]  Alexandre Dolgui,et al.  Low-Certainty-Need (LCN) supply chains: a new perspective in managing disruption risks and resilience , 2018, Int. J. Prod. Res..

[28]  Alexandre Dolgui,et al.  Does the ripple effect influence the bullwhip effect? An integrated analysis of structural and operational dynamics in the supply chain† , 2019, Int. J. Prod. Res..

[29]  D. Ivanov Revealing interfaces of supply chain resilience and sustainability: a simulation study , 2018, Int. J. Prod. Res..

[30]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[31]  Sushil Jajodia,et al.  Minimum-cost network hardening using attack graphs , 2006, Comput. Commun..

[32]  Jean C. Walrand,et al.  Competitive Cyber-Insurance and Internet Security , 2009, WEIS.

[33]  Huseyin Cavusoglu,et al.  Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment , 2008, J. Manag. Inf. Syst..

[34]  J. Zhuang,et al.  Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach , 2018, Risk analysis : an official publication of the Society for Risk Analysis.

[35]  Behrouz Tork Ladani,et al.  Interdependency Analysis in Security Investment against Strategic Attacks , 2020, Inf. Syst. Frontiers.

[36]  Minqiang Li,et al.  Effect of security investment strategy on the business value of managed security service providers , 2019, Electron. Commer. Res. Appl..

[37]  Seyed Alireza Hasheminasab,et al.  Security Investment in Contagious Networks , 2018, Risk analysis : an official publication of the Society for Risk Analysis.

[38]  I. Glicksberg A FURTHER GENERALIZATION OF THE KAKUTANI FIXED POINT THEOREM, WITH APPLICATION TO NASH EQUILIBRIUM POINTS , 1952 .

[39]  Kai Lung Hui,et al.  Information Security Outsourcing with System Interdependency and Mandatory Security Requirement , 2012, J. Manag. Inf. Syst..

[40]  Alexandre Dolgui,et al.  Ripple effect modelling of supplier disruption: integrated Markov chain and dynamic Bayesian network approach , 2019, Int. J. Prod. Res..

[41]  Dmitri Nizovtsev,et al.  Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers , 2009, J. Manag. Inf. Syst..

[42]  LiangHuigang,et al.  Game of information security investment , 2015 .

[43]  Panos M. Pardalos,et al.  A new game of information sharing and security investment between two allied firms , 2018, Int. J. Prod. Res..

[44]  Alexandre Dolgui,et al.  Review of quantitative methods for supply chain resilience analysis , 2019, Transportation Research Part E: Logistics and Transportation Review.