Security investment and information sharing under an alternative security breach probability function

To protect their information assets, many firms have come to recognize the importance of security investment and information sharing. The choice of security breach probability function plays a vital role in firms' strategic decisions. This paper investigates how two firms should determine security investment and information sharing by employing an alternative, well-accepted security breach probability function. In particular, assuming that both firms make their decisions individually, we analyze information sharing, aggregate attack, aggregate defense and the security breach probability at equilibrium. We then compare these results with those in three (partially) centralized decision cases in which a social planner regulates security investment, information sharing, or both. Between the individual decision case and the partially centralized case in which the social planner controls only information sharing, and between the fully centralized case and the other partially centralized case, we show that aggregate attack, aggregate defense and the security breach probability remain unchanged, yet greater intervention by the social planner yields higher social welfare. Moreover, some well-known results of Hausken (Journal of Accounting and Public Policy, 26(6), 639–688, 2007) change drastically in our framework.

[1] Rahul Telang et al. An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price, 2007, IEEE Transactions on Software Engineering.

[2] Lawrence Bodin et al. Evaluating information security investments using the analytic hierarchy process, 2005, CACM.

[3] Kjell Hausken et al. The economics of terrorism against two targets, 2012.

[4] Andrew B. Whinston et al. An economic mechanism for better Internet security, 2008, Decis. Support Syst.

[5] Huseyin Cavusoglu et al. Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment, 2008, J. Manag. Inf. Syst.

[6] Rongrong Zhang. The Role of Information Sharing in Trade Credit Distribution: Evidence from Thailand, 2011.

[7] Ross J. Anderson. Why information security is hard - an economic perspective, 2001, Seventeenth Annual Computer Security Applications Conference.

[8] Anindya Ghose et al. The Economic Consequences of Sharing Security Information, 2004, Economics of Information Security.

[9] Richard F. Deckro et al. Evaluating information assurance strategies, 2005, Decis. Support Syst.

[10] Derek J. Clark et al. Contest success functions: an extension, 1998.

[11] Daniel J. Ryan et al. Expected benefits of information security investments, 2006, Comput. Secur.

[12] Tridib Bandyopadhyay et al. Dynamic competition in IT security: A differential games approach, 2012, Information Systems Frontiers.

[13] Huseyin Cavusoglu et al. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, 2004, Int. J. Electron. Commer.

[14] Jun Zhuang et al. Impacts of Subsidized Security on Stability and Total Social Costs of Equilibrium Solutions in an N-Player Game with Errors, 2010.

[15] Rahul Telang et al. Market for Software Vulnerabilities? Think Again, 2005, Manag. Sci.

[16] Christopher J. Coyne et al. The Economics of Computer Hacking, 2005.

[17] K. Hausken. Income, interdependence, and substitution effects affecting incentives for security investment, 2006.

[18] K. Hausken. Information sharing among firms and cyber attacks, 2007.

[19] Hemantha S. B. Herath et al. Investments in Information Security: A Real Options Perspective with Bayesian Postaudit, 2008, J. Manag. Inf. Syst.

[20] Tyler Moore et al. The Economics of Information Security, 2006, Science.

[21] Wolfgang Leininger et al. More efficient rent-seeking — A Münchhausen solution, 1993.

[22] Mikhael Shor et al. The Impact of Malicious Agents on the Enterprise Software Industry, 2010, MIS Q.

[23] Michael E. Whitman. Enemy at the gate: threats to information security, 2003, CACM.

[24] S. Skaperdas. Contest success functions, 1996.

[25] Huseyin Cavusoglu et al. Configuration of Detection Software: A Comparison of Decision and Game Theory Approaches, 2004, Decis. Anal.

[26] Lawrence A. Gordon et al. An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence, 2002.

[27] Rahul Telang et al. Does information security attack frequency increase with vulnerability disclosure? An empirical analysis, 2006, Inf. Syst. Frontiers.

[28] Hideyuki Tanaka et al. Vulnerability and information security investment: An empirical analysis of e-local government in Japan, 2005.

[29] Jing Zhang et al. Knowledge sharing in cross-boundary information system development in the public sector, 2006, Inf. Technol. Manag.

[30] Alain Bensoussan et al. When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination, 2011, Inf. Syst. Res.

[31] Lixuan Zhang et al. Hacking into the Minds of Hackers, 2007, Inf. Syst. Manag.

[32] Varghese S. Jacob et al. Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest, 2010, Inf. Technol. Manag.

[33] Xing Gao et al. Stochastic Evolutionary Game Dynamics and Their Selection Mechanisms, 2013.

[34] Dennis F. Galletta et al. User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach, 2009, Inf. Syst. Res.

[35] Vijay S. Mookerjee et al. Knowledge sharing and investment decisions in information security, 2011, Decis. Support Syst.

[36] Anindya Ghose et al. The Economic Incentives for Sharing Security Information, 2004, Inf. Syst. Res.

[37] Dmitri Nizovtsev et al. Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers, 2009, J. Manag. Inf. Syst.

[38] Huseyin Cavusoglu et al. The Value of Intrusion Detection Systems in Information Technology Security Architecture, 2005, Inf. Syst. Res.

[39] Lei Zhou et al. The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, 2003, J. Comput. Secur.

[40] N. Valev et al. Credit information sharing and banking crises: An empirical investigation, 2012.

[41] Tae-Sung Kim et al. An analysis on effects of information security investments: a BSC perspective, 2012, J. Intell. Manuf.

[42] Jonathan Goldstein et al. The interdependent security problem in the defense industrial base: An agent-based model on a social network, 2010, Int. J. Crit. Infrastructure Prot.

[43] Lawrence A. Gordon et al. Information Security Expenditures and Real Options: A Wait-and-See Approach, 2003.

[44] Howard Kunreuther et al. Modeling Interdependent Risks, 2007, Risk Analysis: An Official Publication of the Society for Risk Analysis.

[45] John E. Gaffney et al. A Decision Analysis Method for Evaluating Computer Intrusion Detection Systems, 2004.

[46] Huseyin Cavusoglu et al. Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems, 2009, Inf. Syst. Res.

[47] Lawrence A. Gordon et al. Economic aspects of information security: An emerging field of research, 2006, Inf. Syst. Frontiers.

[48] Ivan P. L. Png et al. The Deterrent and Displacement Effects of Information Security Enforcement: International Evidence, 2008.

[49] JinKyu Lee et al. The impact of information security failure on customer behaviors: A study on a large-scale hacking incident on the internet, 2012, Inf. Syst. Frontiers.

[50] Xing Gao et al. On local stability of Cournot models with simultaneous and sequential decisions, 2012, Math. Soc. Sci.

[51] Vicki M. Bier et al. Subsidies in Interdependent Security With Heterogeneous Discount Rates, 2007.

[52] Nir Kshetri et al. The simple economics of cybercrimes, 2006, IEEE Security & Privacy Magazine.

[53] H. Raghav Rao et al. Firms' information security investment decisions: Stock market evidence of investors' behavior, 2011, Decis. Support Syst.

[54] Jarl G. Kallberg et al. The value of private sector business credit information sharing: The US case, 2003.

[55] Jingguo Wang et al. Research Note - A Value-at-Risk Approach to Information Security Investment, 2008, Inf. Syst. Res.

[56] Seung-Hyun Kim et al. A comparative study of cyberattacks, 2012, Commun. ACM.

[57] Ravi S. Behara et al. An economic analysis of the optimal information security investment in the case of a risk-averse firm, 2008.

[58] Nir Kshetri et al. Positive externality, increasing returns, and the rise in cybercrimes, 2009, Commun. ACM.

[59] Amitava Dutta et al. Management's Role in Information Security in a Cyber Economy, 2002.

[60] Lawrence A. Gordon et al. The economics of information security investment, 2002, TSEC.

[61] Lawrence A. Gordon et al. Sharing Information on Computer Systems Security: An Economic Analysis, 2003.

[62] Joon-Ho Hahm et al. Economic effects of positive credit information sharing: the case of Korea, 2011.

[63] Kjell Hausken et al. Strategic Defense and Attack of Complex Networks, 2007, WEIS.

[64] Kjell Hausken et al. Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability, 2006, Inf. Syst. Frontiers.