Information security investment for competitive firms with hacker behavior and security requirements

This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering the strategic interactions between two competing firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and earns a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms' information security investment strategies and show that security requirements can sometimes drastically alter the comparison of these investment strategies across the two types of cyber attack. The hacker balances the firms' attractiveness in information assets against their security requirements when deciding how much to invest in cyber attacks. Treating security requirements as endogenous, we demonstrate that, under both targeted attacks and mass attacks, both firms prefer to adopt rigorous security requirements when competition between them becomes fierce, but prefer loose security requirements when competition remains mild.