Abstract
This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering the strategic interactions between two competing firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms' investment strategies in information security and show that security requirements can sometimes drastically alter the comparison of these investment strategies across the two types of cyber attacks. When deciding how much to invest in cyber attacks, the hacker balances the firms' attractiveness in information assets against their security requirements. Assuming that security requirements are endogenous, we demonstrate that under both targeted attacks and mass attacks the two firms prefer rigorous security requirements when their competition becomes fierce but loose security requirements when it remains mild.
Notes
Although we assume a single hacker in the model, one can equivalently think of two types of hackers, one launching targeted attacks and the other mass attacks. If instead one insists on a single hacker, one can assume that the hacker who launches mass attacks can also launch targeted attacks after incurring a costly target-search (learning) stage. In that situation, depending on how the target-search cost compares with the increase in expected benefit from switching from mass attacks to targeted attacks, the hacker chooses the benefit-maximizing attack mode in equilibrium. We would like to thank one anonymous reviewer for pointing out this finding.
In fact, when security requirements for both firms are so loose that \(PR_1 >\max (P_{T,1}^{*} ,P_{M,1}^{*} )\) and \(PR_2 >\max (P_{T,2}^{*} ,P_{M,2}^{*} )\), the sums of hacker investments under targeted attacks and mass attacks are still unchanged.
We would like to thank one anonymous reviewer for providing the first three interesting model extensions.
Acknowledgments
The authors thank the editor and the anonymous referees for their valuable comments and helpful suggestions, which substantially improved the quality and presentation of this manuscript. This study was supported by the Fundamental Research Support Funds from Southeast University (no. 2242015S20002) and the Fundamental Research Funds for the Central Universities (no. 2242014K10019).
Appendix
Proof of Lemma 1
The first-order conditions of the two firms and the hacker are
One can obtain Eq. (3) from Eqs. (18) and (19). The second-order conditions for the equilibrium strategies are clearly satisfied. \(\square \)
Proof of Lemma 2
The first-order conditions of the two firms and the hacker are
and
From Eq. (20) one obtains
which, together with Eq. (21), yields Eq. (7). The second-order conditions for the equilibrium strategies can be verified easily. \(\square \)
Proof of Proposition 1
By Lemmas 1 and 2, one obtains
Because firm 1 is the more attractive firm, \(V_1 -F_1 >V_2 -F_2 \), so \(\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }\) strictly decreases with \(\Delta \) (its derivative with respect to \(\Delta \) is \(\frac{(V_2 -F_2 )-(V_1 -F_1 )}{(V_2 -F_2 +\Delta )^{2}}<0\)) and \(\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }\) strictly increases with \(\Delta \); one can therefore find that
which imply that \(c_{T,2}^{*} <c_M^{*} <c_{T,1}^{*} \).
One can obtain
Note \(V_1 -F_1 >\frac{V_1 -F_1 }{2}+\left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}\) if and only if
which always holds because
Hence, \(z_{T,1}^{*} >z_{M,1}^{*}\).
Similarly, some calculations yield
One can find \(V_2 -F_2 <\frac{V_2 -F_2 }{2}+\left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}\) if and only if
which always holds because
implying that \(z_{T,2}^{*} <z_{M,2}^{*} \).
Noting
one can obtain that \(P_{T,1}^{*} >P_{M,1}^{*} \) and \(P_{T,2}^{*} <P_{M,2}^{*} \). \(\square \)
Proof of Proposition 2
The difference of expected benefits of the more attractive firm between targeted attacks and mass attacks takes the form of
By Proposition 1, \(P_{T,1}^{*} >P_{M,1}^{*} \), \(P_{T,2}^{*} <P_{M,2}^{*} \), \(z_{T,1}^{*} >z_{M,1}^{*} \), implying that \(\pi _{T,1}^{*} <\pi _{M,1}^{*} \).
Similarly, the difference of expected benefits of the less attractive firm between the two types of cyber attacks is
It follows from \(P_{T,2}^{*} <P_{M,2}^{*} \),\(P_{T,1}^{*} >P_{M,1}^{*} \),\(z_{T,2}^{*} <z_{M,2}^{*} \) that \(\pi _{T,2}^{*} >\pi _{M,2}^{*} \). \(\square \)
Proof of Proposition 3
It can be obtained that
Hence,
Meanwhile,
and further
Finally, the difference of expected benefits of the hacker under targeted attacks and mass attacks is
where \(\Omega \left( {(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}} \right) \) is a function of \(\omega =(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}\).
Denoting \(\nu =(V_2 -F_2 )(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\), we are able to obtain
where \(\omega >\nu \).
The derivative of \(\Omega (\omega )\) over \(\omega \) takes the form of
Hence, one can find \({\Omega }'(\omega )>0\), implying that \(\Omega (\omega )>\Omega (\nu )=0\) and further \(H_T^{*} -H_M^{*} >0\). \(\square \)
Proof of Proposition 4
Under targeted attacks, the first-order conditions of the firms and the hacker with mandatory security requirements are
and Eq. (19). Solving Eq. (19) yields
which imply the first-order conditions for the two firms
We are now in a position to derive the equilibrium strategies of the two firms (and further the equilibrium strategy of the hacker) in the following four scenarios.
(a) In case of \({ PR}_1 \ge P_{T,1}^{*} ,{ PR}_2 \ge P_{T,2}^{*} \), the equilibrium strategies for the two firms are not affected by the security requirements and thus remain unchanged, as given by Eq. (3).
(b) In case of \({ PR}_1 \ge P_{T,1}^{*} ,{ PR}_2 <P_{T,2}^{*} \), the equilibrium strategy for firm 1 remains unchanged since the optimization problems of the two firms are independent of each other. In contrast, the equilibrium strategy for firm 2 is obtained by solving \(k^{\frac{1}{1-\phi }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{1-\phi }}z_2^{-\frac{\beta }{1-\phi }} ={ PR}_2 \), that is,
$$\begin{aligned} \hat{{z}}_{T,2}^{*} =k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}{ PR}_2^{-\frac{1-\phi }{\beta }} , \quad \hat{{c}}_{T,2}^{*} =\phi a(V_2 -F_2 )PR_2 , \quad \hat{{P}}_{T,2}^{*} ={ PR}_2 .\quad \end{aligned}$$ (37)
The first-order condition of firm 2 holds since
$$\begin{aligned} \left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =\hat{{z}}_{T,2}^{*} } <\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =z_{T,2}^{*} } =0. \end{aligned}$$
(c) In case of \({ PR}_1 <P_{T,1}^{*} ,{ PR}_2 \ge P_{T,2}^{*} \), we can similarly find that the equilibrium strategy for firm 2 remains unchanged while the equilibrium strategy for firm 1 takes the form of
$$\begin{aligned} \hat{{z}}_{T,1}^{*} =k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}{ PR}_1^{-\frac{1-\phi }{\beta }} , \quad \hat{{c}}_{T,1}^{*} =\phi a(V_1 -F_1 ){ PR}_1 , \quad \hat{{P}}_{T,1}^{*} ={ PR}_1 .\quad \end{aligned}$$ (38)
(d) In case of \(PR_1 <P_{T,1}^{*} ,{ PR}_2 <P_{T,2}^{*} \), the equilibrium strategies for both firms are given by Eqs. (37) and (38).
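As a worked check on case (b), added here and not part of the original proof, the investment level in Eq. (37) can be recovered from the binding requirement step by step. Write the breach probability along the hacker's best response as \(P_2 (z_2 )=k^{\frac{1}{1-\phi }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{1-\phi }}z_2^{-\frac{\beta }{1-\phi }} \), the left-hand side of the equation solved in case (b), and assume, as the exponents require, \(0<\phi <1\) and \(\beta >0\):

$$\begin{aligned} P_2 (\hat{{z}}_{T,2}^{*} )={ PR}_2 &\Longleftrightarrow k[\phi a(V_2 -F_2 )]^{\phi }(\hat{{z}}_{T,2}^{*} )^{-\beta }={ PR}_2^{1-\phi } \quad \text {(both sides raised to the power } 1-\phi >0\text {)}\\ &\Longleftrightarrow (\hat{{z}}_{T,2}^{*} )^{\beta }=k[\phi a(V_2 -F_2 )]^{\phi }{ PR}_2^{-(1-\phi )}\\ &\Longleftrightarrow \hat{{z}}_{T,2}^{*} =k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}{ PR}_2^{-\frac{1-\phi }{\beta }}, \end{aligned}$$

which is the first entry of Eq. (37). Because \(P_2 (z_2 )\) is strictly decreasing in \(z_2 \), the requirement \({ PR}_2 <P_{T,2}^{*} =P_2 (z_{T,2}^{*} )\) forces \(\hat{{z}}_{T,2}^{*} >z_{T,2}^{*} \): firm 2 must invest more than in the unconstrained equilibrium to reach the mandated breach probability, and the inequality \(\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =\hat{{z}}_{T,2}^{*} } <0\) in case (b) says that it would not do so voluntarily, so the requirement binds and \(\hat{{P}}_{T,2}^{*} ={ PR}_2 \) exactly. The remaining entry \(\hat{{c}}_{T,2}^{*} \) follows by substituting \(\hat{{z}}_{T,2}^{*} \) into the hacker's best response obtained from Eq. (19).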
\(\square \)
Proof of Proposition 5
Under mass attacks, the first-order conditions for the two firms and the hacker are
and Eq. (21). Solving Eq. (21) yields
One can get for the two firms
We now derive the equilibrium strategies for the two firms (and further the equilibrium strategy of the hacker) in the following four scenarios.
(a) In case of \({ PR}_1 \ge P_{M,1}^{*} ,{ PR}_2 \ge P_{M,2}^{*} \), the equilibrium strategies for the two firms remain unchanged, as given by Eq. (7).
(b) In case of \({ PR}_1 \ge P_{M,1}^{*} ,{ PR}_2 <P_{M,2}^{*} \), in order to prove that the equilibrium strategies for firm 1 and firm 2 are given by Eqs. (10) and (13), we must show that (1) Eq. (42) holds and (2) the first-order condition in Eq. (43) holds. Denote the solutions of Eqs. (10) and (13) by \(\hat{{z}}_{M,1}^{*} \) and \(\hat{{z}}_{M,2}^{*} \). By Eq. (10), we can obtain
$$\begin{aligned} z_2 ^{-\beta }=\frac{1}{V_2 -F_2 }\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} ,\quad \end{aligned}$$ (45)
which strictly increases with \(z_1 \) (since \(0<\phi <1\) and \(\beta >0\), both terms inside the braces increase with \(z_1 \)). Hence the best response function \(z_1 =R_1 (z_2 )\) exists and decreases with \(z_2 \), and the security breach probability
$$\begin{aligned} P_2= & {} \frac{z_1^{1+\beta } }{\beta (V_2 -F_2 )(V_1 -F_1 +\Delta )}\nonumber \\&\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} \end{aligned}$$ (46)
increases with \(z_1 \) and thus decreases with \(z_2 \), which implies \(\hat{{z}}_{M,2}^{*} >z_{M,2}^{*} \) since \(P_2 ={ PR}_2 <P_{M,2}^{*} \). Noting that
$$\begin{aligned} \frac{\partial \pi _2 }{\partial z_2 }= & {} \beta P_2 z_2 ^{-1}(V_2 -F_2 +\Delta )-1 \nonumber \\= & {} \frac{V_2 -F_2 +\Delta }{(V_2 -F_2 )(V_1 -F_1 +\Delta )}z_1^{1+\beta }\nonumber \\&\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} z_2 ^{-1}-1\nonumber \\ \end{aligned}$$ (47)
strictly decreases with \(z_2 \), one obtains \(\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =\hat{{z}}_{M,2}^{*} } <\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =z_{M,2}^{*} } =0\), which implies that condition (2) holds. It follows from \(\hat{{z}}_{M,2}^{*} >z_{M,2}^{*} \) that \(\hat{{z}}_{M,1}^{*} <z_{M,1}^{*} \). Substituting into Eq. (10) yields
$$\begin{aligned} P_1 =[\beta (V_1 -F_1 +\Delta )]^{-1}\hat{{z}}_{M,1}^{*} <[\beta (V_1 -F_1 +\Delta )]^{-1}z_{M,1}^{*} \le { PR}_1 , \end{aligned}$$ (48)
and therefore condition (1) also holds.
(c) In case of \({ PR}_1 <P_{M,1}^{*} \) and \({ PR}_2 \ge P_{M,2}^{*} \), in a similar fashion we can prove that the equilibrium strategies for firm 1 and firm 2 satisfy Eqs. (11) and (12).
(d) In case of \({ PR}_1 <P_{M,1}^{*} \) and \({ PR}_2 <P_{M,2}^{*} \), after excluding the other three situations discussed above, we can prove that the equilibrium strategies for both firms are given by Eqs. (11) and (13), namely,
$$\begin{aligned} \left\{ {\begin{array}{l} \hat{{z}}_{M,1}^{*} =k^{\frac{1}{\beta }}(0.5\phi a)^{\frac{\phi }{\beta }}[{ PR}_1 (V_1 -F_1 )+{ PR}_2 (V_2 -F_2 )]^{\frac{\phi }{\beta }}{ PR}_1^{-\frac{1}{\beta }} \\ \hat{{z}}_{M,2}^{*} =k^{\frac{1}{\beta }}(0.5\phi a)^{\frac{\phi }{\beta }}[{ PR}_1 (V_1 -F_1 )+PR_2 (V_2 -F_2 )]^{\frac{\phi }{\beta }}PR_2^{-\frac{1}{\beta }} \\ \end{array}} \right. . \end{aligned}$$
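The monotonicity claims in case (b) (Eq. (45) increases with \(z_1 \), Eq. (46) increases with \(z_1 \), Eq. (47) decreases with \(z_2 \)) are easy to sanity-check numerically. The following script is an added example, not code from the paper: it implements the three displayed expressions with the paper's symbols, evaluates them on a grid of \(z_1 \) values, and reports whether each claim holds on that grid. All parameter values are constructed for illustration and are not taken from the paper; the script assumes \(k,a>0\), \(\beta >0\) and \(0<\phi <1\), as the exponents in Eqs. (45)-(47) require.

```python
"""Numerical sanity check of the monotonicity claims in the proof of
Proposition 5, case (b) (Eqs. (45)-(47)). Added example, not the paper's own
code. Parameter values are constructed, not taken from the paper, and the
model parameters are assumed to satisfy k, a > 0, beta > 0 and 0 < phi < 1 so
that every power below is well defined."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    k: float       # scale of the breach-probability function
    phi: float     # hacker-investment exponent, 0 < phi < 1
    a: float       # hacker benefit scaling
    beta: float    # firm-investment exponent, beta > 0
    v1f1: float    # V_1 - F_1, net information assets of firm 1
    v2f2: float    # V_2 - F_2, net information assets of firm 2
    delta: float   # competition term Delta


def braced_term(m: Model, z1: float) -> float:
    """The braced expression shared by Eqs. (45)-(47)."""
    lead = (z1 ** ((1 + m.beta) * (1 - m.phi) / m.phi)
            * (m.beta * (m.v1f1 + m.delta)) ** (-(1 - m.phi) / m.phi)
            / (0.5 * m.phi * m.a)
            * m.k ** (-1 / m.phi))
    return lead - z1 ** (-m.beta) * m.v1f1


def z2_of_z1(m: Model, z1: float) -> float:
    """Eq. (45) solved for z_2; only defined where the braced term is positive."""
    z2_pow = braced_term(m, z1) / m.v2f2          # this equals z_2^{-beta}
    if z2_pow <= 0:
        raise ValueError("braced term must be positive for Eq. (45) to define z_2")
    return z2_pow ** (-1 / m.beta)


def breach_prob_2(m: Model, z1: float) -> float:
    """Firm 2's security breach probability along Eq. (45), Eq. (46)."""
    return z1 ** (1 + m.beta) / (m.beta * m.v2f2 * (m.v1f1 + m.delta)) * braced_term(m, z1)


def dpi2_dz2(m: Model, z1: float) -> float:
    """Firm 2's marginal expected benefit, second form of Eq. (47)."""
    z2 = z2_of_z1(m, z1)
    return ((m.v2f2 + m.delta) / (m.v2f2 * (m.v1f1 + m.delta))
            * z1 ** (1 + m.beta) * braced_term(m, z1) / z2 - 1)


def dpi2_dz2_first_form(m: Model, z1: float) -> float:
    """First form of Eq. (47): beta * P_2 * z_2^{-1} * (V_2 - F_2 + Delta) - 1."""
    z2 = z2_of_z1(m, z1)
    return m.beta * breach_prob_2(m, z1) / z2 * (m.v2f2 + m.delta) - 1


def _strictly(seq, increasing: bool) -> bool:
    """True if the sequence is strictly increasing (or strictly decreasing)."""
    return all((b > a) if increasing else (b < a) for a, b in zip(seq, seq[1:]))


def check_case_b(m: Model, z1_grid) -> dict:
    """Evaluate the monotonicity claims of case (b) on a grid of z_1 values."""
    z2s = [z2_of_z1(m, z) for z in z1_grid]
    p2s = [breach_prob_2(m, z) for z in z1_grid]
    dpis = [dpi2_dz2(m, z) for z in z1_grid]
    # Reorder by z_2 to test the claim that Eq. (47) strictly decreases with z_2.
    dpis_by_z2 = [d for _, d in sorted(zip(z2s, dpis))]
    agree = max(abs(dpi2_dz2(m, z) - dpi2_dz2_first_form(m, z)) for z in z1_grid)
    return {
        "z2_decreases_in_z1": _strictly(z2s, increasing=False),
        "P2_increases_in_z1": _strictly(p2s, increasing=True),
        "dpi2_decreases_in_z2": _strictly(dpis_by_z2, increasing=False),
        "both_forms_of_47_agree": agree < 1e-9,
    }


# Constructed parameters (assumption, not the paper's values); firm 1 is the
# more attractive firm, so V_1 - F_1 > V_2 - F_2. On this grid the braced term
# is positive and P_2 stays inside (0, 1).
EXAMPLE = Model(k=1.0, phi=0.5, a=1.0, beta=1.0, v1f1=10.0, v2f2=5.0, delta=1.0)
EXAMPLE_GRID = [3.2 + 0.1 * i for i in range(9)]

if __name__ == "__main__":
    for name, ok in check_case_b(EXAMPLE, EXAMPLE_GRID).items():
        print(f"{name}: {ok}")
```

The grid must start above the point where the braced term becomes positive (here roughly \(z_1 \approx 3.02\)); below it Eq. (45) has no solution for \(z_2 \), which the script reports as an error rather than silently returning a complex or negative investment.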
\(\square \)
Proof of Proposition 6
It follows from Propositions 4 and 5 that
and
Therefore, \(\hat{{z}}_{T,1}^{*} >\hat{{z}}_{M,1}^{*} \), \(\hat{{z}}_{T,2}^{*} <\hat{{z}}_{M,2}^{*} \), \(\hat{{c}}_{T,1}^{*} >\hat{{c}}_M^{*} >\hat{{c}}_{T,2}^{*} \) if \((V_1 -F_1 )PR_1 >(V_2 -F_2 )PR_2 \) and \(\hat{{z}}_{T,1}^{*} <\hat{{z}}_{M,1}^{*} \), \(\hat{{z}}_{T,2}^{*} >\hat{{z}}_{M,2}^{*} \), \(\hat{{c}}_{T,1}^{*} <\hat{{c}}_M^{*} <\hat{{c}}_{T,2}^{*} \) if \((V_1 -F_1 )PR_1 <(V_2 -F_2 )PR_2 \).
Because \(\hat{{P}}_{T,1}^{*} =\hat{{P}}_{M,1}^{*} =PR_1 \) and \(\hat{{P}}_{T,2}^{*} =\hat{{P}}_{M,2}^{*} =PR_2 \), the difference of expected benefits of the more attractive firm between targeted attacks and mass attacks is
implying \(\hat{{\pi }}_{T,1}^{*} >\hat{{\pi }}_{M,1}^{*} \) and \(\hat{{\pi }}_{T,2}^{*} <\hat{{\pi }}_{M,2}^{*} \) if and only if \((V_1 -F_1 )PR_1 <(V_2 -F_2 )PR_2 \). The difference of the expected benefits of the hacker under targeted attacks and mass attacks is
which implies that the expected benefits of the hacker under the two types of cyber attacks are equal. \(\square \)
Proof of Proposition 7
After some calculations, the expected benefits of the two firms under the different security requirements are summarized in Table 2,
where
with \(PR_1 \in (0,P_{T,1}^{*} )\) and \(PR_2 \in (0,P_{T,2}^{*} )\).
Because
we can find that firm 1’s optimal strategy is to set a rigorous security requirement if and only if \(\Theta _1 (\Delta )>0\). Similarly, firm 2’s optimal strategy is to set a rigorous security requirement if and only if
Hence, both firms choose rigorous security requirements provided that Eq. (14) holds and choose loose security requirements provided that Eq. (15) holds.
Because
firm 1’s optimal security requirement when choosing a rigorous security requirement is given by
Similarly, firm 2’s optimal security requirement when choosing a rigorous security requirement is
\(\square \)
Cite this article
Gao, X., Zhong, W. Information security investment for competitive firms with hacker behavior and security requirements. Ann Oper Res 235, 277–300 (2015). https://doi.org/10.1007/s10479-015-1925-2