Information security investment for competitive firms with hacker behavior and security requirements

Annals of Operations Research

Abstract

This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering strategic interactions between two competitive firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms’ investment strategies in information security. We indicate that security requirements sometimes can drastically alter the comparisons of these investment strategies under the two types of cyber attacks. The hacker would balance the firms’ attractiveness in information assets and security requirements when determining its investment decisions in cyber attacks. By assuming that security requirements are endogenous, we demonstrate that under targeted attacks and mass attacks both firms would like to regulate rigorous security requirements when their degree of competition becomes fierce but would like to choose loose security requirements when the degree of competition remains mild.

Notes

  1. In the current discussion, although we assume a single hacker in the model, one can equally think of two types of hackers who launch targeted attacks and mass attacks, respectively. Alternatively, if we focus on just one hacker, one can assume that a hacker who launches mass attacks is able to launch targeted attacks after some costly learning to target. In this situation, depending on how the target-search cost compares with the increase in expected benefit from moving from mass attacks to targeted attacks, the hacker may choose a particular benefit-maximizing attack mode in equilibrium. We would like to thank one anonymous reviewer for pointing out this finding.

  2. In fact, when security requirements for both firms are so loose that \(PR_1 >\max (P_{T,1}^{*} ,P_{M,1}^{*} )\) and \(PR_2 >\max (P_{T,2}^{*} ,P_{M,2}^{*} )\), the sums of hacker investments under targeted attacks and mass attacks are still unchanged.

  3. We would like to thank one anonymous reviewer for providing the first three interesting model extensions.

Acknowledgments

The authors thank the editor and anonymous referees for their feedback of valuable comments and helpful suggestions that helped substantially improve the quality and the presentation of this manuscript. This study was supported by the Fundamental Research Support Funds from Southeast University (no. 2242015S20002) and the Fundamental Research Funds for the Central Universities (no. 2242014K10019).

Author information

Corresponding author

Correspondence to Xing Gao.

Appendix

Proof of Lemma 1

The first-order conditions of the two firms and the hacker are

$$\begin{aligned} \frac{\partial \pi _i }{\partial z_i }= & {} \beta kc_i^\phi z_i ^{-\beta -1}(V_i -F_i +\Delta )-1=0\end{aligned}$$
(18)
$$\begin{aligned} \frac{\partial H}{\partial c_i }= & {} \phi kc_i^{\phi -1} z_i ^{-\beta }a(V_i -F_i )-1=0. \end{aligned}$$
(19)

One can obtain Eq. (3) by (18) and (19). Obviously, the second-order conditions of the equilibrium strategies are satisfied. \(\square \)

Proof of Lemma 2

The first-order conditions of the two firms and the hacker are

$$\begin{aligned} \frac{\partial \pi _i }{\partial z_i }=\beta kc^{\phi }z_i^{-\beta -1} (V_i -F_i +\Delta )-1=0 \end{aligned}$$
(20)

and

$$\begin{aligned} \frac{\partial H}{\partial c}=\phi kac^{\phi -1}[z_1^{-\beta } (V_1 -F_1 )+z_2^{-\beta } (V_2 -F_2 )]-2=0 \end{aligned}$$
(21)

One can obtain by Eq. (20)

$$\begin{aligned} z_i =[\beta k(V_i -F_i +\Delta )]^{\frac{1}{1+\beta }}c^{\frac{\phi }{1+\beta }} \end{aligned}$$
(22)

which, together with Eq. (21), yields Eq. (7). The second-order conditions for equilibrium strategies can be validated easily. \(\square \)

Proof of Proposition 1

One can get by Lemma 1 and Lemma 2

$$\begin{aligned} \left\{ {\begin{array}{l} \frac{c_{T,1}^{*} }{c_M^{*} }=\left[ {\frac{1}{2}+\left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2(V_1 -F_1 )}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }} \\ \frac{c_{T,2}^{*} }{c_M^{*} }=\left[ {\frac{1}{2}+\left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2(V_2 -F_2 )}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }} \\ \end{array}} \right. \quad . \end{aligned}$$
(23)

Because \(\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }\) decreases with \(\Delta \) and \(\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }\) increases with \(\Delta \), one can find that

$$\begin{aligned} \left\{ {\begin{array}{l} \frac{c_{T,1}^{*} }{c_M^{*} }>\left[ {\frac{1}{2}+\left( {\frac{V_1 -F_1 }{V_2 -F_2 }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2(V_1 -F_1 )}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }}=\left[ {\frac{1}{2}+\frac{1}{2}\left( {\frac{V_1 -F_1 }{V_2 -F_2 }} \right) ^{-\frac{1}{1+\beta }}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }}>1 \\ \frac{c_{T,2}^{*} }{c_M^{*} }<\left[ {\frac{1}{2}+\left( {\frac{V_2 -F_2 }{V_1 -F_1 }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2(V_2 -F_2 )}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }}=\left[ {\frac{1}{2}+\frac{1}{2}\left( {\frac{V_2 -F_2 }{V_1 -F_1 }} \right) ^{-\frac{1}{1+\beta }}} \right] ^{-\frac{1+\beta }{1-\phi +\beta }}<1 \\ \end{array}} \right. . \end{aligned}$$
(24)

which imply that \(c_{T,2}^{*} <c_M^{*} <c_{T,1}^{*} \).

One can obtain

$$\begin{aligned}&\mathrm{sign}(z_{T,1}^{*} -z_{M,1}^{*} )\nonumber \\&\quad =\mathrm{sign} \left\{ {(V_1 -F_1 )^{\frac{\phi }{1-\phi +\beta }} -\left[ {\frac{V_1 -F_1 }{2}+\left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}} \right] ^{\frac{\phi }{1-\phi +\beta }}} \right\} . \nonumber \\ \end{aligned}$$
(25)

Note \(V_1 -F_1 >\frac{V_1 -F_1 }{2}+\left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}\) if and only if

$$\begin{aligned} \left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{V_1 -F_1 }<1 \end{aligned}$$

which always holds because

$$\begin{aligned} \left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{V_1 -F_1 }<\left( {\frac{V_1 -F_1 }{V_2 -F_2 }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{V_1 -F_1 }=\left( {\frac{V_2 -F_2 }{V_1 -F_1 }} \right) ^{\frac{1}{1+\beta }}<1.\qquad \end{aligned}$$
(26)

Hence, \(z_{T,1}^{*} >z_{M,1}^{*}\).

Similarly, some calculations yield

$$\begin{aligned}&\mathrm{sign}(z_{T,2}^{*} -z_{M,2}^{*} )\nonumber \\&\quad =\mathrm{sign}\left\{ {(V_2 -F_2 )^{\frac{\phi }{1-\phi +\beta }}-\left[ {\frac{V_2 -F_2 }{2}+\left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}} \right] ^{\frac{\phi }{1-\phi +\beta }}} \right\} \qquad \end{aligned}$$
(27)

One can find \(V_2 -F_2 <\frac{V_2 -F_2 }{2}+\left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}\) if and only if

$$\begin{aligned} \left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{V_2 -F_2 }>1, \end{aligned}$$

which always holds because

$$\begin{aligned} \left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{V_2 -F_2 }>\left( {\frac{V_2 -F_2 }{V_1 -F_1 }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{V_2 -F_2 }=\left( {\frac{V_1 -F_1 }{V_2 -F_2 }} \right) ^{\frac{1}{1+\beta }}>1,\qquad \end{aligned}$$
(28)

implying that \(z_{T,2}^{*} <z_{M,2}^{*} \).

Noting

$$\begin{aligned} \left\{ {\begin{array}{l} \frac{P_{T,1}^{*} }{P_{M,1}^{*} }=\left[ {\frac{1}{2}+\left( {\frac{V_1 -F_1 +\Delta }{V_2 -F_2 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2(V_1 -F_1 )}} \right] ^{-\frac{\phi }{1-\phi +\beta }} \\ \frac{P_{T,2}^{*} }{P_{M,2}^{*} }=\left[ {\frac{1}{2}+\left( {\frac{V_2 -F_2 +\Delta }{V_1 -F_1 +\Delta }} \right) ^{\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2(V_2 -F_2 )}} \right] ^{-\frac{\phi }{1-\phi +\beta }} \\ \end{array}} \right. \end{aligned}$$
(29)

one can obtain that \(P_{T,1}^{*} >P_{M,1}^{*} \) and \(P_{T,2}^{*} <P_{M,2}^{*} \). \(\square \)

Proof of Proposition 2

The difference of expected benefits of the more attractive firm between targeted attacks and mass attacks takes the form of

$$\begin{aligned} \pi _{T,1}^{*} -\pi _{M,1}^{*}= & {} (1-P_{T,1}^{*} )(V_1 -F_1 +\Delta )-(1-P_{T,2}^{*} )\Delta -z_{T,1}^{*} \nonumber \\&-\,(1-P_{M,1}^{*} )(V_1 -F_1 +\Delta )+(1-P_{M,2}^{*} )\Delta +z_{M,1}^{*}\nonumber \\= & {} (P_{M,1}^{*} -P_{T,1}^{*} )(V_1 -F_1 +\Delta )+(P_{T,2}^{*} -P_{M,2}^{*} )\Delta +z_{M,1}^{*} -z_{T,1}^{*} \end{aligned}$$
(30)

By Proposition 1, \(P_{T,1}^{*} >P_{M,1}^{*} \), \(P_{T,2}^{*} <P_{M,2}^{*} \), \(z_{T,1}^{*} >z_{M,1}^{*} \), implying that \(\pi _{T,1}^{*} <\pi _{M,1}^{*} \).

Similarly, the difference of expected benefits of the less attractive firm between the two types of cyber attacks is

$$\begin{aligned} \pi _{T,2}^{*} -\pi _{M,2}^{*} =(P_{M,2}^{*} -P_{T,2}^{*} )(V_2 -F_2 +\Delta )+(P_{T,1}^{*} -P_{M,1}^{*} )\Delta +z_{M,2}^{*} -z_{T,2}^{*} . \end{aligned}$$
(31)

It follows from \(P_{T,2}^{*} <P_{M,2}^{*} \), \(P_{T,1}^{*} >P_{M,1}^{*} \) and \(z_{T,2}^{*} <z_{M,2}^{*} \) that \(\pi _{T,2}^{*} >\pi _{M,2}^{*} \). \(\square \)

Proof of Proposition 3

It can be obtained that

$$\begin{aligned}&(P_{T,i}^{*} -P_{M,i}^{*} )a(V_i -F_i )\nonumber \\&\quad =k^{\frac{1}{1-\phi +\beta }}\phi ^{\frac{\phi }{1-\phi +\beta }}a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }} \left\{ (V_i -F_i )^{\frac{1+\beta }{1-\phi +\beta }} (V_i -F_i +\Delta )^{-\frac{\beta }{1-\phi +\beta }} \right. \nonumber \\&\qquad -\,(V_i -F_i )(V_i -F_i +\Delta )^{-\frac{\beta }{1+\beta }}\nonumber \\&\qquad \left. \left[ {(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }} \frac{V_1 -F_1 }{2}+(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}} \right] ^{\frac{\phi }{1-\phi +\beta }} \right\} \end{aligned}$$

Hence,

$$\begin{aligned}&(P_{T,1}^{*} -P_{M,1}^{*} )a(V_1 -F_1 )+(P_{T,2}^{*} -P_{M,2}^{*} )a(V_2 -F_2 )=k^{\frac{1}{1-\phi +\beta }}a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }}\phi ^{\frac{\phi }{1-\phi +\beta }} \\&\quad \left\{ {(V_1 -F_1 )^{\frac{1+\beta }{1-\phi +\beta }}(V_1 -F_1 +\Delta )^{-\frac{\beta }{1-\phi +\beta }}+(V_2 -F_2 )^{\frac{1+\beta }{1-\phi +\beta }}(V_2 -F_2 +\Delta )^{-\frac{\beta }{1-\phi +\beta }}} \right. \\&\quad \left. {-\,2\left[ {(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}+(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}} \right\} . \end{aligned}$$

Meanwhile,

$$\begin{aligned} c_M^{*} -c_{T,i}^{*}= & {} k^{\frac{1}{1-\phi +\beta }} a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }} \phi ^{\frac{1+\beta }{1-\phi +\beta }} \\&\times \left\{ \left[ {(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}+(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}\right. \\&\left. -\,(V_i -F_i )^{\frac{1+\beta }{1-\phi +\beta }} (V_i -F_i +\Delta )^{-\frac{\beta }{1-\phi +\beta }} \right\} \end{aligned}$$

and further

$$\begin{aligned}&c_M^{*} -c_{T,1}^{*} +c_M^{*} -c_{T,2}^{*}\\&\quad =k^{\frac{1}{1-\phi +\beta }} a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }} \phi ^{\frac{1+\beta }{1-\phi +\beta }} \\&\qquad \times \left\{ {2\left[ {(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }} \frac{V_1 -F_1 }{2}+(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }} \frac{V_2 -F_2 }{2}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}} \right. \\&\qquad \left. -(V_1 -F_1 )^{\frac{1+\beta }{1-\phi +\beta }} (V_1 -F_1 +\Delta )^{-\frac{\beta }{1-\phi +\beta }}-(V_2 -F_2 ) ^{\frac{1+\beta }{1-\phi +\beta }} (V_2 -F_2 +\Delta )^{-\frac{\beta }{1-\phi +\beta }} \right\} . \end{aligned}$$

Finally, the difference of expected benefits of the hacker under targeted attacks and mass attacks is

$$\begin{aligned} H_T^{*} -H_M^{*}= & {} (P_{T,1}^{*} -P_{M,1}^{*} )a(V_1 -F_1 )-(c_{T,1}^{*} -c_M^{*} )\\&+\,(P_{T,2}^{*} -P_{M,2}^{*} )a(V_2 -F_2 )-(c_{T,2}^{*} -c_M^{*} ) \\= & {} k^{\frac{1}{1-\phi +\beta }}a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }}\left( {\phi ^{\frac{\phi }{1-\phi +\beta }}-\phi ^{\frac{1+\beta }{1-\phi +\beta }}} \right) \\&\times \left\{ {(V_1 -F_1 )^{\frac{1+\beta }{1-\phi +\beta }}(V_1 -F_1 +\Delta )^{-\frac{\beta }{1-\phi +\beta }}+(V_2 -F_2 )^{\frac{1+\beta }{1-\phi +\beta }}(V_2 -F_2 +\Delta )^{-\frac{\beta }{1-\phi +\beta }}} \right. \\&\left. {-\,2\left[ {(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_1 -F_1 }{2}+(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\frac{V_2 -F_2 }{2}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}} \right\} \\= & {} k^{\frac{1}{1-\phi +\beta }}a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }}\left( {\phi ^{\frac{\phi }{1-\phi +\beta }}-\phi ^{\frac{1+\beta }{1-\phi +\beta }}} \right) \\&\times \left\{ {\left[ {(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}+ \left[ {(V_2 -F_2 )(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}} \right] ^{\frac{1+\beta }{1-\phi +\beta }}} \right. \\&\left. -\,2\left[ {\frac{V_1 -F_1 }{2}(V_1 -F_1 +\Delta ) ^{-\frac{\beta }{1+\beta }}+\frac{V_2 -F_2 }{2}(V_2 -F_2 +\Delta ) ^{-\frac{\beta }{1+\beta }}} \right] ^{\frac{1+\beta }{1-\phi +\beta }} \right\} \\:= & {} k^{\frac{1}{1-\phi +\beta }}a^{\frac{1+\beta }{1-\phi +\beta }}\beta ^{-\frac{\beta }{1-\phi +\beta }}\left( {\phi ^{\frac{\phi }{1-\phi +\beta }}-\phi ^{\frac{1+\beta }{1-\phi +\beta }}} \right) \Omega \left( {(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}} \right) \end{aligned}$$

where \(\Omega \left( {(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}} \right) \) is a function of \(\omega =(V_1 -F_1 )(V_1 -F_1 +\Delta )^{-\frac{\beta }{1+\beta }}\).

Denoting \(\nu =(V_2 -F_2 )(V_2 -F_2 +\Delta )^{-\frac{\beta }{1+\beta }}\), we are able to obtain

$$\begin{aligned} \Omega (\omega )=\omega ^{\frac{1+\beta }{1-\phi +\beta }}-\,2\left( {\frac{\omega }{2}+\frac{\nu }{2}} \right) ^{\frac{1+\beta }{1-\phi +\beta }}+\nu ^{\frac{1+\beta }{1-\phi +\beta }} \end{aligned}$$
(32)

where \(\omega >\nu \).

The derivative of \(\Omega (\omega )\) over \(\omega \) takes the form of

$$\begin{aligned} {\Omega }'(\omega )=\frac{1+\beta }{1-\phi +\beta }\left[ {\omega ^{\frac{\phi }{1-\phi +\beta }}-\left( {\frac{\omega }{2}+\frac{\nu }{2}} \right) ^{\frac{\phi }{1-\phi +\beta }}} \right] . \end{aligned}$$
(33)

Hence, one can find \({\Omega }'(\omega )>0\), implying that \(\Omega (\omega )>\Omega (\nu )=0\) and further \(H_T^{*} -H_M^{*} >0\). \(\square \)
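A numerical check of Lemmas 1 and 2 and Propositions 1 to 3, added here as an example and not part of the original paper: it solves the first-order conditions (18)-(22) in closed form, plugs the solutions back into those conditions, and compares the two attack modes. All parameter values are constructed for illustration, and \(0<\phi <1\), \(\beta >0\) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    # Constructed sample values (assumptions; the page gives no numbers).
    k: float = 0.5          # k in P_i = k * c_i^phi * z_i^(-beta)
    phi: float = 0.5        # assumed 0 < phi < 1
    beta: float = 1.0       # assumed beta > 0
    a: float = 0.5          # coefficient a from Eqs. (19) and (21)
    delta: float = 1.0      # Delta from Eqs. (18) and (20)
    B: tuple = (8.0, 5.0)   # V_i - F_i; firm 1 (index 0) is the more attractive


def breach(p, c, z):
    """Breach probability P = k c^phi z^(-beta)."""
    return p.k * c ** p.phi * z ** (-p.beta)


def targeted(p):
    """Closed-form solution of Eqs. (18)-(19): one hacker effort c_i per firm."""
    g = 1.0 / (1.0 - p.phi + p.beta)
    eq = []
    for B in p.B:
        A = B + p.delta
        P = (p.k * (p.phi * p.a * B) ** p.phi * (p.beta * A) ** (-p.beta)) ** g
        # (18) gives z_i = beta P_i A_i and (19) gives c_i = phi a B_i P_i.
        eq.append({"P": P, "z": p.beta * P * A, "c": p.phi * p.a * B * P})
    return eq


def mass(p):
    """Closed-form solution of Eqs. (20)-(22): one common hacker effort c."""
    e = p.beta / (1.0 + p.beta)
    S = sum(B * (B + p.delta) ** (-e) for B in p.B)
    c = (0.5 * p.phi * p.a * p.k * (p.beta * p.k) ** (-e) * S) ** (
        (1.0 + p.beta) / (1.0 - p.phi + p.beta))
    eq = []
    for B in p.B:
        z = (p.beta * p.k * (B + p.delta)) ** (1 / (1 + p.beta)) \
            * c ** (p.phi / (1 + p.beta))                      # Eq. (22)
        eq.append({"P": breach(p, c, z), "z": z, "c": c})
    return eq


def foc_residuals(p, eq, is_mass):
    """Plug a solution back into the first-order conditions; entries should be ~0."""
    P = [breach(p, s["c"], s["z"]) for s in eq]
    res = [p.beta * Pi / s["z"] * (B + p.delta) - 1
           for Pi, s, B in zip(P, eq, p.B)]                    # (18) / (20)
    if is_mass:
        res.append(p.phi * p.a / eq[0]["c"]
                   * sum(Pi * B for Pi, B in zip(P, p.B)) - 2)  # (21)
    else:
        res += [p.phi * p.a * B * Pi / s["c"] - 1
                for Pi, s, B in zip(P, eq, p.B)]               # (19)
    return res


def firm_benefit(p, eq, i):
    """Expected benefit of firm i up to the constant F_i, as used in Eq. (30)."""
    j = 1 - i
    return ((1 - eq[i]["P"]) * (p.B[i] + p.delta)
            - (1 - eq[j]["P"]) * p.delta - eq[i]["z"])


def hacker_benefit(p, eq):
    """Sum over firms of P_i a (V_i - F_i) - c_i (the cost is 2c under mass attacks)."""
    return sum(s["P"] * p.a * B - s["c"] for B, s in zip(p.B, eq))


def compare(p):
    """Truth value of each ordering claimed in Propositions 1-3."""
    T, M = targeted(p), mass(p)
    return {
        "c_T2 < c_M < c_T1": T[1]["c"] < M[0]["c"] < T[0]["c"],
        "z_T1 > z_M1": T[0]["z"] > M[0]["z"],
        "z_T2 < z_M2": T[1]["z"] < M[1]["z"],
        "P_T1 > P_M1": T[0]["P"] > M[0]["P"],
        "P_T2 < P_M2": T[1]["P"] < M[1]["P"],
        "pi_T1 < pi_M1": firm_benefit(p, T, 0) < firm_benefit(p, M, 0),
        "pi_T2 > pi_M2": firm_benefit(p, T, 1) > firm_benefit(p, M, 1),
        "H_T > H_M": hacker_benefit(p, T) > hacker_benefit(p, M),
    }


if __name__ == "__main__":
    p = Params()
    for claim, holds in compare(p).items():
        print(f"{claim:20s} {holds}")
```
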

Proof of Proposition 4

Under targeted attacks, the first-order conditions of the firms and the hacker with mandatory security requirements are

$$\begin{aligned} \frac{\partial \pi _i }{\partial z_i } =\beta kc_i^\phi z_i ^{-\beta -1}(V_i -F_i +\Delta )-1 \quad \hbox {s.t.}\quad P_i =kc_i^\phi z_i ^{-\beta }\le \textit{PR}_i \end{aligned}$$
(34)

and Eq. (19). Solving Eq. (19) yields

$$\begin{aligned} c_i =[\phi ka(V_i -F_i )]^{\frac{1}{1-\phi }}z_i^{-\frac{\beta }{1-\phi }} \end{aligned}$$
(35)

which imply the first-order conditions for the two firms

$$\begin{aligned} \left\{ \begin{array}{l} \frac{\partial \pi _1 }{\partial z_1 }=\beta k^{\frac{1}{1-\phi }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{1-\phi }}z_1^{-\frac{1-\phi +\beta }{1-\phi }} (V_1 -F_1 +\Delta )-1 \quad \hbox {s.t.}\quad P_1 \\ \quad =k^{\frac{1}{1-\phi }}\left[ {\phi a(V_1 -F_1 )} \right] ^{\frac{\phi }{1-\phi }}z_1^{-\frac{\beta }{1-\phi }} \le PR_1 \\ \frac{\partial \pi _2 }{\partial z_2 }=\beta k^{\frac{1}{1-\phi }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{1-\phi }}z_2^{-\frac{1-\phi +\beta }{1-\phi }} (V_2 -F_2 +\Delta )-1 \quad \hbox {s.t.}\quad P_2 \\ \quad =k^{\frac{1}{1-\phi }}\left[ {\phi a(V_2 -F_2 )} \right] ^{\frac{\phi }{1-\phi }}z_2^{-\frac{\beta }{1-\phi }} \le PR_2 \\ \end{array} \right. \end{aligned}$$
(36)

We are now in a position to derive the equilibrium strategies of the two firms (and further the equilibrium strategy of the hacker) in the following four scenarios.

  (a) In case of \({ PR}_1 \ge P_{T,1}^{*} ,{ PR}_2 \ge P_{T,2}^{*} \), the equilibrium strategies for the two firms are not affected by security requirements and thus remain unchanged, as given by Eq. (3).

  (b) In case of \({ PR}_1 \ge P_{T,1}^{*} ,{ PR}_2 <P_{T,2}^{*} \), it can be observed that the equilibrium strategy for firm 1 remains unchanged since the optimization problems of both firms are independent of each other. In contrast, the equilibrium strategy for firm 2 can be obtained by solving \(k^{\frac{1}{1-\phi }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{1-\phi }}z_2^{-\frac{\beta }{1-\phi }} ={ PR}_2 \), that is,

    $$\begin{aligned} \hat{{z}}_{T,2}^{*} =k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}{ PR}_2^{-\frac{1-\phi }{\beta }} , \quad \hat{{c}}_{T,2}^{*} =\phi a(V_2 -F_2 )PR_2 , \quad \hat{{P}}_{T,2}^{*} ={ PR}_2 .\quad \end{aligned}$$
    (37)

    The first-order condition of firm 2 holds since

    $$\begin{aligned} \left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =\hat{{z}}_{T,2}^{*} } <\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =z_{T,2}^{*} } =0. \end{aligned}$$

  (c) In case of \({ PR}_1 <P_{T,1}^{*} ,{ PR}_2 \ge P_{T,2}^{*} \), we can similarly find that the equilibrium strategy for firm 2 remains unchanged while the equilibrium strategy for firm 1 takes the form of

    $$\begin{aligned} \hat{{z}}_{T,1}^{*} =k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}{ PR}_1^{-\frac{1-\phi }{\beta }} , \quad \hat{{c}}_{T,1}^{*} =\phi a(V_1 -F_1 ){ PR}_1 , \quad \hat{{P}}_{T,1}^{*} ={ PR}_1 .\quad \end{aligned}$$
    (38)

  (d) In case of \(PR_1 <P_{T,1}^{*} ,{ PR}_2 <P_{T,2}^{*} \), the equilibrium strategies for both firms are given by Eqs. (37) and (38).

\(\square \)

Proof of Proposition 5

Under mass attacks, the first-order conditions for the two firms and the hacker are

$$\begin{aligned} \frac{\partial \pi _i }{\partial z_i }=\beta kc^{\phi }z_i ^{-\beta -1}(V_i -F_i +\Delta )-1 \quad \hbox {s.t.}\quad P_i =kc^{\phi }z_i ^{-\beta }\le { PR}_i \end{aligned}$$
(39)

and Eq. (21). Solving Eq. (21) yields

$$\begin{aligned} c=\left( {0.5\phi ka} \right) ^{\frac{1}{1-\phi }}[z_1 ^{-\beta }(V_1 -F_1 ) +z_2 ^{-\beta }(V_2 -F_2 )]^{\frac{1}{1-\phi }}. \end{aligned}$$
(40)

One can get for the two firms

$$\begin{aligned} \frac{\partial \pi _1 }{\partial z_1 }=\beta k^{\frac{1}{1-\phi }}\left[ {0.5\phi a\left( {z_1 ^{-\beta }(V_1 -F_1 )+z_2 ^{-\beta }(V_2 -F_2 )} \right) } \right] ^{\frac{\phi }{1-\phi }}z_1 ^{-\beta -1}(V_1 -F_1 +\Delta )-1\qquad \end{aligned}$$
(41)
$$\begin{aligned} \hbox {s.t.}\quad P_1 \,=k^{\frac{1}{1-\phi }}\left[ {0.5\phi a\left( {z_1 ^{-\beta }(V_1 -F_1 )+z_2 ^{-\beta }(V_2 -F_2 )} \right) } \right] ^{\frac{\phi }{1-\phi }}z_1 ^{-\beta }\le { PR}_1 \qquad \end{aligned}$$
(42)
$$\begin{aligned} \frac{\partial \pi _2 }{\partial z_2 }=\beta k^{\frac{1}{1-\phi }}\left[ {0.5\phi a\left( {z_1 ^{-\beta }(V_1 -F_1 )+z_2 ^{-\beta }(V_2 -F_2 )} \right) } \right] ^{\frac{\phi }{1-\phi }}z_2 ^{-\beta -1}(V_2 -F_2 +\Delta )-1\qquad \end{aligned}$$
(43)
$$\begin{aligned} \hbox {s.t.}\quad P_2 \,=k^{\frac{1}{1-\phi }}\left[ {0.5\phi a\left( {z_1 ^{-\beta }(V_1 -F_1 )+z_2 ^{-\beta }(V_2 -F_2 )} \right) } \right] ^{\frac{\phi }{1-\phi }}z_2 ^{-\beta }\le { PR}_2 \qquad \end{aligned}$$
(44)

We now derive the equilibrium strategies for the two firms (and further the equilibrium strategy of the hacker) in the following four scenarios.

  (a) In case of \({ PR}_1 \ge P_{M,1}^{*} ,{ PR}_2 \ge P_{M,2}^{*} \), the equilibrium strategies for the two firms remain unchanged, as given by Eq. (7).

  (b) In case of \({ PR}_1 \ge P_{M,1}^{*} ,{ PR}_2 <P_{M,2}^{*} \), in order to prove that the equilibrium strategies for firm 1 and firm 2 are given by Eqs. (10) and (13), we must show that: (i) Eq. (42) holds and (ii) the first-order condition of Eq. (43) holds. Denote the solutions of Eqs. (10) and (13) by \(\hat{{z}}_{M,1}^{*} \) and \(\hat{{z}}_{M,2}^{*} \). By Eq. (10), we can obtain

    $$\begin{aligned} z_2 ^{-\beta }=\frac{1}{V_2 -F_2 }\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} ,\quad \end{aligned}$$
    (45)

    which strictly increases with \(z_1 \). Hence, the best response function \(z_1 =R_1 (z_2 )\) exists and decreases with \(z_2 \). Hence, the security breach probability

    $$\begin{aligned} P_2= & {} \frac{z_1^{1+\beta } }{\beta (V_2 -F_2 )(V_1 -F_1 +\Delta )}\nonumber \\&\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} \end{aligned}$$
    (46)

    increases with \(z_1 \) and thus decreases with \(z_2 \), which implies that \(\hat{{z}}_{M,2}^{*} >z_{M,2}^{*} \) since \(P_2 ={ PR}_2 <P_{M,2}^{*} \). Noting that

    $$\begin{aligned} \frac{\partial \pi _2 }{\partial z_2 }= & {} \beta P_2 z_2 ^{-1}(V_2 -F_2 +\Delta )-1 \nonumber \\= & {} \frac{V_2 -F_2 +\Delta }{(V_2 -F_2 )(V_1 -F_1 +\Delta )}z_1^{1+\beta }\nonumber \\&\left\{ {z_1^{\frac{(1+\beta )(1-\phi )}{\phi }} [\beta (V_1 -F_1 +\Delta )]^{-\frac{1-\phi }{\phi }}(0.5\phi a)^{-1}k^{-\frac{1}{\phi }}-z_1 ^{-\beta }(V_1 -F_1 )} \right\} z_2 ^{-1}-1\nonumber \\ \end{aligned}$$
    (47)

    strictly decreases with \(z_2 \), one can obtain \(\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =\hat{{z}}_{M,2}^{*} } <\left. {{\partial \pi _2 }/{\partial z_2 }} \right| _{z_2 =z_{M,2}^{*} } =0\), which implies that condition (ii) holds. It follows that \(\hat{{z}}_{M,1}^{*} <z_{M,1}^{*} \) from \(\hat{{z}}_{M,2}^{*} >z_{M,2}^{*} \). Substituting Eq. (10) yields

    $$\begin{aligned} P_1 =[\beta (V_1 -F_1 +\Delta )]^{-1}\hat{{z}}_{M,1}^{*} <[\beta (V_1 -F_1 +\Delta )]^{-1}z_{M,1}^{*} \le { PR}_1 , \end{aligned}$$
    (48)

    and therefore condition (i) also holds.

  (c) In case of \({ PR}_1 <P_{M,1}^{*} \) and \({ PR}_2 \ge P_{M,2}^{*} \), in a similar fashion we can prove that the equilibrium strategies for firm 1 and firm 2 satisfy Eqs. (11) and (12).

  (d) In case of \({ PR}_1 <P_{M,1}^{*} \) and \({ PR}_2 <P_{M,2}^{*} \), after excluding the other three situations discussed above, we can prove that the equilibrium strategies for both firms are given by Eqs. (11) and (13), namely,

    $$\begin{aligned} \left\{ {\begin{array}{l} \hat{{z}}_{M,1}^{*} =k^{\frac{1}{\beta }}(0.5\phi a)^{\frac{\phi }{\beta }}[{ PR}_1 (V_1 -F_1 )+{ PR}_2 (V_2 -F_2 )]^{\frac{\phi }{\beta }}{ PR}_1^{-\frac{1}{\beta }} \\ \hat{{z}}_{M,2}^{*} =k^{\frac{1}{\beta }}(0.5\phi a)^{\frac{\phi }{\beta }}[{ PR}_1 (V_1 -F_1 )+PR_2 (V_2 -F_2 )]^{\frac{\phi }{\beta }}PR_2^{-\frac{1}{\beta }} \\ \end{array}} \right. . \end{aligned}$$

\(\square \)

Proof of Proposition 6

It follows from Propositions 4 and 5 that

$$\begin{aligned} \left\{ {\begin{array}{l} \frac{\hat{{z}}_{T,1}^{*} }{\hat{{z}}_{M,1}^{*} }=\left[ {\frac{2(V_1 -F_1 )PR_1 }{(V_1 -F_1 )PR_1 +(V_2 -F_2 )PR_2 }} \right] ^{\frac{\phi }{\beta }} \\ \frac{\hat{{z}}_{T,2}^{*} }{\hat{{z}}_{M,2}^{*} }=\left[ {\frac{2(V_2 -F_2 )PR_2 }{(V_1 -F_1 )PR_1 +(V_2 -F_2 )PR_2 }} \right] ^{\frac{\phi }{\beta }} \\ \end{array}} \right. \end{aligned}$$
(49)

and

$$\begin{aligned} \left\{ { \begin{array}{l} \frac{\hat{{c}}_{T,1}^{*} }{\hat{{c}}_M^{*} }=\frac{2(V_1 -F_1 )PR_1 }{(V_1 -F_1 )PR_1 +(V_2 -F_2 )PR_2 } \\ \frac{\hat{{c}}_{T,2}^{*} }{\hat{{c}}_M^{*} }=\frac{2(V_2 -F_2 )PR_2 }{(V_1 -F_1 )PR_1 +(V_2 -F_2 )PR_2 } \\ \end{array}} \right. . \end{aligned}$$
(50)

Therefore, \(\hat{{z}}_{T,1}^{*} >\hat{{z}}_{M,1}^{*} \), \(\hat{{z}}_{T,2}^{*} <\hat{{z}}_{M,2}^{*} \), \(\hat{{c}}_{T,1}^{*} >\hat{{c}}_M^{*} >\hat{{c}}_{T,2}^{*} \) if \((V_1 -F_1 )PR_1 >(V_2 -F_2 )PR_2 \) and \(\hat{{z}}_{T,1}^{*} <\hat{{z}}_{M,1}^{*} \), \(\hat{{z}}_{T,2}^{*} >\hat{{z}}_{M,2}^{*} \), \(\hat{{c}}_{T,1}^{*} <\hat{{c}}_M^{*} <\hat{{c}}_{T,2}^{*} \) if \((V_1 -F_1 )PR_1 <(V_2 -F_2 )PR_2 \).

Because \(\hat{{P}}_{T,1}^{*} =\hat{{P}}_{M,1}^{*} =PR_1 \) and \(\hat{{P}}_{T,2}^{*} =\hat{{P}}_{M,2}^{*} =PR_2 \), the difference of expected benefits of the more attractive firm between targeted attacks and mass attacks is

$$\begin{aligned} \hat{{\pi }}_{T,1}^{*} -\hat{{\pi }}_{M,1}^{*}= & {} (\hat{{P}}_{M,1}^{*} -\hat{{P}}_{T,1}^{*} )(V_1 -F_1 +\Delta )\\&+\,(\hat{{P}}_{T,2}^{*} -\hat{{P}}_{M,2}^{*} )\Delta +\hat{{z}}_{M,1}^{*} -\hat{{z}}_{T,1}^{*} =\hat{{z}}_{M,1}^{*} -\hat{{z}}_{T,1}^{*}\\ \hbox {and}\qquad \qquad \qquad \qquad \hat{{\pi }}_{T,2}^{*} -\hat{{\pi }}_{M,2}^{*}= & {} \hat{{z}}_{M,2}^{*} -\hat{{z}}_{T,2}^{*} \end{aligned}$$

implying \(\hat{{\pi }}_{T,1}^{*} >\hat{{\pi }}_{M,1}^{*} \) and \(\hat{{\pi }}_{T,2}^{*} <\hat{{\pi }}_{M,2}^{*} \) if and only if \((V_1 -F_1 )PR_1 <(V_2 -F_2 )PR_2 \). The difference of the expected benefits of the hacker under targeted attacks and mass attacks is

$$\begin{aligned} \hat{{H}}_T^{*} -\hat{{H}}_M^{*}= & {} (\hat{{P}}_{T,1}^{*} -\hat{{P}}_{M,1}^{*} )a(V_1 -F_1 ) -(\hat{{c}}_{T,1}^{*} -\hat{{c}}_M^{*} )\nonumber \\&+\,(\hat{{P}}_{T,2}^{*} -\hat{{P}}_{M,2}^{*} )a(V_2 -F_2 )-(\hat{{c}}_{T,2}^{*} -\hat{{c}}_M^{*} ) \nonumber \\= & {} 2\hat{{c}}_M^{*} -\hat{{c}}_{T,1}^{*} -\hat{{c}}_{T,2}^{*} \nonumber \\= & {} 0 \end{aligned}$$
(51)

which implies that the expected benefits of the hacker under the two types of cyber attacks are equal. \(\square \)

Proof of Proposition 7

The expected benefits of the two firms with different security requirements can be summarized in Table 2 after some calculations,

Table 2 Expected benefits of the two firms with different security requirements

where

$$\begin{aligned} \left\{ {\begin{array}{l} \pi _{T,1}^{LL} =(1-P_{T,1}^{*} )(V_1 -F_1 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}(P_{T,1}^{*} )^{-\frac{1-\phi }{\beta }}-(1-P_{T,2}^{*} )\Delta +F_1 \\ \pi _{T,2}^{LL} =(1-P_{T,2}^{*} )(V_2 -F_2 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}(P_{T,2}^{*} )^{-\frac{1-\phi }{\beta }}-(1-P_{T,1}^{*} )\Delta +F_2 \\ \pi _{T,1}^{HL} =(1-PR_1 )(V_1 -F_1 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}PR_1^{-\frac{1-\phi }{\beta }} -(1-P_{T,2}^{*} )\Delta +F_1 \\ \pi _{T,2}^{HL} =(1-P_{T,2}^{*} )(V_2 -F_2 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}(P_{T,2}^{*} )^{-\frac{1-\phi }{\beta }}-(1-PR_1 )\Delta +F_2 \\ \pi _{T,1}^{LH} =(1-P_{T,1}^{*} )(V_1 -F_1 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}(P_{T,1}^{*} )^{-\frac{1-\phi }{\beta }}-(1-PR_2 )\Delta +F_1 \\ \pi _{T,2}^{LH} =(1-PR_2 )(V_2 -F_2 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}PR_2^{-\frac{1-\phi }{\beta }} -(1-P_{T,1}^{*} )\Delta +F_2 \\ \pi _{T,1}^{HH} =(1-PR_1 )(V_1 -F_1 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}PR_1^{-\frac{1-\phi }{\beta }} -(1-PR_2 )\Delta +F_1 \\ \pi _{T,2}^{HH} =(1-PR_2 )(V_2 -F_2 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}PR_2^{-\frac{1-\phi }{\beta }} -(1-PR_1 )\Delta +F_2 \\ \end{array}} \right. \end{aligned}$$
(52)

with \(PR_1 \in (0,P_{T,1}^{*} )\) and \(PR_2 \in (0,P_{T,2}^{*} )\).

Because

$$\begin{aligned} \pi _{T,1}^{HL} -\pi _{T,1}^{LL}= & {} \pi _{T,1}^{HH} -\pi _{T,1}^{LH} \nonumber \\= & {} (P_{T,1}^{*} -PR_1 )(V_1 -F_1 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}\nonumber \\&\left[ {PR_1^{-\frac{1-\phi }{\beta }} -(P_{T,1}^{*} )^{-\frac{1-\phi }{\beta }}} \right] :=\Theta _1 (\Delta ) , \end{aligned}$$
(53)

we can find that firm 1’s optimal strategy is to set a rigorous security requirement if and only if \(\Theta _1 (\Delta )>0\). Similarly, firm 2’s optimal strategy is to set a rigorous security requirement if and only if

$$\begin{aligned} \pi _{T,2}^{HL} -\pi _{T,2}^{LL}= & {} \pi _{T,2}^{HH} -\pi _{T,2}^{LH} \nonumber \\= & {} (P_{T,2}^{*} -PR_2 )(V_2 -F_2 +\Delta )-k^{\frac{1}{\beta }}[\phi a(V_2 -F_2 )]^{\frac{\phi }{\beta }}\nonumber \\&\left[ {PR_2^{-\frac{1-\phi }{\beta }} -(P_{T,2}^{*} )^{-\frac{1-\phi }{\beta }}} \right] :=\Theta _2 (\Delta )>0. \end{aligned}$$
(54)

Hence, both firms choose rigorous security requirements provided that Eq. (14) holds and choose loose security requirements provided that Eq. (15) holds.

Because

$$\begin{aligned} \frac{\partial \pi _{T,1}^{HH} }{\partial PR_1 }=\frac{1-\phi }{\beta }k^{\frac{1}{\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{\beta }}PR_1^{-\frac{1-\phi +\beta }{\beta }} -(V_1 -F_1 +\Delta ), \end{aligned}$$

firm 1’s optimal security requirement when choosing a rigorous security requirement is given by

$$\begin{aligned} PR_1^{op}= & {} (1-\phi )^{\frac{\beta }{1-\phi +\beta }}k^{\frac{1}{1-\phi +\beta }}[\phi a(V_1 -F_1 )]^{\frac{\phi }{1-\phi +\beta }}[\beta (V_1 -F_1 +\Delta )]^{-\frac{\beta }{1-\phi +\beta }}\nonumber \\= & {} (1-\phi )^{\frac{\beta }{1-\phi +\beta }}P_{T,1}^{*} <P_{T,1}^{*} \end{aligned}$$
(55)

Similarly, firm 2’s optimal security requirement when choosing a rigorous security requirement is

$$\begin{aligned} PR_2^{op} =(1-\phi )^{\frac{\beta }{1-\phi +\beta }}P_{T,2}^{*} . \end{aligned}$$
(56)

\(\square \)
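The derivation in Eqs. (52)–(55) can be checked numerically; the following Python is an added example, not part of the paper. It compares the closed-form \(PR_1^{op}\) with a brute-force maximiser of \(\pi _{T,1}^{HH}\) and evaluates \(\Theta _1 (\Delta )\) from Eq. (53). The parameter values are constructed, \(0<\phi <1\) and \(\beta >0\) are assumed, and \(P_{T,1}^{*}\) is taken as the expression implied by the two lines of Eq. (55).

```python
# Added example, not from the paper: numeric check of Eqs. (52)-(55) for firm 1.
from dataclasses import dataclass

@dataclass(frozen=True)
class Params:          # the paper's symbols; the values below are constructed
    V: float
    F: float
    Delta: float
    k: float
    a: float
    phi: float         # assumed 0 < phi < 1
    beta: float        # assumed beta > 0

SAMPLE = Params(V=10.0, F=2.0, Delta=1.0, k=0.5, a=0.5, phi=0.5, beta=1.0)

def p_star(p):
    """P*_{T,1}, read off from the two lines of Eq. (55)."""
    e = 1 - p.phi + p.beta
    return (p.k ** (1 / e) * (p.phi * p.a * (p.V - p.F)) ** (p.phi / e)
            * (p.beta * (p.V - p.F + p.Delta)) ** (-p.beta / e))

def pr_opt(p):
    """Closed-form optimal requirement PR_1^op of Eq. (55)."""
    return (1 - p.phi) ** (p.beta / (1 - p.phi + p.beta)) * p_star(p)

def own_terms(p, pr):
    """Terms of pi_{T,1}^{HH} in Eq. (52) that depend on PR_1."""
    coeff = p.k ** (1 / p.beta) * (p.phi * p.a * (p.V - p.F)) ** (p.phi / p.beta)
    return (1 - pr) * (p.V - p.F + p.Delta) - coeff * pr ** (-(1 - p.phi) / p.beta)

def theta(p, pr):
    """Theta_1(Delta) of Eq. (53): gain from a rigorous requirement PR_1 = pr."""
    return own_terms(p, pr) - own_terms(p, p_star(p))

def grid_argmax(p, n=20_000):
    """Brute-force maximiser of pi_{T,1}^{HH} over PR_1 in (0, P*_{T,1})."""
    top = p_star(p)
    return max((top * i / n for i in range(1, n)), key=lambda pr: own_terms(p, pr))

if __name__ == "__main__":
    best = pr_opt(SAMPLE)
    print(f"P*_T1 = {p_star(SAMPLE):.6f}, PR_1^op = {best:.6f}")
    print(f"grid maximiser  = {grid_argmax(SAMPLE):.6f}")
    for pr in (0.001, best, 0.18):
        print(f"PR_1 = {pr:.6f} -> Theta_1 = {theta(SAMPLE, pr):+.4f}")
```

For these constructed values, \(\Theta _1\) is positive at \(PR_1^{op}\) and at \(PR_1 =0.18\) but negative at \(PR_1 =0.001\), so under Eq. (53) the last of these requirements would not be chosen.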


Gao, X., Zhong, W. Information security investment for competitive firms with hacker behavior and security requirements. Ann Oper Res 235, 277–300 (2015). https://doi.org/10.1007/s10479-015-1925-2
