Annals of Operations Research

, Volume 235, Issue 1, pp 277–300 | Cite as

Information security investment for competitive firms with hacker behavior and security requirements



This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering strategic interactions between two competitive firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms’ investment strategies in information security. We indicate that security requirements sometimes can drastically alter the comparisons of these investment strategies under the two types of cyber attacks. The hacker would balance the firms’ attractiveness in information assets and security requirements when determining its investment decisions in cyber attacks. By assuming that security requirements are endogenous, we demonstrate that under targeted attacks and mass attacks both firms would like to regulate rigorous security requirements when their degree of competition becomes fierce but would like to choose loose security requirements when the degree of competition remains mild.


Targeted attacks Mass attacks Information security Security requirements 



The authors thank the editor and anonymous referees for their feedback of valuable comments and helpful suggestions that helped substantially improve the quality and the presentation of this manuscript. This study was supported by the Fundamental Research Support Funds from Southeast University (no. 2242015S20002) and the Fundamental Research Funds for the Central Universities (no. 2242014K10019).


  1. Anderson, R. (2001). Why information security is hard: an economic perspective. In: Proceedings of the seventeenth computer security applications conference, (pp. 358–365). IEEE Computer Society Press.Google Scholar
  2. Anderson, R. (2002). Security in open versus closed systems-the dance of Boltzmann. Coase and Moore: Technical report Cambridge University England.Google Scholar
  3. Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610–613.CrossRefGoogle Scholar
  4. Arora, A., Nandkumar, A., & Telang, R. (2006). Does information security attack frequency increase with vulnerability disclosure?—An empirical analysis. Information Systems Frontiers, 8(5), 350–362.CrossRefGoogle Scholar
  5. Bandyopadhyay, T., Jacob, V., & Raghunathan, S. (2010). Information security in networked supply chains: Impact of network vulnerability and supply chain integration on incentives to invest. Information Technology and Management, 11(1), 7–23.CrossRefGoogle Scholar
  6. Bandyopadhyay, T., Liu, D., Mookerjee, V. S., & Wilhite, A. W. (2014). Dynamic competition in IT security: A differential games approach. Information Systems Frontiers, 16(4), 643–661.Google Scholar
  7. Cavusoglu, H., & Raghunathan, S. (2004). Configuration of detection software: A comparison of decision and game theory approaches. Decision Analysis, 1(3), 131–148.CrossRefGoogle Scholar
  8. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems (IDSs) in information technology security. Information Systems Research, 16(1), 28–46.CrossRefGoogle Scholar
  9. Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2), 281–304.CrossRefGoogle Scholar
  10. Cavusoglu, H., & Raghunathan, S. (2009). Configuration of and interaction between information security technologies: The case of firewalls and intrusion detection systems. Information Systems Research, 20(2), 198–217.CrossRefGoogle Scholar
  11. Cremonini, M., & Nizovtsev, D. (2009). Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26(3), 241–274.CrossRefGoogle Scholar
  12. Gao, X., Zhong, W., & Mei, S. (2013a). Information security investment when hackers disseminate knowledge. Decision Analysis, 10(4), 352–368.CrossRefGoogle Scholar
  13. Gao, X., Zhong, W., & Mei, S. (2013b). A differential game approach to information security investment under hackers’ knowledge dissemination. Operations Research Letters, 41(5), 421–425.CrossRefGoogle Scholar
  14. Gao, X., Zhong, W., & Mei, S. (2014). A game-theoretic analysis of information sharing and security investment for complementary firms. Journal of the Operational Research Society, 65(11), 1682–1691.Google Scholar
  15. Gao, X., Zhong, W., & Mei, S. (2015). Security investment and information sharing under an alternative security breach probability function. Information Systems Frontiers, 17(2), 423–438.Google Scholar
  16. Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457.CrossRefGoogle Scholar
  17. Gordon, L. A., & Loeb, M. P. (2006). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335–337.CrossRefGoogle Scholar
  18. Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186–208.CrossRefGoogle Scholar
  19. Hausken, K. (2006b). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 8(5), 338–349.Google Scholar
  20. Hausken, K. (2007). Information sharing among firms and cyber attacks. Journal of Accounting and Public Policy, 26(6), 639–688.CrossRefGoogle Scholar
  21. Huang, C. D., Qing, H., & Ravi, B. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, 114(2), 793–804.CrossRefGoogle Scholar
  22. Huang, C. D., & Behara, R. S. (2013). Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics, 141(1), 255–268.CrossRefGoogle Scholar
  23. Hui, K. L., Hui, W., & Yue, W. T. (2012). Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems, 29(3), 117–155.CrossRefGoogle Scholar
  24. Liu, D., Ji, Y., & Mookerjee, V. (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems, 52(1), 95–107.CrossRefGoogle Scholar
  25. Png, I. P. L., & Wang, Q. H. (2009). Information security facilitating user precautions vis-a-vis enforcement against attackers. Journal of Management Information Systems, 26(2), 97–121.CrossRefGoogle Scholar
  26. Ransbotham, S., & Mitra, S. (2009). Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20(1), 121–139.CrossRefGoogle Scholar
  27. Tanaka, H., Matsuura, K., & Sudoh, O. (2005). Vulnerability and information security investment: An empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy, 24(1), 37–59.CrossRefGoogle Scholar
  28. Wu, D., Baron, O., & Berman, O. (2009). Bargaining in competing supply chains with uncertainty. European Journal of Operational Research, 197(2), 548–556.CrossRefGoogle Scholar
  29. Wu, D., & Olson, D. (2010a). Enterprise risk management: Coping with model risk in a large bank. Journal of the Operational Research Society, 61(2), 179–190.CrossRefGoogle Scholar
  30. Wu, D., & Olson, D. (2010b). Enterprise Risk Management: A DEA VaR approach in vendor selection. International Journal of Production Research, 48(16), 4919–4932.CrossRefGoogle Scholar
  31. Wu, D., & Olson, D. (2011). Introduction to special issue on “Enterprise risk management in operations”. International Journal of Production Economics, 134(1), 1–2.CrossRefGoogle Scholar
  32. Wu, D., Olson, D., & Birge, J. (2012). Operational research in risk management. Computers & Operations Research, 39(4), 751–752.CrossRefGoogle Scholar
  33. Wu, D. (2013a). Coordination of competing supply chains with news-vendor and buyback contract. International Journal of Production Economics, 144(1), 1–13.CrossRefGoogle Scholar
  34. Wu, D. (2013b). Bargaining in supply chain with price and promotional effort dependent demand. Mathematical and Computer Modelling, 58(9–10), 1659–1669.Google Scholar
  35. Wu, D., & Olson, D. (2013). Computational simulation and risk analysis: An introduction of state of the art research. Mathematical and Computer Modelling, 58(9), 1581–1587.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.School of Economics and ManagementSoutheast UniversityNanjingChina

Personalised recommendations