Information security investment for competitive firms with hacker behavior and security requirements
This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering the strategic interactions between two competing firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and obtains a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms' investment strategies in information security and show that security requirements can sometimes drastically alter the comparison of these investment strategies under the two types of cyber attack. When deciding how much to invest in cyber attacks, the hacker balances the firms' attractiveness in terms of information assets against their security requirements. Assuming that security requirements are endogenous, we demonstrate that, under both targeted attacks and mass attacks, the two firms prefer to set rigorous security requirements when the degree of competition between them becomes fierce, but prefer loose security requirements when it remains mild.
Keywords: Targeted attacks; Mass attacks; Information security; Security requirements
The authors thank the editor and the anonymous referees for their valuable comments and helpful suggestions, which substantially improved the quality and presentation of this manuscript. This study was supported by the Fundamental Research Support Funds from Southeast University (no. 2242015S20002) and the Fundamental Research Funds for the Central Universities (no. 2242014K10019).