Annals of Operations Research

, Volume 248, Issue 1–2, pp 405–427 | Cite as

A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints

Original Paper


In this paper, we develop a supply chain network game theory model consisting of retailers and demand markets with retailers competing noncooperatively in order to maximize their expected profits by determining their optimal product transactions as well as cybersecurity investments subject to nonlinear budget constraints that include the cybersecurity investment cost functions. The consumers at the demand markets reflect their preferences through the demand price functions, which depend on the product demands and on the average level of cybersecurity in the supply chain network. We identify the supply chain network vulnerability to cyberattacks as well as that of the individual retailers. We demonstrate that the governing Nash equilibrium conditions can be formulated as a variational inequality problem and we provide a novel alternative formulation, along with the accompanying theory. We also propose an algorithm for the alternative formulation, which yields, at each iteration, closed form expressions in product transactions, security levels, and Lagrange multipliers associated with the budget constraints. We then apply the algorithm to compute solutions to a spectrum of numerical supply chain network cybersecurity investment examples. The examples broaden our understanding of the impacts of the addition of retailers, changes in budgets, demand price functions, and financial damages, on equilibrium product transactions and cybersecurity investments, as well as on the supply chain network vulnerability and retailer vulnerability under budget constraints.


Cybersecurity Investments Game theory Nash equilibrium Information asymmetry Variational inequalities  Supply chain network vulnerability 



This research of the first author was supported by the National Science Foundation (NSF) Grant CISE #1111276, for the NeTS: Large: Collaborative Research: Network Innovation Through Choice project awarded to the University of Massachusetts Amherst as well as by the Advanced Cyber Security Center through the Grant: Cybersecurity Risk Analysis for Enterprise Security. This support is gratefully acknowledged. The authors thank the two anonymous reviewers for their careful reading of the original manuscript and many constructive comments, which have improved the presentation of the results.


  1. Akerlof, G. A. (1970). The market for ’lemons’: Quality uncertainty and the market mechanism. Quarterly Journal of Economics, 84(3), 488–500.CrossRefGoogle Scholar
  2. Caruthers, R. (2014). JPMorgan will double cybersecurity spending but many other companies may cut costs. Fierce Financial IT, October 14.Google Scholar
  3. CBS News. (2014). Why SPSSlashDollar250 million didn’t protect JP Morgan from hackers. Retrieved from:
  4. Center for Strategic and International Studies. (2014). Net losses: Estimating the global cost of cybercrime. California: Santa Clara.Google Scholar
  5. Cournot, A. A. (1838). Researches into the mathematical principles of the theory of wealth, English translation. London: MacMillan.Google Scholar
  6. Daniele, P. (2006). Dynamic networks and evolutionary variational inequalities. Cheltenham: Edward Elgar Publishing.Google Scholar
  7. Daras, N. J., & Rassias, M. T. (Eds.). (2015). Computation, cryptography, and network security. Cham: Springer.Google Scholar
  8. Dupuis, P., & Nagurney, A. (1993). Dynamical systems and variational inequalities. Annals of Operations Research, 44, 9–42.CrossRefGoogle Scholar
  9. EY. (2013). Under cyber attack: EYs global information security report. Retrieved from:$FILE/EY-GISS-Under-cyber-attack.pdf
  10. Gabay, D., & Moulin, H. (1980). On the uniqueness and stability of Nash equilibria in noncooperatiive games. In A. Bensoussan, P. Kleindorfer, & C. S. Tapiero (Eds.), Applied stochastic control in econometrics and management science (pp. 271–294). Amsterdam: North-Holland.Google Scholar
  11. Glazer, E. (2015). J.P. Morgan to accelerate timeline for cybersecurity spending boost. The Wall Street Journal, August 3. Retrieved from:
  12. IT Security (2015). Sony spends SPSSlashDollar15 million on security industry views. Retrieved from:
  13. Kinderleher, D., & Stampacchia, G. (1980). Variational inequalities and their applications. New York: Academic Press.Google Scholar
  14. Kirk, J. (2014). Target contractor says it was victim of cyberattack. PC World, February 6. Retrieved from:
  15. Koshal, J., Nedic, A., & Shanbhag, U. V. (2011). Multiuser optimization, distributed algorithms and error analysis. SIAM Journal on Optimization, 21(3), 1046–1081.CrossRefGoogle Scholar
  16. Lewis, D. (2014). Sony Pictures data breach and the PR Nightmare. Forbes, December 16.Google Scholar
  17. Manshei, M. H., Zhu, Q., Alpcan, T., Basar, T., & Hubaux, J.-P. (2013). Game theory meets networks security and privacy. ACM Computing Surveys, 45(3), 25:1–25:39.Google Scholar
  18. Nagurney, A. (1999). Network economics: A variational inequality approach, second and (revised ed.). Boston, MA: Kluwer.CrossRefGoogle Scholar
  19. Nagurney, A. (2006). Supply chain network economics: Dynamics of prices, flows, and profits. Cheltenham: Edward Elgar.Google Scholar
  20. Nagurney, A. (2015). A multiproduct network economic model of cybercrime in financial services. Service Science, 7(1), 70–81.CrossRefGoogle Scholar
  21. Nagurney, A., Nagurney, L. S., & Shukla, S. (2015). A supply chain game theory framework for cybersecurity investments under network vulnerability. In N. Daras & M Th Rassias (Eds.), Computation, cryptography, and network security (pp. 381–398). Cham: Springer.CrossRefGoogle Scholar
  22. Nagurney, A., & Zhang, D. (1996). Projected dynamical systems and variational inequalities with applications. Boston, MA: Kluwer.CrossRefGoogle Scholar
  23. Nash, J. F. (1950). Equilibrium points in n-person games. Proceedings of the National Academy of Sciences, USA, 36, 48–49.CrossRefGoogle Scholar
  24. Nash, J. F. (1951). Noncooperative games. Annals of Mathematics, 54, 286–298.CrossRefGoogle Scholar
  25. PricewaterhouseCoopers. (2014a). Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015, September 30.Google Scholar
  26. PricewaterhouseCoopers. (2014b). US cybercrime: Rising risks, reduced readiness Key findings from the 2014 US state of cybercrime survey. Retrieved from:
  27. Purnell, N. (2015). Cyberdefense spending rises amin high profile hacks. The Wall Street Journal, April 8, 2015.Google Scholar
  28. Rue, R., Pfleeger, S.L., & Ortiz, D. (2007). A framework for classifying and comparing models of cyber security investment to support policy and decision-making. In Proceedings of the sixth workshop on the economics of information security (WEIS 2007), Pittsburgh, Pennsylvania, June 7–8.Google Scholar
  29. Shetty, N. G. (2010). Design of network architectures: Role of game theory and economics. PhD dissertation, Technical Report No. UCB/EECS-2010-91, Electrical Engineering and Computer Sciences, University of California at Berkeley, June 4.Google Scholar
  30. Shetty, N., Schwartz, G., Felegehazy, M., & Walrand, J. (2009). Competitive cyber-insurance and Internet security. In Proceedings of the eighth workshop on the economics of information security (WEIS 2009), University College London, England, June 24–25.Google Scholar
  31. Toyasaki, F., Daniele, P., & Wakolbinger, T. (2014). A variational inequality formulation of equilibrium models for end-of-life products with nonlinear constraints. European Journal of Operational Research, 236, 340–350.CrossRefGoogle Scholar
  32. Yakowicz, W. (2014). Be prepared to up your cybersecurity budget. Inc, February 26.Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Anna Nagurney
    • 1
  • Patrizia Daniele
    • 2
  • Shivani Shukla
    • 1
  1. 1.Isenberg School of ManagementUniversity of MassachusettsAmherstUSA
  2. 2.Department of Mathematics and Computer ScienceUniversity of CataniaCataniaItaly

Personalised recommendations