A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints
In this paper, we develop a supply chain network game theory model consisting of retailers and demand markets with retailers competing noncooperatively in order to maximize their expected profits by determining their optimal product transactions as well as cybersecurity investments subject to nonlinear budget constraints that include the cybersecurity investment cost functions. The consumers at the demand markets reflect their preferences through the demand price functions, which depend on the product demands and on the average level of cybersecurity in the supply chain network. We identify the supply chain network vulnerability to cyberattacks as well as that of the individual retailers. We demonstrate that the governing Nash equilibrium conditions can be formulated as a variational inequality problem and we provide a novel alternative formulation, along with the accompanying theory. We also propose an algorithm for the alternative formulation, which yields, at each iteration, closed form expressions in product transactions, security levels, and Lagrange multipliers associated with the budget constraints. We then apply the algorithm to compute solutions to a spectrum of numerical supply chain network cybersecurity investment examples. The examples broaden our understanding of the impacts of the addition of retailers, changes in budgets, demand price functions, and financial damages, on equilibrium product transactions and cybersecurity investments, as well as on the supply chain network vulnerability and retailer vulnerability under budget constraints.
Keywords: Cybersecurity; Investments; Game theory; Nash equilibrium; Information asymmetry; Variational inequalities; Supply chain network vulnerability
This research of the first author was supported by the National Science Foundation (NSF) Grant CISE #1111276, for the NeTS: Large: Collaborative Research: Network Innovation Through Choice project awarded to the University of Massachusetts Amherst as well as by the Advanced Cyber Security Center through the Grant: Cybersecurity Risk Analysis for Enterprise Security. This support is gratefully acknowledged. The authors thank the two anonymous reviewers for their careful reading of the original manuscript and many constructive comments, which have improved the presentation of the results.