Information Systems Frontiers, Volume 16, Issue 4, pp 643–661

Dynamic competition in IT security: A differential games approach

  • Tridib Bandyopadhyay
  • Dengpan Liu
  • Vijay S. Mookerjee
  • Allen W. Wilhite


Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.


Keywords: IT security, Dynamic games, Competing defense, Cyber defense, Investment in IT security



Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Tridib Bandyopadhyay, Kennesaw State University, Kennesaw, USA
  • Dengpan Liu, Iowa State University, Ames, USA
  • Vijay S. Mookerjee, The University of Texas at Dallas, Richardson, USA
  • Allen W. Wilhite, University of Alabama at Huntsville, Huntsville, USA
