Journal of the Operational Research Society

, Volume 65, Issue 11, pp 1682–1691 | Cite as

A game-theoretic analysis of information sharing and security investment for complementary firms

  • Xing Gao
  • Weijun Zhong
  • Shue Mei
General Paper

Abstract

This paper investigates information sharing and security investments by two firms provided that their information assets are complementary in the sense that their combined information assets are of significant value, whereas the information asset of a single firm is no value to an attacker. In particular, assuming that each firm chooses its security investment and information sharing individually, we obtain some insights about the optimal choices for the firms and the attacker, which form sharp comparisons with those derived from common (substitutive) firms. We further analyse the effect of a social planner on social total costs by assuming that it can control security investments, information sharing and both of them respectively. We demonstrate that an increase in intervention by the social planner may not necessarily be preferable.

Keywords

complementary firm contest success function security investment information sharing interdependence leakage cost 

Notes

Acknowledgements

We would like to thank anonymous referees for constructive comments and suggestions that helped substantially improve the presentation of this manuscript. Financial supports from the National Natural Science Foundation of China (71071033) and the National Pillar Program of China (2012BAH29F01) are gratefully acknowledged.

References

  1. Cavusoglu H, Raghunathan S and Yue WT (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems 25 (2): 281–304.CrossRefGoogle Scholar
  2. Cremonini M and Nizovtsev D (2009). Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems 26 (3): 241–274.CrossRefGoogle Scholar
  3. Fudenberg D and Tirole J (1993). Game Theory. MIT Press: Cambridge.Google Scholar
  4. Gal-Or E and Ghose A (2005). The economic incentives for sharing security information. Information Systems Research 16 (2): 186–208.CrossRefGoogle Scholar
  5. Gao X, Zhong W and Mei S (2013a). Stochastic evolutionary game dynamics and their selection mechanisms. Computational Economics 41 (2): 233–247.CrossRefGoogle Scholar
  6. Gao X, Zhong W and Mei S (2013b). Security investment and information sharing under an alternative security breach probability function. Information Systems Frontiers, advance online publication 23 February, doi:10.1007/s10796-013-9411-3.Google Scholar
  7. Gordon LA, Loeb MP and Lucyshyn W (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22 (6): 461–485.CrossRefGoogle Scholar
  8. Hausken K (2006). Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy 25 (6): 629–665.CrossRefGoogle Scholar
  9. Hausken K (2007). Information sharing among firms and cyber attacks. Journal of Accounting and Public Policy 26 (6): 639–688.CrossRefGoogle Scholar
  10. Hausken K (2008). Whether to attack a terrorist’s resource stock today or tomorrow. Games and Economic Behavior 64 (2): 548–564.CrossRefGoogle Scholar
  11. Hausken K and Bier VM (2011). Defending against multiple different attackers. European Journal of Operational Research 211 (2): 370–384.CrossRefGoogle Scholar
  12. Hausken K and Zhuang J (2011). Defending against a stockpiling terrorist. The Engineering Economist 56 (4): 321–353.Google Scholar
  13. Huang D and Behara RS (2013). Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics 141 (1): 255–268.CrossRefGoogle Scholar
  14. Levitin G and Hausken K (2010). Defence and attack of systems with variable attacker system structure detection probability. Journal of the Operational Research Society 61 (1): 124–133.CrossRefGoogle Scholar
  15. Liu D, Ji Y and Mookerjee V (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems 52 (1): 95–107.CrossRefGoogle Scholar
  16. Png I and Wang QH (2009). Information security: Facilitating user precautions vis-à-vis enforcement against attackers. Journal of Management Information Systems 26 (2): 97–121.CrossRefGoogle Scholar
  17. Ransbotham S and Mitra S (2009). Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research 20 (1): 121–139.CrossRefGoogle Scholar
  18. Skaperdas S (1996). Contest success functions. Economic Theory 7 (2): 283–290.CrossRefGoogle Scholar
  19. Zhuang J, Bier VM and Gupta A (2007). Subsidies in interdependent security with heterogeneous discount rates. The Engineering Economist 52 (1): 1–19.CrossRefGoogle Scholar

Copyright information

© Operational Research Society Ltd. 2013

Authors and Affiliations

  • Xing Gao
    • 1
  • Weijun Zhong
    • 1
  • Shue Mei
    • 1
  1. 1.Southeast UniversityJiangsuChina

Personalised recommendations