Abstract
Data breaches represent a major source of worry (and economic loss) for customers and service providers. We introduce a data breach model that recognizes that breaches can take place on the customer's premises as well as on the service provider's side, while the customer bears the economic loss. In order to induce the service provider to invest in security, a regulatory policy that apportions the monetary loss between the customer and the service provider is introduced. A game-theoretic formulation is given for the strategic interaction between the customer and the service provider, where the former sets the amount of personal information it releases and the latter decides how much to invest in security. The game's outcome shows that shifting the burden of the monetary loss due to data breaches towards the service provider spurs its investment in security (though only up to moderate levels) and leads the customer to be more confident, but the apportionment must not be too unbalanced for a Nash equilibrium to exist. On the other hand, changes in the probability of data breach on either side do not significantly affect the service provider's behaviour, but have heavy consequences for the customer's confidence.
The support of the Euro-NF Network of Excellence is gratefully acknowledged by the third author. The paper reflects the personal opinion of the authors and cannot be regarded as an official position of the Garante on the subject.
Copyright information
© 2012 IFIP International Federation for Information Processing
Cite this paper
D’Acquisto, G., Flamini, M., Naldi, M. (2012). A Game-Theoretic Formulation of Security Investment Decisions under Ex-ante Regulation. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_34
DOI: https://doi.org/10.1007/978-3-642-30436-1_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1