Kevin Li,John J. Liu,Jia Yan

DOI: https://doi.org/10.3233/rda-2011-0028

2010-01-01

Risk and Decision Analysis

Abstract:With empirical evidence from marine mutual insurance (MMI), an impulse feedback model is constructed to address how information sharing can help increase both the social welfare and the efficiency of operation of the MMI system. Focusing on information sharing, this paper considers the premium policy optimization of a pure (i.e., non-stock consideration) mutual insurance system with a homogeneous market of identical members. The authors' findings confirm that the principle of information sharing can be attained under equal-risk pooling, but not necessarily under unequal-risk pooling, and reveal that quantifiable differences exist in the valuation of information sharing under the two schemes of risk pooling. It indicates that the key to successful MMI is equal-risk pooling. Algorithms are developed to compute the value of information sharing by solving the HJB equations and quasi-variational inequalities. It determines that information sharing can achieve best social welfare as well as efficient operation of a P&I Club. The conclusion provides a scientific basis for both managerial strategy and competition regulation. The findings are also applicable to a wide range of reserve and inventory management problems.

Yan Li,Xinyu Wang,Yahui Wang

DOI: https://doi.org/10.1061/(ASCE)CO.1943-7862.0001249

2017-01-01

Journal of Construction Engineering and Management

Abstract:The global expansion of public-private partnerships (PPPs) has generated interest in risk allocation for PPP projects. Many previous researchers have shown that without proper risk allocation, PPP projects cannot be successful. Current research is limited to equilibrium allocation of risk. The objective of this study is to improve this situation by constructing an alternating offer bargaining game model of risk allocation between two players involved in PPP projects, i. e., the public and private sector. Risk allocation can be analyzed as a game to more fully reflect the bargaining process among the parties. Equilibrium risk allocation outcomes were analyzed for the two cases in which the bargaining process was initiated in the first round by the public or private sector, and shows that risk allocation ratio is associated with the sequence of alternating offer, discount factor, and asymmetric degree of information. The probability, severity, and impact of risk factors were considered to prioritize risk allocation. Demonstrating the proposed model using a PPP project case study validated the model as effective and practical. This study contributes to the theoretical foundation for understanding the process of bargaining risk allocation of participants and provides a practical model to aid the participants to achieve fair risk allocation rather than a crude approach with preferences and biases. It promotes participants' rational and cautious behavior. This work also proposes a new risk allocation tool based on bargaining game theory for PPP project researchers to analyze game behaviors in the construction field. (C) 2016 American Society of Civil Engineers.

Wendy Yu,Zachary A. Collier,Shital Thekdi

DOI: https://doi.org/10.1111/risa.14267

2024-01-23

Risk Analysis

Abstract:Recent history has shown both the benefits and risks of information sharing among firms. Information is shared to facilitate mutual business objectives. However, information sharing can also introduce security‐related concerns that could expose the firm to a breach of privacy, with significant economic, reputational, and safety implications. It is imperative for organizations to leverage available information to evaluate security related to information sharing when evaluating current and potential information‐sharing partnerships. The "fine print" or privacy policies of firms can provide a signal of security across a wide variety of firms being considered for new and continued information‐sharing partnerships. In this article, we develop a methodology to gauge and benchmark information security policies in the partner‐selection process that can help direct risk‐based investments in information sharing security. We develop a methodology to collect and interpret firm privacy policies, evaluate characteristics of those policies by leveraging natural language processing metrics and developing benchmarking metrics, and understand how those characteristics relate to one another in information‐sharing partnership situations. We demonstrate the methodology on 500 high‐revenue firms. The methodology and managerial insights will be of interest to risk managers, information security professionals, and individuals forming information sharing agreements across industries.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Dengpan Liu,Yonghua Ji,Vijay Mookerjee

DOI: https://doi.org/10.1016/j.dss.2011.05.007

IF: 6.969

2011-01-01

Decision Support Systems

Abstract:We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an ''arms race'' where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

Alexander Kogan,Cheng Yin

DOI: https://doi.org/10.2308/isys-2020-017

2021-01-01

Abstract:ABSTRACTThis paper explores the possibility of sharing contemporaneous firm-level information within an audit firm in a privacy-preserving manner. We develop a number of sharing schemes for utilizing contemporaneous accounting information from peer companies without violating clients' confidentiality and observe significant improvements in both estimation accuracy and error detection performance. To satisfy different levels of privacy protection, we propose different sharing schemes by utilizing auditors' self-generated expectations, and the results show that the benefits to auditors from only sharing self-generated estimation residuals (errors) are comparable to that from sharing predicted or actual accounting numbers. To satisfy stricter privacy concerns, we also propose a series of schemes based on sharing categorical information derived from prediction errors. Finally, we use Borda counts to analyze how the choice of the best model changes depending on the cost of errors within different experimental settings.

Parinaz Naghizadeh,Mingyan Liu

DOI: https://doi.org/10.48550/arXiv.1503.07377

2015-03-25

Abstract:In a system of interdependent users, the security of an entity is affected not only by that user's investment in security measures, but also by the positive externality of the security decisions of (some of) the other users. The provision of security in such system is therefore modeled as a public good provision problem, and is referred to as a security game. In this paper, we compare two well-known incentive mechanisms in this context for incentivizing optimal security investments among users, namely the Pivotal and the Externality mechanisms. The taxes in a Pivotal mechanism are designed to ensure users' voluntary participation, while those in an Externality mechanism are devised to maintain a balanced budget. We first show the more general result that, due to the non-excludable nature of security, no mechanism can incentivize the socially optimal investment profile, while at the same time ensuring voluntary participation and maintaining a balanced budget for all instances of security games. To further illustrate, we apply the Pivotal and Externality mechanisms to the special case of weighted total effort interdependence models, and identify some of the effects of varying interdependency between users on the budget deficit in the Pivotal mechanism, as well as on the participation incentives in the Externality mechanism.

Computer Science and Game Theory

Konstantinos Ntemos,George Pikramenos,Nicholas Kalouptsidis

DOI: https://doi.org/10.1109/tac.2021.3087652

IF: 6.549

2022-04-01

IEEE Transactions on Automatic Control

Abstract:In this article, we study the problem of information sharing among rational self-interested agents as a dynamic game of asymmetric information. We assume that the agents imperfectly observe a Markov chain, and they are called to decide whether they will share their noisy observations or not at each time instant. We utilize the notion of conditional mutual information to evaluate the information being shared among the agents. The challenges that arise due to the interdependence of agents' information structure and decision making are exhibited. For the finite horizon game, we prove that agents do not have incentive to share information. In contrast, we show that cooperation can be sustained in the infinite-horizon case by devising appropriate punishment strategies, which are defined over the agents' beliefs on the system state. We show that these strategies are closed under the best-response mapping and that cooperation can be the optimal choice in some subsets of the state belief simplex. We characterize these equilibrium regions, prove uniqueness of a maximal equilibrium region, and devise an algorithm for its approximate computation.

automation & control systems,engineering, electrical & electronic

Sakshyam Panda,Daniel W Woods,Aron Laszka,Andrew Fielder,Emmanouil Panaousis

DOI: https://doi.org/10.48550/arXiv.1908.04867

2019-08-14

Abstract:We introduce a game-theoretic model to investigate the strategic interaction between a cyber insurance policyholder whose premium depends on her self-reported security level and an insurer with the power to audit the security level upon receiving an indemnity claim. Audits can reveal fraudulent (or simply careless) policyholders not following reported security procedures, in which case the insurer can refuse to indemnify the policyholder. However, the insurer has to bear an audit cost even when the policyholders have followed the prescribed security procedures. As audits can be expensive, a key problem insurers face is to devise an auditing strategy to deter policyholders from misrepresenting their security levels to gain a premium discount. This decision-making problem was motivated by conducting interviews with underwriters and reviewing regulatory filings in the U.S.; we discovered that premiums are determined by security posture, yet this is often self-reported and insurers are concerned by whether security procedures are practised as reported by the policyholders. To address this problem, we model this interaction as a Bayesian game of incomplete information and devise optimal auditing strategies for the insurers considering the possibility that the policyholder may misrepresent her security level. To the best of our knowledge, this work is the first theoretical consideration of post-incident claims management in cyber security. Our model captures the trade-off between the incentive to exaggerate security posture during the application process and the possibility of punishment for non-compliance with reported security policies. Simulations demonstrate that common sense techniques are not as efficient at providing effective cyber insurance audit decisions as the ones computed using game theory.

Cryptography and Security

Elaine M. Sedenberg,James X. Dempsey

DOI: https://doi.org/10.48550/arXiv.1805.12266

2018-05-31

Abstract:In recent years the cybersecurity policy debate in Washington has been dominated by calls for greater information sharing within the private sector, and between the private sector and the federal government. The passage of the Cybersecurity Information Sharing Act (CISA) (signed into law under the Cybersecurity Act of 2015) underscored federal efforts to collect information from the private sector, and assuaged some concerns regarding private sector liability in sharing activities. However, the law lacked specificity on how continued federal efforts would work with existing information sharing networks, and failed to address other challenges associated with sharing including trust building, privacy and propriety interests, reciprocation, and quality control. This paper aims to bring granularity to implementations of information sharing initiatives by creating a taxonomy of the governance and policy models within each of these organizations. The research shows how this diverse ecosystem of sharing models work together and separately, and the impact governance and policy have on key components critical to sharing infrastructure.

Computers and Society,Cryptography and Security

Weili Han,Chenguang Shen,Yuliang Yin,Yun Gu,Chen Chen

DOI: https://doi.org/10.1145/2046707.2093492

2011-01-01

Abstract:Risk and benefit are two implicit key factors to determine accesses in secure information sharing. Recent researches have shown that they can be explicitly quantified and used to improve the flexibility in information systems. This paper introduces the motivation and a technical design of Quantified riSk and Benefit adaptive Access Control (QSBAC) to strengthen the security of information sharing. The paper also introduces the key issues to design policies in QSBAC.

Mingzheng Wang,Changyan Shao

DOI: https://doi.org/10.1016/j.eswa.2011.09.001

IF: 8.5

2012-01-01

Expert Systems with Applications

Abstract:In this paper, we study how the firm share the special knowledge of two knowledge-complementarity clients by implementing a large and complex project which the firm out-sourced. Firstly, incentive mechanism for complementarity special knowledge sharing are designed for clients being risk-neutral and risk-averse respectively under the asymmetric information. Further, knowledge complementary effects and other relevant factors on the optimal incentive coefficient are analyzed. Lastly, the numerical results are reported.

Yoon Lee,Anil Aswani

DOI: https://doi.org/10.48550/arXiv.2204.06549

2022-04-13

Computer Science and Game Theory

Abstract:Though the sharing of medical data has the potential to lead to breakthroughs in health care, the sharing process itself exposes patients and health care providers to various risks. Patients face risks due to the possible loss in privacy or livelihood that can occur when medical data is stolen or used in non-permitted ways, whereas health care providers face risks due to the associated liability. For medical data, these risks persist even after anonymizing/deidentifying, according to the standards defined in existing legislation, the data sets prior to sharing, because shared medical data can often be deanonymized/reidentified using advanced artificial intelligence and machine learning methodologies. As a result, health care providers are hesitant to share medical data. One possible solution to encourage health care providers to responsibly share data is through the use of cybersecurity insurance contracts. This paper studies the problem of designing optimal cybersecurity insurance contracts, with the goal of encouraging the sharing of the medical data. We use a principal-agent model with moral hazard to model various scenarios, derive the optimal contract, discuss its implications, and perform numerical case studies. In particular, we consider two scenarios: the first scenario is where a health care provider is selling medical data to a technology firm who is developing an artificial intelligence algorithm using the shared data. The second scenario is where a group of health care providers share health data amongst themselves for the purpose of furthering medical research using the aggregated medical data.

Sanjith Gopalakrishnan,Sriram Sankaranarayanan

DOI: https://doi.org/10.48550/arXiv.2201.04308

2023-05-08

Abstract:Firms in inter-organizational networks such as supply chains or strategic alliances are exposed to interdependent risks. These are risks that are transferable across partner firms. They can be decomposed into intrinsic risks a firm faces from its own operations and extrinsic risks transferred from its partners. Firms broadly have access to two security strategies: either they can independently eliminate both intrinsic and extrinsic risks by securing their links with partners, or alternatively, firms can cooperate with partners to eliminate sources of intrinsic risk in the network. We develop a graph-theoretic model of interdependent security and demonstrate that the network-optimal security strategy can be computed in polynomial time. Then, we use cooperative game-theoretic tools to examine whether and when firms can sustain the network-optimal security strategy via cost-sharing mechanisms that are stable, fair, computable, and implementable via a series of bilateral cost-sharing arrangements. We consider different informational assumptions in the network and show that, when the players know only their own costs, firms have a clear incentive to cooperate globally whereas, in the presence of public information, there may not exist cost-sharing mechanisms that can sustain network-wide cooperation. We then design a novel cost-sharing mechanism: the agreeable allocation, that is easy to compute, bilaterally implementable, ensures stability, and is fair in a well-defined sense. However, the agreeable allocation need not always exist. We then generalize levels of agreeable allocation, with weaker implementability properties but greater existence guarantees.

Computer Science and Game Theory,Optimization and Control

Ningning Ding,Zhixuan Fang,Jianwei Huang

DOI: https://doi.org/10.48550/arXiv.2308.16320

2023-08-30

Computer Science and Game Theory

Abstract:Sharing systems have facilitated the redistribution of underused resources by providing convenient online marketplaces for individual sellers and buyers. However, sellers in these systems may not fully disclose the information of their shared commodities, due to strategic behaviors or privacy concerns. Sellers' strategic information disclosure significantly affects buyers' user experiences and systems' reputation. This paper presents the first analytical study on information disclosure and pricing of competing sellers in sharing systems. In particular, we propose a two-stage game framework to capture sellers' strategic behaviors and buyers' decisions. Although the optimization problem is challenging due to sellers' non-convex and non-monotonic objectives, we completely characterize the complex market equilibria by decomposing it into several tractable subproblems. We demonstrate that full disclosure by all sellers or non-disclosure by all sellers will both lead to intense price competition. The former all-disclosure case is never an equilibrium even when all sellers have good commodity qualities and low privacy costs, while the latter non-disclosure case can be an equilibrium under which all sellers get zero profit. We also reveal several critical factors that affect sellers' information disclosure. Interestingly, sellers' sharing capacity limitation and buyers' estimation biases encourage information disclosure as they mitigate sellers' competition.

Alireza Shojaifar,Samuel A. Fricker

DOI: https://doi.org/10.48550/arXiv.2007.06308

2020-07-13

Computers and Society

Abstract:Small and medium-sized enterprises are considered an essential part of the EU economy, however, highly vulnerable to cyberattacks. SMEs have specific characteristics which separate them from large companies and influence their adoption of good cybersecurity practices. To mitigate the SMEs' cybersecurity adoption issues and raise their awareness of cyber threats, we have designed a self-paced security assessment and capability improvement method, CYSEC. CYSEC is a security awareness and training method that utilises self-reporting questionnaires to collect companies' information about cybersecurity awareness, practices, and vulnerabilities to generate automated recommendations for counselling. However, confidentiality concerns about cybersecurity information have an impact on companies' willingness to share their information. Security information sharing decreases the risk of incidents and increases users' self-efficacy in security awareness programs. This paper presents the results of semi-structured interviews with seven chief information security officers of SMEs to evaluate the impact of online consent communication on motivation for information sharing. The results were analysed in respect of the Self Determination Theory. The findings demonstrate that online consent with multiple options for indicating a suitable level of agreement improved motivation for information sharing. This allows many SMEs to participate in security information sharing activities and supports security experts to have a better overview of common vulnerabilities. The final publication is available at Springer via https://doi.org/10.1007/978-3-030-57404-8_22

Junyu Zhang,Yao Zhang,Yaoxin Ge,Dengji Zhao,Hu Fu,Zhihao Gavin Tang,Pinyan Lu

2024-10-24

Abstract:In cooperative games, we study how values created or costs incurred by a coalition are shared among the members within it, and the players may join the coalition in a online manner such as investors invest a startup. Recently, Ge et al. [10] proposed a new property called incentives for early arrival (I4EA) in such games, which says that the online allocation of values or costs should incentivize agents to join early in order to prevent mutual strategic waiting. Ideally, the allocation should also be fair, so that agents arriving in an order uniformly at random should expect to get/pay their Shapley values. Ge et al. [10] showed that not all monotone value functions admit such mechanisms in online value sharing games. In this work, we show a sharp contrast in online cost sharing games. We construct a mechanism with all the properties mentioned above, for every monotone cost function. To achieve this, we first solve 0-1 valued cost sharing games with a novel mechanism called Shapley-fair shuffle cost sharing mechanism (SFS-CS), and then extend SFS-CS to a family called generalized Shapley-fair shuffle cost sharing mechanisms (GSFS-CS). The critical technique we invented here is a mapping from one arrival order to another order so that we can directly apply marginal cost allocation on the shuffled orders to satisfy the properties. Finally, we solve general valued cost functions, by decomposing them into 0-1 valued functions in an online fashion.

Computer Science and Game Theory

Morrakot Raweewan,William G. Ferrell

DOI: https://doi.org/10.1016/j.cie.2018.09.042

2018-12-01

Abstract:There are well-documented examples of successful, mutually beneficial collaborations in supply chains; however, the failure rate of collaborations that are initiated is surprisingly high. This research focuses on one cornerstone of a successful collaboration, information sharing. The idea is to help companies who are considering a collaborative opportunity to evaluate the value of the information that would be shared so efforts are only expended on potential collaborations that have an acceptable reward for the risk. This proposed methodology is an optimality-based approach that uses game theory and considers information sharing in both the competition-cooperation and coopetition environments. Value is first assigned to information along several dimensions that allows payoff matrices to be constructed. Using these, Nash equilibrium and Pareto optimality are used to provide insights for decision makers.

computer science, interdisciplinary applications,engineering, industrial

Xiao Fu,Shuxuan Niu,Guanghua Han

DOI: https://doi.org/10.1002/mde.4442

2024-12-04

Managerial and Decision Economics

Abstract:Due to swift shifts in market demand and variable production capacities within the chip industry, trust risks between upstream and downstream entities can readily develop, leading to challenges in information sharing. To tackle this challenge, this paper develops a two‐level evolutionary game model between vehicle manufacturers and chip suppliers. It examines the effects of government rewards and penalties, trust risks, and spillover benefits from information sharing on the strategic decisions of both parties. Furthermore, the paper investigates system evolution strategies under three distinct government policies: forced, fair, and favored. The findings show that as trust risks escalate, both entities in the supply chain tend to withhold information due to concerns over losing their unique competitive advantages. However, enhancing spillover benefits through information sharing positively impacts the mitigation of trust risks. Numerical simulations demonstrate that while a government‐forced policy with increased penalties may boost information sharing in the short term, it proves less effective over the long term. Conversely, preferred rewards and subsidies under equitable policies can significantly boost one party's readiness to share information, thus enhancing cooperation between the two parties. The paper also offers countermeasures and recommendations. For instance, it suggests that upstream and downstream enterprises should not only foster mutual trust but also vigilantly track government policy directions to develop effective information‐sharing strategies. Furthermore, government industrial policies should fully consider the actual market conditions to alleviate trust risks between upstream and downstream entities and promote information sharing among enterprises.

economics,management