Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.149

2008-01-01

Abstract:This paper analyzes information security in the E-commerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ICICIC.2008.319

2008-01-01

Abstract:The purpose of this paper is to analyze the strategy to promote the information security investment based on game theory. We use game theory to make the analysis and put forward the fruitful strategy suggestions for the defender organization to invest in information security. We set up the information security game model, and make the Nash Equilibrium analysis. The Nash Equilibrium analysis results of pure strategy and mixed strategy are consistent. By Nash Equilibrium analysis, we get the cost demand for information security investment. If this demand condition is not satisfied, we introduce the penalty parameter to the investment game. By regulating the value of the penalty parameter, we solve the hard problem of information security investment when it is difficult to reduce the investment cost. It is the first time to analyze information security investment by game theory. Our results provide fruitful strategy suggestions to promote information security investment.

孙薇,孔祥维,何德全,尤新刚

DOI: https://doi.org/10.3969/j.issn.1007-3221.2008.05.015

2008-01-01

Abstract:Based on Game theory,this paper analyzes the equilibrium of information security investment,and provides a new method to solve the investment quantity of information security.It sets up the information security investment game model of the organizations according to the strategy interdependence,and the relation parameter in the model reflects the game relationship of two organizations,so the equilibrium analysis is made based on reaction function method according to the deferent value of relation parameter.In particular,for the attacker-defender game relationship,it brings forward a proposition of information security investment and makes simulation analysis.The research result not only explains the information security investment in the world,but also provides a good direction of the information security investment quantity for organizations.

Zheng Zuo,Yong Fang,Liang Liu,Fang,Xingrong Hu

DOI: https://doi.org/10.1109/iciea.2013.6566592

2013-01-01

Abstract:This paper analyzed the interdependence of information security issues, based on the expected benefit of cost and security loss of the interdependence of information security agents in a network, a model which simulates the information security cost analysis has been built. An information security cost game model is set up based on payoff matrix, the main strategy are divided into "investment security costs" and "do not input the security cost", which using Nash equilibrium and thus support the decision of the agents' security cost.

Rong Pan,Changxin Xu

DOI: https://doi.org/10.1109/MINES.2010.110

2010-01-01

Abstract:During the cyber security construction process, how to set proper security standard and investment quota in accordance with the important degree of its information is a universal problem of enterprises. We propose a dynamic Invest-Attack Model based on Information Asymmetry between the protectors and attackers of cyber security and make RD analysis to the proposed model with Evolutionary Game Theory. Finally, we analyze motivation of decision making of players of both sides from microcosmic perspective and put forward conclusion as well as policy suggestions.

Qing Li,Yan Li,Tianlongyi Yuan,Dawei Chen

DOI: https://doi.org/10.1007/s10726-023-09839-9

IF: 2.928

2023-06-28

Group Decision and Negotiation

Abstract:The network information security regulation of information and communication technology (ICT) product supply chain is an important issue for governments globally. The whole life cycle of ICT supply chain is a complex process, comprising the design and development stage, outsourcing integration stage and service operation and maintenance stage. Each of these stages may be maliciously attacked, leading to network information security crisis. Therefore, a tripartite evolutionary game model comprising ICT product suppliers, demand customers (such as system integrators, operation and maintenance suppliers and service providers) and government regulatory authorities was constructed from the perspective of security threats and government regulation in the supply chain of ICT products based on bound rationality. The effects of each element on the tripartite strategy selection were evaluated by determining the evolutionary stability of upstream and downstream supply chains. The evolution path was simulated using Matlab2016a software and external variables were included for simulation analysis. The results showed that: (1) the costs of design development and production of high-quality ICT products directly affect the strategy choice of the producers, and determine the stable strategy time of the demanding customers, implying that excessive R&D costs negatively affect healthy development of the supply chain; (2) increase in incentives by the government within a reasonable range promotes the development of products with high security performance and ensures standardization of the implementation standards of information security acceptance of products by customers. However, the increase in incentives leads to a decrease in government supervision; (3) the initial probability of selection of product manufacturers plays an important role in the convergence rate of demand customers. The participating enterprises and government's operational decision were explored using the tripartite evolutionary game of the ICT product supply chain to formulate recommendations to enhance the construction of information security.

management,social sciences, interdisciplinary

Guang Zhu,Hu Liu,Mining Feng

DOI: https://doi.org/10.3390/math6100177

IF: 2.4

2018-01-01

Mathematics

Abstract:With the rapid development of information technologies, security violations in online social networks (OSN) have emerged as a critical issue. Traditional technical and organizational approaches do not consider economic factors, which are increasingly important to sustain information security investment. In this paper, we develop an evolutionary game model to study the sustainability of information security investment in OSN, and propose a quantitative approach to analyze and optimize security investment. Additionally, we examine a contract with an incentive mechanism to eliminate free riding, which helps sustain the security investment. Numerical examples are provided for illustration and simulation purposes, leading to several countermeasures and suggestions. Our analytical results show that the optimal strategy of information security investment not only is correlated with profit growth coefficients and investment costs, but is also influenced significantly by the profits from free riding. If the profit growth coefficients are prohibitively small, both OSN service providers and online platforms will not choose to sustain investment based on small profits. As profit growth coefficients increase, there is a higher probability that game players will invest. Another major finding is that the (Invest, Invest) profile is much less sensitive to the change of profit growth coefficients and the convergent speed of this scenario is faster than the other profiles. The government agency can use the proposed model to determine a proper incentive or penalty to help both parties reach the optimal strategies and thus improve OSN security.

Qin Wang,Jianming Zhu

DOI: https://doi.org/10.1109/INFOMAN.2016.7477542

2016-01-01

Abstract:With the development of information security and the occurrence of endless security incidents, information security economics has become a new discipline and gained great attentions in academia. This paper analyzes the issue of optimal information security facing two classic types of attacks. With the consideration of business benefits bought by security investment, we identify the different characteristics compared to the previous studies, which can give meaningful inspirations to firms in reality. In addition, we innovatively use evolutionary game theory to study how firms choose the investment strategy in the long run. At last we give a conclusion and point out some fields for future researches.

Xiaofei Qian,Xinbao Liu,Jun Pei,Panos M. Pardalos,Lin Liu

DOI: https://doi.org/10.1057/s41274-016-0134-y

IF: 3.6

2017-10-01

Journal of the Operational Research Society

Abstract:The application of Internet of Things promotes the cooperation among firms, and it also introduces some information security issues. Due to the vulnerability of the communication network, firms need to invest in information security technologies to protect their confidential information. In this paper, considering the multiple-step propagation of a security breach in a fully connected network, an information security investment game among n firms is investigated. We make meticulous theoretic and experimental analyses on both the Nash equilibrium solution and the optimal solution. The results show that a larger network size (n) or a larger one-step propagation probability (q) has a negative effect on the Nash equilibrium investment. The optimal investment does not necessarily increase in n or q, and its variation trend depends on the concrete conditions. A compensation mechanism is proposed to encourage firms to coordinate their strategies and invest a higher amount equal to the optimal investment when they make decisions individually. At last, our model is extended by considering another direct breach probability function and another network structure, respectively. We find that a higher connection density of the network will result in a greater expected cost for each firm.

management,operations research & management science

Jun-jie L(U),Wan-hua QIU,Yuan-zhuo WANG

DOI: https://doi.org/10.3321/j.issn:1003-207X.2006.03.002

2006-01-01

Abstract:Based on the interdependence,which is an important characteristic of information security and the diversity of invasions,an investment game model is presented in this paper.The paper investigates the investment risk exerted by the contagion between firms in the network.With externality representing the risk,the relationship between investment risks and the interdependent extension and the amount of firms in the network is illustrated.By use of the model,the investment risk and decision are analyzed quantitatively and then several Nash equilibrium solutions are provided further.

Meng Xianghong,Wang Xiaoli

DOI: https://doi.org/10.4028/www.scientific.net/amm.446-447.1625

2013-01-01

Applied Mechanics and Materials

Abstract:The interactions between attackers and network administrator are modeled as a non-zero-sum dynamic game with incomplete information. Strategies taken by offenders and defenders are dynamic game processes which are mutually dependable and constantly repeated. This paper uses game theory to analyze the model and process of offense and defense counterwork, and suggests that information security problems can be studied from game theory's point of view.

Xiao-tong XU,Gao-cai WANG,Jin-tian HU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2020.01.020

2020-01-01

Abstract:With the increasing complexity of network information system,people attach great importance to network security and user privacy. It is especially important to find new technologies that can maintain network security,analyze and predict the form of network attack and defense. Because the characteristics of evolutionary game theory are similar to those of network attack and defense,this pa-per analyses the network environment,constructs the network attack and defense scenarios,and introduces incentive mechanism on the basis of punishment mechanism,and proposes an evolutionary game model of attack and defense based on incentive mechanism. By giving the different problem situations of the group,the replication dynamic equation is used to analyze the evolution of the strategy se-lection of the player. In addition,on the basis of the management of players in the third-party supervision department,the evolution law of attack groups in different attack time is analyzed,which proves that the attack is time-sensitive. The feasibility of the incentive mechanism is further proved by the impact of incentive mechanisms on the selection of defense group strategies and the introduction of defense investment returns. According to the experimental verification,the attack and defense evolutionary game model proposed in this paper can achieve the steady state and obtain the optimal defense strategy under different problem situations,thus effectively reducing the loss of the defender and curbing the attack behavior of the attacker.

Hengwei Zhang,Jihong Han,Jian Zhang,Jindong Wang

DOI: https://doi.org/10.1109/ihmsc.2013.18

2013-01-01

Abstract:To ensure the security of information systems, security risk have to be accurately evaluate first. Because security risk is influenced by attackers and defenders, it is necessary to consider the costs and benefits of both sides. However, the current evaluation methods mostly focus on one side. To solve the problem, in this paper we propose a security risk evaluation model Based on complete information static game (SRE-CSG). The SRE-CSG model represents the interaction and mutual influence of both sides' strategies in the confrontation. On the basis of the SRE-CSG model, we present an improved payoff calculation method. The method takes into account the cost parameters and benefit parameters, and therefore be able to more accurately calculate the payoff. By analyzing Nash equilibrium strategy of information security game, an algorithm is designed to evaluate security risk value. The risk value derived from the algorithm is Based on equilibrium strategy of attackers and defenders, so it is more comprehensive and accurate. The SRE-CSG model and the algorithm can provide theoretical support for the efficient information systems security protection. The example analysis proves the effectiveness of the model and algorithm.

Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

Yong Wu,Gengzhong Feng,Nengmin Wang,Huigang Liang

DOI: https://doi.org/10.1016/j.eswa.2015.03.033

IF: 8.5

2015-01-01

Expert Systems with Applications

Abstract:The level of firms' information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing target attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find-that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm's security level, but also reduce the total expected cost. We show that firms' optimal investments of liability always increase with the increasing number of firms, but the optimal investments on security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms' security environment. Future research directions are discussed based on the limitations and possible extensions of this study. (C) 2015 Elsevier Ltd. All rights reserved.

WANG Xiu-li,ZHU Jian-ming,LI Yang,JIA Heng-yue

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.10.021

2013-01-01

Abstract:How to value the information security technologies is an important research issue recently. Based on game theory the evaluation model for information security technologies including firew all and intrusion detection system is proposed,and mixed strategy Nash equilibria of stage game is analyzed. Furthermore,the model analysis by repeated multi-stage dynamic game is presented. The results show that the configuration of the information security technologies impact behavior of both attacker and defender directly. Discount factor is closely associated w ith invasion probability. It is important for defender's selection about defend strategy to forecast invasion probability accurately. Therefore,the defender should record,analyze and quantify the attack,target,quantity and type actively. Then the utility is improved by optimizing configuration for information security technologies effectively.

Xiaotong Li

DOI: https://doi.org/10.1080/09537325.2020.1841158

2020-11-18

Technology Analysis and Strategic Management

Abstract:<span>With the development of information technology and the deepening of enterprise informatization, there are new challenges of enterprise information security investment decisions because of cooperative relationships among multi-enterprises. In this paper, the Gordon-Loeb model is extended to the multi-enterprise game environment, and combined with the probability of hacker invasion, which can stimulate enterprises to increase investment in information security and reduce costs, the game model of information security investment among complementary enterprises is constructed. Through this model, the impact of factors on optimal investment can be analyzed. It is found that the information security level of enterprises in cooperation situation is higher than that in the non-cooperation situation. Our research shows that the optimal investment will increase with the increase of the probability of one spread in cooperative situations, which is contrary to the changing trend of enterprises in non-cooperation situations, and there is a minimum expected cost threshold. According to the results, enterprise compensation mechanism and information sharing mechanism are designed to ensure the optimal level of social information security, it provides a new solution to deal with the information security investment decision of complementary enterprises under the characteristics of multi-enterprise and non-cooperative.</span>

management

Zhen Wang,Chaofan Li,Xing Jin,Hong Ding,Guanghai Cui,Lanping Yu

DOI: https://doi.org/10.1016/j.amc.2021.126051

IF: 4.397

2021-01-01

Applied Mathematics and Computation

Abstract:With the development of information technology, the infrastructure between enterprises and the connections between businesses show complex network characteristics. The security investment made by an enterprise in a network has an impact on its neighbors, but also bears the impact of its neighbors' security investments. Such individual interaction problems are often modeled as interdependent security games (IDS). In this paper, we study IDS models under three different attack scenarios: the total effort, the weakest link and the best shot. We use evolutionary game theory to explore the dynamics of social payoffs and the average social investments of these three models under different network topologies. The results show that under the total effort model, individuals are more inclined to increase their investments, while under the weakest link and best shot models, individuals choose to minimize their investments due to selfishness. Finally, we study the cluster effect under different network structures and find the threshold at which it exists. (C) 2021 Elsevier Inc. All rights reserved.

Jing Hou,Li Sun,Tao Shu,Husheng Li

DOI: https://doi.org/10.1007/978-3-030-37231-6_7

2019-01-01

Abstract:Ample evidence has confirmed the importance of information in security. While much research on security game has assumed the attackers' limited observation capabilities to obtain target information, few work considers the possibility that the information can be acquired from a data broker, not to mention exploring the profit-seeking behaviors of such an information service in the shrouded underground society. This paper studies the role of information in security problem when the target information is sold by a data broker to multiple competitive attackers. We formulate a novel multi-stage game model to characterize both the cooperative and competitive interactions of the data broker and attackers. Specifically, the attacker competition with correlated purchasing and attacking decisions is modeled as a two-stage stochastic model; and the bargaining process between the data broker and the attackers is analyzed in a Stackelberg game. Both the attackers' competitive equilibrium solutions and data broker's optimal pricing strategy are obtained. Our results show that with information trading, the target suffers from larger risks even when the information price is too high to benefit the attackers; and the information accuracy is more valuable when the target value is higher. Furthermore, the competition may weaken the information value to the attackers but benefit the data broker. The study contributes to the literature by characterizing the co-opetitive behaviors of the attackers with labor specialization, providing quantitative measures of information value from an economic perspective, and thus promoting a better understanding of the profit-seeking underground community.

QIAO Li-xin,YUAN Ai-ling,FENG Ying-jun

DOI: https://doi.org/10.3969/j.issn.1001-148x.2005.24.045

2005-01-01

Abstract:The paper utilizes the game theory to analyze the strategies and actions about attack and defense between commercial banks hackers.It suggests that commercial banks should play a permant game with hackers to reduce their investment for protecting the system security.This strategy can make commercial banks build up a good reputation on network system security,which,in turn,accounts for social network security.