Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ICICIC.2008.319

2008-01-01

Abstract:The purpose of this paper is to analyze the strategy to promote the information security investment based on game theory. We use game theory to make the analysis and put forward the fruitful strategy suggestions for the defender organization to invest in information security. We set up the information security game model, and make the Nash Equilibrium analysis. The Nash Equilibrium analysis results of pure strategy and mixed strategy are consistent. By Nash Equilibrium analysis, we get the cost demand for information security investment. If this demand condition is not satisfied, we introduce the penalty parameter to the investment game. By regulating the value of the penalty parameter, we solve the hard problem of information security investment when it is difficult to reduce the investment cost. It is the first time to analyze information security investment by game theory. Our results provide fruitful strategy suggestions to promote information security investment.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.147

2008-01-01

Abstract:The purpose of this paper is to resolve information security problem in the mobile electronic commerce industry chain. We analyze information security based on evolutionary game theory. In this paper, we set up the information security game model with penalty parameter, calculate replicator dynamics, and analyze the evolutionary stable strategy of the game model. The result reveals that reducing the investment cost is the key factor to promote information security investment. If this condition can not be satisfied, the regulation of penalty parameter will help to promote the investment. The research method in this paper provides a new thought for the solution of information security in the mobile electronic commerce chain.

孙薇,孔祥维,何德全,尤新刚

DOI: https://doi.org/10.3969/j.issn.1007-3221.2008.05.015

2008-01-01

Abstract:Based on Game theory,this paper analyzes the equilibrium of information security investment,and provides a new method to solve the investment quantity of information security.It sets up the information security investment game model of the organizations according to the strategy interdependence,and the relation parameter in the model reflects the game relationship of two organizations,so the equilibrium analysis is made based on reaction function method according to the deferent value of relation parameter.In particular,for the attacker-defender game relationship,it brings forward a proposition of information security investment and makes simulation analysis.The research result not only explains the information security investment in the world,but also provides a good direction of the information security investment quantity for organizations.

Dengpan Liu,Yonghua Ji,Vijay M. Mookerjee

2005-01-01

Abstract:We analyze information security investment decisions by two firms that possess imperfectly substitutable information assets. Information assets are imperfectly substitutable if information at each firm is valuable and becomes more valuable when combined. When compared to optimal investment decisions made by a central planner, we find diametrically opposite results in the case where these decisions are made independently: substitutable assets lead to an “arms race” in which both firms over-invest whereas complementary assets lead to under-provision of “public goods” in which both firms under-invest. We also find that firms with highly substitutable information assets may not necessarily increase the amount of security investment in a centralized investment environment as the intensity of the deflected cross traffic increases.

Wei Sun,Xiangwei Kong,Dequan He,Xingang You

DOI: https://doi.org/10.1109/ISECS.2008.149

2008-01-01

Abstract:This paper analyzes information security in the E-commerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

Xiaofei Qian,Xinbao Liu,Jun Pei,Panos M. Pardalos,Lin Liu

DOI: https://doi.org/10.1057/s41274-016-0134-y

IF: 3.6

2017-10-01

Journal of the Operational Research Society

Abstract:The application of Internet of Things promotes the cooperation among firms, and it also introduces some information security issues. Due to the vulnerability of the communication network, firms need to invest in information security technologies to protect their confidential information. In this paper, considering the multiple-step propagation of a security breach in a fully connected network, an information security investment game among n firms is investigated. We make meticulous theoretic and experimental analyses on both the Nash equilibrium solution and the optimal solution. The results show that a larger network size (n) or a larger one-step propagation probability (q) has a negative effect on the Nash equilibrium investment. The optimal investment does not necessarily increase in n or q, and its variation trend depends on the concrete conditions. A compensation mechanism is proposed to encourage firms to coordinate their strategies and invest a higher amount equal to the optimal investment when they make decisions individually. At last, our model is extended by considering another direct breach probability function and another network structure, respectively. We find that a higher connection density of the network will result in a greater expected cost for each firm.

management,operations research & management science

Dengpan Liu,Yonghua Ji,Vijay Mookerjee

DOI: https://doi.org/10.1016/j.dss.2011.05.007

IF: 6.969

2011-01-01

Decision Support Systems

Abstract:We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an ''arms race'' where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Xiaotong Li

DOI: https://doi.org/10.1080/09537325.2020.1841158

2020-11-18

Technology Analysis and Strategic Management

Abstract:<span>With the development of information technology and the deepening of enterprise informatization, there are new challenges of enterprise information security investment decisions because of cooperative relationships among multi-enterprises. In this paper, the Gordon-Loeb model is extended to the multi-enterprise game environment, and combined with the probability of hacker invasion, which can stimulate enterprises to increase investment in information security and reduce costs, the game model of information security investment among complementary enterprises is constructed. Through this model, the impact of factors on optimal investment can be analyzed. It is found that the information security level of enterprises in cooperation situation is higher than that in the non-cooperation situation. Our research shows that the optimal investment will increase with the increase of the probability of one spread in cooperative situations, which is contrary to the changing trend of enterprises in non-cooperation situations, and there is a minimum expected cost threshold. According to the results, enterprise compensation mechanism and information sharing mechanism are designed to ensure the optimal level of social information security, it provides a new solution to deal with the information security investment decision of complementary enterprises under the characteristics of multi-enterprise and non-cooperative.</span>

management

Bin Hu,Ming Hu,Yi Yang

DOI: https://doi.org/10.1287/msom.2016.0598

2017-01-01

Abstract:Competing technologies in emerging industries create uncertainties that discourage supplier investments. Open technology can induce supplier investments, but may also lead to intensified future competition. In this paper, we study competing manufacturers’ open-technology strategies. We show that despite the risk of intensifying future competition, open technologies by competing manufacturers may constitute an equilibrium and can indeed induce supplier investments. In addition, we identify a technology-risk-pooling benefit; namely, by opening technologies, competing manufacturers can induce supplier investments in both technologies and later adopt the one preferred by the market. However, manufacturers may also exhibit the prisoner’s dilemma and close their technologies despite the risk-pooling benefit. In this case, there is potential for collaborative technology sharing through cross licensing. Finally, we show that manufacturers may sometimes close their technologies to force supplier investments.

Guang Zhu,Hu Liu,Mining Feng

DOI: https://doi.org/10.3390/math6100177

IF: 2.4

2018-01-01

Mathematics

Abstract:With the rapid development of information technologies, security violations in online social networks (OSN) have emerged as a critical issue. Traditional technical and organizational approaches do not consider economic factors, which are increasingly important to sustain information security investment. In this paper, we develop an evolutionary game model to study the sustainability of information security investment in OSN, and propose a quantitative approach to analyze and optimize security investment. Additionally, we examine a contract with an incentive mechanism to eliminate free riding, which helps sustain the security investment. Numerical examples are provided for illustration and simulation purposes, leading to several countermeasures and suggestions. Our analytical results show that the optimal strategy of information security investment not only is correlated with profit growth coefficients and investment costs, but is also influenced significantly by the profits from free riding. If the profit growth coefficients are prohibitively small, both OSN service providers and online platforms will not choose to sustain investment based on small profits. As profit growth coefficients increase, there is a higher probability that game players will invest. Another major finding is that the (Invest, Invest) profile is much less sensitive to the change of profit growth coefficients and the convergent speed of this scenario is faster than the other profiles. The government agency can use the proposed model to determine a proper incentive or penalty to help both parties reach the optimal strategies and thus improve OSN security.

Christina Y. Jeong,Sang-Yong Tom Lee,Jee-Hae Lim

DOI: https://doi.org/10.1016/j.im.2018.11.003

2019-07-01

Abstract:In current business climate, a firm’s information systems security is no longer independent from the industry’s broader security environment. A question arises, then, whether stock market values reflect the interdependence of security breaches and investments. In this paper, we used the event study methodology to investigate how a firm’s security breaches and IT security investments influence its competitors. We collected and reviewed 118 information security breaches and 98 IT security investment announcements from 2010 to 2017. We found substantial evidence supporting our hypothesis that information security breaches do, indeed, have a competition effect: when one firm is breached, its competitors have opportunities to absorb market power. For the IT security investment announcements, however, we observed the positive externalities, or contagion effect, in play: market investors feel that the security investments made by one firm increase the security level of the entire network, and hence, competitors also get benefits. Additionally, we found that the competition effect was higher when the breaches occurred after the preceding security investments than when there were no preceding investments before the breaches.

information science & library science,management,computer science, information systems

Ranjan Pal,Pan Hui

DOI: https://doi.org/10.48550/arXiv.1104.0594

2011-04-04

Cryptography and Security

Abstract:Modern distributed communication networks like the Internet and censorship-resistant networks (also a part of the Internet) are characterized by nodes (users) interconnected with one another via communication links. In this regard, the security of individual nodes depend not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term 'effort', we imply the amount of investments made by a user in security mechanisms like antivirus softwares, firewalls, etc., to improve its security. However, often due to the large magnitude of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, the Internet users are selfish and are not willing to co-operate with other users on sharing effort information. In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both, the partial information that a network node possess about its underlying neighborhood connectivity structure, as well as the presence of positive externalities arising from efforts exerted by neighboring nodes. We investigate the equilibrium behavior of nodes and show 1) the existence of symmetric Bayesian Nash equilibria of efforts and 2) better connected nodes choose lower efforts to exert but earn higher utilities with respect to security improvement irrespective of the nature of node degree correlations amongst the neighboring nodes. Our results provide ways for Internet users to appropriately invest in security mechanisms under realistic environments of information uncertainty.

Libin Jiang,Venkat Anantharam,Jean Walrand

DOI: https://doi.org/10.1109/TNET.2010.2071397

2011-04-01

IEEE/ACM Transactions on Networking

Abstract:We study a network security game where strategic players choose their investments in security. Since a player's investment can reduce the propagation of computer viruses, a key feature of the game is the positive externality exerted by the investment. With selfish players, unfortunately, the overall network security can be far from optimum. The contributions of this paper are as follows. 1) We first characterize the price of anarchy (POA) in the strategic-form game under an "Effective-investment" model and a "Bad-traffic" model, and give insight on how the POA depends on individual players' cost functions and their mutual influence. We also introduce the concept of "weighted POA" to bound the region of payoff vectors. 2) In a repeated game, players have more incentive to cooperate for their long term interests. We consider the socially best outcome that can be supported by the repeated game, as compared to the social optimum. 3) Next, we compare the benefits of improving security technology and improving incentives, and show that improving technology alone may not offset the price of anarchy. 4) Finally, we characterize the performance of correlated equilibrium (CE). Although the paper focuses on network security, many results are generally applicable to games with positive externalities.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Bram de Witte,Paolo Frasca,Bastiaan Overvest,Judith Timmer

DOI: https://doi.org/10.48550/arXiv.1906.09486

2019-06-23

Abstract:A digital security breach, by which confidential information is leaked, does not only affect the agent whose system is infiltrated, but is also detrimental to other agents socially connected to the infiltrated system. Although it has been argued that these externalities create incentives to under-invest in security, this presumption is challenged by the possibility of strategic adversaries that attack the least protected agents. In this paper we study a new model of security games in which agents share tokens of sensitive information in a network of contacts. The agents have the opportunity to invest in security to protect against an attack that can be either strategically or randomly targeted. We show that, in the presence of random attack, under-investments always prevail at the Nash equilibrium in comparison with the social optimum. Instead, when the attack is strategic, either under-investments or over-investments are possible, depending on the network topology and on the characteristics of the process of the spreading of information. Actually, agents invest more in security than socially optimal when dependencies among agents are low (which can happen because the information network is sparsely connected or because the probability that information tokens are shared is small). These over-investments pass on to under-investments when information sharing is more likely (and therefore, when the risk brought by the attack is higher).

Social and Information Networks,Computer Science and Game Theory

Tridib Bandyopadhyay,Dengpan Liu,Vijay S. Mookerjee,Allen W. Wilhite

DOI: https://doi.org/10.1007/s10796-012-9373-x

2012-01-01

Information Systems Frontiers

Abstract:Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

Yong Wu,Mengyao Xu,Dong Cheng,Tao Dai

DOI: https://doi.org/10.1287/deca.2021.0442

2022-03-23

Decision Analysis

Abstract:Information resources have been shared to promote the business operations of firms. However, the connection of business information sharing interfaces between firms has increased the attack surface and created opportunities for the hacker. We examine the benefits and risks of business information sharing for firms who exert security efforts against a strategic hacker that launches attacks subjectively. We show that two kinds of security efforts, security investment and security knowledge sharing, act as strategic substitutes when the business-sharing degree is low and act as strategic complements otherwise. Besides, the strategic hacker is not always aggressive, who will give up launching attack activities when the business-sharing degree is relatively low. Moreover, as a specific characteristic in the security domain, the risk interdependency first enhances and then suppresses both firms’ security investments and the hacker’s attack effort, which causes a free-riding problem for two firms. Then, two coordination mechanisms, an investment-based mechanism and liability-based mechanism, are proposed to help firms coordinate their strategies to reach socially optimal security levels. Last, we extend the main model to three cases to make our model more general. This paper provides the first evidence to assess the security risks exacerbated by business information sharing while considering a strategic hacker. Some management insights to managers for making security decisions are provided.

management

Wilson Li,Alvin Leung,Wei Yue,,,

DOI: https://doi.org/10.25300/misq/2022/15713

IF: 7.3

2023-03-01

MIS Quarterly

Abstract:Data breaches can severely damage a firm’s reputation and its customers’ confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches moderated by threat and countermeasure security awareness using an eight-year panel of 311 U.S.-listed firms to provide empirical evidence that threat awareness broadens firms’ scope for addressing data-breach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone. Our results suggest that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that are the cause of data breaches.

information science & library science,management,computer science, information systems

Wei Xing,Xudong Zhao,Tamer Baar,Weiguo Xia,Tamer Basar

DOI: https://doi.org/10.1109/tac.2021.3116093

IF: 6.549

2021-01-01

IEEE Transactions on Automatic Control

Abstract:This article considers remote state estimation in cyber-physical systems (CPSs) with multiple sensors. Each plant is modeled by a discrete-time stochastic linear system with measurements of each sensor transmitted to the corresponding remote estimator over a shared communication network when their securities are interdependent due to network-induced risks. A dynamic nonzero-sum game with asymmetric information is formulated in which each sensor subject to a resource budget constraint needs to decide whether to invest in security for sending data packets, taking the behaviors of other sensors into account. To overcome the difficulty in characterizing or computing the Nash equilibria (NE), the game with asymmetric information is transformed into another game with symmetric information such that the equilibrium of the original game can be obtained by solving the equilibrium of the new game. Under certain conditions, we devise a backward induction algorithm to obtain a subclass of NE of the original game, known as common information-based Markov perfect equilibria (CIBMPE). Finally, a numerical example is provided to illustrate the results obtained.

automation & control systems,engineering, electrical & electronic

Qing Li,Yan Li,Tianlongyi Yuan,Dawei Chen

DOI: https://doi.org/10.1007/s10726-023-09839-9

IF: 2.928

2023-06-28

Group Decision and Negotiation

Abstract:The network information security regulation of information and communication technology (ICT) product supply chain is an important issue for governments globally. The whole life cycle of ICT supply chain is a complex process, comprising the design and development stage, outsourcing integration stage and service operation and maintenance stage. Each of these stages may be maliciously attacked, leading to network information security crisis. Therefore, a tripartite evolutionary game model comprising ICT product suppliers, demand customers (such as system integrators, operation and maintenance suppliers and service providers) and government regulatory authorities was constructed from the perspective of security threats and government regulation in the supply chain of ICT products based on bound rationality. The effects of each element on the tripartite strategy selection were evaluated by determining the evolutionary stability of upstream and downstream supply chains. The evolution path was simulated using Matlab2016a software and external variables were included for simulation analysis. The results showed that: (1) the costs of design development and production of high-quality ICT products directly affect the strategy choice of the producers, and determine the stable strategy time of the demanding customers, implying that excessive R&D costs negatively affect healthy development of the supply chain; (2) increase in incentives by the government within a reasonable range promotes the development of products with high security performance and ensures standardization of the implementation standards of information security acceptance of products by customers. However, the increase in incentives leads to a decrease in government supervision; (3) the initial probability of selection of product manufacturers plays an important role in the convergence rate of demand customers. The participating enterprises and government's operational decision were explored using the tripartite evolutionary game of the ICT product supply chain to formulate recommendations to enhance the construction of information security.

management,social sciences, interdisciplinary