Xing Gao,Manting Qiu,Ying Wang,Xifan Wang

DOI: https://doi.org/10.1080/01605682.2022.2096506

IF: 3.6

2022-08-04

Journal of the Operational Research Society

Abstract:Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms' information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker's learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.

management,operations research & management science

Justin Z. ZhangLakshmi GoelSteven Williamsona Department of Management,Coggin College of Business,University of North Florida,Jacksonville,FL,USAb School of Business Administration,Al Akhawayn University,Ifrane,Morocco

DOI: https://doi.org/10.1080/17517575.2024.2310844

2024-02-01

Enterprise Information Systems

Abstract:This research employs an analytical modelling approach, complemented by empirical analysis, to delve into enterprise cybersecurity information sharing strategies. Utilising a thorough cost-based analysis, we scrutinise the cybersecurity costs and security levels within enterprises, leading to the identification of three core cybersecurity strategies – risk acceptance, risk balance, and risk reduction. Additionally, we delineate four distinct information-sharing strategies: selective, balanced, extensive, and futile sharing. Supported by empirical evidence gathered from a cybersecurity forum, this investigation not only enriches scholarly discussions but also provides valuable insights. Its academic significance is accentuated by offering nuanced guidance for practitioners, facilitating the implementation of effective cybersecurity information-sharing practices.

computer science, information systems

Dengpan Liu,Yonghua Ji,Vijay Mookerjee

DOI: https://doi.org/10.1016/j.dss.2011.05.007

IF: 6.969

2011-01-01

Decision Support Systems

Abstract:We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an ''arms race'' where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Zhi-tao Du,Xin-zhou Xie

DOI: https://doi.org/10.1109/isme.2010.254

2010-01-01

Abstract:Information sharing is the base of enhancing management performance of supply chain, though it makes enterprise facing all kinds of risks, such as cost increasing, relation entangled and disclosing the secrets etc.. This article indicated that information sharing is limited in supply chain, and the investment on its establishment is boundary based on a game model. The author also indicated that enterprises must control the information sharing from the following aspects, such as the extent, content and range etc.. Only do this, can enterprises obtain the maximum benefits from information sharing. In the light of the thoughts, the authors then constructed an integrated frame of information sharing. In this frame, enterprises must consider about the needs of strategic development and economic cost restraint comprehensively to ensure the extent, content and range of information sharing, and then realize the information sharing from technical level. So that the establishment of information sharing becomes a coordinated planning and orderly interact system engineering from the levels of strategy, tactics and technology.

Bram de Witte,Paolo Frasca,Bastiaan Overvest,Judith Timmer

DOI: https://doi.org/10.48550/arXiv.1906.09486

2019-06-23

Abstract:A digital security breach, by which confidential information is leaked, does not only affect the agent whose system is infiltrated, but is also detrimental to other agents socially connected to the infiltrated system. Although it has been argued that these externalities create incentives to under-invest in security, this presumption is challenged by the possibility of strategic adversaries that attack the least protected agents. In this paper we study a new model of security games in which agents share tokens of sensitive information in a network of contacts. The agents have the opportunity to invest in security to protect against an attack that can be either strategically or randomly targeted. We show that, in the presence of random attack, under-investments always prevail at the Nash equilibrium in comparison with the social optimum. Instead, when the attack is strategic, either under-investments or over-investments are possible, depending on the network topology and on the characteristics of the process of the spreading of information. Actually, agents invest more in security than socially optimal when dependencies among agents are low (which can happen because the information network is sparsely connected or because the probability that information tokens are shared is small). These over-investments pass on to under-investments when information sharing is more likely (and therefore, when the risk brought by the attack is higher).

Social and Information Networks,Computer Science and Game Theory

Xiao Fu,Shuxuan Niu,Guanghua Han

DOI: https://doi.org/10.1002/mde.4442

2024-12-04

Managerial and Decision Economics

Abstract:Due to swift shifts in market demand and variable production capacities within the chip industry, trust risks between upstream and downstream entities can readily develop, leading to challenges in information sharing. To tackle this challenge, this paper develops a two‐level evolutionary game model between vehicle manufacturers and chip suppliers. It examines the effects of government rewards and penalties, trust risks, and spillover benefits from information sharing on the strategic decisions of both parties. Furthermore, the paper investigates system evolution strategies under three distinct government policies: forced, fair, and favored. The findings show that as trust risks escalate, both entities in the supply chain tend to withhold information due to concerns over losing their unique competitive advantages. However, enhancing spillover benefits through information sharing positively impacts the mitigation of trust risks. Numerical simulations demonstrate that while a government‐forced policy with increased penalties may boost information sharing in the short term, it proves less effective over the long term. Conversely, preferred rewards and subsidies under equitable policies can significantly boost one party's readiness to share information, thus enhancing cooperation between the two parties. The paper also offers countermeasures and recommendations. For instance, it suggests that upstream and downstream enterprises should not only foster mutual trust but also vigilantly track government policy directions to develop effective information‐sharing strategies. Furthermore, government industrial policies should fully consider the actual market conditions to alleviate trust risks between upstream and downstream entities and promote information sharing among enterprises.

economics,management

Sanjith Gopalakrishnan,Sriram Sankaranarayanan

DOI: https://doi.org/10.48550/arXiv.2201.04308

2023-05-08

Abstract:Firms in inter-organizational networks such as supply chains or strategic alliances are exposed to interdependent risks. These are risks that are transferable across partner firms. They can be decomposed into intrinsic risks a firm faces from its own operations and extrinsic risks transferred from its partners. Firms broadly have access to two security strategies: either they can independently eliminate both intrinsic and extrinsic risks by securing their links with partners, or alternatively, firms can cooperate with partners to eliminate sources of intrinsic risk in the network. We develop a graph-theoretic model of interdependent security and demonstrate that the network-optimal security strategy can be computed in polynomial time. Then, we use cooperative game-theoretic tools to examine whether and when firms can sustain the network-optimal security strategy via cost-sharing mechanisms that are stable, fair, computable, and implementable via a series of bilateral cost-sharing arrangements. We consider different informational assumptions in the network and show that, when the players know only their own costs, firms have a clear incentive to cooperate globally whereas, in the presence of public information, there may not exist cost-sharing mechanisms that can sustain network-wide cooperation. We then design a novel cost-sharing mechanism: the agreeable allocation, that is easy to compute, bilaterally implementable, ensures stability, and is fair in a well-defined sense. However, the agreeable allocation need not always exist. We then generalize levels of agreeable allocation, with weaker implementability properties but greater existence guarantees.

Computer Science and Game Theory,Optimization and Control

Wai Peng Wong,Hwee Chin Tan,Kim Hua Tan,Ming-Lang Tseng

DOI: https://doi.org/10.1108/imds-12-2018-0546

2019-07-08

Abstract:Purpose The purpose of this paper is to explore the human factors triggering information leakage and investigate how companies mitigate insider threat for information sharing integrity. Design/methodology/approach The methodology employed is multiple case studies approach with in-depth interviews with five multinational enterprises (MNEs)/multinational corporations (MNCs). Findings The findings reveal that information leakage can be approached with human governance mechanism such as organizational ethical climate and information security culture. Besides, higher frequency of leakages negatively affects information sharing integrity. Moreover, this paper also contributes to a research framework which could be a guide to overcome information leakage issue in information sharing. Research limitations/implications The current study involved MNCs/MNEs operating in Malaysia, while companies in other countries may have different ethical climate and information sharing culture. Thus, for future research, it will be good to replicate the study in a larger geographic region to verify the findings and insights of this research. Practical implications This research contributes to the industry and business that are striving toward solving the mounting problem of information leakage by raising awareness of human factors and to take appropriate mitigating governance strategies to pre-empt information leakage. This paper also contributes to a novel theoretical model that characterizes the iniquities of humans in sharing information, and suggests measures which could be a guide to avert disruptive leakages. Originality/value This paper is likely an unprecedented research in molding human governance in the domain of information sharing and its Achilles’ heel which is information leakage.

computer science, interdisciplinary applications,engineering, industrial

Junsong Bian,Xiaolei Guo,Kin Keung Lai,Zhongsheng Hua

DOI: https://doi.org/10.1016/j.ijpe.2014.07.016

IF: 11.251

2014-01-01

International Journal of Production Economics

Abstract:Conventional wisdom suggests that information sharing benefits at least one of the participants. However, we find that information sharing can be strategically detrimental to both members in a vertical-Nash supply chain. Comparative statics show that each supply chain member׳s beneficial areas are smaller when its information source becomes more variable and larger as its signal is less accurate. Furthermore, the Pareto-inferior areas in which both supply chain members get worse are non-monotonic in exogenous parameters.

Wendy Yu,Zachary A. Collier,Shital Thekdi

DOI: https://doi.org/10.1111/risa.14267

2024-01-23

Risk Analysis

Abstract:Recent history has shown both the benefits and risks of information sharing among firms. Information is shared to facilitate mutual business objectives. However, information sharing can also introduce security‐related concerns that could expose the firm to a breach of privacy, with significant economic, reputational, and safety implications. It is imperative for organizations to leverage available information to evaluate security related to information sharing when evaluating current and potential information‐sharing partnerships. The "fine print" or privacy policies of firms can provide a signal of security across a wide variety of firms being considered for new and continued information‐sharing partnerships. In this article, we develop a methodology to gauge and benchmark information security policies in the partner‐selection process that can help direct risk‐based investments in information sharing security. We develop a methodology to collect and interpret firm privacy policies, evaluate characteristics of those policies by leveraging natural language processing metrics and developing benchmarking metrics, and understand how those characteristics relate to one another in information‐sharing partnership situations. We demonstrate the methodology on 500 high‐revenue firms. The methodology and managerial insights will be of interest to risk managers, information security professionals, and individuals forming information sharing agreements across industries.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Dengpan Liu,Yonghua Ji,Vijay M. Mookerjee

2005-01-01

Abstract:We analyze information security investment decisions by two firms that possess imperfectly substitutable information assets. Information assets are imperfectly substitutable if information at each firm is valuable and becomes more valuable when combined. When compared to optimal investment decisions made by a central planner, we find diametrically opposite results in the case where these decisions are made independently: substitutable assets lead to an “arms race” in which both firms over-invest whereas complementary assets lead to under-provision of “public goods” in which both firms under-invest. We also find that firms with highly substitutable information assets may not necessarily increase the amount of security investment in a centralized investment environment as the intensity of the deflected cross traffic increases.

Wei T. Yue,Metin Cakanyildirim,Young U. Ryu,Dengpan Liu

DOI: https://doi.org/10.1016/j.dss.2006.08.009

IF: 6.969

2007-01-01

Decision Support Systems

Abstract:This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur.

Waqar Ahmed,Muhammad Arif Khan,Arsalan Najmi,Sharfuddin Ahmed Khan

DOI: https://doi.org/10.1080/16258312.2022.2162321

2023-01-06

Supply Chain Forum: An International Journal

Abstract:Organisations are often reluctant and sometimes postpone sharing risk-related information with their partners. This paper aims to develop and analyse the risk-sharing model to explain the factors contributing to the timely and accurate sharing of risk-related information within the supply chain network. The data are collected from 199 supply chain experts working in different manufacturing companies through a structured questionnaire and then analysed using structural equation modelling. The result of this study reflects that strategic supply chain relationship (SCR) has a significant impact on risk information sharing (RIS) and external information integration (EII) while having an insignificant impact on internal information integration (III). On the other hand, supply chain technology internalisation (SCT) significantly impacts EII, III and risk-sharing mechanism (RSM). This study is one of the few empirical studies conducted to understand the antecedents of risk-sharing mechanisms in any supply chain network to enhance visibility and increase financial performance using the relational and integrational approaches.

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Tridib Bandyopadhyay,Dengpan Liu,Vijay S. Mookerjee,Allen W. Wilhite

DOI: https://doi.org/10.1007/s10796-012-9373-x

2012-01-01

Information Systems Frontiers

Abstract:Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

Xiaotong Li

DOI: https://doi.org/10.1080/09537325.2020.1841158

2020-11-18

Technology Analysis and Strategic Management

Abstract:<span>With the development of information technology and the deepening of enterprise informatization, there are new challenges of enterprise information security investment decisions because of cooperative relationships among multi-enterprises. In this paper, the Gordon-Loeb model is extended to the multi-enterprise game environment, and combined with the probability of hacker invasion, which can stimulate enterprises to increase investment in information security and reduce costs, the game model of information security investment among complementary enterprises is constructed. Through this model, the impact of factors on optimal investment can be analyzed. It is found that the information security level of enterprises in cooperation situation is higher than that in the non-cooperation situation. Our research shows that the optimal investment will increase with the increase of the probability of one spread in cooperative situations, which is contrary to the changing trend of enterprises in non-cooperation situations, and there is a minimum expected cost threshold. According to the results, enterprise compensation mechanism and information sharing mechanism are designed to ensure the optimal level of social information security, it provides a new solution to deal with the information security investment decision of complementary enterprises under the characteristics of multi-enterprise and non-cooperative.</span>

management

Quey-Jen Yeh,Arthur Jung-Ting Chang

DOI: https://doi.org/10.1016/j.im.2007.05.003

2007-07-01

Abstract:IS security threats have increased significantly in recent years. We identified the gaps between manager perceptions of IS security threats and the security countermeasures adopted by firms by collecting empirical data from 109 Taiwanese enterprises. Industry type and organizational use of IT were seen as the two factors that affected the motivation of firms to adopt security countermeasures, but their implementation did not necessarily affect the threat perceptions of the managers. Analyses of responses suggested that the scope of the countermeasures adopted were not commensurate with the severity of the perceived threats. Among the threats, networks were rated as contributing the most severe threat and yet had the lowest level of protection, this was followed by threats due to personnel and administrative issues. We therefore addressed threat mitigation strategies, specifically in terms of the differences between industries.

information science & library science,management,computer science, information systems

Xing Gao,Manting Qiu,Siyu Gong,Ying Wang,Yanfang Zhang

DOI: https://doi.org/10.1016/j.eswa.2023.120129

IF: 8.5

2023-04-19

Expert Systems with Applications

Abstract:While technology similarity in network security aggravates breach interdependence, it can improve the efficiency of security information sharing. This paper examines the effect of technology similarity on information security investment with mandatory standards through constructing a game-theoretic model with two firms whose information assets are complementary and substitutable respectively. We show that for strict mandatory standards, while technology similarity first decreases and then increases the cost functions of complementary firms, it always decreases the cost functions of substitutable firms. We find that security information sharing always decreases the cost functions of both complementary and substitutable firms and thus should be encouraged. We reveal that when mandatory standards become much stricter, the cost functions of complementary firms always increase but the cost functions of substitutable firms increase if and only if the substitution degree remains relatively high. Finally, we demonstrate that hacker learning, as a factor to intensify breach interdependence, benefits substitutable firms and harms complementary firms in the case of strict mandatory standards.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

He Li,Sungjin Yoo,William J. Kettinger

DOI: https://doi.org/10.1080/07421222.2021.1870390

IF: 7.582

2021-01-02

Journal of Management Information Systems

Abstract:<span>This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations' embeddedness in IT outsourcing networks weakens the impacts of these technologies investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.</span>

information science & library science,management,computer science, information systems