Information security investment for competitive firms with hacker behavior and security requirements

  title={Information security investment for competitive firms with hacker behavior and security requirements},
  author={Xing Gao and Weijun Zhong},
  journal={Annals of Operations Research},
This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering strategic interactions between two competitive firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the… 
A game-theoretical model of firm security reactions responding to a strategic hacker in a competitive industry
It is found that firms in an overly dangerous industry should consider reforming their business mode to reduce the intrinsic vulnerability rather than investing heavily in security protection, and a social planner is introduced to regulate the security decisions of competitive firms.
Managing Security Outsourcing in the Presence of Strategic Hackers
It is found that the hacker will give up less valuable information assets, and thus not all information assets are worth protecting for the MSSP, and as a result of the trade-off between the integration effect of theMSSP and the effect of MSSP-side externality, firms are still willing to outsource their security operations to the MS SP even when an MSSP devotes fewer security efforts than those of firms that manage security in-house.
Competitive information security investment under hacker knowledge dissemination
  • Xing Gao
  • Computer Science, Economics
    Journal of Industrial and Management Optimization
  • 2022
Feedback Nash equilibrium solution of information security investment rates and the resulting firm profits are derived, showing that inconsistent with common sense, firm profits may increase with hackers' evaluation rates of information assets and decrease with the law enforcement rate.
Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach
The study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader and the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios.
Information security decisions for two firms in a market with different types of customers
Two contracts are proposed to help firms coordinate their information security strategies when they make individual decisions and find that the loyal customer rate has different impacts on firms’ profits in Nash equilibrium and optimal solution for both the unaggressive case and the aggressive case.
When Hackers Err: The Impacts of False Positives on Information Security Games
This paper presents the first comprehensive analytical model that incorporates the false positives from both the perspective of the attacker and that of the system defender, and shows how an attacker's misestimation of a certain parameter would affect the defender's strategy and how the heterogeneity of the systems impacts the Defender's strategy to manipulate the attacker's possible misestimated.
Investment strategy analysis of information systems with different security levels
An optimal investment strategy analysis through modeling the game between the firm and the attacker and a numerical simulation is given and the conclusions can help decision-making.
Cybersecurity Strategies to Protect Information Systems in Small Financial Institutions
The findings of this study indicate that leaders of financial institutions protect their information systems from cyber threats by effectively managing information security practices; developing robust cybersecurity policies; identifying, assessing, and mitigating cybersecurity risks; and implementing a holistic organizational strategy.
Disentangling the Concept of Information Security Properties - Enabling Effective Information Security Governance
This work eliminates prevailing inconsistencies in definitions of ISPs by synthesizing the available literature and extending the most common information security concept – i.e., the Confidentiality, Integrity & Availability (CIA) Triad – to disentangle the interrelations between various ISPs.


Dynamic competition in IT security: A differential games approach
This work derives the steady state equilibrium of the duopolistic differential game, shows how implicit competition induces overspending in IT defense, and demonstrates how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination.
Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment
It is shown that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker, except when the firm's estimate of the hacker effort in the decision theory approach is sufficiently close to the actual hacker effort.
Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers
Analysis of the attacker-defender interaction shows that well-protected targets can use signals of their superior level of protection as a deterrence tool, and may assist security researchers in devising better defense strategies through the use of deterrence.
Information Security Investment When Hackers Disseminate Knowledge
Dynamic interactions between a firm endeavoring to protect its information assets and a hacker seeking to misappropriate them are analyzed and it is numerically shown that in equilibrium, knowledge dissemination may not necessarily benefit the hacker and harm the firm.
The Economic Incentives for Sharing Security Information
It is found that security technology investments and security information sharing act as "strategic complements" in equilibrium and suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries.
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis
Using a novel data set, estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities are provided and suggest that on an average both secret and published vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities.
A differential game approach to information security investment under hackers' knowledge dissemination
Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability
  • K. Hausken
  • Computer Science
    Inf. Syst. Frontiers
  • 2006
This article presents classes of all four kinds of marginal return where the optimal investment is no longer capped at 1 / e, and presents an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets.