Information security investment for competitive firms with hacker behavior and security requirements

Authors: Xing Gao and Weijun Zhong
Journal: Annals of Operations Research
This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering strategic interactions between two competitive firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the…
Comparison of information security decisions under different security and business environments
It is demonstrated that a firm's security decisions under a competitive environment differ significantly from those under an integrated environment, and social planners are recommended to enhance or attenuate the controlling level of the two security decisions based on realistic security and business environments.
Managing Security Outsourcing in the Presence of Strategic Hackers
It is found that the hacker will give up less valuable information assets, and thus not all information assets are worth protecting for the MSSP; as a result of the trade-off between the integration effect of the MSSP and the effect of MSSP-side externality, firms are still willing to outsource their security operations to the MSSP even when an MSSP devotes fewer security efforts than those of firms that manage security in-house.
Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach
Purpose: This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal…
Effect of security investment strategy on the business value of managed security service providers
It is indicated that investing in prevention has a stronger effect on the business value of an MSSP than investing in detection and response, and that security investments on opportunistic attacks are more efficient than those on targeted attacks.
Information security decisions for two firms in a market with different types of customers
Two contracts are proposed to help firms coordinate their information security strategies when they make individual decisions, and it is found that the loyal customer rate has different impacts on firms' profits in the Nash equilibrium and in the optimal solution, for both the unaggressive case and the aggressive case.
When Hackers Err: The Impacts of False Positives on Information Security Games
This paper presents the first comprehensive analytical model that incorporates false positives from both the perspective of the attacker and that of the system defender, and shows how an attacker's misestimation of a certain parameter would affect the defender's strategy and how the heterogeneity of the systems impacts the defender's strategy to manipulate the attacker's possible misestimation.
Investment strategy analysis of information systems with different security levels
An optimal investment strategy is derived by modeling the game between the firm and the attacker; a numerical simulation is given, and the conclusions can support decision-making.
Cybersecurity Strategies to Protect Information Systems in Small Financial Institutions
By Johnny Rawass (MMI, University of Phoenix, 2007; BBA, Lebanese University, 1992; BBA, Lebanese University, 1990)…
Disentangling the Concept of Information Security Properties - Enabling Effective Information Security Governance
This work eliminates prevailing inconsistencies in definitions of ISPs by synthesizing the available literature and extending the most common information security concept, the Confidentiality, Integrity and Availability (CIA) triad, to disentangle the interrelations between various ISPs.
A comprehensive model of information security factors for decision-makers
A comprehensive model of relevant management success factors (MSF) for organizational information security shows that there are key security indicators which directly impact the security status of an organization, while other indicators are only indirectly connected.


Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints
In this study we develop an analytic model for information security investment allocation of a fixed budget. Our model considers concurrent heterogeneous attacks with distinct characteristics and…
Security investment and information sharing under an alternative security breach probability function
This paper investigates how to determine security investment and information sharing for two firms by employing an alternative well-accepted security breach probability function, and demonstrates that more intervention from the social planner would give rise to higher social welfare.
Dynamic competition in IT security: A differential games approach
This work derives the steady-state equilibrium of the duopolistic differential game, shows how implicit competition induces overspending in IT defense, and demonstrates how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination.
Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment
It is shown that the sequential game results in the maximum payoff to the firm, but requires that the firm move first before the hacker, except when the firm's estimate of the hacker effort in the decision-theory approach is sufficiently close to the actual hacker effort.
Risks and Benefits of Signaling Information System Characteristics to Strategic Attackers
Analysis of the attacker-defender interaction shows that well-protected targets can use signals of their superior level of protection as a deterrence tool, which may assist security researchers in devising better defense strategies through the use of deterrence.
Information Security Investment When Hackers Disseminate Knowledge
Dynamic interactions between a firm endeavoring to protect its information assets and a hacker seeking to misappropriate them are analyzed, and it is numerically shown that in equilibrium, knowledge dissemination may not necessarily benefit the hacker and harm the firm.
The Economic Incentives for Sharing Security Information
It is found that security technology investments and security information sharing act as "strategic complements" in equilibrium, suggesting that information sharing is more valuable when product substitutability is higher and implying that such sharing alliances yield greater benefits in more competitive industries.
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis
Using a novel data set, estimates of attack propensity and how it changes with disclosure and patching of vulnerabilities are provided, and they suggest that, on average, both secret and published vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities.
An economic analysis of the optimal information security investment in the case of a risk-averse firm
Abstract: This paper presents an analysis of information security investment from the perspective of a risk-averse decision maker following common economic principles. Using the expected utility…
A differential game approach to information security investment under hackers' knowledge dissemination
Abstract: We investigate how firms invest in information security under Cournot and Bertrand competition, constructing a differential game where over time hackers become knowledgeable by disseminating…