
Cybersecurity investments in the supply chain: Coordination and a strategic attacker

Author

Listed:
  • Simon, Jay
  • Omar, Ayman

Abstract

Cybersecurity poses a difficult challenge to supply chains, as a firm may be affected by an attack on another firm in the supply chain. For example, a retailer’s consumer data might be compromised via an attack on a supplier. In general, individual nodes in a supply chain bear the entire cost of their own cybersecurity investments, but some of the benefits of the investments may be enjoyed by the other nodes as well. We analyze the differences between coordinated and uncoordinated cybersecurity investments, as well as the differences resulting from a strategic and a non-strategic attacker. We find that lack of coordination leads to underinvestment with a non-strategic attacker, but that this is somewhat counterbalanced by an attacker being strategic. Lack of coordination may lead to either underinvestment or overinvestment with a strategic attacker, depending on how large the indirect damages from attacks are relative to the direct damages; overinvestment is more likely if indirect damages are relatively minor. A numerical example is provided to illustrate the impacts of and relationships between coordinated investments and a strategic attacker.

Suggested Citation

  • Simon, Jay & Omar, Ayman, 2020. "Cybersecurity investments in the supply chain: Coordination and a strategic attacker," European Journal of Operational Research, Elsevier, vol. 282(1), pages 161-171.
  • Handle: RePEc:eee:ejores:v:282:y:2020:i:1:p:161-171
    DOI: 10.1016/j.ejor.2019.09.017

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S037722171930757X
    Download Restriction: Full text for ScienceDirect subscribers only


    References listed on IDEAS

    1. Xiaojun Shan & Jun Zhuang, 2013. "Cost of Equity in Homeland Security Resource Allocation in the Face of a Strategic Attacker," Risk Analysis, John Wiley & Sons, vol. 33(6), pages 1083-1099, June.
    2. Cárceles-Poveda, Eva & Tauman, Yair, 2011. "A strategic analysis of the war against transnational terrorism," Games and Economic Behavior, Elsevier, vol. 71(1), pages 49-65, January.
    3. Hausken, Kjell, 2008. "Whether to attack a terrorist's resource stock today or tomorrow," Games and Economic Behavior, Elsevier, vol. 64(2), pages 548-564, November.
    4. Vicki Bier & Santiago Oliveros & Larry Samuelson, 2007. "Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker," Journal of Public Economic Theory, Association for Public Economic Theory, vol. 9(4), pages 563-587, August.
    5. Vicki M. Bier & Naraphorn Haphuriwat & Jaime Menoyo & Rae Zimmerman & Alison M. Culpen, 2008. "Optimal Resource Allocation for Defense of Targets Based on Differing Measures of Attractiveness," Risk Analysis, John Wiley & Sons, vol. 28(3), pages 763-770, June.
    6. Zhang, Jing & Zhuang, Jun & Jose, Victor Richmond R., 2018. "The role of risk preferences in a multi-target defender-attacker resource allocation game," Reliability Engineering and System Safety, Elsevier, vol. 169(C), pages 95-104.
    7. Jun Zhuang & Vicki M. Bier, 2007. "Balancing Terrorism and Natural Disasters---Defensive Strategy with Endogenous Attacker Effort," Operations Research, INFORMS, vol. 55(5), pages 976-991, October.
    8. Chopra, Shauhrat S. & Khanna, Vikas, 2015. "Interconnectedness and interdependencies of critical infrastructures in the US economy: Implications for resilience," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 436(C), pages 865-877.
    9. Hausken, Kjell, 2017. "Defense and attack for interdependent systems," European Journal of Operational Research, Elsevier, vol. 256(2), pages 582-591.
    10. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    11. Vicki Bier & Hoa Han & Lorna Zack, 2008. "Models of Interdependent Security along the Milk Supply Chain," American Journal of Agricultural Economics, Agricultural and Applied Economics Association, vol. 90(5), pages 1265-1271.
    12. Nicky J. Welton & Howard H. Z. Thom, 2015. "Value of Information," Medical Decision Making, vol. 35(5), pages 564-566, July.
    13. Opher Baron & Oded Berman & Arieh Gavious, 2018. "A Game Between a Terrorist and a Passive Defender," Production and Operations Management, Production and Operations Management Society, vol. 27(3), pages 433-457, March.
    14. Kjell Hausken, 2019. "Defence and attack of complex interdependent systems," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 70(3), pages 364-376, March.
    15. Lee, Jongkuk & Palekar, Udatta S. & Qualls, William, 2011. "Supply chain efficiency and security: Coordination for collaborative investment in technology," European Journal of Operational Research, Elsevier, vol. 210(3), pages 568-578, May.
    16. Jie Xu & Jun Zhuang & Zigeng Liu, 2016. "Modeling and mitigating the effects of supply chain disruption in a defender–attacker game," Annals of Operations Research, Springer, vol. 236(1), pages 255-270, January.
    17. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    18. Peiqiu Guan & Meilin He & Jun Zhuang & Stephen C. Hora, 2017. "Modeling a Multitarget Attacker–Defender Game with Budget Constraints," Decision Analysis, INFORMS, vol. 14(2), pages 87-107, June.
    19. Kjell Hausken, 2006. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability," Information Systems Frontiers, Springer, vol. 8(5), pages 338-349, December.
    20. Wu, Baichao & Tang, Aiping & Wu, Jie, 2016. "Modeling cascading failures in interdependent infrastructures under terrorist attacks," Reliability Engineering and System Safety, Elsevier, vol. 147(C), pages 1-8.
    21. Hausken, Kjell & Zhuang, Jun, 2013. "The impact of disaster on the strategic interaction between company and government," European Journal of Operational Research, Elsevier, vol. 225(2), pages 363-376.
    22. Kjell Hausken, 2002. "Probabilistic Risk Analysis and Game Theory," Risk Analysis, John Wiley & Sons, vol. 22(1), pages 17-27, February.
    23. Kjell Hausken & Jun Zhuang, 2011. "Governments' and Terrorists' Defense and Attack in a T-Period Game," Decision Analysis, INFORMS, vol. 8(1), pages 46-70, March.
    24. Nagurney, Anna & Shukla, Shivani, 2017. "Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability," European Journal of Operational Research, Elsevier, vol. 260(2), pages 588-600.
    25. Shan, Xiaojun & Zhuang, Jun, 2013. "Hybrid defensive resource allocations in the face of partially strategic attackers in a sequential defender–attacker game," European Journal of Operational Research, Elsevier, vol. 228(1), pages 262-272.

    Citations


    Cited by:

    1. Alikhani, Reza & Ranjbar, Amirhossein & Jamali, Amir & Torabi, S. Ali & Zobel, Christopher W., 2023. "Towards increasing synergistic effects of resilience strategies in supply chain network design," Omega, Elsevier, vol. 116(C).
    2. Da, Gaofeng & Xu, Maochao & Zhao, Peng, 2021. "Multivariate dependence among cyber risks based on L-hop propagation," Insurance: Mathematics and Economics, Elsevier, vol. 101(PB), pages 525-546.
    3. Suyuan Luo & Tsan‐Ming Choi, 2022. "E‐commerce supply chains with considerations of cyber‐security: Should governments play a role?," Production and Operations Management, Production and Operations Management Society, vol. 31(5), pages 2107-2126, May.
    4. Zhang, Xiaoyu & Xu, Maochao & Su, Jianxi & Zhao, Peng, 2023. "Structural models for fog computing based internet of things architectures with insurance and risk management applications," European Journal of Operational Research, Elsevier, vol. 305(3), pages 1273-1291.
    5. Lu Xu & Yanhui Li & Qi Yao, 2022. "Information security investment and purchase decision for personalized products," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(6), pages 2619-2635, September.
    6. Welburn, Jonathan & Grana, Justin & Schwindt, Karen, 2023. "Cyber deterrence with imperfect attribution and unverifiable signaling," European Journal of Operational Research, Elsevier, vol. 306(3), pages 1399-1416.
    7. Paul, Jomon A. & Zhang, Minjiao, 2021. "Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker," European Journal of Operational Research, Elsevier, vol. 291(1), pages 349-364.
    8. Inna Čábelková & Wadim Strielkowski & Frank-Detlef Wende & Raisa Krayneva, 2020. "Factors Influencing the Threats for Urban Energy Networks: The Inhabitants’ Point of View," Energies, MDPI, vol. 13(21), pages 1-19, October.
    9. Cheung, Kam-Fung & Bell, Michael G.H. & Bhattacharjya, Jyotirmoyee, 2021. "Cybersecurity in logistics and supply chain management: An overview and future research directions," Transportation Research Part E: Logistics and Transportation Review, Elsevier, vol. 146(C).
    10. Chien-Hua Tsai, 2023. "Supply chain financing scheme based on blockchain technology from a business application perspective," Annals of Operations Research, Springer, vol. 320(1), pages 441-472, January.
    11. Boyson, Sandor & Corsi, Thomas M. & Paraskevas, John-Patrick, 2022. "Defending digital supply chains: Evidence from a decade-long research program," Technovation, Elsevier, vol. 118(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Rui Peng & Di Wu & Mengyao Sun & Shaomin Wu, 2021. "An attack-defense game on interdependent networks," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 72(10), pages 2331-2341, October.
    2. Seyed Alireza Hasheminasab & Behrouz Tork Ladani, 2018. "Security Investment in Contagious Networks," Risk Analysis, John Wiley & Sons, vol. 38(8), pages 1559-1575, August.
    3. Bose, Gautam & Konrad, Kai A., 2020. "Devil take the hindmost: Deflecting attacks to other defenders," Reliability Engineering and System Safety, Elsevier, vol. 204(C).
    4. Ghorbani-Renani, Nafiseh & González, Andrés D. & Barker, Kash & Morshedlou, Nazanin, 2020. "Protection-interdiction-restoration: Tri-level optimization for enhancing interdependent network resilience," Reliability Engineering and System Safety, Elsevier, vol. 199(C).
    5. Abdolmajid Yolmeh & Melike Baykal-Gürsoy, 2019. "Two-Stage Invest–Defend Game: Balancing Strategic and Operational Decisions," Decision Analysis, INFORMS, vol. 16(1), pages 46-66, March.
    6. Wang, Shuliang & Gu, Xifeng & Luan, Shengyang & Zhao, Mingwei, 2021. "Resilience analysis of interdependent critical infrastructure systems considering deep learning and network theory," International Journal of Critical Infrastructure Protection, Elsevier, vol. 35(C).
    7. Chen, Shun & Zhao, Xudong & Chen, Zhilong & Hou, Benwei & Wu, Yipeng, 2022. "A game-theoretic method to optimize allocation of defensive resource to protect urban water treatment plants against physical attacks," International Journal of Critical Infrastructure Protection, Elsevier, vol. 36(C).
    8. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    9. Li, Qing & Li, Mingchu & Gong, Zhongqiang & Tian, Yuan & Zhang, Runfa, 2022. "Locating and protecting interdependent facilities to hedge against multiple non-cooperative limited choice attackers," Reliability Engineering and System Safety, Elsevier, vol. 223(C).
    10. Vineet M. Payyappalli & Jun Zhuang & Victor Richmond R. Jose, 2017. "Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2229-2245, November.
    11. Zhang, Xiaoxiong & Ding, Song & Ge, Bingfeng & Xia, Boyuan & Pedrycz, Witold, 2021. "Resource allocation among multiple targets for a defender-attacker game with false targets consideration," Reliability Engineering and System Safety, Elsevier, vol. 211(C).
    12. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    13. Yan, Xihong & Ren, Xiaorong & Nie, Xiaofeng, 2022. "A budget allocation model for domestic airport network protection," Socio-Economic Planning Sciences, Elsevier, vol. 82(PB).
    14. Nikoofal, Mohammad E. & Zhuang, Jun, 2015. "On the value of exposure and secrecy of defense system: First-mover advantage vs. robustness," European Journal of Operational Research, Elsevier, vol. 246(1), pages 320-330.
    15. Zhang, Jing & Zhuang, Jun, 2019. "Modeling a multi-target attacker-defender game with multiple attack types," Reliability Engineering and System Safety, Elsevier, vol. 185(C), pages 465-475.
    16. Liang, Liang & Chen, Jingxian & Siqueira, Kevin, 2020. "Revenge or continued attack and defense in defender–attacker conflicts," European Journal of Operational Research, Elsevier, vol. 287(3), pages 1180-1190.
    17. Peiqiu Guan & Jun Zhuang, 2016. "Modeling Resources Allocation in Attacker‐Defender Games with “Warm Up” CSF," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 776-791, April.
    18. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    19. Sushil Gupta & Martin K. Starr & Reza Zanjirani Farahani & Mahsa Mahboob Ghodsi, 2020. "Prevention of Terrorism–An Assessment of Prior POM Work and Future Potentials," Production and Operations Management, Production and Operations Management Society, vol. 29(7), pages 1789-1815, July.
    20. Hunt, Kyle & Agarwal, Puneet & Zhuang, Jun, 2022. "On the adoption of new technology to enhance counterterrorism measures: An attacker–defender game with risk preferences," Reliability Engineering and System Safety, Elsevier, vol. 218(PB).
