
Information Security Investment When Hackers Disseminate Knowledge

Authors

  • Xing Gao

    (School of Economics and Management, Southeast University, Nanjing 211189, Jiangsu, China)

  • Weijun Zhong

    (School of Economics and Management, Southeast University, Nanjing 211189, Jiangsu, China)

  • Shue Mei

    (School of Economics and Management, Southeast University, Nanjing 211189, Jiangsu, China)

Abstract

As an emerging and thriving research branch, information security economics has recently drawn significant attention from practitioners and academics. Traditionally, both decision and static game theoretical techniques are employed to characterize the strategies of firms and hackers. However, these techniques fail to capture the dynamic attribute of the risk environment, which is an increasingly important element, especially in modern distributed and complex computer and communication networks. Utilizing a differential game framework in which hackers disseminate security knowledge within a hacker population over time, this paper analyzes dynamic interactions between a firm endeavoring to protect its information assets and a hacker seeking to misappropriate them. In particular, we investigate three differential games in which the firm and the hacker move simultaneously and sequentially, respectively. We find that (a) the hacker invests the most in the simultaneous differential game, whereas the firm, as the leader, invests the most in the sequential differential game, and (b) both the firm and the hacker enjoy their highest payoffs in the sequential differential game with the hacker as the leader. Furthermore, it is numerically shown that in equilibrium, knowledge dissemination may not necessarily benefit the hacker and harm the firm. Some of our results are consistent with the findings of previous work, although the earlier results were obtained from a static game framework. Our main findings contrast with those of several previous studies that showed mixed results for comparisons between simultaneous and sequential games.

Suggested Citation

  • Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
  • Handle: RePEc:inm:ordeca:v:10:y:2013:i:4:p:352-368
    DOI: 10.1287/deca.2013.0278


    Citations


    Cited by:

    1. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    2. Xing Gao & Siyu Gong, 2022. "An economic analysis of information security outsourcing with competitive firms," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(7), pages 2748-2758, October.
    3. Mansooreh Ezhei & Behrouz Tork Ladani, 2020. "Interdependency Analysis in Security Investment against Strategic Attacks," Information Systems Frontiers, Springer, vol. 22(1), pages 187-201, February.
    4. Talarico, Luca & Reniers, Genserik & Sörensen, Kenneth & Springael, Johan, 2015. "MISTRAL: A game-theoretical model to allocate security measures in a multi-modal chemical transportation network with adaptive adversaries," Reliability Engineering and System Safety, Elsevier, vol. 138(C), pages 105-114.
    5. Xing Gao, 2020. "Open Source or Closed Source? A Competitive Analysis with Software Security," Decision Analysis, INFORMS, vol. 17(1), pages 56-73, March.
    6. Nikhil Malik & Manmohan Aseri & Param Vir Singh & Kannan Srinivasan, 2022. "Why Bitcoin Will Fail to Scale?," Management Science, INFORMS, vol. 68(10), pages 7323-7349, October.
    7. Yong Wu & Junlin Duan & Tao Dai & Dong Cheng, 2020. "Managing Security Outsourcing in the Presence of Strategic Hackers," Decision Analysis, INFORMS, vol. 17(3), pages 235-259, September.
    8. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    9. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    10. Ali Yekkehkhany & Timothy Murray & Rakesh Nagi, 2021. "Stochastic Superiority Equilibrium in Game Theory," Decision Analysis, INFORMS, vol. 18(2), pages 153-168, June.
    11. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    12. Theodore T. Allen & Zhenhuan Sui & Nathan L. Parker, 2017. "Timely Decision Analysis Enabled by Efficient Social Media Modeling," Decision Analysis, INFORMS, vol. 14(4), pages 250-260, December.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    2. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    3. Gao, Xing & Zhong, Weijun & Mei, Shue, 2013. "A game-theory approach to configuration of detection software with decision errors," Reliability Engineering and System Safety, Elsevier, vol. 119(C), pages 35-43.
    4. Kjell Hausken & Jun Zhuang, 2011. "Governments' and Terrorists' Defense and Attack in a T-Period Game," Decision Analysis, INFORMS, vol. 8(1), pages 46-70, March.
    5. Liang, Liang & Chen, Jingxian & Siqueira, Kevin, 2020. "Revenge or continued attack and defense in defender–attacker conflicts," European Journal of Operational Research, Elsevier, vol. 287(3), pages 1180-1190.
    6. Qingqing Zhai & Rui Peng & Jun Zhuang, 2020. "Defender–Attacker Games with Asymmetric Player Utilities," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 408-420, February.
    7. Xiaojun (Gene) Shan & Jun Zhuang, 2014. "Modeling Credible Retaliation Threats in Deterring the Smuggling of Nuclear Weapons Using Partial Inspection---A Three-Stage Game," Decision Analysis, INFORMS, vol. 11(1), pages 43-62, March.
    8. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    9. Sushil Gupta & Martin K. Starr & Reza Zanjirani Farahani & Mahsa Mahboob Ghodsi, 2020. "Prevention of Terrorism–An Assessment of Prior POM Work and Future Potentials," Production and Operations Management, Production and Operations Management Society, vol. 29(7), pages 1789-1815, July.
    10. Hunt, Kyle & Agarwal, Puneet & Zhuang, Jun, 2022. "On the adoption of new technology to enhance counterterrorism measures: An attacker–defender game with risk preferences," Reliability Engineering and System Safety, Elsevier, vol. 218(PB).
    11. Rakesh K. Sarin & L. Robin Keller, 2013. "From the Editors: Probability Approximations, Anti-Terrorism Strategy, and Bull's-Eye Display for Performance Feedback," Decision Analysis, INFORMS, vol. 10(1), pages 1-5, March.
    12. Abdolmajid Yolmeh & Melike Baykal-Gürsoy, 2019. "Two-Stage Invest–Defend Game: Balancing Strategic and Operational Decisions," Decision Analysis, INFORMS, vol. 16(1), pages 46-66, March.
    13. Szidarovszky, Ferenc & Luo, Yi, 2014. "Incorporating risk seeking attitude into defense strategy," Reliability Engineering and System Safety, Elsevier, vol. 123(C), pages 104-109.
    14. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    15. Bertrand Crettez & Naila Hayek, 2014. "Terrorists’ Eradication Versus Perpetual Terror War," Journal of Optimization Theory and Applications, Springer, vol. 160(2), pages 679-702, February.
    16. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    17. Bandyopadhyay, Subhayu & Sandler, Todd, 2023. "Voluntary participation in a terror group and counterterrorism policy," Journal of Economic Behavior & Organization, Elsevier, vol. 215(C), pages 500-513.
    18. Simon, Jay & Omar, Ayman, 2020. "Cybersecurity investments in the supply chain: Coordination and a strategic attacker," European Journal of Operational Research, Elsevier, vol. 282(1), pages 161-171.
    19. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    20. Hausken, Kjell & Zhuang, Jun, 2013. "The impact of disaster on the strategic interaction between company and government," European Journal of Operational Research, Elsevier, vol. 225(2), pages 363-376.
