IDEAS home Printed from https://ideas.repec.org/a/spr/dyngam/v11y2021i2d10.1007_s13235-020-00363-y.html

Dynamic Contract Design for Systemic Cyber Risk Management of Interdependent Enterprise Networks

Authors

  • Juntao Chen (Fordham University)
  • Quanyan Zhu (New York University)
  • Tamer Başar (University of Illinois at Urbana-Champaign)

Abstract

The interconnectivity of cyber and physical systems and Internet of things has created ubiquitous concerns of cyber threats for enterprise system managers. It is common that the asset owners and enterprise network operators need to work with cybersecurity professionals to manage the risk by remunerating them for their efforts that are not directly observable. In this paper, we use a principal–agent framework to capture the service relationships between the two parties, i.e., the asset owner (principal) and the cyber risk manager (agent). Specifically, we consider a dynamic systemic risk management problem with asymmetric information where the principal can only observe cyber risk outcomes of the enterprise network rather than directly the efforts that the manager expends on protecting the resources. Under this information pattern, the principal aims to minimize the systemic cyber risks by designing a dynamic contract that specifies the compensation flows and the anticipated efforts of the manager by taking into account his incentives and rational behaviors. We formulate a bi-level mechanism design problem for dynamic contract design within the framework of a class of stochastic differential games. We show that the principal has rational controllability of the systemic risk by designing an incentive compatible estimator of the agent’s hidden efforts. We characterize the optimal solution by reformulating the problem as a stochastic optimal control program which can be solved using dynamic programming. We further investigate a benchmark scenario with complete information and identify conditions that yield zero information rent and lead to a new certainty equivalence principle for principal–agent problems. Finally, case studies over networked systems are carried out to illustrate the theoretical results obtained.

Suggested Citation

  • Juntao Chen & Quanyan Zhu & Tamer Başar, 2021. "Dynamic Contract Design for Systemic Cyber Risk Management of Interdependent Enterprise Networks," Dynamic Games and Applications, Springer, vol. 11(2), pages 294-325, June.
  • Handle: RePEc:spr:dyngam:v:11:y:2021:i:2:d:10.1007_s13235-020-00363-y
    DOI: 10.1007/s13235-020-00363-y


