
Decision Making in Information Security Investments: Impact of System Vulnerability and Investment Timing on Resource-Sharing Platforms

Author

Listed:
  • Hui Zhao

    (Donghua University Library, Shanghai 200051, China)

  • Yong Wu

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

  • Zhijie Jin

    (Glorious Sun School of Business and Management, Donghua University, Shanghai 200051, China)

Abstract

This study classifies enterprises as high-type or low-type based on enterprise value and cost efficiency, and examines their strategic behavior in three investment timing games: both move simultaneously, the high-type enterprise moves first, and the low-type enterprise moves first. Comparing the three games, we find that both types of enterprises always exert more effort in the sequential game than in the simultaneous game, and that the later-move advantage makes both types prefer to be the follower. We also find that a greater cost efficiency advantage or enterprise value gap held by the high-type enterprise widens the effort gap between the two types and strengthens the low-type enterprise’s incentive to be the follower. Moreover, system vulnerability not only causes both types of enterprises to reduce their security effort, which gives rise to free-riding, but can also first discourage and then encourage enterprises to move in advance. We further propose a liability-based mechanism to tackle the free-riding problem. We derive an exact optimal liability coefficient for both the simultaneous and the sequential game, and find that the high-type enterprise should bear more compensation as its dominant position becomes more pronounced, so that the low-type enterprise can bear less liability. Last, we extend the model to multiple enterprises and show that the results are robust.

Suggested Citation

  • Hui Zhao & Yong Wu & Zhijie Jin, 2025. "Decision Making in Information Security Investments: Impact of System Vulnerability and Investment Timing on Resource-Sharing Platforms," Decision Analysis, INFORMS, vol. 22(1), pages 70-86, March.
  • Handle: RePEc:inm:ordeca:v:22:y:2025:i:1:p:70-86
    DOI: 10.1287/deca.2024.0190


