1 Introduction

Cyber crime refers to computer hacking done with criminal intent. The objective of the criminalized hackers is to turn stolen information assets into monetary gains (CSI survey 2008). Cybercrime combines the upstream capabilities of experience and knowledge of particular IT systems to gain access to an information asset, followed by the downstream capabilities needed to exchange the information assets for monetary gains (possibly through an organized criminal network). Criminalized hacking tends to implicitly identify and group victims, whose information assets are similar and lie at the confluence of upstream and downstream capabilities of hackers.

Consider the case where a hacker has the skill set to steal the Citrix SSO (single sign-on) access of a medical practice and gain entry into a large healthcare provider’s network. This access would reveal private prescription data for a large number of patients. However, in order to reap financial benefit from this information, the hacker would need the downstream capability to monetize it, say, through contacts that could use the stolen information to sell cheaper, unapproved drugs to the patients in the provider’s network. Next, consider the opposite case where a white-collar criminal possesses the experience, skills and contacts for pump-and-dump stock scams [Footnote 1]. Such a criminal may acquire computer hacking capabilities in order to steal access to a securities broker’s database that could provide him a list of active investors who could be duped into investing in the scam. Thus, the intersection of upstream and downstream skills implicitly defines the set of targets for cyber crime. Firms whose information assets fall in this target zone are likely to find themselves competing in IT security defense. We build a model that analyzes a dynamic IT security equilibrium between such firms.

Two observations motivate this research. First, there is growing evidence that hackers identify such target groups. For example, in the 2008 CSI survey, close to 20% of the participants who were victims of hacking attacks in the past year confirmed that these were targeted attacks aimed exclusively at their organization. Similarly, the Washington Post (2007) reported a surprising string of hacking attacks that targeted computing machinery belonging to governmental and non-governmental organizations in the transportation sector within a specific interval of time. MessageLabs’ 2007 Annual Security Report suggests that between January 2005 and November 2007 such targeted attacks increased from 2 per week to 1000 per day, and that the increasing trend continues. Microsoft’s 12th Security Intelligence Report (SIR, December 2011) also notes continued targeted attacks by determined adversaries as one of the predominant threats to information assets [Footnote 2]. Second, hackers further select targets within a set of identified firms. While a firm with a higher-value information asset promises greater returns, a less secure target may be easier to penetrate. In reality, however, hackers subjectively differentiate their trade-offs between the value of the asset and the difficulty of accessing it [Footnote 3]. Bank of America is arguably the most protected bank (it also has the largest number of on-line accounts), yet it is attacked regularly, the most recent being the Summer 2011 attack which slowed down most of the bank’s on-line services for several days. On the other hand, as large US banks, each holding millions of on-line accounts, tightened their IT security defenses, attacks on the less protected and smaller community credit unions (CCU) increased over time [Footnote 4].

As the target firms get implicitly grouped together, their IT security planning to defend against cyber crime moves onto a strategic plane. In this research, we present a dynamic game that captures three important attributes of today’s strategic IT security. First, we model the veiled competition in IT security defense between firms that find themselves in the same target group of hackers. Second, our hackers are characterized by subjective preference profiles so as to capture the criminalized nature of hacking traffic. Third, we integrate continuous-time IT security decision processes for the defending firms. We develop a dynamic, infinite-horizon, control-theoretic model and derive equilibrium IT security for firms in the resulting differential game. We focus on two firms, i.e., a target group with two firms, and build a duopolistic model of strategic defense. The duopolistic setting keeps the analytics of our model tractable and allows us to derive insights under a variety of competitive and collaborative situations.

The analysis under a competitive backdrop shows that if the hackers prefer a certain firm in the target group, then the total cost of IT security (investment plus expected loss from vulnerability) of the other firm falls. Under general circumstances, this could lead to a possible arms race in which firms in a target group overinvest in IT security, something that managers must guard against. We further show that if the firms’ information asset values are widely different, then the firm with the higher asset value can lower its IT security only if the interacting IT security strategies are such that the other firm becomes the preferred target.

We also study the strategic IT security investments in a cooperative game setting. One major takeaway of this analysis is that cooperation in IT security can solve the overinvestment problem and benefit all the firms in a target group, but that such coordination is hard to achieve because of the misaligned incentives of the strategic defenders. We demonstrate that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to ensure participation of the other firm. Overall, this research shows that managers should not treat IT security solely as an internal firm decision; to be efficient, they must consider competitive IT security defense vis-à-vis the other firms in the implicitly identified group of target firms that possess similar information assets.

In what follows, we begin with a review of the relevant literature in Section 2 before presenting the background, notation and the problem formulation of our model in Section 3. We analyze the duopoly firms’ security and investments levels in the decentralized and centralized cases in Sections 4 and 5, and propose an effective scheme which can coordinate the firms’ security investments. Section 6 summarizes our findings, discusses the managerial implications and presents some future directions of research.

2 Literature review

Varian (2000) and Anderson (2001) suggest that many problems in IT security lie in the misplaced liability structure of the stakeholders rather than in the inadequacy of technological controls. This observation led to a series of insightful works on the problem of IT security investment. Gordon and Loeb (2002) analyze how asset vulnerability moderates firms’ IT security investments and show that highly vulnerable information assets may not cost-justify their full protection. Huang et al. (2005) extend Gordon and Loeb’s work, showing that risk-averse firms might continue to invest in IT security even as their investments approach the actual expected security losses.

Since we investigate firms belonging to the same target group from hackers’ perspective, our work is related to the issue of interdependent IT security. Varian (2002, 2004) studies system reliability and provides a set of models in which different levels of coordinated and distributed efforts (including free-riding behavior) are analyzed to derive equilibrium reliability levels of the system. He shows that in some cases firms achieve appropriate levels of system reliability through shared investment. Kunreuther and Heal (2003) characterize the free-riding behavior of some stakeholders when firms’ IT security is interdependent. Ogut et al. (2005) show that certain compensation schemes designed to implement a liability structure among interdependent IT firms can lead to over-investment in security. Hausken (2006, 2007) studies how IT security investments are affected by income, substitution, and complementary effects among firms whose risks are interdependent.

This study models firms’ strategic IT security investment decisions dynamically. To our knowledge, only Cavusoglu et al. (2005) include a time dimension in the investment decision, but their work is limited to a two-stage game in which the second-stage investments remain unchanged. The remaining studies of IT security investment are lump-sum, single-shot models. In those static models, firms derive optimal investment decisions after considering a variety of attributes (hacker ability, value of information assets, vulnerability, complementarities, and so forth), but if some attribute changes, say hackers adjust their activity in response to a security investment, that change is not incorporated in the firms’ updated security decision. Little research explicitly considers firms’ continuous-time commitment of funds to IT security, yet today’s IT security landscape suggests that hackers continuously improve their skills and exploits [Footnote 5]; to ensure effective IT security defense on a continued basis, it is important to investigate the dynamic changes in firms’ security investment.

In order to include this dynamic dimension, we model strategic investment decisions in the form of a differential game. Differential games, first introduced by Isaacs (1965), can be viewed as continuous-time sequential games. Differential game methodology has often been used by researchers in various disciplines such as marketing and supply chain management. Aspects and applications of differential game models in business research can be accessed from a wide spectrum of scholarly works. For example, Dockner et al. (2000) survey differential game models in the general area of economics and management science, while Jørgensen (1982) concentrates on advertising games and He et al. focus on Stackelberg-type equilibria in such games. Other works that provide excellent analyses of differential games include Erickson (1992, 1995, 1997) and Feichtinger et al. (1994). Differential games have inherent advantages in investigating competitive time-varying decisions, which makes them especially suitable for the dynamic IT security environment.

3 Model preliminaries

Consider a duopoly in which firms A and B belong to the same target group because their information assets are similar. Criminally motivated hackers desire to gain access to these information assets and misuse/abuse these assets for financial gains. Hackers are attracted by the value of the information asset, but they also consider the strengths of IT security controls protecting these assets. Facing loss from unavailability, abuse and misuse of the stolen information assets, firms attempt to protect their information assets. In the following subsections, we define the nuanced concept of value and loss associated with an information asset and state how they shape the game of IT security. Next, we present the notation utilized in this paper before we model the attacking traffic on the information assets of the duopoly firms. Finally we present our model assumptions before presenting the state equations of our dynamic model of IT security.

3.1 Information asset: Valuation and loss

Value attached to an information asset differs between the attacker and the defender of the asset. To the defending firm, the value is derived from the utilization of the information asset in its business processes. On the contrary, the hacker derives value from the unauthorized use and abuse of the information asset, which is different from the asset’s value to the owner/defender. Consider a firm that has stored credit card data of its customers. The business value of this information asset (stored credit card data points) is realized when the firm is able to facilitate its customers’ payment process during purchase transactions. On the other hand, the value gained by the hacker from the same information asset—stolen now—accrues from fraudulent purchase, identity theft, etc.

Loss incurred to the defender from a compromised information asset is nuanced. Part of the loss may arise from not being able to use the information asset in its business processes. Abuse of the stolen information asset may inflict further loss in more than one dimension. For the above example of stored credit card data, the total loss to the defending firm could be a combination of (1) the lost value from not being able to use the credit card information to facilitate the purchase process of customers, (2) the costs of reporting and containment of data breach (e.g., buying credit monitoring service for the victims), (3) cost of reparation of loss (e.g., liability payment), and (4) cost of loss in reputation, credibility, competitiveness, and so on.

The primary motivation and propensity of a hacking attack depend on the value that the hacker associates with the information asset. However, the strength and intensity of an IT security program that attempts to protect the asset depend on the expected loss that the defender faces from unavailability, misuse and abuse of the information asset. In this work we assume a simple correlation between the value and the loss associated with an information asset and model the game of IT security defense.

Notation used in the paper:

x_A (x_B): The vulnerability level of firm A (B), defined as the probability of breach given an attack from the hacker (state variables).

N(t): The aggregate attacking traffic in the system at time t generated by the hackers.

L_A (L_B): Loss incurred by firm A (B) from a penetration.

S_A(t) (S_B(t)): IT security investment rate of firm A (B) (control variables).

r: The discount rate.

β: The investment efficiency parameter.

ρ: The rate of increase in vulnerability of a firm due to hackers’ learning effect.

Γ: A hacker’s preference parameter, which measures the hacker’s preference for attacking effort relative to asset value.

γ: The mean of the hackers’ preference parameter in the hacker population.

3.2 Model assumptions

1. Hackers’ valuation of the information asset and the strength of the IT security controls guarding it characterize attacking traffic.

2. Expected loss from a breach of the information asset determines the requisite strength of the IT security controls guarding it.

3. Loss to the defending firm increases proportionally with the value of the information asset.

4. Hackers’ knowledge of a firm’s IT security improves over time.

5. Investment efficiency, which maps dollar investment to tangible increase in IT security strength, is firm-specific. In other words, we define the change in the level of IT security as a multiplicative function of the change in IT security investment and the efficiency of IT security investment, in line with the technical-efficiency parameter of Shao and Lin (2002).

3.3 Attacking traffic

Standard rationality assumptions as well as anecdotal evidence [Footnote 6] suggest that a relative increase in the value of an information asset, or an increase in its vulnerability, attracts a greater proportion of attacking traffic to it, and that in practice a tradeoff between these two attractive forces may be arrived at. However, the valuation of an asset and the level of difficulty of overcoming the IT security controls guarding it may not be the same across all hackers.

First, motivation of attack depends on the perceived valuation of an information asset, but a specific information asset may carry different values to different hackers. For instance, a stolen dataset may be new to certain hackers and promise a lot of value. Yet, part of the dataset may have already been possessed by other hackers and hence represent less additional value. Second, hackers’ capabilities to circumvent technology controls guarding information assets vary widely. Research suggests (e.g., Ioerger et al. 2002) when innate capabilities differ, the level of effort needed to complete a task can vary. In essence, different hackers attacking the same firm may incur different costs.

The above exposition underscores why an exact model of generalized hacking traffic is hard to achieve. We combine these two ideas, namely the value from a successful attack and the cost of effort in attacking, into a single primitive to obtain a more concise and tractable model of hacker traffic. This single primitive, referred to as the hacker’s preference parameter, is denoted by Γ ∈ [0,1] in our paper. A higher value of Γ implies that the hacker is more concerned about the effort put into an attack, i.e., the hacker is more effort-driven than value-driven. Our primitive Γ is quite similar to practicable hacker classifications [Footnote 7]. For example, a low-Γ hacker is likely to be a script kiddie or a hacking group, whereas a high-Γ hacker is more likely to fall in one of the more advanced categories of hackers, e.g., hacktivist, black-hat professional, organized criminal gang, or nation state.

Using this primitive, we assume that a firm’s attack traffic can be estimated from the value to the hacker, the vulnerability of the information asset and the distribution of the preference parameter Γ in the hacker population. In this study we assume that Γ is uniformly distributed on [τ, ζ], where 0 ≤ τ ≤ ζ ≤ 1. At the extremes, if Γ = 1 a hacker cares solely about effort, and if Γ = 0 the hacker cares only about asset value.

Let γ be the mean of hackers’ preference parameter value in the hacker population. In the rest of the paper, whenever we refer to hackers’ preference parameter value, we refer to γ. The proportion of traffic attacking firms A and B, h A (t) and h B (t), at any instant t, can be represented as follows:

$$ h_A(t) = \frac{1}{2} + \frac{\gamma \left( x_A - x_B \right) + \left( 1 - \gamma \right)\left( l_A - l_B \right)}{2} $$
$$ h_B(t) = 1 - h_A(t) = \frac{1}{2} + \frac{\gamma \left( x_B - x_A \right) + \left( 1 - \gamma \right)\left( l_B - l_A \right)}{2} $$

where l_A and l_B (l_A + l_B = 1) are the normalized ratios of the losses of firms A and B from an attack:

$$ l_A = \frac{L_A}{L_A + L_B} \quad \text{and} \quad l_B = \frac{L_B}{L_A + L_B} $$

We observe the following special cases of the above traffic model. When the asset values and vulnerability levels of the firms are identical (x_A = x_B and l_A = l_B), the attacking traffic is equally divided, i.e., h_A = h_B = 1/2. When hackers care only about effort (γ = 1) and x_A = 1, x_B = 0, all the attack traffic goes to firm A. Similarly, when hackers care only about asset value (γ = 0) and l_A = 1, l_B = 0, all the traffic goes to firm A. Note that the model allows different hackers to assess a firm’s asset value and vulnerability differently; therefore, being both more vulnerable and higher-valued is not a sufficient condition for firm A to draw the entire attack traffic.
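The traffic split above, implemented as an added Python example that is not part of the original paper: `attack_shares` computes h_A and h_B from the vulnerabilities, the loss-derived ratios l_A, l_B and the mean preference parameter γ, and `expected_loss_rates` multiplies the share by N, x_i and L_i to give the expected loss term N·h_i·x_i·L_i that appears in the objective functions of Section 3.4. Input validation enforces the paper's ranges (0 ≤ x_i ≤ 1, 0 ≤ γ ≤ 1, losses non-negative); all numeric values in the demo are constructed.

```python
"""Attack-traffic split of Section 3.3 and the resulting expected loss rates.

Added example, not code from the paper; numeric inputs in the demo are constructed.
"""


def attack_shares(x_A, x_B, L_A, L_B, gamma):
    """Return (h_A, h_B), the fractions of aggregate attack traffic hitting A and B.

    x_i   : vulnerability of firm i (probability of breach given an attack), in [0, 1]
    L_i   : loss per penetration; only the normalized ratio l_i = L_i/(L_A+L_B) matters
    gamma : mean hacker preference parameter, 0 = value-driven ... 1 = effort-driven
    """
    for name, v in (("x_A", x_A), ("x_B", x_B), ("gamma", gamma)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {v}")
    if L_A < 0 or L_B < 0 or L_A + L_B <= 0:
        raise ValueError("losses must be non-negative and not both zero")
    l_A = L_A / (L_A + L_B)
    l_B = L_B / (L_A + L_B)
    # h_A = 1/2 + (gamma (x_A - x_B) + (1 - gamma)(l_A - l_B)) / 2 and h_B = 1 - h_A.
    # Both differences lie in [-1, 1] and are weighted by gamma and 1 - gamma, so h_A in [0, 1].
    h_A = 0.5 + (gamma * (x_A - x_B) + (1.0 - gamma) * (l_A - l_B)) / 2.0
    return h_A, 1.0 - h_A


def expected_loss_rates(N, x_A, x_B, L_A, L_B, gamma):
    """Instantaneous expected loss of each firm, N h_i x_i L_i.

    This is the loss term in the integrands of objectives (3) and (4), because
    (N/2)(1 + gamma (x_A - x_B) + delta) equals N h_A when delta = (1-gamma)(l_A - l_B).
    """
    h_A, h_B = attack_shares(x_A, x_B, L_A, L_B, gamma)
    return N * h_A * x_A * L_A, N * h_B * x_B * L_B


if __name__ == "__main__":
    # Special cases noted in the text
    print("identical firms     :", attack_shares(0.4, 0.4, 2.0, 2.0, 0.3))  # (0.5, 0.5)
    print("effort-only, x_A = 1:", attack_shares(1.0, 0.0, 1.0, 1.0, 1.0))  # (1.0, 0.0)
    print("value-only, l_A = 1 :", attack_shares(0.3, 0.9, 1.0, 0.0, 0.0))  # (1.0, 0.0)
    # A is both more vulnerable and higher-valued, yet draws only 75% of the traffic
    # when hackers weigh effort and value equally (gamma = 0.5).
    print("mixed preferences   :", attack_shares(0.8, 0.2, 0.7, 0.3, 0.5))  # ~ (0.75, 0.25)
    print("expected loss rates :", expected_loss_rates(10.0, 0.8, 0.2, 0.7, 0.3, 0.5))  # ~ (4.2, 0.15)
```

The last two lines of the demo make the paper's closing remark concrete: with γ = 0.5 firm A is four times as vulnerable as B and carries 70% of the loss, yet a quarter of the traffic still goes to B, because value-driven hackers split by l_A − l_B = 0.4 and effort-driven hackers by x_A − x_B = 0.6, neither of which is 1.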

3.4 Problem formulation

Firm \( i,\;i \in \left\{ {A,B} \right\} \), invests \( {S_i}(t) \geqslant 0 \) in IT security (standard concavity assumptions on investment, including diminishing marginal utility apply) to reduce its vulnerability x i (t). The reduction in vulnerability is affected by the firm’s proficiency at turning security investments into security (denoted by β) and the ability of hackers to learn about the firm’s defenses (denoted by ρ).

The rate of change in vulnerability is defined by:

$$ \dot{x}_A = -\beta_A S_A(t)\, x_A + \rho, \quad x_A(0) = a $$
(1)
$$ \dot{x}_B = -\beta_B S_B(t)\, x_B + \rho, \quad x_B(0) = b $$
(2)

Hacker learning (a shared, experiential knowledge of the strength of a firm’s IT security) is assumed to raise vulnerability more slowly than security investment lowers it, i.e., βS(t) > ρ.

This ensures that a firm’s vulnerability x is bounded above by 1. Since the normalized losses in our model are ratios \( \left( {{l_A} + {l_B} = 1} \right) \) and 0 ≤ x ≤ 1, (a) the state equations agree with the standard optimization principles, including the concavity assumptions, and (b) the attacking traffic share is a fraction \( 0 \leqslant h(t) \leqslant 1 \).

Firm A solves the following problem:

$$ \max_{S_A(t)} \left\{ \int_0^{\infty} \left( -\frac{N(t)}{2}\left( 1 + \gamma \left( x_A - x_B \right) + \delta \right) x_A L_A - S_A(t) \right) e^{-rt}\, dt \right\} $$
(3)

In the above objective function, the attack traffic directed towards firm A is \( \frac{N(t)}{2}\left( 1 + \gamma \left( x_A - x_B \right) + \left( 1 - \gamma \right)\left( l_A - l_B \right) \right) \), i.e., N(t) h_A(t), and the expected loss given an attack is x_A L_A. For brevity, we denote the term \( \left( 1 - \gamma \right)\left( l_A - l_B \right) \) by δ. Finally, r is the discount rate. Similarly, firm B solves the problem:

$$ \max_{S_B(t)} \left\{ \int_0^{\infty} \left( -\frac{N(t)}{2}\left( 1 + \gamma \left( x_B - x_A \right) - \delta \right) x_B L_B - S_B(t) \right) e^{-rt}\, dt \right\} $$
(4)

A firm’s overall cost depends on its vulnerability level, the security investment undertaken, and the proportion of traffic it attracts. The current-value Hamiltonians of the firms, which measure the overall return (i.e., both current and future return) to Firms A and B from their security investments, based on the state Eqs. (1) and (2), and their objective functions (3) and (4) are:

$$ H_A = -\frac{N}{2}\left( 1 + \gamma \left( x_A - x_B \right) + \delta \right) x_A L_A - S_A + \lambda_{AA}\left( -\beta_A S_A x_A + \rho \right) + \lambda_{AB}\left( -\beta_B S_B x_B + \rho \right) $$
(5)
$$ H_B = -\frac{N}{2}\left( 1 + \gamma \left( x_B - x_A \right) - \delta \right) x_B L_B - S_B + \lambda_{BA}\left( -\beta_A S_A x_A + \rho \right) + \lambda_{BB}\left( -\beta_B S_B x_B + \rho \right) $$
(6)

For example, H A in (5), the return to firm A, has two components: the first two terms measure the current return of the firm’s security investment, while the last two measure the future return of firms’ security investment. Note that both components of H A are affected by security investments: security investments are a cost in the current time and future returns are affected by the current security investments through the changes in \( {\mathop{x}\limits^{ \cdot }_A} \)and\( {\mathop{x}\limits^{ \cdot }_B} \). The return to each firm depends on the investments of each firm in this dynamic system.

λ AA, λ AB , λ BA and λ BB in (5) and (6) are the adjoint (shadow) variables, subject to the following conditions:

$$ \frac{d\lambda_{AA}}{dt} = r\lambda_{AA} - \frac{\partial H_A}{\partial x_A} = r\lambda_{AA} - \left( -\frac{N\left( 1 + \delta - \gamma x_B \right) L_A}{2} - N\gamma L_A x_A - \beta_A \lambda_{AA} S_A \right) $$
(7)
$$ \frac{d\lambda_{BB}}{dt} = r\lambda_{BB} - \frac{\partial H_B}{\partial x_B} = r\lambda_{BB} - \left( -\frac{N\left( 1 - \delta - \gamma x_A \right) L_B}{2} - N\gamma L_B x_B - \beta_B \lambda_{BB} S_B \right) $$
(8)
$$ \frac{d\lambda_{AB}}{dt} = r\lambda_{AB} - \frac{\partial H_A}{\partial x_B} = r\lambda_{AB} - \left( \frac{N\gamma L_A x_A}{2} - \lambda_{AB}\beta_B S_B \right) $$
(9)
$$ \frac{d\lambda_{BA}}{dt} = r\lambda_{BA} - \frac{\partial H_B}{\partial x_A} = r\lambda_{BA} - \left( \frac{N\gamma L_B x_B}{2} - \lambda_{BA}\beta_A S_A \right) $$
(10)

The adjoint variables in this model measure how much impact a unit change of firms’ vulnerability level has on the discounted return of the firm in the future. For example, adjoint variable λ AA calculates the amount of changes in future discounted return to firm A given a unit change in x A .

4 Equilibrium analysis of the differential game

We begin this section by formulating the dynamic competition between the duopoly firms when the firms make security investment decisions independently. We then analyze the cases where firms are symmetric and asymmetric respectively.

4.1 The trajectories in duopoly—Decentralized solutions

Using the Hamiltonians and shadow variables from Section 3 we calculate the continuous time trajectories of the duopoly firms A and B.

$$ S_A = \begin{cases} 0 & \text{if } -\left( 1 + \beta_A \lambda_{AA} x_A \right) < 0 \\ \text{to be determined} & \text{if } -\left( 1 + \beta_A \lambda_{AA} x_A \right) = 0 \\ S_{\max} & \text{if } -\left( 1 + \beta_A \lambda_{AA} x_A \right) > 0 \end{cases} \qquad S_B = \begin{cases} 0 & \text{if } -\left( 1 + \beta_B \lambda_{BB} x_B \right) < 0 \\ \text{to be determined} & \text{if } -\left( 1 + \beta_B \lambda_{BB} x_B \right) = 0 \\ S_{\max} & \text{if } -\left( 1 + \beta_B \lambda_{BB} x_B \right) > 0 \end{cases} $$

From (5) and (6), the Hamiltonians are linear in the control variables S_A and S_B, with switching function \( \partial H_i / \partial S_i = -\left( 1 + \beta_i \lambda_{ii} x_i \right) \), which leads to the above solution form for both S_A and S_B. This is a bang-bang solution with a singular region (for a definition and exposition, see Sethi and Thompson (2000)). Let the singular levels of the firms’ vulnerability be \( x_A^D \) and \( x_B^D \), where the superscript D stands for the decentralized case. Similarly, let \( S_A^D \) and \( S_B^D \) denote the firms’ singular levels of security investment in the decentralized case. If the initial vulnerability level of a firm is higher than its singular level, e.g. if \( a > x_A^D \), then S_A = S_max, where S_max stands for the maximum possible security investment rate of a firm. In other words, when its initial vulnerability level is above the singular level, the firm ramps up its investment to the maximum possible level so as to reach the optimal trajectory as early as possible. Similarly, if the initial vulnerability level of the firm is lower than its singular level, the firm suspends its security investment completely until it reaches the singular region of its optimal trajectory; e.g., if \( a < x_A^D \), then S_A = 0. In this paper, we focus on the singular regions of the differential game since they are the steady states of the two firms.

The singular region is derived from the following conditions:

$$ \left( H_i \right)_{S_i} = \frac{\partial H_i}{\partial S_i} = 0, \quad \text{and} \quad \left( \dot{H}_i \right)_{S_i} = \frac{d \left( H_i \right)_{S_i}}{dt} = 0, \quad i \in \left\{ A, B \right\} $$
(11)
$$ \frac{d (H_A)_{S_A}}{dt} = \beta_A x_A \frac{d\lambda_{AA}}{dt} + \beta_A \lambda_{AA} \frac{dx_A}{dt} = 0 $$
(12)
$$ \frac{d (H_B)_{S_B}}{dt} = \beta_B x_B \frac{d\lambda_{BB}}{dt} + \beta_B \lambda_{BB} \frac{dx_B}{dt} = 0 $$
(13)

Solving Eqs. (7)–(13) and (1)–(2), we get

$$ -r + \beta_A L_A \gamma N x_A^{2} + \frac{\beta_A N L_A \left( 1 + \delta \right)}{2} x_A - \frac{\beta_A}{2}\gamma N L_A x_A x_B - \frac{\rho}{x_A} = 0 $$
(14)
$$ -r + \beta_B L_B \gamma N x_B^{2} + \frac{\beta_B N L_B \left( 1 - \delta \right)}{2} x_B - \frac{\beta_B}{2}\gamma N L_B x_A x_B - \frac{\rho}{x_B} = 0 $$
(15)

The singular levels of firms’ vulnerability, \( x_A^D \) and \( x_B^D \), are the solutions of Eqs. (14) and (15). However, closed form solutions for \( x_A^D \) and \( x_B^D \) cannot be obtained in general so we impose symmetric conditions between the duopoly firms. After analyzing the symmetric case we use numerical analysis to generalize to asymmetric firms.

4.2 Symmetric duopoly firms

Symmetric parameters between the firms characterize this case: L A  = L B  = L, and β A  = β B  = β. Clearly, δ = 0. We denote the equilibrium vulnerability level of each firm \( x_A^D = x_B^D = {x^D} \), which is the solution of

$$ r + \frac{\rho}{x} - \frac{\beta N L}{2} x = \frac{\beta N L \gamma}{2} x^{2} $$
(16)

Case-1—Constant attack rate N(t)

Suppose the attack rate N(t) remains constant over time. When N in Eq. (16) is constant, so are \( x_A^D \) and \( x_B^D \), and setting \( \dot{x} = 0 \) in (1) and (2) gives the singular investment rate \( S_A^D = S_B^D = {S^D} = \rho /(\beta x_A^D) \). In other words, both firms A and B invest at a constant rate in the singular region. Thus, if the initial vulnerability level equals the singular level, e.g., if \( a = x_A^D \), then \( {S_A} = S_A^D \) from the outset and there is no pre-singular phase. The pre-singular solution for firm B is derived in the same fashion and is not repeated.

Proposition 1

In the singular region, under symmetric duopoly case, both firms invest equally at a constant rate. Further, the equilibrium vulnerability (IT security investment rate) of a firm increases, when the loss from a breach, L, decreases (increases), the efficiency of IT security investment, β, decreases, hackers’ learning effect, ρ, increases, or the hackers are more value-driven (effort driven).

Proof: See Appendix.

Under symmetric conditions, both firms possess equal asset values, and therefore the proportion of attacking traffic targeted at a firm depends solely on the firm’s vulnerability level. So, when hackers become more effort driven (γ increases) a firm in a duopoly must invest more to attain a higher level of security to dissuade attacks, which also means that a higher γ increases security investment at both firms. Symmetrically, as γ falls (hackers are more value-driven) firms invest less and are less secure.

The investment efficiency parameter β captures a firm’s ability to convert its IT security investment into tangible reductions in vulnerability. A higher β means that the firm’s security investment is more efficient and that the marginal benefits of security investments are higher. As a result, firms maintain a higher equilibrium IT security level even with a lower investment rate.

Since an increasing learning effect (ρ) translates to increased capabilities of attackers, firms react by investing at a higher rate to maintain the same security level in equilibrium. However, because diminishing marginal returns accompany increased levels of security investment, the cost-benefit trade-off leads to a lower equilibrium level of IT security. In essence, as hackers learn, firms invest more but end up being less secure.
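The steady-state analysis of Sections 4.1 and 4.2 can be reproduced numerically. The Python example below is added by the editor and is not code from the paper: it solves the singular conditions (14)-(15) for \( x_A^D, x_B^D \) by Gauss-Seidel iteration with a bisection root-finder (the left-hand side of each equation tends to minus infinity as x approaches 0 and is increasing in x, so a root in (0, 1] exists exactly when the value at x = 1 is positive), derives \( S_i^D = \rho/(\beta_i x_i^D) \) from \( \dot{x}_i = 0 \) in (1)-(2), checks the sign pattern stated in Proposition 1 by raising each symmetric parameter by 10%, and Euler-integrates the state equations under the bang-bang policy of Section 4.1 (S_max above the singular level, zero below, S^D inside a narrow band around it). The parameter values, the S_max level, the step size and the iteration scheme are the editor's assumptions, not the paper's.

```python
"""Singular (steady-state) vulnerabilities and investment rates of the duopoly game.

Added example, not code from the paper: solves Eqs. (14)-(15) for x_A^D, x_B^D, derives
S_i^D from x_dot = 0 in (1)-(2), checks the Proposition 1 signs, and integrates the
bang-bang policy of Section 4.1. All numeric parameter values are constructed.
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Params:
    N: float       # aggregate attack traffic (constant, Case-1)
    r: float       # discount rate
    rho: float     # hackers' learning effect
    gamma: float   # mean hacker preference parameter, in [0, 1]
    L_A: float     # loss per penetration, firm A
    L_B: float     # loss per penetration, firm B
    beta_A: float  # investment efficiency, firm A
    beta_B: float  # investment efficiency, firm B

def _bisect(g, lo, hi, tol=1e-12):
    """Root of an increasing function g on [lo, hi] with g(lo) < 0 < g(hi)."""
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if g(mid) < 0.0 else (lo, mid)
    return 0.5 * (lo + hi)

def singular_level(p, own, x_other):
    """x_own^D solving Eq. (14) (own='A') or Eq. (15) (own='B') for a fixed x_other."""
    L, beta, sign = (p.L_A, p.beta_A, 1.0) if own == "A" else (p.L_B, p.beta_B, -1.0)
    l_A, l_B = p.L_A / (p.L_A + p.L_B), p.L_B / (p.L_A + p.L_B)
    delta = (1.0 - p.gamma) * (l_A - l_B)  # delta as defined below Eq. (3)

    def g(x):  # left-hand side of (14)/(15): -> -inf as x -> 0+, increasing in x
        return (-p.r + beta * L * p.gamma * p.N * x * x
                + beta * p.N * L * (1.0 + sign * delta) / 2.0 * x
                - beta / 2.0 * p.gamma * p.N * L * x * x_other - p.rho / x)

    if g(1.0) <= 0.0:  # a singular level with x <= 1 requires g(1) > 0
        raise ValueError("no singular vulnerability level below 1 (beta*S > rho violated)")
    return _bisect(g, 1e-9, 1.0)

def singular_equilibrium(p, tol=1e-10, iters=500):
    """(x_A^D, x_B^D): joint solution of (14)-(15) by Gauss-Seidel iteration."""
    x_A = x_B = 0.5
    for _ in range(iters):
        x_A_new = singular_level(p, "A", x_B)
        x_B_new = singular_level(p, "B", x_A_new)
        if abs(x_A_new - x_A) < tol and abs(x_B_new - x_B) < tol:
            return x_A_new, x_B_new
        x_A, x_B = x_A_new, x_B_new
    raise RuntimeError("Gauss-Seidel iteration did not converge")

def singular_investment(p, x_A, x_B):
    """(S_A^D, S_B^D) = rho / (beta_i x_i^D): the rate that holds x_i at x_i^D (x_dot = 0)."""
    return p.rho / (p.beta_A * x_A), p.rho / (p.beta_B * x_B)

def proposition1_signs(p, step=0.1):
    """Signs of the change in (x^D, S^D) when one symmetric parameter rises by `step`.

    Proposition 1 predicts L: (-, +), beta: (-, -), rho: (+, +), gamma: (-, +).
    """
    def level(q):
        x, _ = singular_equilibrium(q)
        return x, singular_investment(q, x, x)[0]
    x0, s0 = level(p)
    bumps = {"L": dict(L_A=p.L_A * (1 + step), L_B=p.L_B * (1 + step)),
             "beta": dict(beta_A=p.beta_A * (1 + step), beta_B=p.beta_B * (1 + step)),
             "rho": dict(rho=p.rho * (1 + step)), "gamma": dict(gamma=p.gamma * (1 + step))}
    signs = {}
    for name, kw in bumps.items():
        x1, s1 = level(replace(p, **kw))
        signs[name] = ("+" if x1 > x0 else "-", "+" if s1 > s0 else "-")
    return signs

def simulate_bang_bang(p, a, b, S_max, T=5.0, dt=1e-3, band=1e-3):
    """Euler-integrate (1)-(2) under the Section 4.1 policy: S_max above x^D, 0 below,
    S^D inside a narrow band around x^D. Returns the final (x_A, x_B)."""
    x_D = singular_equilibrium(p)
    S_D = singular_investment(p, *x_D)
    if S_max < max(S_D):
        raise ValueError("S_max must not be below the singular investment rate")

    def policy(x, x_d, s_d):
        return S_max if x > x_d + band else (0.0 if x < x_d - band else s_d)

    x_A, x_B = a, b
    for _ in range(int(round(T / dt))):
        x_A += dt * (-p.beta_A * policy(x_A, x_D[0], S_D[0]) * x_A + p.rho)
        x_B += dt * (-p.beta_B * policy(x_B, x_D[1], S_D[1]) * x_B + p.rho)
    return x_A, x_B

if __name__ == "__main__":
    sym = Params(N=10.0, r=0.1, rho=0.05, gamma=0.5, L_A=1.0, L_B=1.0, beta_A=1.0, beta_B=1.0)
    x_sym = singular_equilibrium(sym)
    print("symmetric x^D, S^D          :", x_sym, singular_investment(sym, *x_sym))
    print("asymmetric (L_A=1.5, L_B=0.5):", singular_equilibrium(replace(sym, L_A=1.5, L_B=0.5)))
    print("Proposition 1 signs         :", proposition1_signs(sym))
    print("bang-bang end state         :", simulate_bang_bang(sym, 0.9, 0.02, S_max=5.0))
```

Two checks are worth running on any parameter set before trusting the output: the returned symmetric level should satisfy (16) to numerical precision, and \( -\beta S^D x^D + \rho \) should be zero, confirming that the singular investment rate exactly offsets hacker learning. The asymmetric call with L_A = 1.5, L_B = 0.5 also previews Section 4.3: the higher-loss firm ends with the lower singular vulnerability.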

Case-2—Time varying attack rate N(t)

When the overall attacking traffic in the whole system varies over time, i.e., N(t) is not a constant, we solve for the firm’s vulnerability x(t) from (16), and then substitute \( \mathop{x}\limits^{ \cdot } (t) \) into (1) to solve for the equilibrium security investment rate S(t). These results are presented below.

$$ \dot{x}(t) = \frac{-\tfrac{1}{2}\beta L x \left( 1 + \gamma x \right) \dot{N}(t)}{\beta N(t) L \gamma x + \rho / x^{2} + \beta N(t) L / 2}, \qquad S(t) = \frac{\rho + \dfrac{\tfrac{1}{2}\beta L x \left( 1 + \gamma x \right) \dot{N}(t)}{\beta N(t) L \gamma x + \rho / x^{2} + \beta N(t) L / 2}}{\beta x} $$

The equilibrium level of vulnerability bears an inverse relationship to attacking traffic, an intuitive outcome. Consequently the firms’ equilibrium security levels rise when the system’s overall attacking traffic is higher, i.e., \( \mathop{x}\limits^{ \cdot } < 0 \) when\( \mathop{N}\limits^{ \cdot } (t) > 0 \).

Our earlier results involving the parametric sensitivities in Proposition 1 remain valid under variable attacking traffic although unlike Case-1, the trajectory of x in the singular region is now time-dependent, no longer a constant. Further, the specificities of the time varying nature of attacking traffic may impact the comparative levels of investments under differentiated decision scenarios—a brief discussion on which is available in the conclusion section. We focus our analysis on the case where the attack rate N(t) is constant in the rest of the paper in order to achieve model tractability.

4.3 Asymmetric duopoly firms

In this section we explore asymmetric firms, firms that have different levels of assets to protect. Our primary goal is to calculate the equilibrium IT security investment of each firm and explore the sensitivity of this equilibrium to key parameters. Although we differentiate firms by the value of information assets they protect, we initially assume they are equally adept at implementing security, i.e., they possess identical security investment efficiency (β). The deliberate assumption of identical β ensures that the calculated parametric sensitivities of the equilibrium levels of investment and vulnerability are not affected by their investment efficiencies. Assuming \( {\beta_1} = {\beta_2} = \beta \) and subtracting (15) from (14), we have, at the equilibrium,

$$ \beta \gamma N\left( {L_A}x_A^2 - {L_B}x_B^2 \right) + \frac{\beta N}{2}\left( {L_A}(1 + \delta ){x_A} - {L_B}(1 - \delta ){x_B} \right) + \frac{\beta \gamma N{x_A}{x_B}}{2}\left( {L_B} - {L_A} \right) + \rho \left( \frac{1}{x_B} - \frac{1}{x_A} \right) = 0 $$
(17)

Subsequently we separately illustrate the effect of the variability of investment efficiency (β) on the equilibrium levels of investment and vulnerability of the firms.

Proposition 2

When both duopoly firms have identical security investment efficiencies (β), the equilibrium vulnerability level of the higher-valued asset firm is less than the vulnerability of the other firm in the singular region.

Proof: See Appendix.

When both the firms have equal level of investment efficiency, their dollar investments become directly comparable. Under this consideration, a firm with higher asset value faces higher loss and must be relatively more careful in its IT security defense. Thus in equilibrium, the higher-valued firm maintains a higher security level compared to the other firm. However, since the hacker’s motivation is driven by not only the value of the asset but also by the level of effort needed to breach a firm, an important question is, “How do duopoly firms readjust their security levels when the hackers’ preference parameter (γ) changes?” The Corollary below answers this question and surprisingly, it depends on the relative difference between the firm’s asset values.

Corollary 2.1

When hackers are increasingly effort-driven (when γ increases), the firm with the lower asset value reduces its equilibrium level of vulnerability, while the firm with the higher asset value (i) increases its equilibrium level of vulnerability and becomes less secure when the value of the asset possessed by the other firm is significantly lower or (ii) decreases its equilibrium level of vulnerability and becomes more secure when the value of the asset possessed by the other firm is not significantly lower.

Proof: See Appendix.

The intuitive explanation of the Corollary is as follows. Proposition 2 says firms with higher-valued assets have greater security. So, as γ increases, hackers are relatively more concerned about the level of effort needed to breach a firm and less about asset value. In other words, with constant β, and increasing γ, the value of an asset begins to lose its relative attractiveness to hackers. Thus there is a reduction in the attacking traffic aimed at the firm with the higher-value information assets. As a result, the firm with lower-value information assets attracts more attacks and must increase its security. Now consider the firm with the higher-value assets. If its asset value is greatly different than the other firm, it will start with a much higher level of information security (by Proposition 2). As γ rises, hackers are increasingly concerned with effort and traffic begins to switch from the higher-valued asset firm to the lower-valued firm—to the easier target. Consequently the higher-valued firm can reduce its investment. However, when the values of the assets at the firms are similar, any increase in γ translates to a corresponding increase in the equilibrium security levels of both firms since both must compete to avoid being the preferred target. In this case as the lower-valued firm raises its security, the similar, higher-valued firm has to respond with better protection. In essence, there is an asymmetrical response for the higher-valued firm depending on the magnitude of the difference in the values of the firms’ information assets.

4.4 Numerical analysis

To investigate the effect of security investment efficiency, β, and hackers’ learning, ρ, on the security investment decisions of asymmetrical firms, we must turn to numerical analysis. We start by defining a set of baseline values for the model’s parameters and proceed by running numerical experiments altering the parameter of interest. The initial baseline values are:

$$ {\beta_A} = {\beta_B} = \beta = 1,\quad N(t) = 1,\quad {L_A} = 100,\quad {L_B} = 300,\quad \rho = 0.6,\quad \gamma = 0.5,\quad \text{and}\quad r = 0.1 $$

4.4.1 Effect of investment efficiency on equilibrium security investment

First we study the impact of the security investment efficiency, β, on the IT security of two asymmetric firms. We use the baseline value for all the parameters except β, which varies from 1 to 10 for both firms simultaneously. The results of the experiment, shown in Figs. 1a and b, are consistent with our analysis in the symmetric case.

Fig. 1

(a) The impact of investment efficiency (β) on the security investment levels of firms. (b) The impact of investment efficiency (β) on the vulnerability levels of firms.

Firm B faces a higher loss from a breach (\( L_B > L_A \)) and invests at a higher rate in the singular region to ensure a lower vulnerability in equilibrium than firm A. Thus \( S_A < S_B \) holds for all β. In addition, any increase in the security investment efficiency β reduces the investment of both firms. These results mirror the symmetric case. However, in the asymmetric case we find an important dilution effect in the difference between the investments and vulnerabilities of the firms as β increases. That is, an increase in β decreases the difference between the firms’ equilibrium levels of vulnerability and security investment. Figures 1a and b illustrate this effect as the lines converge in both figures. As efficiency improves, every dollar spent on IT security investment contributes more to reducing vulnerability; so the differences in security investments or vulnerability levels between the firms diminish. Intuitively, consider the limit where β → ∞. At β → ∞, negligible investment by either firm ensures complete immunity, and therefore the impact of the magnitude of assets on the equilibrium vulnerability and investment levels becomes trivial.

4.4.2 Impact of hackers’ learning effect on equilibrium security

To explore the impact of hackers’ learning we return to the baseline values for all model parameters except for ρ, which varies from 0.1 to 0.9. The resulting security investment and vulnerability levels are shown in Figs. 2a and b. The effect of hacker learning, ρ, on equilibrium vulnerability and investment level is opposite to that of the investment efficiency β; as hackers learn, vulnerability and security investment rise, and the higher-valued firm invests more and is more secure. In addition, the firm with higher-value assets faces a higher expected loss for the same additional increase in vulnerability due to hackers’ learning effect and reacts with more security investment. Thus, an increase in ρ yields a divergence of the firms’ investment levels (Fig. 2a). As a result, the equilibrium vulnerability level of the firm with higher asset value increases more slowly, leading to a divergence of the two firms’ vulnerability levels when ρ increases (as shown in Fig. 2b).

Fig. 2

(a) The impact of hackers’ learning effect (ρ) on the security investment levels of firms. (b) The impact of hackers’ learning effect (ρ) on the vulnerability levels of firms.

4.4.3 Combined effect of investment efficiency and hacker preference on security

Numerical analysis also allows us to further explore the combined effect of multiple parameter changes. First, we consider the combined effect of investment efficiency and hackers’ preference on equilibrium security investment and vulnerability. Returning to the baseline values in this section, let β = 1, …, 10 and γ = 0.2, 0.5, 0.8, 1.0. We define the security level of a firm as ω (ω = 1 − x), and plot the firms’ security level (ω) against their security investment (S) in equilibrium, which yields Fig. 3. Firms A and B each generate a family of curves. Inside each family, there are 4 distinct curves, one for every level of γ, and each curve has ten points, one for each level of β. The significant observations are:

Fig. 3

Impact of investment efficiency (β) and hackers’ preference (γ) on security

1. An increase in γ (i.e., hackers are more effort driven) shifts firm A’s family of curves up and to the right and firm B’s family down and to the left. As Corollary 2.1 suggests, firm B (the firm with much higher asset value) receives relatively less attacking traffic when γ increases. Since the vulnerability of each firm is conditioned on the proportion of the attacking traffic, a reprieve in traffic intensity now translates to a lower expected loss for firm B. This causes firm B to reduce its investment, which results in a lower equilibrium security level. For example, when γ increases from 0.2 to 1.0 keeping β = 1, firm B’s investment and security levels fall from 11.15 to 10.54, and from 0.946 to 0.943 respectively.

2. A higher asset value at risk induces a higher investment for the same marginal improvements in security. As a result firm B exhibits a flatter investment-security curve in comparison to firm A.

3. When β increases, each firm is able to achieve a higher level of security at an even lower level of investment. For example, at γ = 1, when β changes from 1 to 2, firm A’s investment decreases from 5.81 to 4.04, yet its security level rises from 0.897 to 0.93.

4. The dilution effect of increasing β on the differential security levels of the firms is evident. When γ = 0.2, the difference of security levels \( \left( (1 - {x_B}) - (1 - {x_A}) \right) \) between firms B and A is (0.946 − 0.862) = 0.084 at β = 1. However, the difference in security levels is reduced to (0.96 − 0.90) = 0.06 when β increases to 2. Visually the two families of curves converge as β increases. Note that each curve, irrespective of the family to which it belongs, tends to converge at (0, 1) when β increases. This can be explained by the fact that an infinitesimally small investment could achieve theoretically complete system security for a firm irrespective of the preference parameter γ of the hackers, when β → ∞.

5. Finally, firm B’s curves become steeper when γ increases (Fig. 3), indicating that with reduced intensity of attacking traffic, firm B can reduce its security level with great savings in security investment. A similar argument explains why the opposite happens to firm A with lower value assets. To put it differently, as γ increases while β remains constant, the family of curves for the firm with lower asset value becomes flatter and those of the higher-valued firm get steeper, causing the converging effect in Fig. 3. For instance, at β = 1, when the hackers become more effort driven (γ changes from 0.2 to 1.0), the differences between firms B and A in security level and investment fall from 0.084 and 6.8 to 0.04 and 3.73 respectively.

4.4.4 Combined effect of hackers’ preference parameter and hackers’ learning on security

To explore the combination of hackers’ preference and learning on security investment and security levels, we vary the value of the preference parameter as before γ = 0.2, 0.5, 0.8, 1.0 and let hackers’ learning vary as \( \rho = 0.1,\;0.2, \cdots, \;0.9 \). Again, the results, as shown in Fig. 4, are consistent with those in the symmetric case and the effects of learning are intuitively consistent with β in Fig. 3.

Fig. 4

Impact of hackers’ preference (γ) and learning effect (ρ) on firms’ equilibrium security

Hackers’ preference, γ, plays a similar role, shifting the family of curves towards each other, and the general similarity between Figs. 3 and 4 reflects similar effects of β and ρ on the firms’ security and investment levels, albeit in the opposite direction. In other words, we see a divergence of the curves from (0, 1) as ρ increases. The rationale for this divergence comes from Eqs. (1) and (2). They suggest that an increase in ρ directly affects the vulnerability levels of both firms, and since greater vulnerability translates into higher expected losses, both firms increase their investment in security. As in Fig. 3, the family of curves for firm B in Fig. 4 is comparatively flatter (a per unit change in investment brings a smaller change in security) because the higher-valued firm maintains a higher security level and thus the marginal return of security investment in improving its security level is lower compared to the lower-valued firm.

4.4.5 Combined effect of relative asset values and hacker preference on security

As shown in Corollary 2.1, the relative value of the information assets possessed by asymmetric firms has strategic impacts on their IT security investment decisions. Figure 5a and b further illustrate how the difference in asset values affects the firms’ security levels as the hackers’ preference parameter γ increases. When the asset values of firms are widely different (Fig. 5a), the firm with the higher asset value increases its vulnerability level at equilibrium. In Fig. 5b, when the magnitudes of the asset values of the firms are similar, both firms competitively decrease their vulnerability levels as γ increases.Footnote 8

Fig. 5

(a) Vulnerabilities change in opposite directions. (b) Vulnerabilities change in the same direction.

5 The equilibrium trajectories in duopoly—The centralized case

Now consider the equilibrium rates of security and investments of duopoly firms when a central planner makes a centralized investment decision for the firms. The central planner’s objective is to derive a security investment rate for each firm that minimizes the overall security cost of the duopoly system. The objective function of the central planner is:

$$ Max\left\{ \int_0^{\infty } \left( - \frac{N(t)}{2}\left( 1 + \gamma \left( {x_A} - {x_B} \right) + \delta \right){x_A}{L_A} - {S_A}(t) - \frac{N(t)}{2}\left( 1 + \gamma \left( {x_B} - {x_A} \right) - \delta \right){x_B}{L_B} - {S_B}(t) \right){e^{ - rt}}dt \right\} $$

The current-value Hamiltonian of the central planner is

$$ \begin{aligned} {H_C} = {} & - \frac{N(t)}{2}\left( 1 + \gamma \left( {x_A} - {x_B} \right) + \delta \right){x_A}{L_A} \\ & - \frac{N(t)}{2}\left( 1 + \gamma \left( {x_B} - {x_A} \right) - \delta \right){x_B}{L_B} - {S_A} - {S_B} \\ & + {\lambda_{CA}}\left( - {\beta_A}{S_A}{x_A} + \rho \right) + {\lambda_{CB}}\left( - {\beta_B}{S_B}{x_B} + \rho \right) \end{aligned} $$

where \( \lambda_{CA} \) (\( \lambda_{CB} \)) represents the change in the discounted return to the central planner for a unit change in \( x_A \) (\( x_B \)) since time t. The Hamiltonian of the central planner is linear in the control variables (\( S_A \) and \( S_B \)) and once again we have a bang-bang and singular solution form for \( S_A \) and \( S_B \). Like the decentralized case, we can obtain the following two equations for the singular region in the centralized case.

$$ - r + {\beta_A}{L_A}\gamma Nx_A^2 + \frac{{N{\beta_A}{L_A}\left( {1 + \delta } \right)}}{2}{x_A} - \frac{{N\gamma {\beta_A}\left( {{L_A} + {L_B}} \right)}}{2}{x_A}{x_B} - \frac{\rho }{{{x_A}}} = 0 $$
(18)
$$ - r + {\beta_B}{L_B}\gamma Nx_B^2 + \frac{{N{\beta_B}{L_B}\left( {1 - \delta } \right)}}{2}{x_B} - \frac{{N\gamma {\beta_B}\left( {{L_A} + {L_B}} \right)}}{2}{x_A}{x_B} - \frac{\rho }{{{x_B}}} = 0 $$
(19)

Firm A’s (B’s) vulnerability level in the singular region of the centralized case, \( x_A^C \) (\( x_B^C \)), where the superscript C stands for the centralized case, can be obtained by solving Eqs. (18) and (19) simultaneously. As we have mentioned earlier, it is hard to derive a closed-form solution for \( x_A^C \) and \( x_B^C \) from (18) and (19), but analytical solutions are possible with additional restrictions, so we initially impose symmetric conditions on the firms and later examine asymmetric firms numerically.

5.1 Symmetric duopoly firms

Consider two symmetric firms, \( L_A = L_B = L \), \( \beta_A = \beta_B = \beta \) and hence δ = 0. One goal is to compare the investments of the firms under decentralized and centralized considerations. Imposing symmetric conditions on the system of Eqs. (18) and (19) yields the centralized equilibrium vulnerability level \( x_A^C = x_B^C = {x^C} \), which is a solution of the equation below.

$$ \frac{\rho }{x} + r - \frac{{N\beta L}}{2}x = 0 $$
(20)

Comparing Eqs. (20) with (16) yields the following proposition:

Proposition 3

Under centralized considerations, symmetric firms maintain a lower security level and a lower rate of security investment compared to firms that make such decisions independently.

Proof: See Appendix.

The above proposition suggests that firms over-invest when they make independent decisions on their IT security investment. In the absence of competition, firms do not try to gain a security edge on the other player through over-investment in security. Solving Eq. (20), we have \( {x^C} = \frac{r + \sqrt{{r^2} + 2\rho \beta NL}}{\beta NL} \) when it holds that \( 2(\rho + r) < \beta NL \). Let \( S^C \) denote the security investment at each symmetric firm in the centralized case. Facing a constant rate of attack N(t), each firm now invests \( {S^C} = \rho /(\beta {x^C}) \).

5.1.1 A coordination scheme for the symmetric firms

The centralized solution yields overall savings in IT security. Consequently, it is desirable for firms to cooperate. One way to achieve coordination is to impose a payout structure reflecting the security level of each firm. An appropriate payout can correct the over investment problem of the apparently competing defense in IT security.

Consider a scheme in which firm A provides firm B a payment \( {\varphi_A}({x_A}) \), which is a function of firm A’s vulnerability level, and firm B transfers \( {\varphi_B}({x_B}) \) to firm A, again a function of firm B’s vulnerability level. The objective functions of Firms A and B are now rewritten as:

$$ \mathop{{Max}}\limits_{{{S_A}}} \{ \int_0^{\infty } {( - \frac{{N(t)}}{2}} (1 + \gamma ({x_A} - {x_B}) + \delta ){x_A}{L_A} - {S_A}(t) - {\varphi_A}({x_A}) + {\varphi_B}({x_B})){e^{{ - rt}}}dt\} $$
(21)
$$ \mathop{{Max}}\limits_{{{S_B}}} \{ \int_0^{\infty } {( - \frac{{N(t)}}{2}} (1 + \gamma ({x_B} - {x_A}) - \delta ){x_B}{L_B} - {S_B}(t) - {\varphi_B}({x_B}) + {\varphi_A}({x_A})){e^{{ - rt}}}dt\} $$
(22)

The current-value Hamiltonians are

$$ {H_A} = - \frac{N}{2}(1 + \gamma ({x_A} - {x_B}) + \delta ){x_A}{L_A} - {S_A} - {\varphi_A}({x_A}) + {\varphi_B}({x_B}) + {\lambda_{{AA}}}( - {\beta_A}{S_A}{x_A} + \rho ) + {\lambda_{{AB}}}( - {\beta_B}{S_B}{x_B} + \rho ) $$
(23)
$$ {H_B} = - \frac{N}{2}(1 + \gamma ({x_B} - {x_A}) - \delta ){x_B}{L_B} - {S_B} - {\varphi_B}({x_B}) + {\varphi_A}({x_A}) + {\lambda_{{BA}}}( - {\beta_A}{S_A}{x_A} + \rho ) + {\lambda_{{BB}}}( - {\beta_B}{S_B}{x_B} + \rho ) $$
(24)

Again, we have similar bang-bang solution forms as before and the following equations describe the singular region solutions.

$$ - r + {\beta_A}{L_A}\gamma N{x_A}^2 + \frac{{{\beta_A}N{L_A}(1 + \delta )}}{2}{x_A} - \frac{{{\beta_A}}}{2}\gamma N{L_A}{x_A}{x_B} + {\beta_A}{x_A}\frac{{\partial {\varphi_A}}}{{\partial {x_A}}} - \frac{\rho }{{{x_A}}} = 0 $$
(25)
$$ - r + {\beta_B}{L_B}\gamma N{x_B}^2 + \frac{{{\beta_B}N{L_B}(1 - \delta )}}{2}{x_B} - \frac{{{\beta_B}}}{2}\gamma N{L_B}{x_A}{x_B} + {\beta_B}{x_B}\frac{{\partial {\varphi_B}}}{{\partial {x_B}}} - \frac{\rho }{{{x_B}}} = 0 $$
(26)

In the symmetric case, \( \beta_A = \beta_B = \beta \), \( L_A = L_B = L \), and \( x_A = x_B = x \). Thus, the above equations simplify to

$$ \beta x\frac{\partial \varphi }{\partial x} + \frac{1}{2}\beta NL\gamma {x^2} + \frac{1}{2}\beta NLx - r - \frac{\rho }{x} = 0 $$
(27)

Using (20), we have

$$ \beta \,x\frac{{\partial \varphi }}{{\partial x}} + \frac{1}{2}\beta NL\gamma {x^2} = 0 $$
(28)

Solution of the above differential equation yields \( \varphi (x) = - \frac{NL\gamma }{4}{x^2} + {C_0} \).

Since \( x \in [0,\,1] \), we choose \( {C_0} = \frac{NL\gamma }{4} \), and the payment transfer is \( \varphi (x) = \frac{NL\gamma }{4}(1 - {x^2}) \).

The objective functions of the Firms in the symmetric case can thus be rewritten as:

$$ Max\{ \int_0^{\infty } ( - \frac{N(t)}{2}(1 + \gamma ({x_A} - {x_B})){x_A}L - {S_A}(t) - \frac{NL\gamma }{4}(1 - x_A^2) + \frac{NL\gamma }{4}(1 - x_B^2)){e^{ - rt}}dt\} $$
(29)
$$ Max\{ \int_0^{\infty } {( - \frac{{N(t)}}{2}} (1 + \gamma ({x_B} - {x_A})){x_B}L - {S_B}(t) - \frac{{NL\gamma }}{4}(1 - x_B^2) + \frac{{NL\gamma }}{4}(1 - x_A^2)){e^{{ - rt}}}dt\} $$
(30)

When the firms solve the above rewritten objective functions, the equilibrium of the decentralized differential game achieves the centralized results. In other words, the firms are able to avoid overinvestment in IT security once they implement the above compensation scheme. Importantly, note that Firm A’s (B’s) compensation to firm B (A) is a function of firm A’s (B’s) own vulnerability level, which does not get communicated to firm B (A). When the Nash equilibrium is reached, the outgoing and incoming payments at each firm cancel out and the social optimum solution is achieved. Implementation of such a payment scheme, however, may require inspection of the vulnerability levels of each firm, which can be accomplished by a mutually agreed independent agency.
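As an added worked example (not the paper’s own code), the following Python computes the symmetric singular-region equilibria of Section 5.1 and checks the coordination scheme of Section 5.1.1 at the baseline values β = 1, N = 1, L = 100, ρ = 0.6, r = 0.1, γ = 0.5. It assumes that the decentralized symmetric condition, Eq. (16), is Eq. (27) with the transfer term removed, which is what Eq. (25) gives under symmetry with φ = 0; Eq. (16) itself is not reproduced on this page.

```python
"""
Symmetric duopoly, singular-region equilibria of the differential game in
Sections 4-5 (added example; not the paper's own code).

Notation follows the paper: x is vulnerability, S the investment rate,
beta the investment efficiency, N the (constant, Case-1) attack rate, L the
loss from a breach, rho the hackers' learning effect, r the discount rate,
gamma the hackers' preference parameter.  ASSUMPTION: the decentralized
symmetric condition Eq. (16) is Eq. (27) with the transfer term dropped.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    beta: float = 1.0    # investment efficiency
    N: float = 1.0       # attack rate N(t), held constant
    L: float = 100.0     # loss from a breach (L_A = L_B = L)
    rho: float = 0.6     # hackers' learning effect
    r: float = 0.1       # discount rate
    gamma: float = 0.5   # hackers' preference parameter


def foc_centralized(x: float, p: Params) -> float:
    """Left-hand side of Eq. (20): rho/x + r - (N beta L / 2) x."""
    return p.rho / x + p.r - p.N * p.beta * p.L * x / 2


def centralized_vulnerability(p: Params) -> float:
    """Closed-form root of Eq. (20): x^C = (r + sqrt(r^2 + 2 rho beta N L)) / (beta N L).
    Section 5.1 requires 2(rho + r) < beta N L for x^C < 1."""
    if not 2 * (p.rho + p.r) < p.beta * p.N * p.L:
        raise ValueError("singular-region solution requires 2(rho + r) < beta*N*L")
    bnl = p.beta * p.N * p.L
    return (p.r + math.sqrt(p.r ** 2 + 2 * p.rho * bnl)) / bnl


def transfer_payment_slope(x: float, p: Params) -> float:
    """d(phi)/dx for the transfer phi(x) = N L gamma / 4 * (1 - x^2) of Section 5.1.1."""
    return -p.N * p.L * p.gamma * x / 2


def foc_decentralized(x: float, p: Params, with_transfer: bool = False) -> float:
    """Left-hand side of Eq. (27):
    beta x phi'(x) + (1/2) beta N L gamma x^2 + (1/2) beta N L x - r - rho/x.
    with_transfer=False drops the phi term (assumed Eq. (16), competing defense)."""
    phi_term = p.beta * x * transfer_payment_slope(x, p) if with_transfer else 0.0
    return (phi_term + 0.5 * p.beta * p.N * p.L * p.gamma * x ** 2
            + 0.5 * p.beta * p.N * p.L * x - p.r - p.rho / x)


def decentralized_vulnerability(p: Params, tol: float = 1e-12) -> float:
    """Root of the competing-defense condition on (0, 1) by bisection.
    Every term of foc_decentralized is increasing in x, so the root is unique."""
    lo, hi = 1e-9, 1.0
    if foc_decentralized(hi, p) < 0:
        raise ValueError("no singular-region root in (0, 1)")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if foc_decentralized(mid, p) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def singular_investment(x: float, p: Params) -> float:
    """On the singular arc x_dot = -beta S x + rho = 0, hence S = rho / (beta x)."""
    return p.rho / (p.beta * x)


def compare_regimes(p: Params = Params()) -> dict:
    """Centralized vs decentralized equilibria, plus the coordination-scheme check."""
    xC = centralized_vulnerability(p)
    xD = decentralized_vulnerability(p)
    return {
        "x_C": xC, "S_C": singular_investment(xC, p),
        "x_D": xD, "S_D": singular_investment(xD, p),
        # Proposition 3: competing firms are more secure (x_D < x_C) and invest more.
        "overinvestment": singular_investment(xD, p) - singular_investment(xC, p),
        "proposition_3_holds": xD < xC,
        # Section 5.1.1: with phi in place, Eq. (27) is satisfied at x^C, so the
        # decentralized game reproduces the centralized outcome.
        "coordination_residual": foc_decentralized(xC, p, with_transfer=True),
    }


if __name__ == "__main__":
    for key, val in compare_regimes().items():
        print(f"{key:22s} {val}")
```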

5.2 Asymmetric duopoly firms

As stated previously, the centralized solutions for asymmetric duopoly firms are not possible in analytically closed form. However, before we present the results of our numerical experiments, it is appropriate to confirm that the relative levels of these firms’ equilibrium investments and securities bear similar relationships in both centralized and decentralized solutions.

Proposition 4

When decisions on IT security investments are made in a centralized fashion, the equilibrium vulnerability level of the firm with higher asset value is lower than the other firm in the singular region, provided both firms have identical security investment efficiencies (β).

Proof: See Appendix.

As in the decentralized case with identical investment efficiencies (Proposition 2) the firm with higher-value assets is more secure.

The numerical experiments use the baseline values of the decentralized case, \( \beta_A = \beta_B = 1 \), N(t) = 1, \( L_A = 100 \), \( L_B = 300 \), ρ = 0.6, and r = 0.1. This allows us to compare the equilibrium levels of security and investment of the firms under centralized and decentralized solutions. The trajectories of the vulnerability and investment rates of firms A and B in the centralized case, and also the dilution and spreading out effects, are quite similar to those in the decentralized case (Section 4.4), and are not repeated here.

Figures 6, 7, and 8 compare the centralized and decentralized regimes. Each firm maintains a lower level of security under the centralized solution compared to the decentralized solution (i.e., \( x_A^D < x_A^C \), and \( x_B^D < x_B^C \)) as shown in Fig. 6. However, the differences in equilibrium vulnerability decrease with β and increase with ρ. Under both decentralized and centralized solutions, the firm reduces its vulnerability in equilibrium when β increases, since every dollar investment now translates into better security controls. However, the difference in firms’ vulnerability levels declines and the curves converge as β increases. When ρ increases, the firm’s vulnerability level at equilibrium is higher under both decentralized and centralized solutions, and the difference between these elevated levels of vulnerabilities also rises causing the curves to diverge (Fig. 6).Footnote 9 Recall how the magnitude of the difference in asset value between firms affected the equilibrium level of vulnerability in the decentralized solution.

Fig. 6

Lower vulnerability in competing defense (competitive overinvestment)

Fig. 7

Firms’ vulnerability levels in the centralized case

Fig. 8

Highly effort-driven hackers bring more reduction in the security levels of the defending firms

Higher-value asset holding firms actually altered their security investment strategy depending on the degree of difference in asset value when the hackers become more effort-driven (Figs. 5a and b). In the centralized system this does not occur; both firms remain consistent in their investment strategy and, irrespective of their relative asset values, the vulnerability of the firm with the higher (lower) asset value increases (decreases) as γ increases (Fig. 7).

Further comparison of the data of Figs. 5a and b with that of Fig. 7 confirms that the difference in vulnerability between the centralized and decentralized solutions for either firm, irrespective of their relative asset values, is always higher when γ is higher. In addition, for a particular γ, the difference in firms’ vulnerability levels is higher in the centralized case, i.e., \( x_A^D - x_B^D < x_A^C - x_B^C \). This indicates that the central planner keeps the lower-valued firm at a higher vulnerability level compared to the other firm in the centralized case in order to relieve the intensity of attacking traffic at the higher-valued firm.

Figure 8 depicts how the parameters β, ρ, and γ together impact the difference in equilibrium vulnerability between the centralized and decentralized solutions. As β rises (firms become more efficient in their security investments) the difference in vulnerability between the centralized and decentralized cases declines (left panel in Fig. 8). As γ increases (hackers become more effort driven) the difference in vulnerability grows and as ρ rises (hackers learn more about the firms’ vulnerabilities) the difference between the centralized and decentralized systems also increases (right panel in Fig. 8).

5.3 Total cost of the IT security programs of the firms

Finally, we use numerical analysis to explore the economic consequences of collaboration or coordination between the firms’ IT security programs. Let \( C_i^T \) denote the Total Security Cost of firm i, \( i \in \{ A,B\} \), which is the sum of the firm’s security investment and its expected loss from breaches. From a central planner’s perspective, a collaborative or coordinated security arrangement appears desirable (Figs. 9a, b) since the value of \( \left( {C_A^T + C_B^T} \right) \) is smaller in the centralized case. Released from competitive pressures, firms in the centralized case do not overprotect their assets.

Fig. 9

(a) Cost savings (ρ varies). (b) Cost savings (β varies).

However, the gain in the centralized solution varies with the firms’ investment efficiency, β, the hackers’ ability to learn over time, ρ, and the hackers’ preference parameter, γ. First, higher β reduces the overall gain in collaboration; as firms become more efficient in their IT security investments, the real dollars spent in their IT security programs fall, and the gain of centralization declines (Fig. 9b). Second, a higher ρ increases the overall gain from collaboration since any rise in ρ works against the efficacy of a firm’s investment in IT security, requiring an even higher level of investment to achieve a similar level of security. Thus each individual firm’s IT security cost rises proportionally, and the numerical difference rises as well (Fig. 9a).

Finally, as shown in Figs. 9a and b, when hackers are more value-driven (lower γ), the overall gain from collaboration is lower than when hackers are more effort-driven (higher γ). In the centralized case, when hackers are more effort-driven, the strategy of the firm with the lower asset value (relaxing its own perimeter security by reducing its security investment) attracts a larger volume of attacking traffic and the overall cost \( \left( {C_A^T + C_B^T} \right) \) falls. However, when hackers are driven by the value of the assets (lower γ), the above strategy of the smaller firm has a smaller impact and the overall savings \( \left( {C_A^T + C_B^T} \right) \) achieved by centralization is less.

At all levels of γ, ρ, and β, the centralized solution promises an overall savings in the Total Security Cost. However, whether an individual firm prefers the centralized IT security decision depends on its own security cost. If a firm sees a reduction in its own cost (\( C_i^T \)), then it is rational for the firm to collaborate; otherwise, the firm is better off managing its own IT security. Thus, we separately calculate the differences in each firm’s total security cost as they move from decentralized to centralized IT defense.

In a centralized system the firm with the lower asset value can be a sacrificial lamb to supplement the other firm’s IT security effort. Since the firm with higher asset value is a natural priority in a central planner’s decision on security investment, diverting attacking traffic to the less valuable firm makes sense. But, the firm with the lower asset value, firm A here, is worse off while firm B is better off (Figs. 10 and 11). As explained earlier, the differential gains or losses of the individual firms from collaboration are attenuated when investment efficiency β increases (Fig. 11), or are amplified when the hackers’ learning effect ρ increases (Fig. 10). When the hackers are increasingly effort-driven (i.e., γ increases), the firm with the lower asset value is increasingly likely to be used by the central planner as a diversion to steer the attacking traffic away from the more valuable firm.

Fig. 10

Firms’ gains or losses in the centralized case

Fig. 11

Firms’ gains/losses from collaboration

Although the additional traffic increases the expected loss of the firm with the lower asset value, the firm with the higher asset value no longer needs to maintain as much security and invest heavily, so overall security costs in the duopoly system decline.

Figures 10 and 11 illustrate that the firm with the lower asset value has no motivation to collaborate. In addition, it can be shown that a payment transfer scheme, like the one that we have proposed in the symmetric case (Section 5.1), fails to coordinate the asymmetric firms’ investments in IT security.Footnote 10 However, the firm with the higher asset value can take the lead and propose to share its benefits from coordination, should the other firm commit to collaborate in IT security defense. Suppose that the firm with the higher asset value stands to gain g and the firm with the lower asset value stands to lose l from collaboration. The firms could then sign a binding contract stating:

1. Both firms maintain their security levels at the socially optimal level.

2. The firm with higher asset value transfers an amount of \( \tfrac{1}{2}(g + l) \) to the other firm.Footnote 11

3. If a firm deviates, the other firm imposes an extremely high penalty M > 0 on the deviating firm.

Note that the above scheme achieves equilibrium by imposing a large deviation penalty M on the deviating firm. A more sophisticated coordination scheme (similar to the one proposed earlier for symmetric firms) could be conceived in which no externally imposed penalty is needed, but in the absence of analytical solutions for the asymmetric case, a coordination scheme that does not require external penalty measures is difficult to define.
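Worked through with the section’s own symbols (this derivation is added here and is not part of the original paper), the transfer in step 2 splits the collaboration surplus evenly between the two firms. Writing g for the higher-value firm’s gross gain and l for the lower-value firm’s gross loss from maintaining the socially optimal security levels:

$$\text{Net gain of the higher-value firm} = g - \tfrac{1}{2}(g + l) = \tfrac{1}{2}(g - l),$$

$$\text{Net gain of the lower-value firm} = -\,l + \tfrac{1}{2}(g + l) = \tfrac{1}{2}(g - l).$$

Both firms are therefore strictly better off under the contract if and only if $g > l$, which is exactly the condition that centralized security effort yields a positive net saving for the duopoly as a whole. The penalty $M$ in step 3 only has to exceed whatever a firm could capture by unilaterally deviating from the socially optimal level; because the asymmetric case has no closed-form solution, the contract fixes $M$ as a large exogenous value rather than deriving it from the firms’ deviation payoffs.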

6 Conclusion and future research directions

We study IT security competition arising between firms that possess similar types of information assets. Such firms have an incentive to deflect hackers towards other firms by strategically raising their own security levels. We model this one-upmanship strategy for a duopoly, in continuous time, using a differential game. The results show: (i) this competitive strategy leads firms to overinvest in IT securityFootnote 12; (ii) a centralized or collaborative security effort can lead to savings across the industry, but (iii) such collaboration requires the presence of appropriate incentives to achieve cooperation among the firms. These basic findings are bolstered by a host of results showing how the level of overinvestment, the vulnerability of firms’ IT assets, and the potential savings from collaboration are affected by the firm’s proficiency at turning security investments into actual security, the rate at which hackers learn about a firm’s security measures, and hacker preferences between rich, well-protected targets versus less-valuable, but more poorly defended targets.

IT security managers can take away a number of insights from this study. First, firms should identify other businesses holding similar information assets because those firms make up a target set and there is likely a specialized group of criminals who will focus their attacks on that set. Second, cooperation, although not preferred voluntarily by firms, can be achieved through coordination. Consider the prior example of banks and Community Credit Unions (CCUs). The high rate of attacks on community credit unions makes sense given rational, economically motivated criminals. Our findings suggest that (a) the CCU managers should reassess their IT security initiatives and technology controls, and seek to improve their overall IT defense; and (b) the banking industry should reflect that although unintuitive, there is potential gain in seeking collaboration in IT defense with the smaller institutions like the CCUs.

In general, IT managers know that as hackers acquire greater skill, the vulnerability of their IT systems can rise even as they increase their security investments. However, the extent of that increased vulnerability depends on the firm’s proficiency at implementing security investments and on the value of the firm’s assets relative to other firms. The simplest type of hacking knowledge grows most rapidly, and these script-junkies tend to be “effort-driven” hackers who prefer to attack vulnerable targets. This means that lower-asset-value firms need to increase their security investments and raise their level of protection. Higher-asset-value firms must respond as well, but it is the relative value of their assets that determines their optimal response. If they hold assets that are much greater than the lower-value firm’s, they may be able to reduce their overall security investment, even though that may increase their vulnerability to a given attack, because hackers will focus on the firms with greater vulnerability.

To our knowledge, this is the first work that explicitly models competing defense in IT security in a dynamic game framework and in continuous time. Simplifications used to build and analyze the model open avenues for future research. We restricted the model to a duopoly scenario for analytical tractability, which limits our results to a target group of 2 firms. For example, it is not clear how 3 or more firms would invest in a dynamic game of IT security defense on an infinite horizon. The impact of multiple firms in a dynamic game is therefore of interest and could be the focus of future research; we also hope to return to the oligopolistic extension of the current duopoly work ourselves. In addition, we assumed a simple model of hacker learning, but hacker learning could occur in a more complex manner. Overall, it is becoming increasingly apparent that IT security is no longer a simple technical task of keeping one’s own IT systems secure. Security decisions must be made not only in the context of the security strategies used by other similar firms, but also in the context of how hackers react to the various security strategies within a group of target firms.