Abstract
Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.
Notes
Pump and dump is a specific type of information fraud involving publicly traded stocks (http://www.sec.gov/answers/pumpdump.htm).
Reasons for such variation include hackers’ a) imperfect assessment of their own strengths and capabilities, b) differentiated capability to scope a target, and c) perceived valuation of the asset. The perceived value of the challenge in overcoming cyber defense may add further attractiveness for elite/select hackers.
Firm-B exhibits similar behavior and outcomes and we do not repeat the diagrams. Similarly, the investment and vulnerability levels vary inversely, changes in investment levels are intuitively clear, and those diagrams are omitted as well.
That derivation is not presented here but is available from the authors on request.
This ensures that both firms collect the same amount of benefit from collaboration, \( \frac{1}{2}\left( g - l \right) \).
The degree of overspending may depend on the nature of attacking traffic (e.g., a suitably adjusted attacking traffic that simulates periodic zeros in the breach probability). Inductive reasoning, which extends the convergent investments at one of the extremities, yields the insight.
Appendix
1.1 Proof for proposition 1
Proof: In the symmetric case, we can rewrite (14) as
Let \( K = \frac{\beta NL\gamma}{2}x^2 + \frac{\beta NL}{2}x - \frac{\rho}{2} - r \). We have the results of comparative statics as follows.
Since \( S_A = S_B = S = \rho /\left( \beta X \right) \) from (1) and (2), we have \( dS/dx < 0 \). Therefore, it holds that \( dS/dL = \left( dS/dx \right)\left( dx/dL \right) > 0 \), and \( dS/d\gamma = \left( dS/dx \right)\left( dx/d\gamma \right) > 0 \).
1.2 Proof for proposition 2
Proof: We are required to show: if \( L_A < L_B \), then \( x_A > x_B \). We exhibit this by contradiction.
Suppose it holds that if \( L_A < L_B \), then \( x_A < x_B \). Note that, under this situation, \( \delta < 0 \).
Clearly, \( \beta \gamma N\left( {{L_A}x_A^2 - {L_B}x_B^2} \right) < 0 \), \( \frac{{\beta N}}{2}\left( {{L_A}\left( {1 + \delta } \right){x_A} - {L_B}\left( {1 - \delta } \right){x_B}} \right) < 0 \), \( \frac{{\beta \gamma N{x_A}{x_B}}}{2}\left( {{L_B} - {L_A}} \right) > 0 \), \( \rho \left( {\frac{1}{{{x_B}}} - \frac{1}{{{x_A}}}} \right) < 0 \). However, also note that,
Thus, the left-hand side of (17) is negative, which contradicts the fact that Eq. (17) holds.
1.3 Proof for corollary 2.1
Proof: From Eq. (14), we have
Solving (A-1) further, we have
Similarly, from Eq. (15), we have
where \( D_A = 2\gamma x_A + (1 + \delta)/2 - \gamma x_B/2 + \rho /(\beta L_A N x_A^2) \), \( D_B = 2\gamma x_B + (1 - \delta)/2 - \gamma x_A/2 + \rho /(\beta L_B N x_B^2) \).
From (A-2) and (A-3), we have
and
Note that, for \( L_B > L_A \), \( 1 > x_A > x_B > 0 \), and \( -1 < \delta < 0 \). Thus, we have \( D_A > 0 \) and \( D_B > 0 \).
Note that: \( \frac{\rho }{{2\beta {L_A}N{x_A}^2}}\left\{ {(1 - \delta ) - \gamma {x_A}} \right\} > 0 \), \( \frac{{\rho \gamma }}{{\beta {L_B}N{x_B}^2}}\left\{ {2{x_A} - \frac{{{x_B}}}{2}} \right\} > 0 \), \( \frac{\rho }{{\beta {L_B}N{x_B}^2}}\left\{ {\frac{{(1 + \delta )}}{2} + \frac{\rho }{{\beta {L_A}N{x_A}^2}}} \right\} > 0 \), and \( \gamma {x_B}\left[ {\gamma \left( {4{x_A} - {x_B}} \right) + \frac{{2\rho }}{{\beta {L_A}N{x_A}^2}}} \right] > 0 \). Now, we prove \( \Psi (\gamma ) > 0 \) to show \( {D_A}{D_B} - {\gamma^2}{x_A}{x_B}/4 > 0 \).
Let \( \delta = (1 - \gamma)k \), where \( k = \frac{L_A - L_B}{L_A + L_B} < 0 \).
First, see that \( \frac{1}{4} + \frac{3}{4}\gamma x_B \geqslant \frac{1}{4} \) and \( \left\{ \frac{5\gamma (1 - \gamma)\left( x_A^{*} - x_B^{*} \right)}{4} \right\}\theta \geqslant 0 \). Now, let \( P(\gamma) = \left[ \gamma x_A\left( \frac{3}{4} - \gamma x_A \right) \right] - \left\{ \frac{(1 - \gamma)^2}{4} \right\}\theta \).
Since \( 0 \leqslant x_A \leqslant 1 \) and \( 0 \leqslant \theta \leqslant 1 \), we have that
For \( 0 \leqslant \gamma x_A \leqslant 1 \), we thus have: \( P\left( \gamma \right) \geqslant - \frac{5}{4}\left( \gamma x_A - \frac{1}{2} \right)^2 + \frac{1}{16} \geqslant - \frac{1}{4} \)
In other words, \( \Psi \left( \gamma \right) \geqslant \left[ {\left( {\frac{3}{4}\gamma {x_B}} \right)} \right] + \left\{ {\frac{{5\gamma \left( {1 - \gamma } \right)\left( {{x_A}^{*} - {x_B}^{*}} \right)}}{4}} \right\}\theta \geqslant 0 \)
Now that \( \Psi(\gamma) > 0 \), for all \( 0 \leqslant \gamma \leqslant 1 \) and \( L_B > L_A \), the denominators of \( \frac{\partial x_A}{\partial \gamma} \) and \( \frac{\partial x_B}{\partial \gamma} \) satisfy \( 4\left[ D_A D_B - \frac{1}{4}\gamma^2 x_A x_B \right] > 0 \).
The numerator of \( \frac{\partial x_A}{\partial \gamma} \) is \( \begin{array}{l} 2x_A\left( 2\gamma x_B + \frac{1 - \delta}{2} - \frac{\gamma x_A}{2} + \frac{\rho}{\beta L_B N x_B^2} \right)\left( x_B - 2x_A \right) + \gamma x_A x_B\left( x_A - 2x_B \right) \\ = 2x_A\left( \frac{1 - \delta}{2} - \frac{\gamma x_A}{2} + \frac{\rho}{\beta L_B N x_B^2} \right)\left( x_B - 2x_A \right) + 2\gamma x_A x_B\left( x_B - x_A \right) - 5\gamma x_A^2 x_B < 0 \ \text{since } x_A > x_B. \end{array} \)
Thus, we could conclude that \( \frac{\partial x_A}{\partial \gamma} < 0 \).
The numerator of \( \frac{\partial x_B}{\partial \gamma} \) is: \( \begin{array}{l} 2x_B\left( 2\gamma x_A + \frac{1 + \delta}{2} - \frac{\gamma x_B}{2} + \frac{\rho}{\beta L_A N x_A^2} \right)\left( x_A - 2x_B \right) + \gamma x_A x_B\left( x_B - 2x_A \right) \\ = 2x_B\left( \frac{\gamma x_A}{2} + \frac{1 + \delta}{2} - \frac{\gamma x_B}{2} + \frac{\rho}{\beta L_A N x_A^2} \right)\left( x_A - 2x_B \right) + \gamma x_A x_B\left( x_A - 5x_B \right) \end{array} \)
Thus, when \( x_A < 2x_B \), the numerator is negative, and \( \frac{\partial x_B}{\partial \gamma} < 0 \); when \( x_A > 5x_B \), the numerator is positive, and \( \frac{\partial x_B}{\partial \gamma} > 0 \).
1.3.1 Proof for proposition 3
Proof: The equilibrium vulnerability level \( x^D \) is a solution to (16), and the equilibrium vulnerability level \( x^C \) is a solution to (20). Note that (16) and (20) differ only in their right-hand sides. Letting \( \chi (x) = r + \frac{\rho}{x} - \frac{\beta NL}{2}x \), we have \( \chi (x^D) = \frac{\beta NL\gamma}{2}x^D \) and \( \chi (x^C) = 0 \). Since \( \chi '(x) < 0 \) and \( \frac{\beta NL\gamma}{2}x^D > 0 \), we have \( x^D < x^C \). We can further conclude that \( S^D > S^C \).
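The argument of Proposition 3 can be checked numerically. The following is an added example, not code from the paper: it solves the two conditions stated in the proof by bisection on \( (0, 1] \) and reports the gap \( S^D - S^C \). The parameter values are constructed, \( S = \rho/(\beta x) \) is used with the \( X \) of the earlier formula read as \( x \) (an assumption), and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Params:
    beta: float
    N: float
    L: float
    rho: float
    r: float
    gamma: float

# Constructed values for illustration only; they are not taken from the paper.
DEMO = Params(beta=0.5, N=10.0, L=4.0, rho=0.5, r=0.1, gamma=0.5)

def chi(x, p):
    """chi(x) = r + rho/x - (beta*N*L/2)*x, strictly decreasing for x > 0."""
    return p.r + p.rho / x - p.beta * p.N * p.L / 2 * x

def equilibrium_x(p, case, tol=1e-12):
    """Solve chi(x) = rhs(x) on (0, 1]: rhs = (beta*N*L*gamma/2)*x for 'D', 0 for 'C'."""
    if case not in ("D", "C"):
        raise ValueError("case must be 'D' or 'C'")
    def g(x):
        rhs = p.beta * p.N * p.L * p.gamma / 2 * x if case == "D" else 0.0
        return chi(x, p) - rhs  # decreasing in x, so there is at most one root
    lo, hi = 1e-9, 1.0
    if g(hi) > 0:
        raise ValueError("no root in (0, 1] for these parameters")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if g(mid) > 0:
            lo = mid   # root lies to the right of mid
        else:
            hi = mid   # root lies at or to the left of mid
    return (lo + hi) / 2

def investment(x, p):
    """S = rho / (beta * x); assumes the X in the appendix formula is x."""
    return p.rho / (p.beta * x)

def overspend(p):
    """Return (x_D, x_C, S_D - S_C) for one parameter set."""
    x_d = equilibrium_x(p, "D")
    x_c = equilibrium_x(p, "C")
    return x_d, x_c, investment(x_d, p) - investment(x_c, p)

if __name__ == "__main__":
    x_d, x_c, gap = overspend(DEMO)
    print(f"x_D={x_d:.4f}  x_C={x_c:.4f}  S_D-S_C={gap:.4f}")
```

With \( \gamma = 0 \) the two conditions coincide and the gap vanishes, which is the limiting case of the proof's inequality.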
1.3.2 Proof for proposition 4
Proof: Deducting (19) from (18), we have
We prove the statement that “if \( L_A < L_B \), then \( x_A > x_B \)” by using a contradiction argument.
Suppose if \( L_A < L_B \), then \( x_A < x_B \). Obviously, \( \beta \gamma N\left( L_A x_A^2 - L_B x_B^2 \right) < 0 \), \( \frac{N\beta}{2}\left( L_A x_A\left( 1 + \delta \right) - L_B x_B\left( 1 - \delta \right) \right) < 0 \), and \( \rho \left( \frac{1}{x_B} - \frac{1}{x_A} \right) < 0 \), so the left-hand side of (1) is negative, which contradicts the fact that the left-hand side of (1) should equal 0.
Cite this article
Bandyopadhyay, T., Liu, D., Mookerjee, V.S. et al. Dynamic competition in IT security: A differential games approach. Inf Syst Front 16, 643–661 (2014). https://doi.org/10.1007/s10796-012-9373-x
DOI: https://doi.org/10.1007/s10796-012-9373-x