IDEAS home Printed from https://ideas.repec.org/a/gam/jgames/v8y2017i2p23-d99623.html
   My bibliography  Save this article

Security Investment, Hacking, and Information Sharing between Firms and between Hackers

Author

Listed:
  • Kjell Hausken

    (Faculty of Social Sciences, University of Stavanger, 4036 Stavanger, Norway)

Abstract

A four period game between two firms and two hackers is analyzed. The firms first defend and the hackers thereafter attack and share information. Each hacker seeks financial gain, beneficial information exchange, and reputation gain. The two hackers’ attacks and the firms’ defenses are inverse U-shaped in each other. A hacker shifts from attack to information sharing when attack is costly or the firm’s defense is cheap. The two hackers share information, but a second more disadvantaged hacker receives less information, and mixed motives may exist between information sharing and own reputation gain. The second hacker’s attack is deterred by the first hacker’s reputation gain. Increasing information sharing effectiveness causes firms to substitute from defense to information sharing, which also increases in the firms’ unit defense cost, decreases in each firm’s unit cost of own information leakage, and increases in the unit benefit of joint leakage. Increasing interdependence between firms causes more information sharing between hackers caused by larger aggregate attacks, which firms should be conscious about. We consider three corner solutions. First and second, the firms deter disadvantaged hackers. When the second hacker is deterred, the first hacker does not share information. Third, the first hacker shares a maximum amount of information when certain conditions are met. Policy and managerial implications are provided for how firms should defend against hackers with various characteristics.

Suggested Citation

  • Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
  • Handle: RePEc:gam:jgames:v:8:y:2017:i:2:p:23-:d:99623
    as

    Download full text from publisher

    File URL: https://www.mdpi.com/2073-4336/8/2/23/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2073-4336/8/2/23/
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    2. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    3. Gal-Or, Esther, 1985. "Information Sharing in Oligopoly," Econometrica, Econometric Society, vol. 53(2), pages 329-343, March.
    4. Chul Ho Lee & Xianjun Geng & Srinivasan Raghunathan, 2013. "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research, INFORMS, vol. 24(2), pages 295-311, June.
    5. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    6. Hausken, Kjell, 2006. "Income, interdependence, and substitution effects affecting incentives for security investment," Journal of Accounting and Public Policy, Elsevier, vol. 25(6), pages 629-665.
    7. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    8. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    9. Kjell Hausken, 2005. "Production and Conflict Models Versus Rent-Seeking Models," Public Choice, Springer, vol. 123(1), pages 59-93, April.
    10. Hirshleifer, Jack, 1995. "Anarchy and Its Breakdown," Journal of Political Economy, University of Chicago Press, vol. 103(1), pages 26-52, February.
    11. Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010. "Network Security: Vulnerabilities And Disclosure Policy," Journal of Industrial Economics, Wiley Blackwell, vol. 58(4), pages 868-894, December.
    12. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    13. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    14. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    15. Salop, Steven C & Scheffman, David T, 1983. "Raising Rivals' Costs," American Economic Review, American Economic Association, vol. 73(2), pages 267-271, May.
    16. Alison J. Kirby, 1988. "Trade Associations as Information Exchange Mechanisms," RAND Journal of Economics, The RAND Corporation, vol. 19(1), pages 138-146, Spring.
    17. Tyler Moore & Richard Clayton & Ross Anderson, 2009. "The Economics of Online Crime," Journal of Economic Perspectives, American Economic Association, vol. 23(3), pages 3-20, Summer.
    18. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    19. William Novshek & Hugo Sonnenschein, 1982. "Fulfilled Expectations Cournot Duopoly with Information Acquisition and Release," Bell Journal of Economics, The RAND Corporation, vol. 13(1), pages 214-218, Spring.
    20. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    21. Xavier Vives, 1990. "Trade Association Disclosure Rules, Incentives to Share Information, and Welfare," RAND Journal of Economics, The RAND Corporation, vol. 21(3), pages 409-430, Autumn.
    22. Carl Shapiro, 1986. "Exchange of Cost Information in Oligopoly," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 53(3), pages 433-446.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Guizhou Wang & Jonathan W. Welburn & Kjell Hausken, 2020. "A Two-Period Game Theoretic Model of Zero-Day Attacks with Stockpiling," Games, MDPI, vol. 11(4), pages 1-26, December.
    2. Aniruddha Bagchi & Tridib Bandyopadhyay, 2018. "Role of Intelligence Inputs in Defending Against Cyber Warfare and Cyberterrorism," Decision Analysis, INFORMS, vol. 15(3), pages 174-193, September.
    3. Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    4. Rana Alabdan, 2020. "Phishing Attacks Survey: Types, Vectors, and Technical Approaches," Future Internet, MDPI, vol. 12(10), pages 1-37, September.
    5. Iaiani, Matteo & Tugnoli, Alessandro & Macini, Paolo & Cozzani, Valerio, 2021. "Outage and asset damage triggered by malicious manipulation of the control system in process plants," Reliability Engineering and System Safety, Elsevier, vol. 213(C).
    6. Zhiheng Xu & Jun Zhuang, 2019. "A Study on a Sequential One‐Defender‐N‐Attacker Game," Risk Analysis, John Wiley & Sons, vol. 39(6), pages 1414-1432, June.
    7. Ali Pala & Jun Zhuang, 2019. "Information Sharing in Cybersecurity: A Review," Decision Analysis, INFORMS, vol. 16(3), pages 172-196, September.
    8. Lin, Chen & Xiao, Hui & Peng, Rui & Xiang, Yisha, 2021. "Optimal defense-attack strategies between M defenders and N attackers: A method based on cumulative prospect theory," Reliability Engineering and System Safety, Elsevier, vol. 210(C).
    9. Kjell Hausken, 2018. "Formalizing the Precautionary Principle Accounting for Strategic Interaction, Natural Factors, and Technological Factors," Risk Analysis, John Wiley & Sons, vol. 38(10), pages 2055-2072, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Kjell Hausken, 2017. "Information Sharing Among Cyber Hackers in Successive Attacks," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 19(02), pages 1-33, June.
    2. Kjell Hausken, 2018. "Proactivity and Retroactivity of Firms and Information Sharing of Hackers," International Game Theory Review (IGTR), World Scientific Publishing Co. Pte. Ltd., vol. 20(01), pages 1-30, March.
    3. Levitin, Gregory & Hausken, Kjell & Taboada, Heidi A. & Coit, David W., 2012. "Data survivability vs. security in information systems," Reliability Engineering and System Safety, Elsevier, vol. 100(C), pages 19-27.
    4. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    5. Xiaotong Li, 2022. "An evolutionary game‐theoretic analysis of enterprise information security investment based on information sharing platform," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 43(3), pages 595-606, April.
    6. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    7. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    8. Bacchetta, Philippe & Espinosa, Maria Paz, 1995. "Information sharing and tax competition among governments," Journal of International Economics, Elsevier, vol. 39(1-2), pages 103-121, August.
    9. António Brandão & Joana Pinho, 2015. "Asymmetric Information And Exchange Of Information About Product Differentiation," Bulletin of Economic Research, Wiley Blackwell, vol. 67(2), pages 166-185, April.
    10. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    11. Medín, J. Andrés Faíña & Rodríguez, Jesús López & Rodríguez, José López, 2003. "Information Exchanges in Cournot Duopolies," Revista Brasileira de Economia - RBE, EPGE Brazilian School of Economics and Finance - FGV EPGE (Brazil), vol. 57(1), January.
    12. Malueg, David A. & Tsutsui, Shunichi O., 1998. "Distributional assumptions in the theory of oligopoly information exchange1," International Journal of Industrial Organization, Elsevier, vol. 16(6), pages 785-797, November.
    13. Myatt, David P. & Wallace, Chris, 2015. "Cournot competition and the social value of information," Journal of Economic Theory, Elsevier, vol. 158(PB), pages 466-506.
    14. Meilin He & Laura Devine & Jun Zhuang, 2018. "Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 215-225, February.
    15. Duarte Brito & Pedro Pereira & João Vareda, 2016. "Can More Information About Rivals' Costs Decrease Welfare?," Manchester School, University of Manchester, vol. 84(2), pages 251-269, March.
    16. Jin, Jim Y., 1996. "A test for information sharing in Cournot oligopoly," Information Economics and Policy, Elsevier, vol. 8(1), pages 75-86, March.
    17. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    18. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    19. Malueg, David A. & Tsutsui, Shunichi O., 1996. "Duopoly information exchange: The case of unknown slope," International Journal of Industrial Organization, Elsevier, vol. 14(1), pages 119-136.
    20. Hausken, Kjell, 2008. "Strategic defense and attack for series and parallel reliability systems," European Journal of Operational Research, Elsevier, vol. 186(2), pages 856-881, April.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:gam:jgames:v:8:y:2017:i:2:p:23-:d:99623. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: MDPI Indexing Manager (email available below). General contact details of provider: https://www.mdpi.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.