Cybersecurity investments in a two-echelon supply chain with third-party risk propagation

Cybersecurity presents a monumental challenge for interconnected supply chains, as an attack on one node can compromise an entire business. In this paper, we propose a game theory model to investigate cybersecurity investments with third-party risk propagation in a two-echelon supply chain consisting of one retailer and n suppliers. The optimal investments and their responses to relevant security characteristics, such as intrinsic vulnerability, propagation probability, number of suppliers, and attack probability, are analysed and discussed both theoretically and numerically considering one-stage risk propagation. It is found that there are serious prisoners' dilemma and free-riding phenomena in such a scenario. To mitigate third-party risks and improve the investment efficiency, three coordination mechanisms, joint decision, security risk compensation, and security information sharing, are presented and compared numerically. The results indicate that joint decision-making and security risk compensation perform better on stimulating firms' investments and reducing expected costs both individually and collectively relative to security information sharing. Furthermore, the case of two-stage risk propagation is also supplemented and compared with one-stage case. Based on these findings, some management insights are recommended to cybersecurity managers in supply chains for designing more efficient cybersecurity mechanisms and investment strategies.