Published in: Information Systems Frontiers 4/2014

01-09-2014

Dynamic competition in IT security: A differential games approach

Authors: Tridib Bandyopadhyay, Dengpan Liu, Vijay S. Mookerjee, Allen W. Wilhite

Abstract

Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.

Footnotes
1
Pump and dump is a specific type of information fraud involving publicly traded stocks (http://www.sec.gov/answers/pumpdump.htm).
 
3
Reasons for such variation include hackers’ a) imperfect assessment of their own strengths and capabilities, b) differentiated capability to scope a target, and c) perceived valuation of the asset. The perceived value of the challenge in overcoming cyber defense may add further attractiveness for elite/select hackers.
 
8
In Figs. 5a and b, and later in Fig. 7, we use two different sets of values for \( L_A \) and \( L_B \) in order to underscore the above impact.
 
9
Firm-B exhibits similar behavior and outcomes and we do not repeat the diagrams. Similarly, the investment and vulnerability levels vary inversely, changes in investment levels are intuitively clear, and those diagrams are omitted as well.
 
10
That derivation is not presented here but is available from the authors on request.
 
11
This ensures that both firms collect the same amount of benefit from collaboration, \( 1/2\,\left( {g - l} \right) \).
 
12
The degree of overspending may depend on the nature of attacking traffic (e.g., a suitably adjusted attacking traffic that simulates periodic zeros in the breach probability). Inductive reasoning, which extends the convergent investments at one of the extremities, yields the insight.
 
Metadata
Title: Dynamic competition in IT security: A differential games approach
Authors: Tridib Bandyopadhyay, Dengpan Liu, Vijay S. Mookerjee, Allen W. Wilhite
Publication date: 01-09-2014
Publisher: Springer US
Published in: Information Systems Frontiers, Issue 4/2014
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-012-9373-x
