Hackers evaluate potential targets to identify poorly defended firms to attack, creating competition in IT security between firms that possess similar information assets. We utilize a differential game framework to analyze the continuous time IT security investment decisions of firms in such a target group. We derive the steady state equilibrium of the duopolistic differential game, show how implicit competition induces overspending in IT defense, and then demonstrate how such overinvestment can be combated by innovatively managing the otherwise misaligned incentives for coordination. We show that in order to achieve cooperation, the firm with the higher asset value must take the lead and provide appropriate incentives to elicit participation of the other firm. Our analysis indicates that IT security planning should not remain an internal, firm-level decision, but also incorporate the actions of those firms that hackers consider as alternative targets.
- Dynamic competition in IT security: A differential games approach
Vijay S. Mookerjee
Allen W. Wilhite
- Publication date
- Springer US