
Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest

Information Technology and Management

Abstract

Recent supply chain reengineering efforts have focused on integrating firms’ production, inventory and replenishment activities with the help of communication networks. While communication networks and supply chain integration facilitate optimization of traditional supply chain functions, they also exacerbate the information security risk: communication networks propagate security breaches from one firm to another, and supply chain integration causes a breach at one firm to affect other firms in the supply chain. We study the impact of network security vulnerability and supply chain integration on firms’ incentives to invest in information security. We find that even though an increase in either the degree of network vulnerability or the degree of supply chain integration increases the security risk, they have different impacts on firms’ incentives to invest in security. If the degree of supply chain integration is low, then an increase in network vulnerability induces firms to reduce, rather than increase, their security investments. A sufficiently high degree of supply chain integration alters the impact of network vulnerability into one in which firms have an incentive to increase their investments when the network vulnerability is higher. Though an increase in the degree of supply chain integration enhances firms’ incentives to invest in security, private provisioning for security always results in a less than socially optimal security level. A liability mechanism that makes the responsible party partially compensate for the other party’s loss induces each firm to invest at the socially optimal level. If firms choose the degree of integration, in addition to security investment, then firms may choose a higher degree of integration when they decide individually than when they decide jointly, suggesting an even greater security risk to the supply chain.


Notes

  1. Our results do not change qualitatively when there are more than two firms in the supply chain.

  2. We use subscript p for parochial investment decision in which firms minimize their own costs. Later, we use subscript s to indicate investment level when firms jointly minimize the total supply chain cost.

  3. Note that in (6) we have already imposed symmetry in SC integration, i.e. \( \beta_{1} = \beta_{2} = \beta \).

  4. In a 2006 survey of 853 US IT managers, 41% observed that they might not immediately detect a data breach [7].

References

  1. Bourland KE, Powell SG et al (1996) Exploiting timely demand information to reduce inventories. Eur J Oper Res 92:239–253

  2. Cachon PG, Fisher M (2000) Supply chain inventory management and the value of shared information. Manag Sci 46:1032–1048

  3. Camp LJ, Wolfram C (2004) Pricing security. In: Camp LJ, Lewis S (eds) Economics of information security. Kluwer Academic Publishers, MA, pp 17–34

  4. Chen F, Drezner Z, Ryan JK, Simchi-Levi D (2000) Quantifying the bullwhip effect in a supply chain: the impact of forecasting, lead times, and information. Manag Sci 46:436–443

  5. Clark TH, Hammond J (1997) Reengineering channel reordering processes to improve total supply-chain performance. Prod Oper Manag 6(6):248–264

  6. Coase RH (1960) The problem of social cost. J Law Econ 3:1–44

  7. Computer Weekly (2006) Survey: data breaches difficult to spot, prevent. http://www.computerweekly.com/Articles/2006/08/31/218182/survey-data-breaches-difficult-to-spot-prevent.htm

  8. Forrester Research (2001) When to share supply chain secrets. September

  9. Gal-Or E, Ghose A (2005) The economic incentive of sharing information. Inform Syst Res 16(2):186–208

  10. Gavirneni S (2005) Price fluctuations, information sharing, and supply chain performance. Eur J Oper Res 174(3):1651–1663

  11. Gavirneni S, Kapuscinski R, Tayur S (1999) Value of information sharing in a capacitated supply chain. Manag Sci 45:16–24

  12. Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans Inform Syst Secur 5(4):438–457

  13. Gordon LA, Loeb MP, William L (2003) Sharing information on computer system security. J Account Public Policy 22

  14. Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security guide for interconnecting information technology systems. NIST Special Publication 800-47, August

  15. Hausken K (2006) Income, interdependence, and substitution effects affecting incentives for security investment. J Account Public Policy 25(6):629–665

  16. Hausken K (2007) Information sharing among firms and cyber attacks. J Account Public Policy 26(6):639–688

  17. Holmstrom B (1982) Moral hazard in teams. Bell J Econ 13(2):324–340

  18. Kunreuther H, Heal G (2003) Interdependent security. J Risk Uncertain 26(2/3):231–249

  19. Lee HL (2004) The Triple-A supply chain. Harvard Bus Rev October 2004:2–11

  20. Lee HG, Clark T, Tam KY (1999) Research report. Can EDI benefit adopters? Inform Syst Res 10(2):186–195

  21. Lee HL, So KC, Tang CS (2000) The value of information sharing in a two-level supply chain. Manag Sci 46(5):626–643

  22. Li L (2002) Information sharing in a supply chain with horizontal competition. Manag Sci 48(9):1196–1212

  23. Li L, Zhang H (2005) Confidentiality and information sharing in supply chain coordination. http://ssrn.com/abstract=690862

  24. Metters R (1997) Quantifying the bullwhip effect in supply chains. J Oper Manag 15:89–100

  25. Mishra B, Raghunathan S, Yue X (2007) Credible exchange of information in supply chains: incentives for information distortion. IIE Trans 39(9):863–877

  26. Mukhopadhyay T, Kekre S, Kalathur S (1995) Business value of information technology: a study of electronic data interchange. MIS Q 19(2):137–155

  27. Niederman F (1998) The diffusion of electronic data interchange technology. In: Larsen TJ, McGuire E (eds) Information systems innovation and diffusion: issues and directions. Idea Group Publishing, Hershey, pp 141–160

  28. Ogut H, Raghunathan S, Menon N (2005) Cyber insurance and IT security investment: impact of interdependent risk. In: Proceedings of the workshop on the economics of information security, Cambridge, MA, 2–3 June

  29. Pigou AC (1920) The economics of welfare. Macmillan, London

  30. Raghunathan S (2001) Information sharing in a supply chain: a note on its value when the demand is non-stationary. Manag Sci 47:605–610

  31. Raghunathan S, Yeh A (2001) Beyond EDI: impact of continuous replenishment program (CRP) networks between a manufacturer and its retailers. Inform Syst Res 12:406–419

  32. Schoeniger E (2006) The new reality of supply chain security. www.microsoft.com/midsizebusiness/supply-chain-security.mspx

  33. Srinivasan K, Kekre S, Mukhopadhyay T (1994) Impact of electronic data interchange technology on JIT shipments. Manag Sci 40(10):1291–1304

  34. Susarla A, Barua A, Whinston AB (2007) An empirical analysis of complementarity in information integration and inter-organizational coordination. Working Paper, The University of Texas at Austin

  35. Tanaka H, Matsuura K, Sudoh O (2005) Vulnerability and information security investment: an empirical analysis of e-local government in Japan. J Account Public Policy 24(1):37–59

  36. Varian H (2002) System reliability and free riding. Working Paper, The University of California at Berkeley

  37. Varian H (2004) System reliability and free riding. In: Camp LJ, Lewis S (eds) Economics of information security. Kluwer Academic Publishers, MA, pp 1–16

  38. Zhang H (2002) Vertical information exchange in a supply chain with duopoly retailers. Prod Oper Manag 11:531–546


Acknowledgments

We thank the participants of WITS 2004 and UT-Dallas Risk Management Conference 2007 for their helpful comments on earlier versions of this paper.

Corresponding author

Correspondence to Srinivasan Raghunathan.

Appendices

Appendix

See Table 1 (Results for the numerical example).

Proofs for propositions

Proposition 1

Firms’ security investment is decreasing in network vulnerability in an unintegrated supply chain.

Proof The FOC for minimization is given by \( p^{\prime}(c_{p}^{*})\left(1 - qp(c_{p}^{*})\right) + \frac{1}{L} = 0 \). Therefore, \( Sign\left(\frac{\partial c_{p}^{*}}{\partial q}\right) = -Sign\left(\frac{\partial}{\partial q}\left(p^{\prime}(c_{p}^{*})(1 - qp(c_{p}^{*})) + \frac{1}{L}\right)\right) \), which is negative.

Proposition 2

In an unintegrated supply chain, firms invest less when they make investment decisions individually compared to when they make decisions jointly and the difference in the investments increases as q increases.

Proof The FOC for minimization when firms decide investments jointly is given by \( p^{\prime}(c_{s}^{*})\left(1 + q\left(1 - 2p(c_{s}^{*})\right)\right) + \frac{1}{L} = 0 \). Therefore, \( Sign\left(\frac{\partial c_{s}^{*}}{\partial q}\right) = -Sign\left(\frac{\partial}{\partial q}\left(p^{\prime}(c_{s}^{*})(1 + q(1 - 2p(c_{s}^{*}))) + \frac{1}{L}\right)\right) \), which is positive. From Proposition 1, we know that \( Sign\left(\frac{\partial c_{p}^{*}}{\partial q}\right) \) is negative. The proposition follows from these results.

Proposition 3

(i) Firms’ security investment is increasing in the network vulnerability in a tightly-integrated supply chain, and (ii) firms’ security investment is decreasing in the network vulnerability in a loosely-integrated supply chain.

Proof The FOC for minimization is given by \( p^{\prime}(c_{p}^{*})\left(1 + q\left(\beta - (1 + \beta)p(c_{p}^{*})\right)\right) + \frac{1}{L} = 0 \). Following the same line of reasoning as in the proofs for Proposition 1 and Proposition 2, \( Sign\left(\frac{\partial c_{p}^{*}}{\partial q}\right) \) is positive iff \( \beta > \frac{p(c_{p}^{*})}{1 - p(c_{p}^{*})} \).

Proposition 4

In a loosely-coupled supply chain, firms invest less when they make investment decisions individually compared to when they make decisions jointly.

Proof The proof is similar to that of Proposition 2 and hence omitted.

Proposition 5

The liability mechanism with \( A_{1} = \beta L \) and \( A_{2} = (1 + \beta)(1 - p(c_{s}^{*}))L \) coordinates the supply chain.

Proof Under the proposed penalty structure, the total expected loss to firm 1 is:

$$ \begin{aligned} & p_{1}(1 - p_{2})\left[q\{(1 + \beta)L + A_{1} + A_{2}\} + (1 - q)\{L + A_{1}\}\right] + p_{2}(1 - p_{1})\left[q\{(1 + \beta)L - (A_{1} + A_{2})\} + (1 - q)\{\beta L - A_{1}\}\right] + p_{1}p_{2}(1 + \beta)L \\ &= \left\{p_{1}(1 - p_{2})\left[q(A_{1} + A_{2}) + (1 - q)A_{1}\right] - p_{2}(1 - p_{1})\left[q(A_{1} + A_{2}) + (1 - q)A_{1}\right]\right\} \\ &\quad + \left\{p_{1}(1 - p_{2})\left[q(1 + \beta)L + (1 - q)L\right] + p_{2}(1 - p_{1})\left[q(1 + \beta)L + (1 - q)\beta L\right] + p_{1}p_{2}(1 + \beta)L\right\} \end{aligned} $$

which can be written as

$$ (p_{1} - p_{2})(A_{1} + qA_{2}) + q(1 + \beta)L\left[p_{1}(1 - p_{2}) + p_{2}(1 - p_{1})\right] + L\left[p_{1}(1 - p_{2})(1 - q)\right] + \beta L\left[p_{2}(1 - p_{1})(1 - q)\right] + (1 + \beta)Lp_{1}p_{2} $$

Thus the objective of firm 1 is now

$$ \min_{c_{1}} \left( c_{1} + (p_{1} - p_{2})(A_{1} + qA_{2}) + q(1 + \beta)L\left[p_{1}(1 - p_{2}) + p_{2}(1 - p_{1})\right] + L\left[p_{1}(1 - p_{2})(1 - q)\right] + \beta L\left[p_{2}(1 - p_{1})(1 - q)\right] + (1 + \beta)Lp_{1}p_{2} \right) $$

So,

$$ c_{p}^{*}(\beta, q) = p^{\prime\,-1}\left( \frac{-1/L}{(A_{1} + qA_{2})/L + 1 + q\left(\beta - (1 + \beta)p(c_{p}^{*})\right)} \right) $$

Substituting the expressions for \( A_{1} \) and \( A_{2} \) given in the proposition into the above expression and simplifying, we obtain \( c_{p}^{*}(\beta, q) = c_{s}^{*}(\beta, q) \).

Proposition 6

In an integrated supply chain, if firms choose their optimal levels of integration and security investment independently, (i) firms’ security investment is decreasing and the level of integration is increasing in the network vulnerability in a loosely-integrated supply chain, and (ii) firms’ security investment is increasing and the level of integration is decreasing in the network vulnerability in a tightly-integrated supply chain.

Proof (i) Firm i maximizes the following.

$$ \Upphi_{i} = v_{i} - c_{i} - (1 + \beta_{i} )L\left[ {p_{i} p_{j} + q\left\{ {p_{i} (1 - p_{j} ) + p_{j} (1 - p_{i} )} \right\}} \right] - L\left[ {p_{i} (1 - p_{j} )(1 - q)} \right] - \beta_{i} L\left[ {p_{j} (1 - p_{i} )(1 - q)} \right] $$

The FOCs for the maximization problem are given by the following.

$$ p_{i}^{\prime *} \left[ {1 + q\left\{ {\beta_{i}^{*} - (1 + \beta_{i}^{*} )p_{j}^{*} } \right\}} \right] = \Upomega \left( {c_{i}^{*} ,q,\beta_{i}^{*} } \right) = 0 $$
(A1)
$$ v_{i}^{\prime } - L\left[ {p_{j} + qp_{i} (1 - p_{j} )} \right] = \Uppsi \left( {c_{i}^{*} ,q,\beta_{i}^{*} } \right) = 0 $$
(A2)

At the symmetric equilibrium, the second order conditions for the maximization are as follows.

$$ \left| {\begin{array}{*{20}c} {{\frac{{\partial^{2} \Upphi}}{{\partial c_{i}^{2} }}}}\,& {{\frac{{\partial^{2} \Upphi}}{{\partial c_{i} \beta_{i} }}}} \\ {{\frac{{\partial^{2} \Upphi}}{{\partial \beta_{i} c_{i} }}}}\, & {{\frac{{\partial^{2}\Upphi }}{{\partial \beta_{i}^{2} }}}} \\ \end{array} } \right|> 0,\;{\text{and}}\;{\frac{{\partial^{2} \Upphi }}{{\partial c_{i}^{2} }}} > 0 \Rightarrow \left[ {v_{p}^{\prime \prime * }p_{p}^{\prime \prime * } \left( {1 + qA} \right) + q^{2} L\left\{{p_{p}^{\prime * } (1 - p_{p}^{*} )} \right\}^{2} } \right] <0,\;{\text{and}}\;\left( {1 + qA^{*} } \right) > 0 $$

where \( A^{*} = \left\{ {\beta_{p}^{*} - (1 + \beta_{p}^{*} )p_{p}^{*} } \right\} \)

Using (A1), we have

$$ {\frac{d\Upomega }{dq}} = 0 = {\frac{\partial \Upomega }{\partial q}} + {\frac{\partial \Upomega }{{\partial c_{i}^{*} }}}\left( {{\frac{{dc_{i}^{*} }}{dq}}} \right) + {\frac{\partial \Upomega }{{\partial \beta_{i}^{*} }}}\left( {{\frac{{d\beta_{i}^{*} }}{dq}}} \right) \Rightarrow {\frac{{d\beta_{p}^{*} }}{dq}} = {\frac{{ - p_{p}^{\prime *} A^{*} - \left\{ {p_{p}^{\prime \prime *} \left[ {1 + qA^{*} } \right]} \right\}{\frac{{dc_{p}^{*} }}{dq}}}}{{qp_{p}^{\prime *} \left( {1 - p_{p}^{*} } \right)}}} $$
(A3)

Using (A2), we have

$$ {\frac{d\Uppsi }{dq}} = 0 = {\frac{\partial \Uppsi }{\partial q}} + {\frac{\partial \Uppsi }{{\partial c_{i}^{*} }}}\left( {{\frac{{dc_{i}^{*} }}{dq}}} \right) + {\frac{\partial \Uppsi }{{\partial \beta_{i}^{*} }}}\left( {{\frac{{d\beta_{i}^{*} }}{dq}}} \right) \Rightarrow {\frac{{d\beta_{p}^{*} }}{dq}} = {\frac{{Lp_{p}^{*} (1 - p_{p}^{*} ) + \left\{ {Lqp_{p}^{\prime * } (1 - p_{p}^{*} )} \right\}{\frac{{dc_{p}^{*} }}{dq}}}}{{v_{p}^{\prime \prime *} }}} $$
(A4)

Equating (A3) and (A4), we have

$$ \begin{aligned} & \frac{dc_{p}^{*}}{dq} = \frac{-p_{p}^{\prime *}}{\left[v_{p}^{\prime\prime *} p_{p}^{\prime\prime *}\left(1 + qA^{*}\right) + q^{2}L\left\{p_{p}^{\prime *}(1 - p_{p}^{*})\right\}^{2}\right]} \cdot \left\{A^{*} v_{p}^{\prime\prime *} + qLp_{p}^{*}(1 - p_{p}^{*})^{2}\right\} \\ & \text{Thus, if } \left\{A^{*} v_{p}^{\prime\prime *} + qLp_{p}^{*}(1 - p_{p}^{*})^{2}\right\} > 0, \text{ or if } A^{*} < 0, \text{ then } \frac{dc_{p}^{*}}{dq} < 0. \\ & \text{Since } \left[1 + qA^{*} > 0\right] \Rightarrow \text{ if } \beta_{p}^{*} < \frac{p_{p}^{*}}{1 - p_{p}^{*}}, \text{ then } \frac{dc_{p}^{*}}{dq} < 0. \\ \end{aligned} $$

Further, using (11), we have \( \frac{d\beta_{p}^{*}}{dc_{p}^{*}} < 0 \). So, if \( \beta_{p}^{*} < \frac{p_{p}^{*}}{1 - p_{p}^{*}} \), then \( \frac{d\beta_{p}^{*}}{dq} > 0 \).

(ii) The proof is similar to that of (i) and hence omitted.

Proposition 7

In an integrated supply chain, if firms choose their optimal levels of integration and it results in a loosely-integrated supply chain, then firms invest less in security and choose a higher degree of integration when they make investment decisions individually compared to when they make decisions jointly.

Proof From Proposition 6, we have the following: if \( \beta_{p}^{*} < \frac{p_{p}^{*}}{1 - p_{p}^{*}} \), then \( \frac{d\beta_{p}^{*}}{dq} > 0 \) and \( \frac{dc_{p}^{*}}{dq} < 0 \). Using (12) and (13), and following the proof for Proposition 6, we have \( \frac{d\beta_{s}^{*}}{dq} < 0 \) and \( \frac{dc_{s}^{*}}{dq} > 0 \). Since \( c_{p}^{*} = c_{s}^{*} \) and \( \beta_{p}^{*} = \beta_{s}^{*} \) when \( q = 0 \), the proposition directly follows.

Proposition 8

The liability mechanism with \( A_{1} = \beta L \) and \( A_{2} = (1 + \beta_{s}^{*})(1 - p(c_{s}^{*}))L \) coordinates the supply chain.

Proof Comparing (11) and (13), we observe that if \( c_{p}^{*} = c_{s}^{*} \), then \( \beta_{p}^{*} = \beta_{s}^{*} \). Further, following the proof for Proposition 5, we obtain that the FOCs when the firms make decisions individually are identical to those when firms make decisions jointly once we incorporate the liability mechanism in firms’ payoff expressions. Consequently, \( c_{p}^{*} = c_{s}^{*} \), and therefore \( \beta_{p}^{*} = \beta_{s}^{*} \) under the proposed liability mechanism.

Cite this article

Bandyopadhyay, T., Jacob, V. & Raghunathan, S. Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf Technol Manag 11, 7–23 (2010). https://doi.org/10.1007/s10799-010-0066-1
