Economics of Cybersecurity Investment and Information Sharing: Firm Decision Making Under Policy Constraints
Abstract
1. Introduction
2. Literature Review
3. Model Description
3.1. Model Construction from Perspective of Firms’ Benefit Maximization
3.2. Model Construction from Perspective of Social Welfare Maximization
4. Model Analysis
4.1. Model Analysis of a Firm’s Profit Maximization Perspective
4.2. Model Analysis of the Model from the Perspective of Social Welfare Maximization
5. Experimental Results
6. Discussion
6.1. Discussion for Firms
6.2. Discussion for Social Planners
7. Extension
8. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
| Parameter | Description |
|---|---|
| | The value of security information shared by firm j with firm i |
| | The absorptive capacity for security information for firm i |
| | The negative impact coefficient of platform security information disclosure on firm i |
| | The cybersecurity investment of firm i |
| | The overall cybersecurity level of firm i |
| | The hacking probability of firm i after implementing cybersecurity decisions |
| | The initial probability of intrusion for firm i |
| | The intrusion loss of firm i |
| | The amount of cybersecurity information shared by firm j with firm i on the platform |
| | The limitation on firm i’s hacking probability, which lies between 0 and |
| Parameter | Scope |
|---|---|
| | 0.001–0.35 |
| | 35–100 |
| | 0.6–0.8 |
| | 0.25–0.8 |
| | 0.01–0.25 |
| | 0.08–0.315 |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Zhao, L.; Wu, X.; Li, J.; Tong, H. Economics of Cybersecurity Investment and Information Sharing: Firm Decision Making Under Policy Constraints. Systems 2025, 13, 83. https://doi.org/10.3390/systems13020083