Economics of Cybersecurity Investment and Information Sharing: Firm Decision Making Under Policy Constraints

Abstract

With an increasing number of firms in cybersecurity information-sharing platforms, the potential cyber risks become a critical challenge during the exchanging of information. How to balance economic benefits and security requirements is an important topic for both firms and the government. By developing a game-theoretic model, the firms’ optimal strategies are discussed considering their absorptive capacity for security information under different policy constrains. The results show that the value of security information, intrusion loss, the level of cybersecurity vulnerability, the negative impact coefficient of platform security information disclosure, and the absorptive capacity for security information are key factors impacting firms’ decisions. The value of security information and intrusion loss are constrained by the marginal utility of cybersecurity investment and security information sharing. Firms prefer to increase their security investment or security information sharing only if the value of security information and intrusion loss are positively related to the marginal utility of cybersecurity investment or cybersecurity information sharing. Specifically, in the case without policy constrains, the optimal strategies of n firms are discussed, and it is found that they are consistent with those of two firms and that the utility of any firm in the platform decreases as the number of firms increases.

1. Introduction

In recent years, despite the increasing frequency and sophistication of cyber-attacks, firms’ cybersecurity practices have not demonstrated substantial improvements. Governments have advocated for the concept of “collaboration, participation, and common interests”, encouraging firms to take social responsibility by rapidly identifying and responding to similar attack risks through cybersecurity information sharing [1], facilitating the flow of cybersecurity information from government to firms and from firms to firms. Cybersecurity information sharing refers to the process by which entities exchange vulnerability information and threat intelligence related to cybersecurity. The goal is to enhance capabilities for comprehensive threat identification and response, thereby strengthening defense and response mechanisms in cybersecurity. For instance, the U.S. government enacted the “Cybersecurity Information Sharing Act” to enhance cybersecurity through improved information sharing and collaboration while also offering legal protection for participating entities. In 2023, the European Commission introduced the “EU Directive on High Standards of Cybersecurity Measures (NIS 2 Regulation)” [2], which delineates firms’ responsibilities, planning structures, and cybersecurity information resources in response to large-scale cybersecurity incidents. Similarly, China released the “Information Security Technology: Guidelines for Cybersecurity Information Sharing”, aimed at strengthening national and organizational cybersecurity defenses. This initiative promotes information sharing and collaboration by establishing unified guiding principles and standards to address the increasingly complex nature of cybersecurity threats.

Cybersecurity information sharing can enhance a firm’s cybersecurity capabilities. In the absence of effective cybersecurity information management policies, the value of security information sharing may still contribute to improved overall management. However, some firms continue to adopt a wait-and-see approach. On one hand, assessing the economic value of security information sharing is challenging, as is quantifying the relationship between cybersecurity investment and the benefits accrued from cybersecurity information sharing. These cybersecurity threats, such as Denial of Service (DoS), Distributed Denial of Service (DDoS) attacks, or Man-in-the-Middle (MITM) attacks, often reduce firms’ motivation to engage in such activities [3]. On the other hand, joining a cybersecurity information-sharing platform may increase the risk of security information leakage. In practice, firms join these platforms with similar cybersecurity information systems. If one firm is attacked by hackers, the vulnerabilities of related firms may be exposed, resulting in risk interdependence. This scenario can cause firms to be reluctant to share their cybersecurity information [4].

In addition, when faced with cybersecurity challenges, firms also consider social responsibility to be fulfilled on behalf of the State, which influences their decision to engage in sharing actions. First, a firm’s organizational structure significantly influences the efficiency of security information transmission and processing. Different structures result in varying levels of security information creation value and absorptive capacity for security information [5]. Moreover, a firm’s cybersecurity risk response capabilities are constrained by its available security technologies and employee expertise. The diversity in security operations arises from the varying risk response capabilities among firms [6]. Insufficient cybersecurity capabilities can increase risks such as hacking and revenue loss [7].

However, despite the importance of a firm’s own cybersecurity capabilities in the decision-making process regarding participation in a cybersecurity information-sharing platform, the current research landscape reveals certain gaps that need to be addressed. A review of existing research reveals that most studies on cybersecurity information sharing focus on a single perspective, such as economics, risk, or capability. Few studies have explored the influence of policy constraints on firm decision making. Furthermore, firms consider national policies regarding social responsibility when facing cybersecurity challenges, which subsequently affects their decisions to engage in information-sharing activities. These problems urgently need to be solved to help firms to make the right choice, aiming to leverage the strengths of policy and safeguard the economic and security interests of firms. This paper aims to explore the impact of a firm’s value of security information, cybersecurity capability, platform security information disclosure, and the hacking probability by constructing a game-theoretic model that addresses firms’ decisions related to cybersecurity investment and information sharing. Based on differential game theory and policy constraints, this study analyzes the optimal level of cybersecurity investment and information sharing in two scenarios: with and without policy constraints. This approach offers a novel framework for understanding firms’ behaviors during the decision-making processes associated with cybersecurity investment and information sharing.

The key findings of this research are as follows: First, this study advances the understanding of the complex relationship between the value of security information and sharing benefits. By analyzing the impact mechanisms of these factors, it provides a more accurate foundation for firms to make decisions in different contexts. Second, this research study comprehensively examines how firms adjust their decisions in two scenarios: “without policy constraints” and “with policy constraints”. This study introduces innovative adaptive strategies for firms responding to policy constraints. Finally, previous studies rarely provide a theoretical basis for government policy making from the perspective of firms’ responses to policy changes. This study fills this gap by analyzing how firms adjust cybersecurity investment and information-sharing decisions based on factors such as the value of security information and intrusion loss when facing policy constraints.

The structure of this paper is as follows: Section 2 presents a literature review, Section 3 outlines the model description, and Section 4 provides the model analysis. Section 5 details the experimental results, Section 6 is the discussion, and Section 7 is a model extension. Finally, Section 8 concludes the paper and suggests directions for future research.

2. Literature Review

This paper focuses on how the value of security information and firms’ cybersecurity capabilities impact their decisions regarding cybersecurity information sharing under varying policy constraints. We providing an overview of the existing research in these three areas.

Some scholars have studied the role of cybersecurity information sharing, highlighting how firms benefit from this practice. Gal and Ghose argued that information sharing becomes more valuable as product sustainability increases, enabling firms within information-sharing alliances to obtain greater competitive advantages within their respective industries [8]. Additionally, a classification system for a firm’s cybersecurity information sharing can help identify and mitigate operational risks, thereby enhancing overall security levels [9]. He et al. and Gordon et al. summarized that cybersecurity information sharing reduces defense costs and decreases the likelihood of cybersecurity incidents [10,11]. Despite these potential benefits, some studies found that firms are often unwilling to participate in sharing activities when engaged in single-shot games. Repeated interactions are necessary to determine whether they will engage in future information-sharing activities [12]. Moreover, several studies have explored the factors influencing cybersecurity information sharing. Hausken argued that cybersecurity information sharing depends on inter-firm interdependence, the attributes of the shared information, and the unit costs of cybersecurity investments [13]. Building on this, Liu found that the nature of information assets—whether sustainable or complementary—is a key determinant of firms’ cybersecurity information-sharing decisions [14]. The optimal strategies regarding cybersecurity investment and information sharing have also been studied [15].

Cybersecurity capability is a crucial determinant of a firm’s sharing decisions, encompassing absorptive capacity for security information, cybersecurity information exchange, and risk management. Regarding absorptive capacity for security information, Goodwin et al. suggested that firms can prevent cybersecurity incidents by effectively absorbing valuable cybersecurity information [16]. With their knowledge, expertise, and ability to analyze threat information during sharing activities, firms can better anticipate and understand potential cybersecurity risks in advance [17]. In terms of cybersecurity information exchange, Choraś defined the concept of cybersecurity information sharing and proposed both online and offline mechanisms to enhance security operational capabilities [18]. Fransen et al. also found that various methods for exchanging threat information are essential to addressing the growing cybersecurity threats [19]. Thanh and Hung demonstrated that combining deep learning with differential privacy can achieve a balance between data privacy protection and the usability of information exchange [20]. To enhance cybersecurity information exchange capabilities and improve cybersecurity defense levels, Jones et al. and Sujatha et al. found that multiple encryption algorithms can be utilized to process data, ensuring the security of information sharing [21,22]. Additionally, other scholars have established a hierarchical model to evaluate existing cybersecurity information-sharing resources [23]. Regarding cybersecurity risk management, research on avoiding free riding, preventing privacy breaches, and designing incentive mechanisms has gained attention. This is supported by studies showing that integrating cybersecurity information sharing with insurance can improve management effectiveness [24].

Another focus of our research is cybersecurity information sharing under policy constraints. In policy development, the United States has implemented risk-based policies to enhance cybersecurity information sharing by collaborating with critical infrastructure owners and operators. Harwood and Dahl proposed that future policy making should eliminate ambiguity, provide robust safeguards for information sharers, and foster public–private partnerships to improve cybersecurity information sharing [25]. By integrating economics with cybersecurity information-sharing policies, non-cooperation and free-rider behaviors can be mitigated [26]. Regarding policy content, Prieto emphasized the importance of establishing mechanisms, rules, and measures to facilitate information sharing between the government and firms [27]. Zheng and Lewis suggested that legislation should establish a standardized process for cooperation between firms and governments in the context of cybersecurity information sharing [28]. Concerning the effects of policy enforcement, Tosh et al. clarified that appropriate incentive measures could encourage firms to share cybersecurity information, thereby increasing returns through effective countermeasures in cybersecurity investment [29]. Amini and Bozorgasl demonstrated that effective policy promotes information sharing and enhances cloud computing security [30]. However, some scholars argued that voluntary sharing policies may not be effective and that policy constraints are necessary to increase incentives for cybersecurity information sharing [31].

Despite the abundant research in the field of cybersecurity information sharing, particularly concerning cybersecurity information-sharing platforms, there remains a notable scarcity of studies focusing on how to make informed cybersecurity investment decisions and effectively share varying values of security information within the constraints imposed by policy. Specifically, there is a lack of research on the impact of cybersecurity capability and the value of security information on firms’ cybersecurity investment and information-sharing decisions. In light of this gap, our research contributes in the following ways: First, we study optimization based on the relationship between the value of security information and sharing benefits. Second, from an adaptive strategy perspective, we consider firms’ decisions under policy constraints. Third, in practical application, our research provides theoretical support for government policy making.

This study has two main limitations: Firstly, in terms of entity types in game theory, it mainly focuses on the interactions among social planners, cybersecurity information platforms, and firms, while individual security awareness, habits, and feedback, which can affect firms’ information-sharing strategies, are not covered by the current game model. Secondly, from the research perspective, when analyzing the hacking probability, the study refers to the Gordon–Loeb model but does not consider the influence of different attack types on firms’ cybersecurity information-sharing strategies. Future research could explore the specific impacts of various attack types on such strategies.

3. Model Description

The game model of cybersecurity information sharing consists of firms on the platform, with each aiming to maximize their utilities. To facilitate differentiation and discussion, in the subsequent model construction and equilibrium analysis, parameters related to firm i are denoted with the subscript i, while parameters associated with other member firms of the platform are denoted with the subscript j. It is assumed that the two firms are homogeneous, with both serving as cybersecurity service providers on the cybersecurity information-sharing platform. The model considers cybersecurity information sharing from firm j to firm i, where $s_j$ represents the cybersecurity information shared by firm j with the platform, as this paper only considers a scenario with two firms on the platform participating in the game [32,33].

To assess the impact of differentiated values of cybersecurity information, it is essential to measure the variation in value provided by firms. Compared with low-value cybersecurity information, high-value cybersecurity information has a more significant impact on enhancing a firm’s self-security investment and generates greater economic benefits. In this paper, $q_j$$(0<q_j<1)$ represents the value of security information sharing from firm j to firm i, $q_j$$s_j$ denotes that firm j shares the value of security information with firm i.

Firms possess varying levels of cybersecurity capabilities, necessitating a thorough assessment of their vulnerabilities prior to any potential attacks. On one hand, differences in firms’ absorptive capacities for security information lead to varying benefits from information sharing. According to the law of diminishing marginal utility, as a firm’s absorptive capacity increases, the additional benefits it gains from shared cybersecurity information decrease. Thus, ${\alpha }_j$ represents firm i’s absorptive capacity for security information. On the other hand, once firms identify vulnerabilities, they must install repair patches within a set time frame. However, they may face operational challenges, such as high patching costs, which could lead to abandoning the repairs. Additionally, after disclosing vulnerability information on the platform, firms may face adverse consequences, such as being targeted by hackers or incurring reputational damage during the patching process. We define ${\varphi }_i$$\left({\varphi }_i>0\right)$ as the coefficient that represents the negative impact of platform security information disclosure on firm i. The level of firm i’s cybersecurity can be defined as $T_i=t_i+q_j{s}_j$ [34]. The formula suggests that the total cybersecurity capability of firm i (denoted by $T_i$) is the sum of two components: the firm’s own cybersecurity investment $t_i$, which directly impacts its defensive capabilities, and $q_j{s}_j$, which represents the security information provided by firm j to firm i. This external information serves as an enhancement to firm i’s cybersecurity efforts, increasing its overall ability to prevent, detect, and respond to security threats.

Given the uncertainty of intrusion loss, it is crucial to evaluate the impact of hacker intrusions based on different behavioral decisions made by firms. When hackers initially invade firm i without cybersecurity investment or information sharing, the probability is $v_i$. In order to accurately calculate the hacking probability in the process of cybersecurity investment and information sharing, the probability formula is

$$p_i(T)=v_i^{\lambda T_i+1}=v_i^{\lambda (t_i+q_j{s}_j)+1}.$$

Above, $\lambda$ is a constant, and we have $(\lambda >0)$, satisfying the condition $(0<p_i(T)<{\displaystyle \frac{1}{2}})$ [6,35]. $p_i(T)$ represents firm i’s probability of being hacked after implementing cybersecurity investment and cybersecurity information sharing. $\lambda$ denotes that the probability of firm i being hacked is a non-negative constant between 0 and ${\displaystyle \frac{1}{2}}$. v represents the initial intrusion probability (level of cybersecurity vulnerability) of firm i. $T_i$ is the total cybersecurity capability of firm i. The intrusion loss incurred by firm i is $L_i$. It is assumed that $L_i$ is sufficiently large to ensure that firms have the motivation for cybersecurity investment and information sharing.

For a detailed explanation of the parameter meanings, refer to

Table 1. Parameter description.

Parameter	Description
$q_j$	The value of security information shared by firm j with firm i $(0<q<1)$
${\alpha }_i$	The absorptive capacity for security information for firm i
${\varphi }_i$	The negative impact coefficient of platform security information disclosure on firm i $(\varphi >0)$
$t_i$	The cybersecurity investment of firm i
$T_i$	The overall cybersecurity level of firm i
$p_i(T)$	The hacking probability of firm i after implementing cybersecurity decisions $(0<p_i(T)<{\displaystyle \frac{1}{2}})$
$v_i$	The initial probability of intrusion for firm i $(0<v<{\displaystyle \frac{1}{2}})$
$L_i$	The intrusion loss of firm i
$s_j$	The amount of cybersecurity information shared by firm j with firm i on the platform
$\lambda$	The limitation on firm i’s hacking probability, which lies between 0 and ${\displaystyle \frac{1}{2}}(0<\lambda <{\displaystyle \frac{1}{2}})$

.

3.1. Model Construction from Perspective of Firms’ Benefit Maximization

Firm i receives cybersecurity information from firm j on the cybersecurity information-sharing platform. The benefits obtained from cybersecurity information sharing are $f_i=\left(2{\alpha }_i-{\alpha }_i^2\right)q_j{s}_j$. The costs incurred by firm i, denoted by $c_i$, include three aspects: cybersecurity investment $t_i$, direct loss $p_i{L}_i$ caused by hacker intrusions, and intrusion loss arising from sharing cybersecurity information with j and the platform. We define the loss of information resulting from sharing cybersecurity information as $q_i\left(1-p_i\right)p_j{L}_i.$ On the other hand, intrusion loss can stem from platform information disclosure behaviors. If firms fail to complete patching during the vulnerability protection period, cybersecurity information may be exposed to hackers, potentially leading to significant intrusion loss. We define the security information leakage loss by the platform as ${\Phi }_i{(q_i{s}_i)}^2$. The utility function of firm j is

$$\begin{array}{cc}\hfill & {\pi }_i=f_i-c_i\hfill \\ \hfill & =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+p_i{L}_i+q_i\left(1-p_i\right)p_j{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \\ \hfill & =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_i+q_i\left(1-v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right].\hfill \end{array}$$

(1)

Similarly, the utility function of firm j is

$$\begin{array}{cc}\hfill & {\pi }_j=f_j-c_j\hfill \\ \hfill & =\left(2{\alpha }_j-{\alpha }_j^2\right)\left(q_i{s}_i\right)-\left[t_j+p_j{L}_j+q_j\left(1-p_j\right)p_i{L}_j+\varphi {\left(q_j{s}_j\right)}^2\right]\hfill \\ \hfill & =\left(2{\alpha }_j-{\alpha }_j^2\right)\left(q_i{s}_i\right)-\left[t_j+v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_j+q_j\left(1-v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\right)v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_j+\varphi {\left(q_j{s}_j\right)}^2\right].\hfill \end{array}$$

(2)

3.2. Model Construction from Perspective of Social Welfare Maximization

Against the background of increasingly severe cybersecurity threats, policy constraints are placed on firms’ cybersecurity investment and information sharing to maximize overall societal cybersecurity benefits. We consider three policy constraints for the two firms: cybersecurity investment only, cybersecurity information sharing only, or both of them. Therefore, the overall utility function of firm j and firm j is given by

$$\begin{array}{cc}\hfill & {\pi }_s=f_i-c_i+f_j-c_j\hfill \\ \hfill & =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+p_i{L}_i+q_i\left(1-p_i\right)p_j{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \\ \hfill & +\left(2{\alpha }_j-{\alpha }_j^2\right)\left(q_i{s}_i\right)-\left[t_j+p_j{L}_j+q_j\left(1-p_j\right)p_i{L}_j+\varphi {\left(q_j{s}_j\right)}^2\right]\hfill \\ \hfill & =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_i+q_i\left(1-v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \\ \hfill & +\left(2{\alpha }_j-{\alpha }_j^2\right)\left(q_i{s}_i\right)-\left[t_j+v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_j+q_j\left(1-v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\right)v_j^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_j+\varphi {\left(q_j{s}_j\right)}^2\right].\hfill \end{array}$$

(3)

4. Model Analysis

In this section, we analyze firms’ decision-making processes regarding cybersecurity investment and information sharing, both with or without policy constraints. First, we examine the optimal strategies for cybersecurity investment and information sharing from the perspective of firms’ individual interests, assuming no policy constraints. Second, we evaluate the optimal strategies from a social welfare perspective, considering the outcomes under three different policy scenarios.

4.1. Model Analysis of a Firm’s Profit Maximization Perspective

Without policy constraints, the expected utility function of cybersecurity information sharing for firm i is as follows:

$$\begin{array}{cc}\hfill & Max{\pi }_i=\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+p_i{L}_i+q_i\left(1-p_i\right)p_j{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \\ \hfill & =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_i+q_i\left(1-v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_i+\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \end{array}$$

(4)

Equations (5) and (6) can be obtained from Equation (4):

$${\displaystyle \frac{\partial {\pi }_i}{\partial t_i}}=-1-\lambda ln\left(v_i\right)L_i{v}_i^{\lambda \left(t_i+q_j{s}_j\right)+1}+q_i{L}_i\lambda ln\left(v_i\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{v}_i^{\lambda \left(t_i+q_j{s}_j\right)+1}$$

(5)

$${\displaystyle \frac{\partial {\pi }_i}{\partial s_i}}=-L_i\lambda {q_i}^{2}In\left(v_j\right)\left(1-{\mathit{v}}_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}-2\varphi {q_i}^2{s}_i$$

(6)

We assume that firms are homogeneous and focus on the symmetric case, so there are $t_i=t_j=t_N,s_i=s_j=s_N,p_i=p_j=p_N,L_i=L_j=L_N,q_i=q_j=q_N,v_i=v_j=v_N$.

The equilibrium dynamic equations for two firms are

$$-1-\lambda ln\left(v_N\right)L_N{p}_N+q_N{L}_N\lambda ln\left(v_N\right){p_N}^2=0$$

(7)

$$-L_N\lambda {q_N}^{2}ln\left(v_N\right)\left(1-p_N\right)p_N-2\varphi {q_N}^2{s}_N=0$$

(8)

Thus, the dynamic replication equations of firms are

$${\displaystyle \frac{d{t}_N}{d{q}_N}}={\displaystyle \frac{2\varphi p_N+L_N{\lambda }^2{ln}^2\left(v_N\right){p_N}^2{q}_N\left(1-2p_N\right)-2\lambda ln\left(v_N\right)\varphi s_N\left(1-2p_N{q}_N\right)}{2\lambda ln\left(v_N\right)\varphi \left(1-2p_N{q}_N\right)}}$$

(9)

$${\displaystyle \frac{d{s}_N}{d{q}_N}}={\displaystyle \frac{\lambda L_N{p_N}^{2}ln\left(v_N\right)\left(1-2p_N\right)}{2\varphi \left(2p_N{q}_N-1\right)}}$$

(10)

$${\displaystyle \frac{d{t}_N}{d{L}_N}}={\displaystyle \frac{2\varphi \left(1-p_N{q}_N\right)-\lambda ln\left(v_N\right)L_N{p}_N{q}_N\left(1-q_N\right)}{2\varphi \lambda ln\left(v_N\right)L_N\left(2p_N{q}_N-1\right)}}$$

(11)

$${\displaystyle \frac{d{s}_N}{d{L}_N}}={\displaystyle \frac{p_N\left(q_N-1\right)}{2\varphi \left(1-2p_N{q}_N\right)}}$$

(12)

From this, Proposition 1 can be obtained.

Proposition 1. 

(1) When the value of security information rises, firms tend to decrease their optimal cybersecurity investment and increase cybersecurity information sharing: ${\displaystyle \frac{\partial t}{\partial q}}<0,{\displaystyle \frac{\partial s}{\partial q}}>0$.

(2) With the increase in intrusion loss, firms’ optimal cybersecurity investment tends to increase, while cybersecurity information sharing tends to decrease: ${\displaystyle \frac{\partial t}{\partial L}}>0,{\displaystyle \frac{\partial s}{\partial L}}<0$.

Proposition 1 demonstrates that as the value of security information increases, firms tend to reduce their cybersecurity investment. A high value of security information significantly enhances firms’ cybersecurity capabilities, enabling them to meet cybersecurity requirements more effectively while simultaneously lowering their need for substantial cybersecurity investment. Moreover, the value of security information is positively correlated with cybersecurity information sharing. Consequently, firms with a high value of security information should increase their information-sharing practices to strengthen overall cybersecurity and optimize their investment in cybersecurity measures.

Moreover, as intrusion loss increases, firms should increase their cybersecurity investment. The escalating negative impact of cybersecurity incidents prompts firms to prioritize cybersecurity measures over information sharing. Consequently, firms increase their cybersecurity investment to achieve the desired security level. Additionally, there is a negative correlation between intrusion loss and cybersecurity information sharing. In such scenarios, firms tend to reduce their information-sharing activities to mitigate potential indirect losses that may arise from other firms on the platform. This analysis aligns with the findings of Qian [36].

4.2. Model Analysis of the Model from the Perspective of Social Welfare Maximization

First, we examine the case where there are policy constraints on cybersecurity investment. The expected utility function for firm i with cybersecurity information sharing can be derived from Equation (3). The policy constraints on a firm’s cybersecurity investment aim to maximize the total utility functions for both firm i and firm j, as expressed in the following equation:

$$\begin{array}{cc}\hfill M\alpha x{\pi }_s& =\left(2{\alpha }_i-{\alpha }_i^2\right)\left(q_j{s}_j\right)-\left[t_i+v_i^{\left(\lambda \left(t_i+q_j{s}_j\right)+1\right)}{L}_i\right.\hfill \\ \hfill & +q_i\left(1-v_i^{\left(\lambda \left(t_i+q_j{s}_j\right)+1\right)}\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{L}_i+\left.\varphi {\left(q_i{s}_i\right)}^2\right]\hfill \\ \hfill & +\left(2{\alpha }_j-{\alpha }_j^2\right)\left(q_i{s}_i\right)-\left[t_j+v_j^{\left(\lambda \left(t_j+q_i{s}_i\right)+1\right)}{L}_j\right.\hfill \\ \hfill & +q_j\left(1-v_j^{\left(\lambda \left(t_j+q_i{s}_i\right)+1\right)}\right)v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{L}_j+\left.\varphi {\left(q_j{s}_j\right)}^2\right]\hfill \end{array}$$

(13)

Equation (14) can be obtained based on Equation (13):

$$\begin{array}{cc}\hfill {\displaystyle \frac{\partial {\pi }_s}{\partial t_i}}& =-1-\lambda ln\left(v_i\right)L_i{v}_i^{\lambda \left(t_i+q_j{s}_j\right)+1}+q_i{L}_i\lambda ln\left(v_i\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}{v}_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\hfill \\ & -q_j{L}_j\lambda ln\left(v_i\right)\left(1-v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\right)v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\hfill \end{array}$$

(14)

We assume that firms are homogeneous and focus on the symmetric case, so there are $t_i=t_j=t_I,s_i=s_j=s_I,p_i=p_j=p_I,L_i=L_j=L_I,q_i=q_j=q_I,v_i=v_j=v_I.$

The equilibrium dynamic equations for two firms are listed as follows:

$$\begin{array}{c}\hfill -1+\lambda ln\left(v_I\right)L_I{p}_I\left(2p_I{q}_I-q_I-1\right)=0\end{array}$$

(15)

$$\begin{array}{c}\hfill -L_I\lambda {q_I}^{2}ln\left(v_I\right)\left(1-p_I\right)p_I-2\varphi {q_I}^2{s}_I=0\end{array}$$

(16)

Thus, the dynamic replication equations of firms are

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_I}{d{q}_I}}={\displaystyle \frac{2\varphi \left(1-2p_I\right)+L_I{\lambda }^2{ln}^2\left(v_I\right)p_I{q}_I{\left(1-2p_I\right)}^2-2\lambda ln\left(v_I\right)\varphi s_I\left(4p_I{q}_I-q_I-1\right)}{2\varphi \lambda ln\left(v_I\right)\left(4p_I{q}_I-q_I-1\right)}}\end{array}$$

(17)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_I}{d{q}_I}}={\displaystyle \frac{-\lambda L_I{p}_{I}ln\left(v_I\right){\left(2p_I-1\right)}^2}{2\varphi \left(4p_I{q}_I-q_I-1\right)}}\end{array}$$

(18)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_I}{d{L}_I}}={\displaystyle \frac{2\varphi \left(1-q_I-2p_I{q}_I\right)-L_I{\lambda }^2{ln}^2\left(v_I\right){p_I}^2{q}_I\left(1-q_I\right)}{2\varphi \lambda L_{I}ln\left(v_I\right)\left(4p_I{q}_I-q_I-1\right)}}\end{array}$$

(19)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_I}{d{L}_I}}={\displaystyle \frac{\lambda ln\left(v_I\right){p_I}^2\left(1-q_I\right)}{2\varphi \left(4p_I{q}_I-q_I-1\right)}}\end{array}$$

(20)

Based on the above analysis, Propositions 2 and 3 can be obtained.

Proposition 2. 

The effects of the value of security information on cybersecurity investment and information sharing decisions are as follows:

(1) When the hacking probability is $0<p<{\displaystyle \frac{1}{4}}$ and the negative impact coefficient of platform security information disclosure is $0<\varphi <{\displaystyle \frac{L\lambda ln(v)p{(1-2p)}^2}{2s(4p-1)}}$, there is a critical value of security information $q^{*}={\displaystyle \frac{-2\varphi s\lambda ln(v)}{\lambda ln(v)p{(1-2p)}^2-2\varphi s(4p-1)}}$; if $q\in (0,q^{*})$, the optimal cybersecurity investment ${t_I}^{*}$ increases: ${\displaystyle \frac{\partial t}{\partial q}}>0$; if $q\in (q^{*},1)$, the optimal cybersecurity investment ${t_I}^{*}$ decreases: ${\displaystyle \frac{\partial t}{\partial q}}<0$.

(2) The optimal cybersecurity investment ${t_I}^{*}$ increases when the hacking probability is $0<p<{\displaystyle \frac{1}{4}}$ and the negative impact coefficient of platform security information disclosure is ${\displaystyle \frac{L\lambda ln(v)p{(1-2p)}^2}{2s(4p-1)}}<\varphi <1$, ${\displaystyle \frac{\partial t}{\partial q}}>0$.

(3) When the hacking probability is ${\displaystyle \frac{1}{4}}<p<{\displaystyle \frac{1}{2}}$, there exists a critical value of security information $q^{*}={\displaystyle \frac{-2\varphi s\lambda ln(v)}{\lambda ln(v)p{(1-2p)}^2-2\varphi s(4p-1)}}$; if $q\in (0,q^{*})$, the optimal cybersecurity investment ${t_I}^{*}$ increases: ${\displaystyle \frac{\partial t}{\partial q}}>0$; if $q\in (q^{*},1)$, the optimal cybersecurity investment ${t_I}^{*}$ decreases: ${\displaystyle \frac{\partial t}{\partial q}}<0$.

(4) Regardless of the value of security information q, the optimal cybersecurity information sharing ${s_I}^{*}$ decreases: ${\displaystyle \frac{\partial s}{\partial q}}<0$.

Proposition 2 demonstrates that when both the hacking probability and the negative impact coefficient of platform security information disclosure are minimized, firms initially increase their cybersecurity investment as the value of security information rises. However, cybersecurity investment begins to decline after reaching an optimal level. In this scenario, firms achieve their cybersecurity objectives, with investment decisions being primarily driven by the competitive advantages gained through cybersecurity information sharing. When the value of security information is low, the improvements in cybersecurity capabilities through information sharing are insufficient to meet firms’ requirements, necessitating increased cybersecurity investment. Conversely, when the value of security information is high, effective cybersecurity information sharing significantly enhances cybersecurity capabilities, allowing firms to reduce their cybersecurity investments and achieve cost savings.

Second, when the hacking probability is low but the negative impact coefficient of platform security information disclosure is high, firms should increase their cybersecurity investment as the value of security information rises. In this scenario, cybersecurity investment decisions are primarily driven by the potential intrusion losses resulting from the heightened risk of information leakage, which is directly correlated with the value of security information. As the value of security information increases, the risk of information leakage intensifies, leading to greater exposure to indirect loss and diminished efficiency in cybersecurity information sharing. As a result, firms are increasingly compelled to augment their cybersecurity investments in order to strengthen their comprehensive cybersecurity capabilities.

Third, as the hacking probability increases, cybersecurity investment initially rises with the value of security information but eventually declines. This suggests that the parameter is positively correlated with the marginal utility of cybersecurity investment at higher value of security information and negatively correlated at lower value. A higher hacking probability signifies a more challenging security environment, necessitating enhanced cybersecurity measures. When the value of security information is low, the improvements in cybersecurity capabilities achieved through information sharing are insufficient to meet security objectives, thus requiring additional investment. Conversely, when the value of security information is high, effective information sharing significantly enhances cybersecurity capabilities, allowing firms to leverage the benefits of sharing, reduce cybersecurity investments, and achieve both stronger security and cost efficiency.

Finally, as the value of security information increases, cybersecurity information sharing decreases. In this scenario, the marginal utility of information sharing is negatively correlated with the value of security information. Sharing decisions are primarily driven by the heightened risk of security information leakage, which intensifies as the value of security information rises. Consequently, firms should reduce their cybersecurity information sharing to mitigate these risks and minimize potential loss costs.

Proposition 3. 

In this case, the impacts of a firm’s hacking losses on decisions for any firm intrusion loss L are as follows:

(1) The optimal cybersecurity investment ${t_I}^{*}$ increases when the value of security information satisfies $0<q<{\displaystyle \frac{1}{1+2p}}$, which means that ${\displaystyle \frac{\partial t}{\partial L}}>0$. When the value of security information satisfies ${\displaystyle \frac{1}{1+2p}}<q<1$, the optimal cybersecurity investment ${t_I}^{*}$ decreases, i.e., ${\displaystyle \frac{\partial t}{\partial L}}<0$.

(2) The optimal cybersecurity information sharing ${s_I}^{*}$ increases, which means that ${\displaystyle \frac{\partial s}{\partial L}}>0$.

Proposition 3 asserts that when the value of security information is low, firms should consider increasing their cybersecurity investment, as potential intrusion losses tend to increase. Conversely, when intrusion loss decreases, it may be prudent for firms to reduce their cybersecurity investments. The utility derived from cybersecurity investment is positively correlated with intrusion loss when the value of security information is low and negatively correlated when the value is high. Increased intrusion loss signals a greater need for cybersecurity measures, thus driving firms to invest more in cybersecurity. However, when the value of security information is sufficiently high, cybersecurity information sharing becomes more effective, enabling firms to enhance their cybersecurity capabilities. As a result, firms can reduce their cybersecurity investment and achieve cost savings.

Additionally, as intrusion loss rises, firms tend to increase their cybersecurity information sharing, as the marginal utility of information sharing is positively correlated with intrusion loss. As intrusion loss increases, the cybersecurity capabilities strengthened by information sharing are further enhanced, allowing firms to more effectively address their cybersecurity needs and achieve their cybersecurity objectives.

This analysis contrasts with the conclusion drawn by Qian [35], whose study did not account for the influence of the value of security information on cybersecurity investment decisions or the impact of cybersecurity information sharing among firms. In contrast, the present study incorporates these factors, providing a more comprehensive and realistic description of firms’ economic decisions.

Second, we discuss the case that with policy constraints on cybersecurity information sharing, i’s goal is to maximize its own utility function by deciding cybersecurity investment as in Equation (4). Maximizing the total utility function of firm i and firm j is performed according to Equation (13).

The partial derivative of firm i’s ${s_i}^{*}$ is

$$\begin{array}{cc}\hfill {\displaystyle \frac{\partial {\pi }_s}{\partial s_i}}& =-q_i\lambda ln\left(v_j\right)L_i{v}_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\left(1-v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\right)-2\varphi {q_i}^2{s}_i+\left(2{\alpha }_j-{\alpha }_j^2\right)q_i\hfill \\ & -L_j\lambda ln\left(v_j\right)v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}+L_j{q}_j\lambda ln\left(v_j\right)v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}{v}_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\hfill \\ & -q_j{L}_j\lambda ln\left(v_i\right)\left(1-v_j^{\lambda \left(t_j+q_i{s}_i\right)+1}\right)v_i^{\lambda \left(t_i+q_j{s}_j\right)+1}\hfill \end{array}$$

(21)

We assume that firms are homogeneous and focus on the symmetric case, so there are $t_i=t_j=t_S,s_i=s_j=s_S,p_i=p_j=p_S,L_i=L_j=L_S,q_i=q_j=q_S,v_i=v_j=v_S.$

The equilibrium dynamic equations for two firms are

$$\begin{array}{c}\hfill -1-\lambda ln\left(v_S\right)L_S{p}_S+\lambda ln\left(v_S\right)q_S{p_S}^2=0\end{array}$$

(22)

$$\begin{array}{c}\hfill \lambda ln\left(v_S\right)L_S{p}_S{q}_S\left(2p_S{q}_S-q_S-1\right)-2\varphi {q_S}^2{s}_S+\left(2\alpha -{\alpha }^2\right)q_S=0\end{array}$$

(23)

Thus, the dynamic replication equations of firms are

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_S}{d{q}_S}}={\displaystyle \frac{2\varphi p_S-L_S{\lambda }^2{ln}^2\left(v_S\right)p_S\left(p_S{q}_S+p_S-1\right)}{2\varphi \lambda ln\left(v_S\right)\left(1-2q_S\right)}}\end{array}$$

(24)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_s}{d{q}_s}}={\displaystyle \frac{\lambda L_s{p}_{s}ln\left(v_s\right)\left(p_s{q}_s+p_s-1\right)-2\varphi s_s\left(1-2p_s{q}_s\right)}{2\varphi q_s\left(1-2p_{s}q\right)}}\end{array}$$

(25)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_S}{d{L}_S}}={\displaystyle \frac{2\varphi \left(1-p_S{q}_S\right)-L_S{\lambda }^2{ln}^2\left(v_S\right){p_S}^2{q}_S\left(1-q_S\right)}{2\varphi \lambda L_{S}ln\left(v_S\right)\left(2p_S{q}_S-1\right)}}\end{array}$$

(26)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_S}{d{L}_S}}={\displaystyle \frac{\lambda ln\left(v_S\right)p_S^2\left(1-p_S\right)}{2\varphi \left(2p_S{q}_S-1\right)}}\end{array}$$

(27)

Based on the above analysis, we obtain Propositions 4 and 5.

Proposition 4. 

Under policy constraints on cybersecurity information sharing between two firms, the impacts of the value of security information on their decisions are as follows:

(1) For any value of security information q, the optimal cybersecurity investment $S_s^{*}$ monotonically increases, which means that ${\displaystyle \frac{\partial t}{\partial q}}<0$;

(2) When the negative impact coefficient of platform security information disclosure on a firm is $0<\varphi <{\displaystyle \frac{L\lambda ln(v)p}{-4s}}$, there is a critical value of security information $q^{*}={\displaystyle \frac{Lln(v)\lambda p(1-p)+2\varphi s}{p(L\lambda ln(v)p+4\varphi s)}}$, and if $q\in \left(0,q^{*}\right)$, the optimal cybersecurity information sharing $S_s^{*}$ increases, which means that ${\displaystyle \frac{\partial s}{\partial q}}>0$; if $q\in \left(q^{*},1\right)$, the optimal cybersecurity information sharing $S_s^{*}$ monotonically decreases, which means that ${\displaystyle \frac{\partial s}{\partial q}}<0.$

(3) For any value of security information q, the optimal cybersecurity information sharing $S_s^{*}$ monotonically increases; when the negative impact coefficient of platform security information disclosure on a firm is ${\displaystyle \frac{L\lambda ln(v)p}{-4s}}<\varphi <{\displaystyle \frac{L\lambda ln(v)p(1-p)}{-2s}}$, it means ${\displaystyle \frac{\partial s}{\partial q}}>0$.

(4) When the negative impact coefficient of platform security information disclosure on a firm is ${\displaystyle \frac{L\lambda ln(v)p(1-p)}{-2s}}<\varphi <1$, there exists a critical value of $q^{*}={\displaystyle \frac{Lln(v)\lambda p(1-p)+2\varphi s}{p(L\lambda ln(v)p+4\varphi s)}}$, and if $q\in \left(0,q^{*}\right)$, the optimal cybersecurity information sharing $S_s^{*}$ monotonically decreases, which means that ${\displaystyle \frac{\partial s}{\partial q}}<0$; if $q\in \left(q^{*},1\right)$, the optimal cybersecurity information sharing $S_s^{*}$ monotonically increases, which means that ${\displaystyle \frac{\partial s}{\partial q}}>0.$

First, by comparing Propositions 2 and 4, it becomes evident that under policy constraints on cybersecurity information sharing, the optimal cybersecurity investment for firms consistently exhibits a negative correlation with the value of security information. In contrast, under policy constraints on cybersecurity investment, firms’ optimal investment decisions become more complex. If the negative impact of platform security information disclosure is negligible, the optimal cybersecurity investment follows an inverted U-shaped curve, peaking at a specific value of security information. However, if the negative impact is substantial, the optimal cybersecurity investment maintains a positive correlation with the value of security information.

Second, firms’ optimal cybersecurity information sharing consistently exhibits a negative correlation with the value of security information. However, under policy constraints on cybersecurity information sharing, firms’ optimal sharing decisions become more complex. When the negative impact of platform security information disclosure is minimal, the optimal information sharing follows an inverted U-shaped curve, peaking at a specific value of security information. Conversely, when the negative impact is significant, the optimal information sharing follows a U-shaped curve, reaching its minimum at a particular value of security information.

Proposition 5. 

Under policy constraints on cybersecurity information sharing between two firms, the intrusion loss on their decisions are as follows:

(1) For intrusion loss L, there exists a critical value $L^{*}={\displaystyle \frac{2\varphi (1-pq)}{{\lambda }^2{ln}^2(v)p^{2}q(1-q)}}$. If $L\in \left(0,L^{*}\right)$, the optimal cybersecurity investment $t_s^{*}$ monotonically increases, which means that ${\displaystyle \frac{\partial s}{\partial L}}>0$; if $L\in (L^{*},+\infty )$, the optimal cybersecurity investment $t_s^{*}$ monotonically decreases, which means that ${\displaystyle \frac{\partial s}{\partial L}}<0$.

(2) The optimum of cybersecurity information sharing $s_s^{*}$ monotonically increases for any intrusion loss L: ${\displaystyle \frac{\partial s}{\partial L}}>0$.

The comparison of Propositions 3 and 5 reveals the following insights: First, when there are policy constraints on both cybersecurity investment and information sharing, the optimal cybersecurity information sharing by firms consistently correlates positively with intrusion loss. Moreover, the optimal cybersecurity investment invariably follows an inverted U-shaped curve in relation to the value of security information. The key difference is that under policy constraints on cybersecurity investment, firms’ optimal investment decisions are influenced by the value of security information. Conversely, under policy constraints on cybersecurity information sharing, firms’ optimal investment decisions are determined by the magnitude of intrusion loss.

Lastly, we discuss policy constraints on cybersecurity information sharing and cybersecurity investment to maximize the firm i and firm j aggregate utility function (Equation (13)).

We assume that firms are homogeneous and focus on the symmetric case, so there are $t_i=t_j=t_O,s_i=s_j=s_O,p_i=p_j=p_O,L_i=L_j=L_O,q_i=q_j=q_O,v_i=v_j=v_O.$

The equilibrium dynamic equations for two firms are as follows:

$$\begin{array}{c}\hfill -1+\lambda ln\left(v_O\right)L_O{p}_O\left(2q_O{p}_O-q_O-1\right)=0\end{array}$$

(28)

$$\begin{array}{c}\hfill \lambda ln\left(v_O\right)L_O{p}_O{q}_O\left(2p_O{q}_O-q_O-1\right)-2\varphi {q_O}^2{s}_O+\left(2\alpha -{\alpha }^2\right)q_O=0\end{array}$$

(29)

Thus, the dynamic replication equations of firms are

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_O}{d{q}_O}}={\displaystyle \frac{1-2p_O}{\lambda ln\left(v_O\right)\left(4p_O{q}_O-q_O-1\right)}}\end{array}$$

(30)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_O}{d{q}_O}}={\displaystyle \frac{-s_O}{q_O}}\end{array}$$

(31)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_O}{d{L}_O}}={\displaystyle \frac{\left(1+q_O-2p_O{q}_O\right)}{\lambda L_{O}ln\left(v_O\right)\left(4p_O{q}_O-q_O-1\right)}}\end{array}$$

(32)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_O}{d{L}_O}}=0\end{array}$$

(33)

From this, Proposition 6 can be obtained.

Proposition 6. 

The impacts on the value of security information and intrusion loss are as follows:

(1) For any value of security information q, the optimal cybersecurity investment $t_o^{*}$ monotonically increases, and the optimal cybersecurity information sharing $s_o^{*}$ monotonically decreases, which means that ${\displaystyle \frac{\partial t}{\partial q}}>0,{\displaystyle \frac{\partial s}{\partial q}}<0.$

(2) For intrusion loss L that are compromised, the optimal cybersecurity investment $t_o^{*}$ monotonically increases, and the optimal cybersecurity information sharing $s_o^{*}$ is constant, which means that ${\displaystyle \frac{\partial t}{\partial L}}>0,{\displaystyle \frac{\partial s}{\partial L}}=0.$

First, Proposition 6 states that an increase in the value of security information should lead firms to increase cybersecurity investment while reducing cybersecurity information sharing. In practice, regulations such as China’s “Cybersecurity Law” impose constraints on cybersecurity investment, with a primary focus on ensuring that firms meet their cybersecurity objectives. Cybersecurity information sharing is generally encouraged to enhance overall defense and governance. In this context, firms balance mandated levels of cybersecurity investment and information sharing, taking into account the value of security information. As the value of security information rises, the risk of information leakage also increases, prompting firms to prioritize their own cybersecurity over the benefits of sharing. Consequently, firms will increase cybersecurity investment and reduce cybersecurity information sharing to achieve their cybersecurity defense goals.

Second, with policy constraints on both cybersecurity investment and information sharing, firms’ cybersecurity investment increases with greater intrusion losses, while cybersecurity information sharing remains unaffected by intrusion loss. The rise in intrusion loss reflects a heightened demand for cybersecurity, as improvements in cybersecurity capabilities through information sharing are insufficient to mitigate these attacks. As a result, additional cybersecurity investment is required to strengthen the firm’s security posture, which aligns with the findings of Qian [36]. Consequently, intrusion loss not influences firms’ decisions regarding cybersecurity information sharing. In determining what cybersecurity information to share, firms prioritize economic benefits and the risks associated with information leakage over the impact on their cybersecurity investment.

Propositions 1–6 prove that whether firms make decisions or comply with policy constraints, the relationships among cybersecurity investment, cybersecurity information sharing, the value of security information, and intrusion loss are influenced by the marginal utility of both cybersecurity investment and cybersecurity information sharing.

5. Experimental Results

With reference to the parameter-setting method by Wu et al. [34], the parameter values in this study are mainly determined by two methods. Firstly, based on real cases and literature references, we refer to parameter values and research results from Li et al. [37], setting $v=0.008,0.015,0.05,0.1,0.2,0.3$. According to the data report from FreeBuf [38], we set $\lambda =0.08,0.15,0.16,0.1,0.2,0.25,0.3$. Based on the policy text analysis of the “Cyber Security Law of the People’s Republic of China”, we set $L=40,100,50$. Secondly, we take the annual data reports of firms and the equilibrium above the condition requirements, setting $q=0.3,0.4,0.6,0.7,0.75$, $\varphi =0.01,0.02,0.1,0.2,0.25$, $\alpha =0.6,0.8$. The parameter ranges are obtained as shown in

Table 2. Parameter scope.

Parameter	Scope
$p_i$	0.001–0.35
$L_i$	35–100
${\alpha }_i$	0.6–0.8
$q_i$	0.25–0.8
$\varphi$	0.01–0.25
$\lambda$	0.08–0.315

.

First, we use numerical simulation to analyze the perspective of firms’ profit maximization.

The parameter settings are as follows: $\mathrm{v}=0.1,\mathrm{L}=40,\varphi =0.2,$ and $\lambda =0.3$. We analyze how firm cybersecurity investment and information sharing change under the influence of the value of security information shown in Figure 1a,b.

Figure 1 illustrates the change trends of firms’ cybersecurity investment and information sharing in relation to the value of security information without policy constraints. Specifically, Figure 1a depicts the variation in cybersecurity investment as the value of security information changes, while Figure 1b shows how information sharing evolves in relation to the value of security information. As shown in Figure 1a,b, as the value of security information provided by the platform increases, firms are encouraged to leverage the positive effects of information sharing on investment effectiveness. This results in an upward trend in cybersecurity information sharing and a corresponding downward trend in cybersecurity investment. Without policy constraints, there is a negative correlation between cybersecurity investment and the value of security information, while information sharing exhibits a positive correlation with the value of security information.

When we set $\mathrm{v}=0.05,\mathrm{q}=0.6,\varphi =0.1,$ and $\lambda =0.1$, as intrusion losses change, the variations in cybersecurity investment and information sharing are as shown in Figure 2a,b.

Figure 2 illustrates the changes in firms’ cybersecurity investment and information sharing in response to variations in intrusion losses, without policy constraints. Specifically, Figure 2a depicts the relationship between cybersecurity investment and intrusion loss, while Figure 2b shows the correlation between information sharing and intrusion loss.

From Figure 2a,b, it is clear that as intrusion loss increases, firms can bolster their cybersecurity protection by increasing investment, which in turn reduces the hacking probability of future intrusion loss. At the same time, to mitigate the risk of significant indirect loss, firms should decrease their cybersecurity information sharing. This suggests that when facing the threat of intrusion loss, firms prioritize strengthening their own cybersecurity capabilities and carefully assessing the trade-offs of information sharing.

Second, we use numerical simulation to analyze the perspective of social welfare maximization.

Under policy constraints on cybersecurity investment and with the parameters being set to $\mathrm{v}=0.3$, $\mathrm{L}=100$, $\varphi =0.01$, and $\lambda =0.16$, we analyze how cybersecurity investment changes with the value of security information, as shown in Figure 3a. In practice, firms routinely implement cybersecurity training programs, which not only enhance the professional competence of their employees but also effectively mitigate cybersecurity risks. Simultaneously, firms may share diverse types of cybersecurity threat information on the platform, including data on computer malware. The negative impact coefficient of platform security information disclosure on firms’ cybersecurity posture and reputation can vary substantially. Therefore, we set $\mathrm{v}=0.008$, $\mathrm{L}=100$, $\varphi =0.1$, and $\lambda =0.08$, and as parameters such as the level of cybersecurity vulnerability and the negative impact coefficient of platform disclosure behavior change, firms’ cybersecurity investment varies with the value of security information, as shown in Figure 3b. Additionally, Figure 3c illustrates how firms’ cybersecurity information sharing changes with the value of security information.

From Figure 3a, it is evident that for firms with a high level of cybersecurity vulnerability, when the value of security information is below 0.4, cybersecurity investment increases as the value of security information rises. However, when the value exceeds 0.4, cybersecurity investment decreases as the value of security information continues to increase. Figure 3b illustrates that for firms with a low level of cybersecurity vulnerability, where platform disclosure has a significant negative impact, cybersecurity investment should increase as the value of security information rises. Figure 3c shows that as the value of security information increases, firms tend to reduce their cybersecurity information sharing.

We set $\mathrm{v}=0.1,\mathrm{q}=0.75,\varphi =0.1,$ and $\lambda =0.08$, and we analyze how cybersecurity investment changes with intrusion loss. Figure 4a shows the relationship between cybersecurity investment and intrusion loss when the value of security information varies. In reality, the cybersecurity environment faced by other firms on the platform is complex and changeable, and security information uploaded to the platform is constantly changing, and the value of the security information obtained by firms will also change. Therefore, we set q = 0.3. Figure 4b presents the relationship between information sharing and intrusion loss when the value of security information is 0.3, while Figure 4c shows the relationship between information sharing and intrusion loss. Figure 4a indicates that when the value of security information is high (e.g., 0.75), cybersecurity investment decreases as intrusion loss increases. Conversely, Figure 4b shows that when the value of security information is low (e.g., 0.3), cybersecurity investment increases as intrusion losse rises. Figure 4c demonstrates that cybersecurity information sharing increases with intrusion loss, which impacts firms’ cybersecurity decisions differently depending on the value of security information in response to intrusion loss.

Under policy constraints on cybersecurity information sharing, we set $\mathrm{v}=0.015$, $\mathrm{L}=100$, $\alpha =0.6$, $\varphi =0.02$, and $\lambda =0.25$.

When cybersecurity information sharing is subject to policy constraints, Figure 5 illustrates the dynamics of firms’ cybersecurity investment and information sharing relative to the value of security information, as well as the impact of changes in the negative impact coefficients of platform disclosure on information sharing. Figure 5a depicts the relationship between cybersecurity investment and the value of security information. Figure 5b focuses on scenarios where the negative impact coefficient of platform disclosure on firms is relatively small. In practice, when firms upload various types of cybersecurity threat information to a platform, the negative impact coefficient of platform security information disclosure can differ. Therefore, by keeping factors such as cybersecurity vulnerability, intrusion loss, and the absorptive capability for security information within a limited range and setting $\varphi =0.1$ and $\varphi =0.2$, we analyze the variation in the negative impact coefficient of platform disclosure behaviors, as well as the differences in firms’ cybersecurity information sharing with various values of security information, as shown in Figure 5c,d.

From Figure 5a, it can be observed that cybersecurity investment decreases as the value of security information increases. Figure 5b–d reveal that when the negative impact coefficient of platform disclosure is small (e.g., 0.02), cybersecurity information sharing follows an inverted U-shaped curve, with the highest inflection point at the value security information is 0.3. When the negative impact coefficient is moderate (e.g., 0.1), firms tend to increase cybersecurity information sharing. When the negative impact coefficient is large (e.g., 0.2), cybersecurity information sharing follows a U-shaped curve, with the lowest inflection point at the value of security information is 0.6.

When we set $v=0.1,q=0.4,\varphi =0.1,\lambda =0.2,$ and $\alpha =0.8$, Figure 6 illustrates the changes in firms’ cybersecurity investment and information sharing in response to intrusion loss, when policy constraints are applied to cybersecurity information sharing. Figure 6a depicts the relationship between cybersecurity investment and intrusion loss, while Figure 6b shows the relationship between information sharing and intrusion loss. From Figure 6a, it is clear that firms increase cybersecurity investment when intrusion losses are below 52. However, when intrusion losses exceed 52, firms may reassess their investment strategies, taking into account factors such as cost-effectiveness. Figure 6b demonstrates that as intrusion loss increases, firms are more likely to increase cybersecurity information sharing.

Finally, under dual policy constraints, we set $v=0.2$, $L=50$, $\varphi =0.2$, $\lambda =0.3$, and $\alpha =0.6$. The policy constraints on cybersecurity investment and information sharing lead to changes in firms’ cybersecurity investment and information sharing as a function of the value of security information, as shown in Figure 7. Figure 7a illustrates the relationship between cybersecurity investment and the value of security information, while Figure 7b shows the relationship between cybersecurity information sharing and the value of security information.

From Figure 7a,b, it is evident that as the value of security information increases, firms tend to increase their cybersecurity investment while decreasing their cybersecurity information sharing. This behavior reflects the trade-off between securing valuable information and the risks associated with sharing it. A higher value of security information signals greater potential losses if compromised, prompting firms to allocate more investment to safeguard it. As a result, firms become more cautious and decrease the amount of information they share in order to mitigate these risks.

When we set $v=0.2,q=0.7,\varphi =0.25,\lambda =0.3,$ and $\alpha =0.6$, the changes in cybersecurity investment and information sharing can be observed under policy constraints as intrusion losses vary. These variations are illustrated in Figure 8.

Under dual policy constraints, the changes in firms’ cybersecurity investment and cybersecurity information sharing in response to intrusion loss are shown in Figure 8. From Figure 8a, it is evident that as intrusion loss increases, firms are prompted to increase their cybersecurity investment. As the magnitude of intrusion loss rises, firms recognize the escalating risks and respond by proactively enhancing their cybersecurity measures. Figure 8b reveals that cybersecurity information sharing by firms remains unaffected by intrusion loss. Despite fluctuations in intrusion loss, the extent of information sharing remains relatively stable, suggesting that firms’ decisions to share information are not directly influenced by the level of intrusion loss.

Sensitivity is denoted by $S={\displaystyle \frac{\Delta Y}{\Delta X}}$. Here, S represents sensitivity, $\Delta Y$ indicates the change in the dependent variable Y, and $\Delta X$ represents the change in the independent variable X.

Based on the theoretical analysis presented above, we analyze the impact of two key factors, the value of security information and intrusion losses, on firms’ decision-making behavior regarding cybersecurity investment and information sharing from the perspective of firm benefit maximization. First, our sensitivity analysis studied the trend characteristics of $\Delta S$ with the increase in q under different values of t and s. The corresponding results are presented in Figure 9.

As the value of security information increases, cybersecurity investment exhibits a downward trend, indicating a negative relationship between the two: as cybersecurity investment increases, the rate of decline accelerates. This can be explained by the fact that when the value of security information is high, firms are able to leverage this information more effectively to prevent and response to cybersecurity threats, thus reducing the need for additional cybersecurity investment. Conversely, there is a positive correlation between the value of security information and cybersecurity information sharing. As cybersecurity information sharing increases, the upward trend becomes slower. Specifically, as the value of security information increases, firms are more inclined to share it. This is because firms recognize the higher value of information and are more willing to share it. On one hand, cybersecurity information sharing helps firms enhance their cybersecurity capabilities, contributing to a stronger overall cybersecurity environment and, indirectly, mitigating the cybersecurity risks they face. On the other hand, firms may also benefit from receiving complementary information shared by other firms, which further increases their own value of security information.

Then, our sensitivity analysis studied the trend characteristics of $\Delta S$ with the increase in L under different values of t and s, as shown in Figure 10.

Figure 10 clearly illustrates the significant impact of rising intrusion loss on firms’ cybersecurity investment and information-sharing decisions. As intrusion loss increases, cybersecurity investment exhibits an upward trend, indicating a positive correlation between the two, and this upward trend slows down after rising. This is because when firms face a higher risk of intrusion losses, they have to invest more in cybersecurity to reduce these potentially huge loss. In contrast, the relationship between intrusion loss and cybersecurity information sharing shows a downward trend, reflecting a negative correlation, and the trend drops more rapidly. When faced with substantial intrusion loss, firms tend to reduce their information sharing, prioritizing enhanced cybersecurity investment to address emerging threats more effectively.

In conclusion, the impact of an increase in the value of security information and intrusion loss on firms’ cybersecurity investment and information sharing aligns with the theoretical analysis presented. Therefore, when formulating cybersecurity strategies, firms should account for fluctuations in the value of security information and intrusion losses. By doing so, they can make informed adjustments to their cybersecurity investment and information-sharing decisions, thereby effectively managing varying levels of cybersecurity risks and maximizing the overall benefits of their cybersecurity initiatives.

6. Discussion

6.1. Discussion for Firms

Based on the above analysis, the following recommendations can be made to optimize firms’ cybersecurity information sharing and investment decisions.

First, without policy constraints, as the value of security information increases, firms should consider reducing cybersecurity investment and increasing cybersecurity information sharing. Conversely, when intrusion loss rises, firms should prioritize increasing their cybersecurity investment while decreasing cybersecurity information sharing.

Second, under policy constraints on cybersecurity investment, if the value of security information increases, $L_I\lambda ln(v_I)p_I{(1-2p_I)}^2$ and $2\varphi s_I(4p_I-1)$ need to be compared. If $L_I$$\lambda ln(v_I)p_I{(1-2p_I)}^2<2\varphi s_I(4p_I-1)$, the value of ${\mathrm{q}}^{*}={\displaystyle \frac{-2\varphi {\mathrm{s}}_{\mathrm{I}}\lambda ln\left({\mathrm{v}}_{\mathrm{I}}\right)}{\left(\lambda ln\left({\mathrm{v}}_{\mathrm{I}}\right)\left({\mathrm{L}}_{\mathrm{I}}\lambda ln\left({\mathrm{v}}_{\mathrm{I}}\right){\mathrm{p}}_{\mathrm{I}}{\left(1-2{\mathrm{p}}_{\mathrm{I}}\right)}^2-2\varphi {\mathrm{s}}_{\mathrm{I}}\left(4{\mathrm{p}}_{\mathrm{I}}-1\right)\right)\right)}}$ needs to be calculated. If the value of security information $q^{*}$ decreases, firms should reduce cybersecurity investment, and if the value of security information $q^{*}$ increases, firms should increase cybersecurity investment. If ${\mathrm{L}}_{\mathrm{I}}\lambda ln\left({\mathrm{v}}_{\mathrm{I}}\right){\mathrm{p}}_{\mathrm{I}}{\left(1-2{\mathrm{p}}_{\mathrm{I}}\right)}^2>2\varphi {\mathrm{s}}_{\mathrm{I}}\left(4{\mathrm{p}}_{\mathrm{I}}-1\right)$, cybersecurity investment should be reduced. When the value of security information increases, firms should reduce cybersecurity information sharing. If intrusion loss increases, $q<{\displaystyle \frac{1}{1+2p}}$ needs to be determined. If it is valid, firms should increase their cybersecurity investment; if it is not valid, firms should reduce their cybersecurity investment. When intrusion loss increases, firms should reduce cybersecurity information sharing.

Third, under policy constraints on cybersecurity information sharing, when the value of security information increases, firms should increase their cybersecurity investment; when the value of security information increases, $q^{*}={\displaystyle \frac{L_S\lambda ln\left(v_S\right)p_S\left(1-p_S\right)+2\varphi s_S}{p_S\left(L_S\lambda ln\left(v_S\right)p_S+4\varphi s_S\right)}}$ needs to be calculated. Then, if ${\displaystyle \frac{-2\varphi s}{L\lambda ln(v)(1-p)}}<p<{\displaystyle \frac{1}{2}}$, firms should increase cybersecurity information sharing and decrease it when it is more than $q^{*}$. If $\mathrm{p}<{\displaystyle \frac{-2\varphi \mathrm{s}}{\mathrm{L}\lambda ln(\mathrm{v})(1-\mathrm{p})}}$, cybersecurity information sharing should be reduced if the value of security information is less than $q^{*}$ and increased if it is greater than $q^{*}$. If ${\displaystyle \frac{-2\varphi s}{L\lambda ln(v)(1-p)}}<p<{\displaystyle \frac{-4\varphi s}{L\lambda ln(v)}}$, firms should increase cybersecurity information sharing. When intrusion loss increases, $L^{*}={\displaystyle \frac{2\varphi \left(1-p_S{q}_S\right)}{{\lambda }^2{ln}^2\left(v_S\right)p_S^2{q}_S\left(1-q_S\right)}}$ needs to be calculated. When the intrusion loss is less than $L^{*}$, firms should increase cybersecurity investment; when intrusion loss is greater than $L^{*}$, cybersecurity investment should be reduced. When intrusion loss increases, firms should reduce cybersecurity information sharing.

Finally, with policy constraints on cybersecurity investment and information sharing, an increase in the value of security information should prompt firms to enhance their cybersecurity investment while simultaneously reducing their engagement in information sharing. Conversely, when intrusion loss rises, firms should increase their cybersecurity investment; however, the decision regarding the sharing of cybersecurity information should remain unaffected by these changes in intrusion loss.

6.2. Discussion for Social Planners

First, under policy constraints on cybersecurity information sharing only, as firms adjust their information-sharing strategy in accordance with the changes in the value of cybersecurity information, data islands may be a critical problem when the government builds a cybersecurity information-sharing platform; thus, the policy constraint on cybersecurity information sharing tends to be ineffective. The government incentivizes private entities to participate in cybersecurity information sharing by providing them with exemptions from liability. For instance, the “Cybersecurity Information Sharing Act (CISA)” of the United States points out that when firms share cybersecurity information in compliance with mandatory legal standards and the required compliance, they may be partially or wholly exempted from legal liabilities arising from sharing behaviors.

Second, under policy constraints on cybersecurity investment only, due to hacker attacks, vulnerabilities, and other network threats, firms are willing to increase their cybersecurity investment to avoid loss. Therefore, multiple options, such as cybersecurity insurance and information security technology, are part of what the government needs to offer when guiding firms’ cybersecurity investment. Additionally, some countries, like China, make it mandatory for firms to meet cybersecurity risk assessment standards identifiable through third-party organizations, which constrain firms to a certain level of cybersecurity investment to ensure investment effectiveness.

Third, under policy constraints on both cybersecurity investment and information sharing, when firms are confronted with multiple factors, such as the value of security information, intrusion loss, the information disclosure problems of information-sharing platforms, and the absorptive capacity for security information, their strategies of cybersecurity investment and information sharing become more cautious. To ease the burden of firms’ concern, tax measures, White List, or honored businesses can be utilized as a regulatory tool to encourage compliance by firms, so that cybersecurity investments and information-sharing policies can be effectively enacted.

7. Extension

In this section, the model is extended from two firms to any finite number, n ($n>2$), of firms. In practice, there are multiple firms on the cybersecurity information-sharing platform to fulfill their responsibility. Hence, we try to answer two questions: (1) Will the optimal strategies of n firms change when the other conditions remain unchanged? (2) If the firm number is enlarged, will firm utility also change? The assumptions in Section 3 are introduced here. Therefore, the total utility function of n homogenous firms is

$$\begin{array}{cc}\hfill \mathrm{Max}{\pi }_{i^{’}}& =\sum _{i=1}^n\left[\left(2{\alpha }_i-{\alpha }_i^2\right)(q_j{s}_j)-\left(t_i+p_i{L}_i+q_i(1-p_i)p_j{L}_i+\varphi {(q_i{s}_i)}^2\right)\right]\hfill \\ \hfill & =\sum _{i=1}^n\left[\left(2{\alpha }_i-{\alpha }_i^2\right)(q_j{s}_j)\right.\left(t_i+v_i^{\lambda (t_i+q_j{s}_j)+1}{L}_i+q_i(1-v_i^{\lambda (t_i+q_j{s}_j)+1})\right.\hfill \\ \hfill & \left.v_j^{\lambda (t_j+q_i{s}_i)+1}{L}_i+\varphi {(q_i{s}_i)}^2\right)]\hfill \\ & =n[(2{\alpha }_N-{\alpha }_N^2)(q_N{s}_N)-(t_N+v_N^{\lambda (t_N+q_N{s}_N)+1}{L}_N\hfill \\ \hfill & +q_N(1-v_N^{\lambda (t_N+q_N{s}_N)+1})v_N^{\lambda (t_N+q_N{s}_N)+1}{L}_N+\varphi {(q_N{s}_N)}^2)]\hfill \end{array}$$

(34)

Hereafter, in comparing n firms with two firms, the case without policy constraints is taken as an example to illustrate the above two questions. The proof process of question (1) is similar to that of two firms. From Equation (34), we can obtain

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_N}{d{q}_N}}=\sum _{i=1}^n{\displaystyle \frac{2\varphi p_N+L_N{\lambda }^2{ln}^2(v_N){p_N}^2{q}_N(1-2p_N)-2\lambda ln(v_N)\varphi s_N(1-2p_N{q}_N)}{2\lambda ln(v_N)\varphi (1-2p_N{q}_N)}}\end{array}$$

(35)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_N}{d{q}_N}}=\sum _{i=1}^n{\displaystyle \frac{\lambda L_N{p_N}^{2}ln(v_N)(1-2p_N)}{2\varphi (2p_N{q}_N-1)}}\end{array}$$

(36)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{t}_N}{d{L}_N}}=\sum _{i=1}^n{\displaystyle \frac{2\varphi (1-p_N{q}_N)-L_N\lambda ln(v_N)p_N{q}_N(1-q_N)}{2\lambda ln(v_N)L_N\varphi (2p_N{q}_N-1)}}\end{array}$$

(37)

$$\begin{array}{c}\hfill {\displaystyle \frac{d{s}_N}{d{L}_N}}=\sum _{i=1}^n{\displaystyle \frac{p_N(q_N-1)}{2\varphi (1-2p_N{q}_N)}}\end{array}$$

(38)

Then, the optimal “investment-sharing” strategies of n firms is shown in Proposition 7.

Proposition 7. 

Without policy constraints, the optimal "investment-sharing" strategies for any finite number n ($n>2$) of firms follows the same trend as that of two firms.

By Proposition 7, the optimal strategies of n firms are consistent with those of two firms in the case of no policy constraint. By computing the derivative of $q_N$ with respect to $t_N$ and $s_N$, as well as the derivative of $L_N$ with respect to $t_N$ and $s_N$, the partial derivative expressions of n firms are the same as those of two firms.

In addition, by judging the condition ${\displaystyle \frac{d_{\pi }}{d_n}}$, ${\displaystyle \frac{d_{\pi }}{d_n}}<0$ is derived. The utility of firm i with trends in n is shown in Proposition 8.

Proposition 8. 

Without policy constraints, for any firm i, its utility decreases as n increases.

By Proposition 8, cybersecurity information sharing does not yield a scale effect in the case of no policy constraint, which seems to go against common sense. The reason is that if there is no constrain on the investment or sharing threshold, some firms may reduce their cybersecurity investments as a result of over-reliance on cybersecurity information sharing. This “free-riding” behavior would damage those firms that actively engage in sharing actives, even causing the result of blame shifting. As a result, more and more firms choose to avoid sharing especially when the firm number increases, as the benefit of the firm that shares its cybersecurity information would be shared by the others and subsequently lose strength.

8. Conclusions

This paper constructs a game theory model to analyze firms’ decision making regarding cybersecurity investment and information sharing. This study examines scenarios both with and without policy constraints, exploring the interactions among key factors such as the value of security information, intrusion loss, and the negative impact coefficient of platform security information disclosure. Through this model, the influencing factors and interrelationships of the cybersecurity information-sharing strategy are elucidated. Subsequently, a cybersecurity information-sharing strategy model for firms is developed, followed by equilibrium analysis. Empirical analysis is conducted on firms, and targeted recommendations are proposed.

Our key findings are as follows: First, firms should balance the interconnected effects of cybersecurity information sharing, investment, economic benefits, and intrusion loss to maximize their utility. Second, cybersecurity investment and information sharing are influenced by changes in the value of security information and intrusion loss and are constrained by their respective marginal utilities. The increase in the value of security information will make firms pay more attention to cybersecurity, thus increasing their willingness to invest and share information. However, as the value of security information continues to increase, its marginal utility may gradually decrease. Third, firms will only increase their cybersecurity investment or information sharing if the marginal utility of security information is positively correlated with these factors. This means that firms will have an incentive to increase cybersecurity investment or share more information only if the additional benefits from acquiring more security information outweigh its costs. Fourth, firms will increase their cybersecurity investments or information sharing if the marginal utility of intrusion loss is positively correlated with these factors. When the marginal utility of intrusion loss is positive, it means that each additional unit of intrusion loss will prompt firms to pay more attention to cybersecurity and increase investment or information sharing.

In examining intrusion loss, our research builds on the classical Gordon–Loeb model from the field of cybersecurity economics. However, the analysis does not consider the impact of different types of hacker attacks on firms’ decisions regarding cybersecurity information sharing. Future research could delve into how various attack types, such as random and targeted attacks, influence these decisions, particularly given their differing effects on intrusion probabilities.