Abstract
Cybersecurity presents a monumental challenge for interconnected supply chains, as an attack on one node can compromise an entire business. In this paper, we propose a game theory model to investigate cybersecurity investments with third-party risk propagation in a two-echelon supply chain consisting of one retailer and n suppliers. The optimal investments and their responses to relevant security characteristics, such as intrinsic vulnerability, propagation probability, number of suppliers, and attack probability, are analysed and discussed both theoretically and numerically considering one-stage risk propagation. It is found that there are serious prisoners' dilemma and free-riding phenomena in such a scenario. To mitigate third-party risks and improve the investment efficiency, three coordination mechanisms, joint decision, security risk compensation, and security information sharing, are presented and compared numerically. The results indicate that joint decision-making and security risk compensation perform better on stimulating firms' investments and reducing expected costs both individually and collectively relative to security information sharing. Furthermore, the case of two-stage risk propagation is also supplemented and compared with one-stage case. Based on these findings, some management insights are recommended to cybersecurity managers in supply chains for designing more efficient cybersecurity mechanisms and investment strategies.
Acknowledgments
Special thanks to Dr. Yidong Hou from Wuhan University for his guidance and polishing of this article and Dr. Rona Luo from the University of Auckland for her kind suggestions.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1 To simplify the analysis, the types of security attacks are not considered in this paper, such as random attacks and target attacks.
2 The supply chain consists of a retailer and 10 suppliers. Here, s = 1 is set, namely, the breach loss of retailer is about five times that of one supplier. This is a conservative estimate, because once the retailer leaks information, it will face huge losses from all aspects, such as competitors, compensation for consumer damage, and government fines. Other parameters are taken as intermediate values, which ensure the accuracy of numerical simulation.
3 Noted that in the following sections, subscripts , and S represent the cases of joint decision, security risk compensation, and security information sharing, respectively.