Abstract
There are several types of relations between information assets of two firms, among which substitutable relation is such that even when one of the firms is successfully breached by one hacker, both firms would incur loss and the hacker gets benefit. This paper examines security investment and information sharing of two substitutable firms through constructing a game-theoretic model between these firms and one hacker. We derive the following interesting results: (a) the firm with more efficient security investment suffers weaker cyber-attack from the hacker because the rational hacker would switch its emphasis to the less efficient firm; (b) one firm’s aggregate defense increases with its unit investment cost for the positive interdependence when this cost remains high due to more shared information and enhanced security investment from the other firm; (c) although a widely-used compensation mechanism can urge the firms to invest more when security loss remains low, it increases their expected costs because of the excess investment; (d) unlike simultaneous game, each firm’s aggregate defense always increases with the unit cost of cyber-attacks under sequential game since the hacker has an advantage of learning the firms’ security decisions. These results give fresh managerial guidelines to security experts of firms.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Data availability statement
Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.
Notes
1 Specifically, we consider such value of that satisfies
2 The sequential game with the hacker as first-mover is not of interest here, which mainly applies to real-time defensive tactics, such as apprehending an attacker during the course of an attack (Zhuang & Bier, Citation2007).
3 and consider such ranges of and respectively to guarantee available (positive) equilibrium solutions.
4 The proof is similar with Appendix B in Gao et al. (Citation2014) and is thus omitted.