Abstract
The tendency of strategic hackers to attack specific industries brings new challenges for information security management. This paper examines the interaction between firms in a specific industry and a strategic hacker by considering industry-specific characteristics including the intrinsic vulnerability, the intentions of the hacker, competition between firms, and the similarity of security technologies. We find that firms in an overly dangerous industry should consider reforming their business model to reduce the intrinsic vulnerability rather than investing heavily in security protection. Moreover, we distinguish between profit-seeking and fame-seeking hackers and find that the two intentions generate different hacker behaviour. Furthermore, continuing to exert effort remains the better strategy for firms when competition becomes more intense, even as the threat from the hacker decreases. In addition, technical similarity enhances the hacker's incentive to exert attack effort while inducing a free-riding problem among competing firms. Accordingly, we introduce a social planner to regulate the security decisions of competing firms, and show that the supervision of a social planner can partly alleviate free-riding, but will only be accepted by competing firms in a weakly or highly competitive environment. Our results imply that introducing a social planner to enforce security protection may not be advisable for all industries. Finally, we extend our model to two additional cases: a sequential game and an asymmetric setting.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1 Although in practice firms may deploy defensive measures before the strategic hacker attacks their systems, the hacker usually cannot know the firms' measures in advance because information security strategies are kept confidential. Thus, following prior studies (such as Gao & Zhong, 2015), we assume that all players make decisions in a single-period model, that is, all decisions occur at the same instant. Nevertheless, we extend our model to a two-period model in which the firms decide on defensive measures before the hacker attacks in Section 6.1.
2 In practice, firms usually adopt one of three methods to estimate these parameters. The first is estimation from data on the firm's own past breaches or from business cases of industry peers. The second is evaluation by a third party such as an industry association. The third is indirect evaluation through other measurable factors. For example, Liu et al. (2007) find empirically that the intrinsic vulnerability can be gauged by the number of e-mail accounts when firms face virus-related security breaches.
3 Recalling the example of the security breach at SOE, SOE suffered a total loss of in which measures the consumers who switched to its competitor Microsoft's Xbox, and the remaining loss is measured by which may include the loss of information assets, reputation, and market value. In some cases, could be correlated with and we discuss this case in Section 6.2.
4 Here the hacker's reputation gain could be correlated with the size of the victim firm and we discuss this situation in Section 6.2.
5 To determine objectively the magnitudes of and resulting from a security breach incident, firms can estimate the expected loss using methods such as expert evaluation and decision trees. For example, Farahmand et al. (2004) use a comprehensive five-stage security risk evaluation system to identify the loss of a breached firm. Since many US firms are legally required to disclose security breaches, Andoh-Baidoo and Osei-Bryson (2007) use decision trees to analyse the observed cumulative abnormal stock market returns of breached firms or their competitors, which is another effective way to evaluate the loss.
6 We further discuss an asymmetric case in Section 6.2.