Information security outsourcing in a resource-sharing environment: The impacts of attack modes

Abstract

Information security outsourcing has become an emerging trend in the operations of information security, but the relation between information assets of firms and attack modes of hackers have failed to be considered. Through building a game-theoretic model, this article analyzes security outsourcing of two firms who share their information resource with each other and are confronted with opportunistic attacks and targeted attacks. We find that in the case of security decisions in-house, the firms may obtain a lower expected cost and the hacker may derive a lower expected benefit under targeted attacks than under opportunistic attacks, even though targeted attacks are widely deemed to be more harmful to the firms. When outsourcing security operations to a MSSP (Managed Security Service Provider), we reveal that under targeted attacks the MSSP can reap a higher expected benefit and the hacker can still derive a lower expected benefit. Finally, we examine the effects of key security elements and find some interesting results. In particular, the MSSP may or may not benefit from the degree of resource sharing, and the hacker may suffer from its learning ability.

Keywords:

• Information security outsourcing
• resource sharing
• opportunistic attacks
• targeted attacks

Data availability statement

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

Disclosure statement

No potential conflict of interest was reported by the authors.

Notes

1 The breach probability under opportunistic attacks can be calculated as $p^I=1/(-\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v{k}_{F}L).$

2 The second order conditions on security investments and attack efforts naturally hold in Class I and Class II because ${\partial }^2{C}_i^F/\partial z_i^2>0$ and ${\partial }^2{\pi }^H/\partial h_i^2<0$ at equilibrium.

3 The optimality of equilibrium solution $t_i,t_j,d_i,d_j$ can be guaranteed. Given $C_i^F\le C_I^F$ and $C_j^F\le C_I^F,$ since ${\pi }^M(t_i,t_j,d_i,d_j)$ increases with $t_i$ and $t_j,$ we have

${\pi }^M(t_i,t_j,d_i,d_j)\le {\pi }^M(p_i(d_i-L)-p_j\alpha L+C_I^F,p_j(d_j-L)-p_i\alpha L+C_I^F,d_i,d_j)={\pi }_L^M(d_i,d_j).$

The Hessian matrix of ${\pi }_L^M(d_i,d_j)$ at the equilibrium solution $d_i$ and $d_j$ is

$(\begin{array}{cc}{\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_i^2& {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_i\partial d_j\\ {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_j\partial d_i& {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_j^2\end{array})$

in which

$\frac{{\partial }^2{\pi }^M}{\partial d_i^2}=\frac{2L(1+\alpha )}{k_M{d}_i{}^3\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}-\frac{(1-\varphi )}{k_M{d}_i{}^2\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}=\frac{{(1-\varphi )}^3}{k_M{(L(1+\alpha ))}^2\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}<0$

$\frac{{\partial }^2{\pi }^M}{\partial d_i\partial d_j}=\frac{{\partial }^2{\pi }^M}{\partial d_j\partial d_i}=0$

$\frac{{\partial }^2{\pi }^M}{\partial d_j^2}=\frac{2L(1+\alpha )}{k_M{d}_j{}^3\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}-\frac{(1-\varphi )}{k_M{d}_j{}^2\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}=\frac{{(1-\varphi )}^3}{k_M{(L(1+\alpha ))}^2\hspace{0.17em}\mathrm{\text{ln}}\hspace{0.17em}v(1+\beta )}<0.$

It follows from $\mathrm{\text{det}}(\begin{array}{cc}{\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_i^2& {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_i\partial d_j\\ {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_j\partial d_i& {\partial }^2{\pi }_L^M(d_i,d_j)/\partial d_j^2\end{array})>0$ that such Hessian matrix is negative definite.

4 The optimality of equilibrium solution $t_i,t_j,d_i,d_j$ can be guaranteed as well, similar with Class I. The Hessian matrix with $d_i$ and $d_j$ takes the form of

$(\begin{array}{cc}{\partial }^2{\pi }^M(d_i,d_j)/\partial d_i^2& {\partial }^2{\pi }^M(d_i,d_j)/\partial d_i\partial d_j\\ {\partial }^2{\pi }^M(d_i,d_j)/\partial d_j\partial d_i& {\partial }^2{\pi }^M(d_i,d_j)/\partial d_j^2\end{array})$

where $\frac{{\partial }^2{\pi }^M}{\partial d_i^2}=-\frac{v^{\frac{1}{2-\varphi }}{(1-\varphi )}^{\frac{5-2\varphi }{2-\varphi }}{(\varphi a(1+\mu \beta ))}^{\frac{\varphi }{2-\varphi }}}{(2-\varphi ){(k_M(1+\beta ))}^{\frac{1}{2-\varphi }}{(L(1+\alpha ))}^{\frac{3-2\varphi }{2-\varphi }}}<0$

$\frac{{\partial }^2{\pi }^M}{\partial d_i\partial d_j}=\frac{{\partial }^2{\pi }^M}{\partial d_j\partial d_i}=0$

$\frac{{\partial }^2{\pi }^M}{\partial d_i^2}=-\frac{v^{\frac{1}{2-\varphi }}{(1-\varphi )}^{\frac{5-2\varphi }{2-\varphi }}{(\varphi a(1+\mu \beta ))}^{\frac{\varphi }{2-\varphi }}}{(2-\varphi ){(k_M(1+\beta ))}^{\frac{1}{2-\varphi }}{(L(1+\alpha ))}^{\frac{3-2\varphi }{2-\varphi }}}<0.$

One can know from $\mathrm{\text{det}}(\begin{array}{cc}{\partial }^2{\pi }^M(d_i,d_j)/\partial d_i^2& {\partial }^2{\pi }^M(d_i,d_j)/\partial d_i\partial d_j\\ {\partial }^2{\pi }^M(d_i,d_j)/\partial d_j\partial d_i& {\partial }^2{\pi }^M(d_i,d_j)/\partial d_j^2\end{array})>0$ that this Hessian matrix is negative definite.