Abstract
Information security outsourcing has become an emerging trend in the operations of information security, but the relation between the information assets of firms and the attack modes of hackers has not been considered. By building a game-theoretic model, this article analyzes the security outsourcing of two firms that share their information resources with each other and are confronted with opportunistic attacks and targeted attacks. We find that when security decisions are made in-house, the firms may obtain a lower expected cost and the hacker may derive a lower expected benefit under targeted attacks than under opportunistic attacks, even though targeted attacks are widely deemed to be more harmful to the firms. For the case where security operations are outsourced to an MSSP (Managed Security Service Provider), we reveal that under targeted attacks the MSSP can reap a higher expected benefit and the hacker can still derive a lower expected benefit. Finally, we examine the effects of key security elements and find some interesting results. In particular, the MSSP may or may not benefit from the degree of resource sharing, and the hacker may suffer from its learning ability.
Data availability statement
Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1 The breach probability under opportunistic attacks can be calculated as
2 The second order conditions on security investments and attack efforts naturally hold in Class I and Class II because and
at equilibrium.
3 The optimality of the equilibrium solution can be guaranteed. Given
and
since
increases with
and
we have
The Hessian matrix of at the equilibrium solution
and
is
in which
It follows from that such Hessian matrix is negative definite.
4 The optimality of the equilibrium solution can be guaranteed as well, as in Class I. The Hessian matrix with
and
takes the form of
where
One can know from that this Hessian matrix is negative definite.