Research Articles

Managing cloud security in the presence of strategic hacker and joint responsibility

Pages 1371-1384 | Received 19 Aug 2022, Accepted 02 Aug 2023, Published online: 26 Aug 2023
 

Abstract

The widespread use of cloud computing has brought cloud security to the forefront. The cloud provider and the firm assume varying degrees of joint responsibility for cloud security under the IaaS, PaaS, and SaaS service models when defending against a strategic hacker. This paper builds a game-theoretic model of cloud security management and finds that ignoring the strategic hacker distorts the security investment decisions (overinvestment or underinvestment) of both the provider and the firm under bilateral refund contracts (BRCs). The strategic hacker's attack effort is inverse U-shaped across the cloud service models, which creates a free-riding problem between the provider and the firm. Furthermore, from the perspective of social welfare maximization, both the provider and the firm may underinvest or overinvest in cloud security. To address this, we propose two new contract mechanisms. The first is an internal effort-based contract, in which the provider oversees the firm internally and the compensation rate paid after a breach depends on the firm's effort. The second is an external effort-based contract, in which a monitoring agency supervises the efforts of both the provider and the firm. We compare the two new contracts with BRCs and derive the optimal choice for the principals.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 The subscripts C, F, H, and M denote the cloud provider, the firm, the hacker, and the monitoring agency, respectively. The superscripts I, II, III, IV, and V denote the cases of the BRC, the presence of a non-strategic hacker, the benchmark, the internal effort-based contract, and the external effort-based contract, respectively.

3 In practice, the relationship between the monitoring cost and security effort may be ambiguous. The variable cost increases with the agent's effort, since more effort requires more monitoring. For simplicity, we take the monitoring cost to be $\tfrac{1}{2} M e_F^2$, where $e_F$ is the firm's security effort.

Additional information

Funding

The authors are extremely grateful to the anonymous referees for their valuable and helpful comments. This work was supported by the Shanghai Social Science Foundation (No. 2022ZGL009), the National Natural Science Foundation of China (No. 71801035, 71872037, 71901058, 71832001), and the Fundamental Research Funds for the Central Universities.
