Research Article

Information sharing and security investment for substitutable firms: A game-theoretic analysis

Pages 799-820 | Received 10 May 2022, Accepted 27 Apr 2023, Published online: 10 May 2023

References

  • Allodi, L., Massacci, F., & Williams, J. (2022). The work-averse cyberattacker model: Theory and evidence from two million attack signatures. Risk Analysis: An Official Publication of the Society for Risk Analysis, 42(8), 1623–1642. https://doi.org/10.1111/risa.13732
  • Arce, D. (2022). Cybersecurity for defense economists. Defence and Peace Economics, 1–21. Advance online publication. https://doi.org/10.1080/10242694.2022.2138122
  • Bokhari, S., Hamrioui, S., & Aider, M. (2022). Cybersecurity strategy under uncertainties for an IoE environment. Journal of Network and Computer Applications, 205, 103426. https://doi.org/10.1016/j.jnca.2022.103426
  • Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2), 281–304. https://doi.org/10.2753/MIS0742-1222250211
  • Cremonini, M., & Nizovtsev, D. (2009). Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26(3), 241–274. https://doi.org/10.2753/MIS0742-1222260308
  • Dykstra, J., Gordon, L. A., Loeb, M. P., & Zhou, L. (2022). The economics of sharing unclassified cyber threat intelligence by government agencies and departments. Journal of Information Security, 13(03), 85–100. https://doi.org/10.4236/jis.2022.133006
  • Ezhei, M., & Ladani, B. T. (2020). Interdependency analysis in security investment against strategic attacks. Information Systems Frontiers, 22(1), 187–201. https://doi.org/10.1007/s10796-018-9845-8
  • Fedele, A., & Roner, C. (2022). Dangerous games: A literature review on cybersecurity investments. Journal of Economic Surveys, 36(1), 157–187. https://doi.org/10.1111/joes.12456
  • Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186–208. https://doi.org/10.1287/isre.1050.0053
  • Gao, X., & Zhong, W. J. (2016a). A differential game approach to security investment and information sharing in a competitive environment. IIE Transactions, 48(6), 511–526. https://doi.org/10.1080/0740817X.2015.1125044
  • Gao, X., & Zhong, W. J. (2016b). Economic incentives in security information sharing: The effects of market structures. Information Technology and Management, 17(4), 361–377. https://doi.org/10.1007/s10799-015-0253-1
  • Gao, X., Zhong, W. J., & Mei, S. E. (2013a). A differential game approach to information security investment under hackers’ knowledge dissemination. Operations Research Letters, 41(5), 421–425. https://doi.org/10.1016/j.orl.2013.05.002
  • Gao, X., Zhong, W. J., & Mei, S. E. (2013b). Information security investment when hackers disseminate knowledge. Decision Analysis, 10(4), 352–368. https://doi.org/10.1287/deca.2013.0278
  • Gao, X., Zhong, W. J., & Mei, S. E. (2014). A game-theoretic analysis of information sharing and security investment for complementary firms. Journal of the Operational Research Society, 65(11), 1682–1691. https://doi.org/10.1057/jors.2013.133
  • Gao, X., Zhong, W. J., & Mei, S. E. (2015). Security investment and information sharing under an alternative security breach probability function. Information Systems Frontiers, 17(2), 423–438. https://doi.org/10.1007/s10796-013-9411-3
  • Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457. https://doi.org/10.1145/581271.581274
  • Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22(6), 461–485. https://doi.org/10.1016/j.jaccpubpol.2003.09.001
  • Gordon, L. A., & Loeb, M. P. (2007). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335–337. https://doi.org/10.1007/s10796-006-9010-7
  • Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015a). Externalities and the magnitude of cyber security underinvestment by private sector firms: A modification of the Gordon-Loeb model. Journal of Information Security, 06(01), 24–30. https://doi.org/10.4236/jis.2015.61003
  • Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015b). The impact of information sharing on cybersecurity underinvestment: A real options perspective. Journal of Accounting and Public Policy, 34(5), 509–519. https://doi.org/10.1016/j.jaccpubpol.2015.05.001
  • Grean, M., & Shaw, M. J. (2002). Supply-chain partnership between P&G and Wal-Mart. In E-Business Management, 1, 155–171. https://doi.org/10.1007/0-306-47548-0_8
  • Hausken, K. (2006). Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy, 25(6), 629–665. https://doi.org/10.1016/j.jaccpubpol.2006.09.001
  • Hausken, K. (2007). Information sharing among firms and cyber attacks. Journal of Accounting and Public Policy, 26(6), 639–688. https://doi.org/10.1016/j.jaccpubpol.2007.10.001
  • Hausken, K. (2008). Whether to attack a terrorist’s resource stock today or tomorrow. Games and Economic Behavior, 64(2), 548–564. https://doi.org/10.1016/j.geb.2008.02.001
  • Hausken, K. (2015). A strategic analysis of information sharing among cyber hackers. Journal of Information Systems and Technology Management, 12(2), 245–270. https://doi.org/10.4301/S1807-17752015000200004
  • Hausken, K., & Bier, V. M. (2011). Defending against multiple different attackers. European Journal of Operational Research, 211(2), 370–384. https://doi.org/10.1016/j.ejor.2010V
  • Iliaev, D., Oren, S., & Segev, E. (2023). A Tullock-contest-based approach for cyber security investments. Annals of Operations Research, 320(1), 61–84. https://doi.org/10.1007/s10479-022-04958-z
  • Kankanhalli, A., Teo, H. H., Tan, B. C. Y., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139–154. https://doi.org/10.1016/S0268-4012(02)00105-6
  • Kannan, K., Rahman, M. S., & Tawarmalani, M. (2016). Economic and policy implications of restricted patch distribution. Management Science, 62(11), 3161–3182. https://doi.org/10.1287/mnsc.2015.2309
  • Kolini, F., & Janczewski, L. J. (2022). Exploring incentives and challenges for cybersecurity intelligence sharing (CIS) across organizations: A systematic review. Communications of the Association for Information Systems, 50(1), 86–121. https://doi.org/10.17705/1CAIS.05004
  • Kunreuther, H., & Heal, G. (2003). Interdependent security. Journal of Risk and Uncertainty, 26(2/3), 231–249. https://doi.org/10.1023/A:1024119208153
  • Levitin, G., & Hausken, K. (2010). Resource distribution in multiple attacks against a single target. Risk Analysis: An Official Publication of the Society for Risk Analysis, 30(8), 1231–1239. https://doi.org/10.1111/j.1539-6924.2010.01410.x
  • Li, X. (2022). An evolutionary game-theoretic analysis of enterprise information security investment based on information sharing platform. Managerial and Decision Economics, 43(3), 595–606. https://doi.org/10.1002/mde.3404
  • Liu, D., Ji, Y., & Mookerjee, V. (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems, 52(1), 95–107. https://doi.org/10.1016/j.dss.2011.05.007
  • Luo, S. Y., & Choi, T. M. (2022). E-commerce supply chains with considerations of cyber-security: Should governments play a role? Production and Operations Management, 31(5), 2107–2126. https://doi.org/10.1111/poms.13666
  • Melnyk, S. A., Schoenherr, T., Speier-Pero, C., Peters, C., Chang, J. F., & Friday, D. (2022). New challenges in supply chain management: Cybersecurity across the supply chain. International Journal of Production Research, 60(1), 162–183. https://doi.org/10.1080/00207543.2021.1984606
  • Nikoofal, M. E., & Zhuang, J. (2015). On the value of exposure and secrecy of defense system: First-mover advantage vs robustness. European Journal of Operational Research, 246(1), 320–330. https://doi.org/10.1016/j.ejor.2015.04.043
  • Payyappalli, V. M., Zhuang, J., & Jose, V. R. R. (2017). Deterrence and risk preferences in sequential attacker-defender games with continuous efforts. Risk Analysis, 37(11), 2229–2245. https://doi.org/10.1111/risa.12768
  • Sawik, T. (2022). Balancing cybersecurity in a supply chain under direct and indirect cyber risks. International Journal of Production Research, 60(2), 766–782. https://doi.org/10.1080/00207543.2021.1914356
  • Skeoch, H. R. K. (2022). Expanding the Gordon-Loeb model to cyber-insurance. Computers & Security, 112, 102533. https://doi.org/10.1016/j.cose.2021.102533
  • Solak, S., & Zhuo, Y. (2020). Optimal policies for information sharing in information system security. European Journal of Operational Research, 284(3), 934–950. https://doi.org/10.1016/j.ejor.2019.12.016
  • Tosh, D., Sengupta, S., Kamhoua, C. A., & Kwiat, K. A. (2018). Establishing evolutionary game models for cyber security information exchange (cybex). Journal of Computer and System Sciences, 98, 27–52. https://doi.org/10.1016/j.jcss.2016.08.005
  • Wu, Y., Duan, J., Dai, T., & Cheng, D. (2020). Managing security outsourcing in the presence of strategic hackers. Decision Analysis, 17(3), 235–259. https://doi.org/10.1287/deca.2019.0406
  • Wu, Y., Feng, G., & Fung, R. Y. K. (2018). Comparison of information security decisions under different security and business environments. Journal of the Operational Research Society, 69(5), 747–761. https://doi.org/10.1057/s41274-017-0263-y
  • Wu, Y., Feng, G., Wang, N., & Liang, H. (2015). Game of information security investment: Impact of attack types and network vulnerability. Expert Systems with Applications, 42(15-16), 6132–6146. https://doi.org/10.1016/j.eswa.2015.03.033
  • Wu, Y., Fung, R. Y. K., Feng, G., & Wang, N. (2017). Decisions making in information security outsourcing: Impact of complementary and substitutable firms. Computers & Industrial Engineering, 110, 1–12. https://doi.org/10.1016/j.cie.2017.05.018
  • Wu, Y., Xiao, H., Dai, T., & Cheng, D. (2022a). A game-theoretical model of firm security reactions responding to a strategic hacker in a competitive industry. Journal of the Operational Research Society, 73(4), 716–740. https://doi.org/10.1080/01605682.2020.1854631
  • Wu, Y., Xu, M., Cheng, D., & Dai, T. (2022b). Information security strategies for information-sharing firms considering a strategic hacker. Decision Analysis, 19(2), 99–122. https://doi.org/10.1287/deca.2021.0442
  • Xu, L., Li, Y., & Yao, Q. (2022). Information security investment and purchase decision for personalized products. Managerial and Decision Economics, 43(6), 2619–2635. https://doi.org/10.1002/mde.3551
  • Xu, Z., & Zhuang, J. (2019). A study on a sequential one-defender-N-attacker game. Risk Analysis: An Official Publication of the Society for Risk Analysis, 39(6), 1414–1432. https://doi.org/10.1111/risa.13257
  • Zhuang, J., & Bier, V. M. (2007). Balancing terrorism and natural disasters-defensive strategy with endogenous attacker effort. Operations Research, 55(5), 976–991. https://doi.org/10.1287/opre.1070.0434
