Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain

23 Pages Posted: 6 Nov 2017

See all articles by Shaun Wang

Shaun Wang

Nanyang Technological University

Date Written: November 3, 2017


This paper presents economic models of cybersecurity investments by a firm, first considering the cost-benefit to the firm itself, and then to the eco-system of a supply-chain. We introduce a concept of a firm’s security knowledge set of its attack surface, relative to the universe of threats. We propose three classes of security production functions as the frontier curve of a firm’s knowledge set. We distinguish two types of security investments in acquiring data, information and expertise, vis-à-vis deploying defense measures and detection tools, and derive formula for optimal allocations. We analyze cyber breach propagations between firms in a supply-chain, and demonstrate that large firms requiring contractors to show security rating by third-parties can be an effective way of reducing information gap in a supply chain. We present a model for the reliability (sharpness) of cybersecurity rating for firms, and show how the perceived reliability of cybersecurity rating affects the incentives for firms to increase their security investments.

Keywords: Economics of Information Security; Cybersecurity Knowledge Set; Security Production Frontier; Supply-Chain; Cybersecurity Rating

Suggested Citation

Wang, Shaun, Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain (November 3, 2017). Available at SSRN: or

Shaun Wang (Contact Author)

Nanyang Technological University ( email )

Nanyang Avenue
Singapore, Singapore 639798

Do you want regular updates from SSRN on Twitter?

Paper statistics

Abstract Views
PlumX Metrics