A Strategic Analysis of Information Sharing Among Cyber Attackers
37 Pages Posted: 14 Sep 2006
Date Written: August 2006
Abstract
We build an analytical framework to model the strategic interactions between a firm and hackers. Firms invest in security to defend against cyber attacks by hackers. Hackers choose an optimal attack, and they share information with each other about the firm's vulnerabilities. Each hacker prefers to receive information, but delivering gives competitive advantage to the other hacker. We find that each hacker's attack and information sharing are strategic complements while one hacker's attack and the other hacker's information sharing are strategic substitutes. Our analysis also reveals the interesting result that the cumulative attack level of the hackers is not affected by the effectiveness of information sharing between them and moreover, is also unaffected by the intensity of joint information sharing. We also find that as the effectiveness of information sharing between hackers increases relative to the investment in attack, the firm's investment in cyber security defense and profit are constant, the hackers' investments in attacks decrease, and information sharing levels and hacker profits increase. In contrast, as the intensity of joint information sharing increases, while the firm's investment in cyber security defense and profit remain constant, the hackers' investments in attacks increase, and the hackers' information sharing levels and profits decrease. Increasing the firm's asset causes all the variables to increase linearly, except information sharing which is constant. We extend our analysis to endogenize the firm's asset and this analysis largely confirms the preceding analysis with a fixed asset.
Keywords: Cyber war, hacking, defense, conflict, contest success function, security investment, information sharing, security breaches.
JEL Classification: C6, C7, D72, D74, D78, D8
Suggested Citation: Suggested Citation
Do you have a job opening that you would like to promote on SSRN?
Recommended Papers
-
Sharing Information on Computer Systems Security: An Economic Analysis
By Lawrence A. Gordon, Martin P. Loeb, ...
-
The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities
By Lawrence A. Gordon, Martin P. Loeb, ...
-
Information Security Expenditures and Real Options: A Wait-and-See Approach
By Lawrence A. Gordon, Martin P. Loeb, ...
-
The Economic Incentives for Sharing Security Information
By Anindya Ghose and Esther Gal-or
-
By Joseph Canada, J. Randel Kuhn, ...
-
SOX: Unintended Dilemmas for Auditing
By Jonathan E. Duchac, Edward B. Douthett, ...
-
Optimal Risk Sharing with Limited Liability
By Semyon Malamud, Huaxia Rui, ...
-
Assessing the Value of Network Security Technologies
By Huseyin Cavusoglu and Hasan Cavusoglu
-
Experiences and Challenges with Using CERT Data to Analyze International Cyber Security
By Stuart Madnick, Xitong Li, ...
-
Information Disclosure and Regulatory Compliance: Economic Issues and Research Directions