Information security investment with budget constraint and security information sharing in resource-sharing environments
研究了两个资源共享企业在预算约束下与黑客的博弈,发现预算紧张虽节省投资但恶化安全环境,过度安全信息共享可能引发更激烈网络攻击,并设计了最优补偿机制。
Nowadays, business connection between firms becomes rather common so that one firm stores not only its information asset but also some of other firms’ information asset. The management of information security is vital for these resource-sharing firms. This paper constructs a game-theoretic model between two resource-sharing firms and one hacker to examine their strategic interaction when the firms face budget constraint on security investment. We consider security information sharing between the firms, which can improve their overall security effort but meantime facilitate the hacker’s learning to reduce attack costs. We find that although a tight budget constraint can help save investment cost, the firms always suffer from a poorly secure environment. It shows that although security information sharing is usually encouraged, the firms may be hurt when security information sharing is excessive so that fierce cyber-attacks are induced. We finally design an optimal compensation mechanism, in which the compensation fund is shown to increase with the degree of resource sharing.