Managing cloud security in the presence of strategic hacker and joint responsibility
构建博弈模型研究云服务提供商与企业在IaaS、PaaS、SaaS模式下的安全投资决策,发现忽视战略黑客会导致投资错位,并提出两种基于努力的合同机制以优化社会福利。
The widespread use of cloud computing has brought cloud security to the forefront. The cloud provider and the firm assume varying degrees of joint responsibility for cloud security with cloud service models including IaaS, PaaS, and SaaS, to defend the strategic hacker. This paper builds a game-theoretical model to study cloud security management, in which we find that ignoring the strategic hacker leads to the dislocation security investment decisions (overinvestment or underinvestment) for the provider and the firm in bilateral refund contracts (BRCs). The strategic hacker’s attack effort is inverse U-shaped with cloud service models, leading to a free-riding problem between the provider and the firm. Furthermore, from the perspective of social welfare maximization, both the provider and the firm would underinvest or overinvest in cloud security. To solve the problem, we propose two new contract mechanisms: one is an internal effort-based contract, in which the provider oversees the firm internally and the compensation rate depends on the firm’s effort once the breach occurs. The other is an external effort-based contract, in which the monitoring agency supervises the efforts of the provider and the firm. We compare the two new contracts with BRCs and obtain the optimal choice for principals.