
Research On Security Investment Strategies And Risk Management Of Information System

Posted on: 2017-01-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Q Gu
Full Text: PDF
GTID: 1108330488973386
Subject: Management Science and Engineering

Abstract/Summary:
With the rapid development of computers and networks, information systems play an increasingly central role in the operation and management of many companies, and their security matters accordingly. To reduce the probability of serious losses from security incidents, firms usually concentrate on security technologies such as firewalls and intrusion detection systems (IDS). However, a firm's security depends not only on the measures it takes itself but also on the measures taken by other firms and on the diverse attack methods present in the external environment. How a company should set its information security investment strategy under interdependent risk and diverse attack methods is therefore a key open problem for the operation of enterprise information systems. Furthermore, with the advent of managed security services and cyber insurance, how to design optimal incentive structures has become an important question in the economics of information security. This dissertation studies information system security investment and the related problems.

First, information system security investment strategies are studied for two interrelated firms. A game-theoretic model is developed to investigate how network interconnection risk and trust risk influence the firms' optimal information security investment. The equilibrium investment levels under the non-cooperative game are compared with the socially optimal solution. The results show that interconnection risk often induces firms to invest inefficiently, whereas trust risk leads them to overinvest in information security. We also find that, in the centralized case, a firm's investment does not necessarily change monotonically with interconnection risk and trust risk. Moreover, relative to the socially efficient level, firms facing interconnection risk may invest excessively, depending on whether trust risk is large enough.

Second, continuous-time information system security investment decisions of firms facing random or targeted attacks are optimized. Differential games are used to investigate the two firms' optimal investment strategies in the Nash non-cooperative game. In this general non-cooperative setting, the effect on the equilibrium vulnerability (security investment rate) of changing important parameters (investment efficiency, the hackers' learning effect, the infection rate or the target substitution rate) is studied. The optimal actions of the two partners in the cooperative game are then analyzed. Comparing the two equilibria under random and targeted attacks shows that symmetric firms maintain a lower rate of security investment under random attack and a higher rate under targeted attack. Executing a bilateral compensation scheme is one measure by which the coordinated equilibrium can be achieved.

Third, effective incentive measures to coordinate the efforts of a managed security service provider (MSSP) in an information system security outsourcing project, so as to control the associated information security risk, are analyzed. In the first part, considering the outsourcing of different security functions (prevention and detection services), three contractual arrangements are introduced: a general penalty contract, a partial outsourcing contract and a reward-penalty contract. The equilibrium outcomes of the different outsourcing contracts are then discussed individually and compared. The results indicate that the partial outsourcing contract is superior to the penalty contract, but only the reward-penalty contract induces first-best effort from the MSSP, and under it the outsourcing firm also obtains the maximum payoff. In the second part, the double moral hazard problem is examined using principal-agent models. It is shown that the generalized refund contract cannot prevent double moral hazard, but under certain conditions a new contract structure, termed a relational incentive contract, can avoid double moral hazard and motivate both parties to exert first-best effort, thereby improving social welfare, while the outsourcing company obtains the maximum payoff.

Finally, the firm's investment strategy and incentive mechanisms for information system security are studied in the context of insurance, using quantitative models that combine ideas from risk management theory and game theory. On the one hand, to solve the problem of investment inefficiency under positive interdependence, cyber insurance is designed as an incentive for information system security investment. The key result is that limiting insurance coverage through deductibles can partially internalize this externality and thereby improve individual and social welfare. On the other hand, the equilibrium levels of self-protection and insurance coverage under the non-cooperative game are compared with the socially optimal solution, and corresponding coordination mechanisms are proposed. The results show that self-protection investment increases in response to an increase in potential loss when the interdependent risk is small, and that the interdependence of security investments often induces firms to invest inefficiently relative to the socially efficient level because each firm ignores the marginal external costs or benefits it confers on others. A government subsidy on self-protection investment can help coordinate a firm's risk management decision and thereby improve the individual security level and overall social welfare.
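The script below is an illustrative model added to this page; it is not the dissertation's model and all of its parameters (loss L, baseline breach probability Q0, investment efficiency K, propagation probability BETA, and the exponential breach-probability form) are constructed assumptions. It shows the mechanism the first and last parts of the abstract describe: with positive interdependence, each firm's best-response (Nash) investment falls short of the socially optimal level because the firm ignores the protection its investment confers on its partner, and a per-unit subsidy on self-protection investment sized to that external benefit makes the non-cooperative equilibrium coincide with the social optimum.

```python
"""Two-firm interdependent security investment game (illustrative model).

Each firm chooses a security investment x_i. Firm i is compromised if it is
breached directly, or if its partner is breached and the incident propagates
across the interconnection. Because firm i's investment also lowers firm j's
exposure, part of its benefit accrues to j: an externality that a firm acting
alone ignores.
"""
import math

# Constructed parameters for illustration only (assumptions, not the dissertation's).
L = 100.0      # loss a firm suffers when compromised
Q0 = 0.5       # direct breach probability with zero investment
K = 0.05       # investment efficiency in q(x) = Q0 * exp(-K * x)
BETA = 0.5     # probability a partner's breach propagates over the interconnection


def breach_prob(x):
    """Direct breach probability after investing x (exponential form, an assumption)."""
    return Q0 * math.exp(-K * x)


def compromise_prob(x_own, x_other):
    """P(compromised) = 1 - P(not breached directly) * P(no propagated breach from partner)."""
    return 1.0 - (1.0 - breach_prob(x_own)) * (1.0 - BETA * breach_prob(x_other))


def private_cost(x_own, x_other, subsidy=0.0):
    """Expected cost borne by one firm: its (possibly subsidised) investment plus expected loss."""
    return (1.0 - subsidy) * x_own + L * compromise_prob(x_own, x_other)


def social_cost(x1, x2):
    """Total expected cost of both firms; this is what a planner minimises."""
    return x1 + x2 + L * (compromise_prob(x1, x2) + compromise_prob(x2, x1))


def argmin_scalar(f, lo=0.0, hi=200.0, tol=1e-9):
    """Golden-section search for the minimiser of a unimodal f on [lo, hi]."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    while b - a > tol:
        c, d = b - g * (b - a), a + g * (b - a)
        if f(c) < f(d):
            b = d      # minimum lies in [a, d]
        else:
            a = c      # minimum lies in [c, b]
    return (a + b) / 2.0


def _iterate(step, tol=1e-6, max_iter=200):
    """Alternate one-dimensional minimisations until the investment pair stops moving."""
    x1 = x2 = 0.0
    for _ in range(max_iter):
        n1, n2 = step(x1, x2)
        if abs(n1 - x1) < tol and abs(n2 - x2) < tol:
            return n1, n2
        x1, x2 = n1, n2
    return x1, x2


def nash_equilibrium(subsidy=0.0):
    """Best-response iteration: each firm minimises only its own cost, taking the other as given."""
    def step(x1, x2):
        n1 = argmin_scalar(lambda x: private_cost(x, x2, subsidy))
        n2 = argmin_scalar(lambda x: private_cost(x, n1, subsidy))
        return n1, n2
    return _iterate(step)


def social_optimum():
    """Coordinate descent on the joint cost (strictly convex for these parameters, so it converges)."""
    def step(x1, x2):
        n1 = argmin_scalar(lambda x: social_cost(x, x2))
        n2 = argmin_scalar(lambda x: social_cost(n1, x))
        return n1, n2
    return _iterate(step)


def external_marginal_benefit(x_own, x_other):
    """Reduction in the partner's expected loss per extra unit this firm invests:
    L * d(-P_other)/dx_own = L * BETA * K * q(x_own) * (1 - q(x_other)). Ignored in the Nash play."""
    return L * BETA * K * breach_prob(x_own) * (1.0 - breach_prob(x_other))


def coordinating_subsidy():
    """Per-unit subsidy s that aligns a firm's first-order condition with the planner's at the
    social optimum: (1 - s) = L * K * q(x_i) * (1 - BETA * q(x_j)), i.e. the private marginal benefit there."""
    x1, x2 = social_optimum()
    return 1.0 - L * K * breach_prob(x1) * (1.0 - BETA * breach_prob(x2))


if __name__ == "__main__":
    nash = nash_equilibrium()
    opt = social_optimum()
    s = coordinating_subsidy()
    print(f"Nash investment per firm:          {nash[0]:.2f}  (social cost {social_cost(*nash):.2f})")
    print(f"Socially optimal investment:       {opt[0]:.2f}  (social cost {social_cost(*opt):.2f})")
    print(f"External benefit ignored at Nash:  {external_marginal_benefit(*nash):.3f} per unit")
    print(f"Coordinating subsidy rate:         {s:.3f}")
    print(f"Nash investment with that subsidy: {nash_equilibrium(subsidy=s)[0]:.2f}")
```

With these constructed parameters the symmetric Nash investment is about 15.9 per firm against a social optimum of about 24.4, and a subsidy of roughly 31.5% of each unit invested closes the gap. The script models only the subsidy mechanism named in the abstract; the deductible-based insurance design is not represented.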
Keywords/Search Tags: Information system security, Interdependent risk, Investment strategy, Information system security outsourcing, Information system security insurance, Incentive mechanism