Research on Enterprise Information Security Investment and Pricing Decisions with Hacker Participation
Abstract:
With the development of information and network communication technology, firms face a growing number of information security challenges. Because market size is limited and the business environment is increasingly complex, firms usually compete with one another to some degree. As consumers pay more attention to information security, competition among firms has evolved from price competition alone into dual competition on price and security, with price and security jointly determining each firm's market size. Against this background, this paper treats the strategic hacker as a rational participant, constructs a game-theoretic model between firms competing on both price and security and a strategic hacker, and solves by backward induction for the firms' equilibrium decisions under individual decision-making and under joint decision-making. It then applies comparative static analysis to examine in detail how core factors such as price competition and security competition affect the firms' equilibrium decisions and expected payoffs. Comparing the equilibrium decisions of the two modes shows that security effort is distorted when firms decide individually (the In-house model). To address this problem, the paper proposes a cooperation mechanism based on security effort that coordinates the firms' security efforts so that the socially optimal security level is reached. Finally, the paper analyzes how the core factors above affect this mechanism and verifies its effectiveness.