A Strategic Analysis of Information Sharing Among Cyber Attackers

Kjell Hausken

Abstract


We build a game theory model in which the market design is such that one firm invests in security to defend against cyber attacks by two hackers. The firm has an asset, which is allocated among the three market participants depending on their contest success. Each hacker chooses an optimal attack, and they share information with each other about the firm’s vulnerabilities. Each hacker prefers to receive information, but delivering information gives a competitive advantage to the other hacker. We find that each hacker’s attack and information sharing are strategic complements, while one hacker’s attack and the other hacker’s information sharing are strategic substitutes. As the firm’s unit defense cost increases, the attack is inverse U-shaped and reaches zero, while the firm’s defense and profit decrease, and the hackers’ information sharing and profit increase. The firm’s profit increases in the hackers’ unit cost of attack, while the hackers’ information sharing and profit decrease. Our analysis also reveals the interesting result that the cumulative attack level of the hackers is not affected by the effectiveness of information sharing between them and, moreover, is also unaffected by the intensity of joint information sharing. We also find that as the effectiveness of information sharing between hackers increases relative to the investment in attack, the firm’s investment in cyber security defense and profit are constant, the hackers’ investments in attacks decrease, and information sharing levels and hacker profits increase. In contrast, as the intensity of joint information sharing increases, the firm’s investment in cyber security defense and profit remain constant, the hackers’ investments in attacks increase, and the hackers’ information sharing levels and profits decrease. Increasing the firm’s asset causes all the variables to increase linearly, except information sharing, which is constant.
We extend our analysis to endogenize the firm’s asset, and this extension largely confirms the preceding analysis with a fixed asset. We use the software Mathematica 10.1 (www.wolfram.com) to program the model mathematically with equilibrium constraints, and perform numerical analysis illustrated graphically.

Keywords


Information sharing, security investment, asset allocation, cyber war, contest, decision analysis, game theory, numerical analysis.

