Information Systems Frontiers

, Volume 17, Issue 2, pp 423–438 | Cite as

Security investment and information sharing under an alternative security breach probability function

  • Xing Gao
  • Weijun Zhong
  • Shue Mei


Nowadays, in order to protect information assets, many firms have gradually realized the importance of security investment and information sharing. It is worth pointing out that security breach probability functions play a vital role in firms’ strategic choices. This paper investigates how to determine security investment and information sharing for two firms by employing an alternative well-accepted security breach probability function. In particular, assuming that both firms make their decisions individually, we analyze information sharing, aggregate attack, aggregate defense and the security breach probability at equilibrium. Then we compare these results with those in three (partially) centralized decision cases where a social planner regulates security investment, information sharing or both of them. Between the individual decision case and the partially centralized decision case with the social planner only controlling information sharing, and between the centralized decision case and the other partially centralized decision case, we demonstrate that, although aggregate attack, aggregate defense and the security breach probability remain unchanged, more intervention from the social planner would give rise to higher social welfare. Besides, it turns out that some well-known results of Hausken (Journal of Accounting and Public Policy, 26(6), 639–688, 2007) drastically change in our framework.


Security investment Information sharing Interdependence Social planner Security breach probability function 



We wish to thank anonymous referees for constructive and informative comments that helped substantially improve the presentation of this manuscript. Financial supports from the National Natural Science Foundation of China (71071033) and the National Pillar Program of China (2012BAH29F01) are gratefully acknowledged.


  1. Anderson, R. (2001). Why information security is hard: an economic perspective. Proceedings of the Seventeenth Computer Security Applications Conference, IEEE Computer Society Press, 358–365.Google Scholar
  2. Anderson, R. (2002). Security in open versus closed systems-the dance of Boltzmann, Coase and Moore. Technical report, Cambridge University, England.Google Scholar
  3. Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314, 610–613.CrossRefGoogle Scholar
  4. Arora, A., Nandkumar, A., & Telang, R. (2006). Does information security attack frequency increase with vulnerability disclosure?-an empirical analysis. Information Systems Frontiers, 8(5), 350–362.CrossRefGoogle Scholar
  5. Bandyopadhyay, T., Jacob, V., & Raghunathan, S. (2010). Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Information Technology and Management, 11(1), 7–23.CrossRefGoogle Scholar
  6. Bandyopadhyay, T., Liu, D., Mookerjee, V. S., Wilhite, A. W. (2012). Dynamic competition in IT security: a differential games approach. Information Systems Frontiers, in press, doi: 10.1007/s10796-012-9373-x.
  7. Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2005). Evaluating information security investments using the analytic hierarchy process. Communications of the ACM, 48(2), 78–83.CrossRefGoogle Scholar
  8. Büyükkarabacak, B., & Valev, N. (2012). Credit information sharing and banking crises: an empirical investigation. Journal of Macroeconomics, 34(3), 788–800.CrossRefGoogle Scholar
  9. Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448.Google Scholar
  10. Cavusoglu, H., & Raghunathan, S. (2004). Configuration of detection software: a comparison of decision and game theory approaches. Decision Analysis, 1(3), 131–148.CrossRefGoogle Scholar
  11. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers. International Journal of Electronic Commerce, 9(1), 69–105.Google Scholar
  12. Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16(1), 28–46.CrossRefGoogle Scholar
  13. Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2), 281–304.CrossRefGoogle Scholar
  14. Cavusoglu, H., Raghunathan, S., & Cavusoglu, H. (2009). Configuration of and interaction between information security technologies: the case of firewalls and intrusion detection systems. Information Systems Research, 20(2), 198–217.CrossRefGoogle Scholar
  15. Chai, S., Kim, M., & Rao, H. R. (2011). Firms’ information security investment decisions: stock market evidence of investors’ behavior. Decision Support Systems, 50(4), 651–661.CrossRefGoogle Scholar
  16. Clark, D. J., & Riis, C. (1998). Contest success functions: an extension. Economic Theory, 11(1), 201–204.CrossRefGoogle Scholar
  17. Cremonini, M., & Nizovtsev, D. (2009). Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26(3), 241–274.CrossRefGoogle Scholar
  18. D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research, 20(1), 79–98.CrossRefGoogle Scholar
  19. Dutta, A., & Mccrohan, K. (2002). Management’s role in information security in a cyber economy. California Management Review, 45(1), 67–87.CrossRefGoogle Scholar
  20. Galbreth, M. R., & Shor, M. (2010). The impact of malicious agents on the enterprise software industry. MIS Quarterly, 34(3), 595–612.Google Scholar
  21. Gal-Or, E., & Ghose, A. (2003). The economic consequences of sharing security information. Proceedings of the Second Workshop on Economics and Information Security, University of Maryland.Google Scholar
  22. Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186–208.CrossRefGoogle Scholar
  23. Gao, X., Zhong, W., & Mei, S. (2012a). On local stability of Cournot models with simultaneous and sequential decisions. Mathematical Social Sciences, 63(3), 207–212.CrossRefGoogle Scholar
  24. Gao, X., Zhong, W., Mei, S. (2012b). Stochastic evolutionary game dynamics and their selection mechanisms. Computational Economics, 41(2), 233–247.Google Scholar
  25. Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457.CrossRefGoogle Scholar
  26. Gordon, L. A., & Loeb, M. P. (2006). Economic aspects of information security: an emerging field of research. Information Systems Frontiers, 8(5), 335–337.CrossRefGoogle Scholar
  27. Gordon, L. A., Alumni, E. Y., Loeb, M. P., Lucyshyn, W. (2002). An economics perspective on the sharing of information related to security breaches: Concepts and empirical evidence. Workshop on Economics and Information Security, University of California, Berkeley.Google Scholar
  28. Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003a). Sharing information on computer systems security: an economic analysis. Journal of Accounting and Public Policy, 22(6), 461–485.CrossRefGoogle Scholar
  29. Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003b). Information security expenditures and real options: a wait-and-see approach. Computer Security Journal, 19(2), 1–7.Google Scholar
  30. Hahm, J. H., & Lee, S. (2011). Economic effects of positive credit information sharing: the case of Korea. Applied Economics, 43(30), 4879–4890.CrossRefGoogle Scholar
  31. Hamill, J. T., Deckro, R. F., & Kloeber, J. M., Jr. (2005). Evaluating information assurance strategies. Decision Support Systems, 39(3), 463–484.CrossRefGoogle Scholar
  32. Hare, F., & Goldstein, J. (2010). The interdependent security problem in the defense industrial base: an agent-based model on a social network. International Journal of Critical Infrastructure Protection, 3(3–4), 128–139.CrossRefGoogle Scholar
  33. Hausken, K. (2006a). Income, interdependence, and substitution effects affecting incentives for security investment. Journal of Accounting and Public Policy, 25(6), 629–665.CrossRefGoogle Scholar
  34. Hausken, K. (2006b). Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 8(5), 338–349.CrossRefGoogle Scholar
  35. Hausken, K. (2007). Information sharing among firms and cyber attacks. Journal of Accounting and Public Policy, 26(6), 639–688.CrossRefGoogle Scholar
  36. Hausken, K. (2009). Strategic defense and attack of complex networks. International Journal of Performability Engineering, 5(1), 13–30.Google Scholar
  37. Hausken, K. (2012). The economics of terrorism against two targets. Applied Economics Letters, 19(12), 1135–1138.CrossRefGoogle Scholar
  38. Heal, G., & Kunreuther, H. (2007). Modeling interdependent risks. Risk Analysis, 27(3), 621–634.CrossRefGoogle Scholar
  39. Herath, H., & Harath, T. (2009). Investments in information security: a real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25(3), 337–375.CrossRefGoogle Scholar
  40. Huang, D., Qing, H., & Ravi, B. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, 114(2), 793–804.CrossRefGoogle Scholar
  41. Kallberg, J. G., & Udell, G. F. (2003). The value of private sector business credit information sharing: the US case. Journal of Banking & Finance, 27(3), 449–469.CrossRefGoogle Scholar
  42. Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? think again. Management Science, 51(5), 726–740.CrossRefGoogle Scholar
  43. Kim, S. H., Wang, Q., & Ulrich, J. B. (2012). A comparative study of cyberattacks. Communications of the ACM, 55(3), 66–73.CrossRefGoogle Scholar
  44. Kong, H. K., Kim, T. S., & Kim, J. (2012). An analysis on effects of information security investments: a BSC perspective. Journal of Intelligent Manufacturing, 23(4), 941–953.CrossRefGoogle Scholar
  45. Kshetri, N. (2006). The simple economics of cybercrimes. IEEE Security & Privacy, 4(1), 33–39.CrossRefGoogle Scholar
  46. Kshetri, N. (2009). Positive externality, increasing returns and the rise in cybercrimes. Communications of the ACM, 52(12), 141–144.CrossRefGoogle Scholar
  47. Kunreuther, H., & Heal, G. (2003). Interdependent security. Journal of Risk and Uncertainty, 26(2–3), 231–249.CrossRefGoogle Scholar
  48. Lee, M., & Lee, J. (2012). The impact of information security failure on customer behaviors: a study on a large-scale hacking incident on the Internet. Information Systems Frontiers, 14(2), 375–393.CrossRefGoogle Scholar
  49. Leeson, P., & Coyne, C. J. (2006). The economics of computer hacking. Journal of Law, Economics and Policy, 1(2), 511–532.Google Scholar
  50. Leininger, W. (1993). More efficient rent-seeking: a Münchhausen solution. Public Choice, 75(1), 43–62.CrossRefGoogle Scholar
  51. Liu, D., Ji, Y., & Mookerjee, V. (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems, 52(1), 95–107.CrossRefGoogle Scholar
  52. Mookerjee, V., Mookerjee, R., Bensoussan, A., & Yue, W. T. (2011). When hackers talk: managing information security under variable attack rates and knowledge dissemination. Information Systems Research, 22(3), 606–623.CrossRefGoogle Scholar
  53. Pardo, T. A., Cresswell, A. M., Thompson, F., & Zhang, J. (2006). Knowledge sharing in cross-boundary information system development in the public sector. Information Technology and Management, 7(4), 293–313.CrossRefGoogle Scholar
  54. Png, I. P. L., Wang, C. Y., & Wang, Q. H. (2008). The deterrent and displacement effects of information security enforcement: international evidence. Journal of Management Information Systems, 25(2), 125–144.CrossRefGoogle Scholar
  55. Ryan, J. C. H., & Ryan, D. J. (2006). Expected benefits of information security investments. Computers & Security, 25(8), 579–588.CrossRefGoogle Scholar
  56. Skaperdas, S. (1996). Contest success functions. Economic Theory, 7(2), 283–290.CrossRefGoogle Scholar
  57. Tanaka, H., Matsuura, K., & Sudoh, O. (2005). Vulnerability and information security investment: an empirical analysis of e-local government in Japan. Journal of Accounting and Public Policy, 24(1), 37–59.CrossRefGoogle Scholar
  58. Telang, R., & Wattal, S. (2007). An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering, 33(8), 544–557.CrossRefGoogle Scholar
  59. Ulvila, J. W., & Gaffney, J. E. (2004). A decision analysis method for evaluating computer intrusion detection systems. Decision Analysis, 1(1), 35–50.CrossRefGoogle Scholar
  60. Wang, J., Chaudhury, A., & Rao, H. R. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19(1), 2008.CrossRefGoogle Scholar
  61. Whitman, M. E. (2003). Enemy at the gate: threats to information security. Communications of the ACM, 46(8), 91–95.CrossRefGoogle Scholar
  62. Young, R., Zhang, L., & Prybutoka, V. R. (2007). Hacking into the minds of hackers. Information Systems Management, 24(4), 281–287.CrossRefGoogle Scholar
  63. Zhang, R. (2011). The role of information sharing in trade credit distribution: evidence from Thailand. Asian-Pacific Economic Literature, 25(1), 133–149.CrossRefGoogle Scholar
  64. Zhao, X., Fang, F., & Whinston, A. B. (2008). An economic mechanism for better Internet security. Decision Support Systems, 45(4), 811–821.CrossRefGoogle Scholar
  65. Zhuang, J. (2010). Impacts of subsidized security on stability and total social costs of equilibrium solutions in an n-player game with errors. The Engineering Economist, 55(2), 131–149.CrossRefGoogle Scholar
  66. Zhuang, J., Bier, V. M., & Gupta, A. (2007). Subsidies in interdependent security with heterogeneous discount rates. The Engineering Economist, 52(1), 1–19.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.School of Economics and ManagementSoutheast UniversityNanjingChina

Personalised recommendations