Information Security Decision-making of Firms under Security Externality


Student thesis: Doctoral Thesis

View graph of relations



Awarding Institution
Award date16 Nov 2017


Information security economics has become a fast-growing discipline in recent times. This thesis attempts to address the problems of distorted incentives for information security stakeholders, including firms, hackers, consumers, Managed Security Service Providers (MSSPs), and social planners. As an important factor in information security economics, security externality means one firm’s security decisions may affect those of other firms. Therefore, bearing in mind the stakeholders involved, this thesis discusses issues of decision-making in information security under security externality when firms face various realistic circumstances, such as being attacked by hackers of different types, facing consumers who are sensitive to security quality, and outsourcing security services to MSSPs, etc. The key work and innovations tackled in this thesis are as follows.

Firms continually face targeted and opportunistic attacks. Prior literature seldom studies the topic of security decisions when firms encounter different hacker types under security externality. This research adopts game theory to model two interconnected firms subjected to targeted and opportunistic attacks. Results show that firms should increase investments with intrinsic vulnerability when facing targeted attacks, but focus on those systems that fall into the mid-range of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often off-load reliability problems onto others when security externality is high. Thus, this research also consdiers two economic incentives, i.e. liability and security information sharing, to tackle the problem of free ride. These findings draw attentions to the trade-offs that many firms often encounter and the importance of accurately assessing their security levels.

When firms have consumers who are sensitive to security quality, they need to consider not only the types of hackers but also the reactions of the consumers. Prior literature seldom studies how consumer reactions of firms would affect their security decisions. This research formulates a game between two competing or integrated firms, whose consumer size can be determined by their own security status as well as that of others. Results show that a competitive firm tends to shift its emphasis toward more security investment in order to maintain its competitive advantage while an integrated firm inclines to shift its emphasis towards more security information sharing. To tackle these possible distorted decisions, this research studies the effectiveness of a social planner’s measure towards control of security decisions, and recommends the security decisions that should be controlled under different security and business environments. It can be shown that the findings are valid for firms under different hacker types.

The frequent incidence of cyber-attacks and sophisticated technologies of information security have pushed many firms to outsource security protections to MSSPs. This research investigates how an MSSP’s four operating characteristics, i.e. cost efficiency, multiple clients, security externality, and firms’ information nature (complementary and substitutable) would affect its security decisions. Using a contract model, this research shows that firms’ information nature, either complementary or substitutable, plays a crucial role in affecting an MSSP’s decisions. In addition, there are variations with respect to how security externality affects the decisions of MSSP serving complementary firms as compared to those serving substitutable firms. Serving a smaller number of substitutable firms is more economical for an MSSP while it is more profitable to serve more complementary firms. The findings could guide an MSSP in determining an optimum contract and security investment level for firms.

In practice, the project of improving security quality is a collaboration between firms and MSSPs, requiring both parties to make their appropriate security decisions. This research investigates the dynamic collaborative decision-making process under security externality between an MSSP and firms. Using a differential game framework, this research derives an optimal bilateral refund contract between an MSSP and firms. It can be observed that as security externality increases, the MSSP’s security investment first decreases and then increases, while the firm’s investment and the refund first increases and then decreases. This research also studies the severity of the double moral hazard (DMH) problem, and proposes a new contract model, named liability contract, to tackle the issues. Results show that a liability contract can also be adopted when the MSSP benefits from self-learning experience or serves multiple clients.