Cybersecurity investments in supply chains with two-stage risk propagation

Cyber-attacks present a significant threat to supply chains as their nodes are directly or indirectly vulnerable to risk propagation at various stages. The risk level varies depending on the type of attack. A cybersecurity insurance offers a practical method to mitigate this risk, and it is crucial to determine optimal cybersecurity investments for all supply chain nodes. Previous studies have overlooked the joint impact of the attack type, two- stage risk propagation, and cybersecurity insurance in optimizing cybersecurity investments. This paper addresses this research gap by examining optimal investments under targeted and opportunistic attacks in a two- stage supply chain using game theory. The findings indicate that optimal investments differ based on the type of attack. For instance, retailers should invest more in cybersecurity under opportunistic attacks, while suppliers need to spend more under targeted attacks. Additionally, the results show that under opportunistic attacks, members should reduce their investments. Conversely, under targeted attacks, investments should initially increase and then stabilize. In the case of opportunistic attacks, suppliers and retailers should prioritize reconfiguring their systems over investing heavily in cybersecurity. The model presented in this paper demonstrates that not all cyber risks are worth defending against and that cybersecurity insurance for the entire supply chain can be more cost-effective than addressing cybersecurity risks individually. The paper also explores the impact of joint decisions on cybersecurity insurance when firms are unwilling to invest individually. The insights obtained enable supply chains to identify their optimal cybersecurity investment strategies effectively.