Information sharing and security investment for substitutable firms: A game-theoretic analysis

There are several types of relations between information assets of two firms, among which substitutable relation is such that even when one of the firms is successfully breached by one hacker, both firms would incur loss and the hacker gets benefit. This paper examines security investment and information sharing of two substitutable firms through constructing a game-theoretic model between these firms and one hacker. We derive the following interesting results: (a) the firm with more efficient security investment suffers weaker cyber-attack from the hacker because the rational hacker would switch its emphasis to the less efficient firm; (b) one firm's aggregate defense increases with its unit investment cost for the positive interdependence when this cost remains high due to more shared information and enhanced security investment from the other firm; (c) although a widely-used compensation mechanism can urge the firms to invest more when security loss remains low, it increases their expected costs because of the excess investment; (d) unlike simultaneous game, each firm's aggregate defense always increases with the unit cost of cyber-attacks under sequential game since the hacker has an advantage of learning the firms' security decisions. These results give fresh managerial guidelines to security experts of firms.