Firm investment decisions for information security under a fuzzy environment: a game-theoretic approach

Purpose - This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of firm, optimal efforts of attackers and their economic utilities are determined. Design/methodology/approach - Throughout the analysis, a single firm and two attackers for a "firm as a leader" in a sequential game setting and "firm versus attackers" in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches. Findings - It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other's choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader. Research limitations/implications - In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon - Loeb breach function, with the help of fuzzy expectation operator. Practical implications - This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyzes complement the analytical modeling. Originality/value - In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon - Loeb breach function, with the help of fuzzy expectation operator.