Cybersecurity investments in the supply chain: Coordination and a strategic attacker

Cybersecurity poses a difficult challenge to supply chains, as a firm may be affected by an attack on another firm in the supply chain. For example, a retailer's consumer data might be compromised via an attack on a supplier. In general, individual nodes in a supply chain bear the entire cost of their own cybersecurity investments, but some of the benefits of the investments may be enjoyed by the other nodes as well. We analyze the differences between coordinated and uncoordinated cybersecurity investments, as well as the differences resulting from a strategic and a non-strategic attacker. We find that lack of coordination leads to underinvestment with a non-strategic attacker, but that this is somewhat counterbalanced by an attacker being strategic. Lack of coordination may lead to either underinvestment or overinvestment with a strategic attacker, depending on how large the indirect damages from attacks are relative to the direct damages; overinvestment is more likely if indirect damages are relatively minor. A numerical example is provided to illustrate the impacts of and relationships between coordinated investments and a strategic attacker. (C) 2019 Elsevier B.V. All rights reserved.