A game-theoretical model of firm security reactions responding to a strategic hacker in a competitive industry

The tendency of strategic hackers to attack specific industries brings new challenges for information security management. This paper examines the interaction between firms in a specific industry and a strategic hacker by considering industry-specific characteristics including the intrinsic vulnerability, intentions of the hacker, competition between firms, and similarity of security technologies. We find that firms in an overly dangerous industry should consider reforming their business mode to reduce the intrinsic vulnerability rather than investing heavily in security protection. Moreover, we distinguish the hacker as profit-seeking and fame-seeking and find that different intentions generate different hacker's behaviour. Furthermore, keep exerting effort is still a better strategy for the firms when the competition becomes more intense even the threat of the hacker reduces. Besides, the technical similarity enhances the hacker's incentive to exert attack effort while induces a free-riding problem for competitive firms. Accordingly, we introduce a social planner to regulate the security decisions of competitive firms, and identify that the supervision of a social planner could partly alleviate the free-riding behaviour, but will only be accepted by competitive firms when facing a less or highly competitive environment. Our results imply that introducing a social planner to enforce security protection may not be advisable for all industries. Finally, we extend our model to discuss two additional cases, including the case of sequential game and the case of asymmetric condition.