A game of information security investment considering security insurance and complementary information assets

Considering information security insurance, this paper investigates an information security investment game between two firms with complementary information assets. Each firm's information security investment and expected profit in Nash equilibrium (i.e., firms make decisions individually) and social optimum (i.e., firms make decisions jointly) are analyzed through rigorous theoretical analyses and numerical examples. We find that making decisions jointly will make the two firms as a whole obtain more profits than when they make decisions alone, whereas this does not mean that each firm will benefit from the joint decision-making process. Our results show that a firm yields a smaller expected profit in the joint decision game than the individual decision game under some conditions. In addition, the impacts of a higher insurance price and a higher investment efficiency on a firm's information security investment and expected profit are explored. The results indicate that, for a single firm, a higher insurance price does not necessarily result in smaller profit, and a higher investment efficiency does not always lead to larger profit. Then we design a compensation-based contract to coordinate the two firms' information security investments when they make decisions individually. The contract will make the two firms achieve social optimum and ensure that each firm yields more profits than firms without the contract. Finally, we extend our research by setting the insurance amount as a decision variable to verify the above analyses.