Information security investment with mandatory standards and security externality
摘要
As firms increasingly rely on interconnected information systems to carry out business activities, both firms’ security investments and hackers’ attack strategies are influenced by security externality. Meanwhile, while the government often imposes mandatory standards that require firms to meet minimum security investment thresholds, a firm’s true security investment may not be fully observable due to varying degrees of technological transparency. In this study, we develop a game-theoretic model with two firms and a strategic hacker to examine their interaction under both security externality and partially or fully verifiable regimes. First, our findings indicate that the positive externality reduces firms’ incentives for security investment, while the negative externality enhances their incentives. Next, with the tightening of mandatory standards, both firms will raise investments for the fully verifiable regime. However, regarding the partially verifiable regime, verifiable firms keep increasing security investments, whereas non-verifiable firms’ investments are motivated exclusively by the security externality. Finally, our study shows that excessively stringent mandatory standards do not necessarily enhance the aggregate information security performance of firms.