<p>As firms increasingly rely on interconnected information systems to carry out business activities, both firms’ security investments and hackers’ attack strategies are influenced by security externality. Meanwhile, while the government often imposes mandatory standards that require firms to meet minimum security investment thresholds, a firm’s true security investment may not be fully observable due to varying degrees of technological transparency. In this study, we develop a game-theoretic model with two firms and a strategic hacker to examine their interaction under both security externality and partially or fully verifiable regimes. First, our findings indicate that the positive externality reduces firms’ incentives for security investment, while the negative externality enhances their incentives. Next, with the tightening of mandatory standards, both firms will raise investments for the fully verifiable regime. However, regarding the partially verifiable regime, verifiable firms keep increasing security investments, whereas non-verifiable firms’ investments are motivated exclusively by the security externality. Finally, our study shows that excessively stringent mandatory standards do not necessarily enhance the aggregate information security performance of firms.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Information security investment with mandatory standards and security externality

  • Tingliao Li,
  • Xing Gao,
  • Yujie Zhang,
  • Sen Zheng,
  • Zhenyu Ni

摘要

As firms increasingly rely on interconnected information systems to carry out business activities, both firms’ security investments and hackers’ attack strategies are influenced by security externality. Meanwhile, while the government often imposes mandatory standards that require firms to meet minimum security investment thresholds, a firm’s true security investment may not be fully observable due to varying degrees of technological transparency. In this study, we develop a game-theoretic model with two firms and a strategic hacker to examine their interaction under both security externality and partially or fully verifiable regimes. First, our findings indicate that the positive externality reduces firms’ incentives for security investment, while the negative externality enhances their incentives. Next, with the tightening of mandatory standards, both firms will raise investments for the fully verifiable regime. However, regarding the partially verifiable regime, verifiable firms keep increasing security investments, whereas non-verifiable firms’ investments are motivated exclusively by the security externality. Finally, our study shows that excessively stringent mandatory standards do not necessarily enhance the aggregate information security performance of firms.