Cyber-Investment and Cyber-Information Exchange Decision Modeling

Inefficiency of addressing cybersecurity problems can be settled by the corporations if they work in a collaborative manner, exchanging security information with each other. However, without any incentive and also due to the possibility of information exploitation, the firms may not be willing to share their breach/vulnerability information with the external agencies. Hence it is crucial to understand how the firms can be encouraged, so that they become self-enforced towards sharing their threat intelligence, which will not only increase their own payoff but also their peers´ too, creating a win-win situation. In this research, we study the incentives and costs behind such crucial information sharing and security investments made by the firms. Specifically, a non-cooperative game between N-firms is formulated to analyze the participating firms´ decisions about the information sharing and security investments. We analyze the probability of successful cyber attack using the famous dose-response immunity model. We also design an incentive model for CYBEX, which can incentivize/punish the firms based on their sharing/free-riding nature in the framework. Using negative definite Hessian condition, we find the conditions under which the social optimal values of the coupled constraint tuple (security investment and sharing quantity) can be found, which will maximize the firms´ net payoff.