Abstract

In this paper, we consider a delegated dynamic systemic cyber risk management problem between a resource owner (the principal) and a risk manager (the agent). The principal observes only the cyber risk outcomes of the network, not the effort the agent spends on protecting the resources. Under this asymmetric information, the principal aims to minimize the systemic cyber risk by designing a dynamic contract that specifies the compensation flows and the anticipated effort of the manager, taking into account the manager's incentives and rational behavior. We formulate dynamic contract design as a bi-level mechanism design problem, which can be seen as a special class of differential games. We show that the principal has rational controllability of the systemic risk by designing an incentive-compatible estimator of the agent's hidden effort. We characterize the optimal mechanism design by reformulating the problem as a stochastic optimal control program and derive the solution explicitly. We further reveal a separation principle for dynamic risk management: the effort estimation and the compensation design can be carried out separately.
