Economic incentives in security information sharing: the effects of market structures

Abstract

The past few years have witnessed numerous information security incidents throughout the world, which unfortunately become increasingly tough to be completely addressed just by technology solutions such as advanced firewalls and intrusion detection systems. In addition to technology components, Internet environment can be viewed as a complex economic system consisting of firms, hackers, government sectors and other participants, whose economic incentives should be taken into account carefully when security solutions are formulated. In order to better protect information assets, information security economics as an emerging and thriving research branch emerges aiming at attempting to solve the problems of distorted incentives of such stakeholders by means of economic approaches. However, how these participants' economic incentives for information security improvement change when they evolve between different market structures has remained unknown yet. Using game theory, we develop an analytical framework to investigate the effects of market structures on security investments, information sharing, attack investments, expected profits, expected consumer surplus and expected social welfare. We demonstrate that the levels of security investments, information sharing, attack investments, and expected profits are higher while expected consumer surplus and expected social welfare are lower under Cournot competition than under Bertrand competition. In particular, we surprisingly find that under either type of competition, the demand switch ratio caused by security breaches may benefit firms, consumers, government sectors and harm hackers. Our results provide some relevant managerial insights into formulating the strategies of security investments and information sharing for the firms transforming from one type of competition to the other.