Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain

Shaun S. Wang
Journal: IO: Firm Structure, volume 15 1
Published: 2017-11-03 (Journal Article)
DOI: 10.2139/ssrn.3064533 (https://doi.org/10.2139/ssrn.3064533)
Citations: 3

Abstract

This paper presents economic models of cybersecurity investments by a firm, first considering the cost-benefit to the firm itself, and then to the ecosystem of a supply chain. We introduce the concept of a firm’s security knowledge set of its attack surface, relative to the universe of threats. We propose three classes of security production functions as the frontier curve of a firm’s knowledge set. We distinguish two types of security investments, acquiring data, information and expertise vis-a-vis deploying defense measures and detection tools, and derive formulas for optimal allocations. We analyze cyber breach propagation between firms in a supply chain, and demonstrate that large firms requiring contractors to show security ratings by third parties can be an effective way of reducing the information gap in a supply chain. We present a model for the reliability (sharpness) of cybersecurity ratings for firms, and show how the perceived reliability of cybersecurity ratings affects the incentives for firms to increase their security investments.