Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker

Abstract

Information resources have been shared to promote the business operations of firms. However, the connection of business information sharing interfaces between firms has increased the attack surface and created opportunities for the hacker. We examine the benefits and risks of business information sharing for firms who exert security efforts against a strategic hacker that launches attacks subjectively. We show that two kinds of security efforts, security investment and security knowledge sharing, act as strategic substitutes when the business-sharing degree is low and act as strategic complements otherwise. Besides, the strategic hacker is not always aggressive, who will give up launching attack activities when the business-sharing degree is relatively low. Moreover, as a specific characteristic in the security domain, the risk interdependency first enhances and then suppresses both firms’ security investments and the hacker’s attack effort, which causes a free-riding problem for two firms. Then, two coordination mechanisms, an investment-based mechanism and liability-based mechanism, are proposed to help firms coordinate their strategies to reach socially optimal security levels. Last, we extend the main model to three cases to make our model more general. This paper provides the first evidence to assess the security risks exacerbated by business information sharing while considering a strategic hacker. Some management insights to managers for making security decisions are provided.