Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Xia Zhao
Assistant Professor
Department of Information Systems and Supply Chain Management
Bryan School of Business and Economics
University of North Carolina at Greensboro
Greensboro, NC 27402
Phone: (336) 256-8588
Email: x_zhao3@uncg.edu

Ling Xue
Assistant Professor
Department of Management Information Systems
Fogelman College of Business and Economics
University of Memphis
Memphis, TN 38152
Phone: (901) 678-2000
Email: lxue1@memphis.edu

Andrew B. Whinston
Hugh Roy Cullen Centennial Chair, Professor
McCombs School of Business
The University of Texas at Austin
IROM, B6500, 1 University Station
Austin, TX 78712
Phone: (512) 471-7962
Email: abw@uts.cc.utexas.edu
Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Abstract

The interdependency of information security risks often induces firms to invest inefficiently in IT security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that an MSS provider (MSSP) serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

Keywords: Information security, interdependent risks, cyberinsurance, risk pooling, risk management, managed security services
Introduction

In the network economy, product innovation and value creation are achieved via networks of firms operating on large scales. The scope of information technology has been expanding beyond the traditional organizational boundaries [17; 39]. As a result, information security risks have become intricately interdependent. For example, inter-organizational information systems essentially physically connect firms' IT infrastructure via the Internet and expose the participating firms to network-wide security risks. An organization's network is at risk if a hacker gains access to its partner's network. Even firms without close business relationships may be logically interdependent: Strategic hackers often evaluate the security level of firms and select their targets on the basis of whose systems they can break into quickly without being detected [34]. In these examples, a firm's security risks depend not only on its own security practices, but also on the security protections of others.

Firms' security risks can be either positively interdependent or negatively interdependent. The security risk is defined as the probability for a firm to have a security incident. Positive interdependency occurs when a company has higher security risks while other companies also have higher security risks. For example, a security threat that impacts a firm may also influence the firm's partners via the inter-organizational information systems. The hacker who breaks into the firm's network may steal sensitive data about the partners or penetrate the partners' networks via the trust connections. The security risks of the firm and its partners are thus positively interdependent. With positive interdependency, a firm's security investment not only strengthens its protection, but also reduces the likelihood that other firms have security breaches. The security investments therefore generate positive externalities [20; 31]. Negative interdependency occurs when a company has higher security risks while other
companies have lower security risks. A typical example of a negatively interdependent security risk is a targeted attack. A targeted attack refers to a malware attack aimed at one or a small set of firms. Strategic hackers often evaluate the security level of firms using various hacking techniques, such as port scans or eavesdropping, and select as their targets firms whose systems can be broken into quickly without detection [34]. They usually put more effort into attacking systems with lower security levels [6]. According to the 2010/2011 CSI Computer Crime and Security Survey, 22% of respondents reported that their companies experienced targeted attacks between July 2009 and June 2010 [5]. In this case, a firm's self-protection, while reducing its own risks, potentially diverts hackers to other firms and thus increases other firms' risks. Therefore, security investments in this case generate negative externalities [6].

Because of the network externalities of security investments, firms often invest inefficiently from the perspective of a central decision maker who maximizes the total payoffs of all stakeholders. Researchers in the previous literature have identified both the underinvestment and overinvestment issues caused by the interdependency of security risks [6; 20; 31]. When the firms' security investments generate positive externalities, a firm's security investments strengthen not only its own security but also other firms' security. Often, self-interested firms invest at a level lower than the optimal level, which maximizes the total profit of all firms [20; 31]. Examples of security investments that generate positive externalities include antivirus software and firewalls. The installation of anti-virus software helps prevent viruses from widely propagating and therefore benefits others. However, underinvestment in anti-virus protection is prevalent. A study by McAfee Corp reported that 17% of computers around the world had no antivirus protection installed or that the anti-virus subscriptions had expired. Furthermore, the U.S. outpaced the average, with 19% of computers unprotected, according to the data [36].
When the firms' security investments generate negative externalities, self-interested firms invest at a level that is higher than the optimal level for all firms. Security measures that are used to defend against distributed denial of service (DDoS) attacks, such as content caching and redundant network devices, are more likely to generate negative externalities. Many e-commerce websites, for example, prepare for 10 times the amount of peak traffic when designing their networks to defend against DDoS attacks. Such a cost of risk mitigation is fairly high given that the possibility of a DDoS attack is usually very low [29; 41].

This paper examines risk management solutions to the investment inefficiency caused by interdependent information security risks. Cyberinsurance has been proposed as a promising approach to managing information security risks and optimizing security expenditures [12; 31; 42]. Cyberinsurance is a range of first-party and third-party coverage that enables firms to transfer their security risks to the commercial insurance market. With cyberinsurance, firms can balance their expenditures between investing in security protections and acquiring insurance. However, cyberinsurance is ineffective in addressing the issue of investment inefficiency caused by interdependent security risks [31]. It does not internalize the externalities of security investments and cannot mitigate firms' incentives to underinvest or overinvest. In addition, the cyberinsurance market is still underdeveloped: Only a few insurers offer cyberinsurance, and actuarial data on information security, breaches, and damages is scarce. The ever-changing nature of security threats also impedes the development of the third-party cyberinsurance market.

The deficiency of cyberinsurance calls for new risk management solutions to address issues related to information security risks. We consider two potential risk management solutions: risk pooling arrangements (RPAs) and managed security services (MSSs). We study whether and how these solutions can be used
to address the investment inefficiency and whether the self-interested firms have incentives to adopt these solutions. An RPA is a mutual form of insurance organization in which the policyholders are also the owners. Mutual insurance was widely adopted in the insurance market for medical malpractice and municipal liability during the late 1980s [23] and has since also been used in other lines of insurance, such as employee pension and employee health insurance. The traditional advantages of an RPA over commercial insurance include tax benefits, reduced overhead expenses, and flexible policy development [40]. RPAs are different from third-party cyberinsurance in terms of risk transfer. RPAs can never completely eliminate the risks for an individual policyholder. Even though the risk pool can issue full coverage for the firms' security losses, each individual firm still bears part of the risk pool's loss through its equity position. Table 1 compares cyberinsurance and RPAs.

[Please Insert Table 1 Here.]

We find that even though an RPA endogenizes the network externalities of security investments for firms, the adoption of the RPA is incentive-compatible for firms only when security investments generate negative externalities. The key reason is that by pooling the risks of individual firms, the RPA induces moral hazard in teams, which refers to firms' reluctance to invest in loss prevention when they can transfer security losses to others [15]. This type of moral hazard is shown to be desirable when security investments generate negative externalities. However, in the case of positive externalities, moral hazard further reduces the firms' investment incentives and exacerbates the underinvestment problem.

The second solution is MSSs, or IT security outsourcing. MSS providers (MSSPs) provide a range of security services, such as security monitoring and vulnerability assessments; network protection and penetration testing; managed spam services; anti-virus and content filtering
services; incident management and forensic analysis; data archiving and restoration; and on-site audits and consulting [1; 3]. The 2010-2011 CSI Computer Crime and Security Survey reported that as many as 36% of respondents outsourced part or all of their computer security functions to MSSPs. In addition, 14.1% of respondents indicated that their companies outsourced more than 20% of their security functions [5]. The global MSS market is forecasted to more than double between 2011 and 2015, when it will reach $16.8 billion [18]. We show that MSSs can address investment inefficiency caused by both positive and negative externalities of security investments when the total number of firms is small. Using MSSs with a service level agreement (SLA), firms not only delegate the security operations but also transfer their security risks to MSSPs. Because the MSSP collectively manages the interdependent security risks for multiple client firms, it can internalize the externalities of security investments. However, collective outsourcing may not always arise as an equilibrium because of the interdependent nature of security risks. When the total number of firms is large, an individual firm can leverage the MSSP's collective operations for others and receive a higher payoff by managing security in-house. Even if the MSSP is better able to manage security (i.e., is more cost-efficient in managing security) than the firms, this result still holds. This paper characterizes the condition under which all firms will adopt the MSS solution.

This paper contributes to the research on alternative risk transfer (ART) solutions. RPAs, as an ART approach, have been recognized by practitioners as having the advantages of reduced overhead expense and flexible policy development [40]. We find that, in addition to these advantages, RPAs can serve as a potential solution to the investment inefficiency caused by interdependent security risks and can optimize firms' security spending. This finding helps policy makers recognize the potential benefit of RPAs in security management and guide the
development of policies for the mutual insurance industry. This paper also contributes to the literature on IT security outsourcing. It has been well recognized that firms outsourcing security services can benefit from cost savings, reduced staffing needs, broader skills acquisition, security awareness, dedicated facilities, liability protection, and round-the-clock service [1]. We illustrate that the use of MSSs can also be justified from the perspective of mitigating the investment inefficiency caused by risk interdependency.

The rest of the paper is organized as follows: In the next section, we review related literature on the economics of information security, cyberinsurance, RPAs, and MSSs. We then outline the model setup, followed by the analysis of the cyberinsurance, RPA, and MSS solutions. We also extend the model to account for heterogeneous firms. Finally, we draw managerial and policy implications and conclude this paper with future extensions.

Related Literature

Prior studies on the economics of information security have examined many issues related to information security investments [e.g., 14, 16]. Anderson and Moore [2] discussed how moral hazard and adverse selection distort firms' incentives to invest in information security. Gordon and Loeb [10] developed an economic model to determine the optimal level of investment in information security. Gal-Or and Ghose [9] examined firms' incentives to share security information and showed that information sharing and security investment complement each other. Kunreuther and Heal [20] characterized a class of interdependent security risks and demonstrated that firms generally underinvest in security protections when their security risks are interdependent. Our paper complements this stream of research by exploring risk management solutions to the investment inefficiency associated with interdependent information security risks.
There is an emerging body of literature that has examined the use of insurance in information security management. Gordon et al. [12] discussed the advantages of using cyberinsurance to manage information security risks. Ogut et al. [31] used an economic model to examine firms' investments in security protections and the use of cyberinsurance in the context of interdependent security risks. They showed that the interdependence of security risks reduces firms' incentives to invest in security technologies and to buy insurance coverage. All of these studies focused on third-party commercial cyberinsurance, whereas in this paper we propose and examine two alternative risk management approaches to information security risks: RPAs and MSSs.

Prior literature on risk management has justified the existence of RPAs from various perspectives. For example, the mutual form of insurance organization is more efficient when the distribution of risks prevents independent insurers from using the law of large numbers to eliminate risks [8; 25]. The mutual form of insurance can also address the conflicts of interest between insurers and policyholders because policyholders themselves are the owners of a mutual insurer [7; 26; 27]. Moreover, mutual insurers can coexist with independent insurers as a result of the adverse selection of risk-averse policyholders [23]. This paper complements these studies by illustrating the use of mutual insurance to endogenize network externalities of security investments.

Our work is also related to prior work on contracting in IT outsourcing, especially IT security outsourcing. Richmond et al. [33] analytically characterized the conditions under which an organization outsources its software enhancements, considering information asymmetry and different profit-sharing rules. Whang [45] proposed a contract for outsourcing software development that achieves the outcome of in-house development. Wang et al. [44] characterized
the efficiency loss resulting from investment externalities for both in-house software development and outsourced custom software development. Sen et al. [37] proposed a dynamic, priority-based, price-penalty scheme for outsourcing IT services and found that it is more effective than a fixed-price approach. IT security outsourcing has not received adequate research attention until recently. Allen et al. [1], Axelrod [3] and McQuillan [25] provided organizations with general guidance to help them knowledgeably engage MSSPs. Gupta and Zhdanov [13] analytically explained the growth and sustainability of MSSP networks and found that the initial investment is critical in determining the size of MSS networks with positive externalities. In their setting, the issue of free-riding never occurred. Our paper examines the use of MSSs to address interdependent information security risks that often lead to free-riding. Hui et al. [16] examined both an MSSP's and its clients' equilibrium effort decisions when risk interdependency arose among the MSSP's clients. In our paper, firms' security risks are interdependent even when firms do not use an MSSP. Lee et al. [17] proposed a multi-lateral contract to solve the double moral hazard issues between the client firm and the MSSP. Our paper complements this stream of research by examining the use of IT security outsourcing to address the investment inefficiency caused by interdependent information security risks among firms.

Model

We consider $n$ risk-averse firms. Each firm has an initial wealth $A$. All firms have an identical payoff function $U(\cdot)$, where $U(\cdot)$ satisfies the conditions $U'(\cdot) > 0$ and $U''(\cdot) < 0$ (i.e., $U(\cdot)$ is increasing and concave). The assumption of an increasing and concave utility function is consistent with the literature on risk management (e.g., [22; 24; 35; 38]). Firms invest in security protection to safeguard their information assets. As we discussed in the Introduction,
security investments often generate network externalities. The breach probability for an individual firm, firm $i$, is affected not only by its own security investment, but also by the security investments of others. We let $\pi(x_i, X_{-i})$ be firm $i$'s breach probability, where $x_i$ represents firm $i$'s security investment and $X_{-i} = (x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_n)$ represents the other $n-1$ firms' security investments. A firm loses $L$ in a security breach. Firm $i$'s expected payoff can be represented by

$$\pi(x_i, X_{-i})\,U(A - L - x_i) + \big(1 - \pi(x_i, X_{-i})\big)\,U(A - x_i).$$

It is assumed that the investment cost is linear in the investment level. In particular, the investment cost is equal to the investment level. The qualitative insights still hold if the investment cost is an increasing and convex function of the investment level. A firm's security investment decreases its breach probability, and the investment exhibits a diminishing marginal return in reducing the breach probability. That is,

$$\frac{\partial \pi(x_i, X_{-i})}{\partial x_i} < 0 \quad \text{and} \quad \frac{\partial^2 \pi(x_i, X_{-i})}{\partial x_i^2} > 0.$$

The assumption about the declining marginal return of the security investment is consistent with the CERT incident data [30] and is widely used in the literature on security management (e.g., [4; 10; 11]). We consider two types of network externalities: positive externalities and negative externalities. In the case of positive externalities, a firm's security investment, while decreasing its own breach probability, also decreases the breach probability of other firms (i.e., $\partial \pi(x_j, X_{-j}) / \partial x_i < 0$, $\forall j \neq i$). In the case of negative externalities, a firm's security investment increases the breach probability of other firms (i.e., $\partial \pi(x_j, X_{-j}) / \partial x_i > 0$, $\forall j \neq i$). Table 2 summarizes and compares the features of the different network externalities.

[Please Insert Table 2 Here.]
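As an added worked example (not the authors' code or part of the paper), the Python script below instantiates the model just defined with the breach probability and payoff function that the paper later uses in its numerical examples: $\pi(x_i, X_{-i}) = \exp(-2x_i - b\sum_{k \neq i} x_k)$, $U(w) = w - w^2/20$, $A = 8$, $L = 6$, and $b = -1/15$ for negative externalities. It computes the symmetric cyberinsurance-only investment $x^e$ and the centralized optimum $x^o$ from the first-order conditions derived in the following sections (own effect equal to $-1/L$, and own plus cross effects equal to $-1/L$, respectively), and it evaluates the risk pooling payoff of Eq. (7) to find the symmetric equilibrium investment and the cooperatively chosen pool share $q$. The best-response iteration, the golden-section search, the search ranges for $x$ and $q$, and all function names are assumptions of this example, not a procedure the paper describes.

```python
import math

# Numerical setup taken from the paper's illustration: A = 8, L = 6,
# U(w) = w - w^2/20 and the exponential breach probability with
# externality parameter b (b < 0: negative, b > 0: positive externalities).
A, L = 8.0, 6.0


def U(w):
    """Increasing, concave payoff function used in the paper's example."""
    return w - w * w / 20.0


def breach_prob(x_own, x_others, b):
    """pi(x_i, X_-i) = exp(-2 x_i - b * sum_{k != i} x_k)."""
    return math.exp(-2.0 * x_own - b * sum(x_others))


def cyberinsurance_only_investment(n, b):
    """Symmetric equilibrium x^e: d pi/d x_i = -1/L with full coverage I_i = L."""
    c = 2.0 + (n - 1) * b          # exponent slope when all firms invest the same x
    return math.log(2.0 * L) / c   # solves 2 exp(-c x) = 1/L


def centralized_investment(n, b):
    """Symmetric optimum x^o: own effect plus cross effects on others sum to -1/L."""
    c = 2.0 + (n - 1) * b
    return math.log(c * L) / c     # solves c exp(-c x) = 1/L


def insured_payoff(x, n, b):
    """Certainty-equivalent payoff U(A - pi L - x) when all n firms invest x and buy I = L."""
    p = breach_prob(x, [x] * (n - 1), b)
    return U(A - p * L - x)


def rpa_payoff(x_own, x_others, n, b, q):
    """Firm i's expected payoff under the risk pool of Eq. (7): the pool covers qL,
    cyberinsurance covers the residual (1-q)L, and pool losses are split n ways."""
    p_i = breach_prob(x_own, [x_others] * (n - 1), b)
    p_j = breach_prob(x_others, [x_own] + [x_others] * (n - 2), b)
    premium = p_i * (1.0 - q) * L                      # actuarially fair premium
    ev = 0.0
    for k in range(n):                                 # k of the other n-1 firms breached
        b_k = math.comb(n - 1, k) * p_j ** k * (1.0 - p_j) ** (n - 1 - k)
        w_breached = A - premium - x_own - q * L + (n - 1 - k) * q * L / n
        w_safe = A - premium - x_own - k * q * L / n
        ev += b_k * (p_i * U(w_breached) + (1.0 - p_i) * U(w_safe))
    return ev


def _argmax(f, lo=0.0, hi=5.0, tol=1e-7):
    """Golden-section search for the maximiser of a unimodal f on [lo, hi] (assumed range)."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    while hi - lo > tol:
        c, d = hi - g * (hi - lo), lo + g * (hi - lo)
        if f(c) > f(d):
            hi = d
        else:
            lo = c
    return (lo + hi) / 2.0


def rpa_equilibrium(n, b, q, rounds=200, tol=1e-6):
    """Symmetric Nash investment for a given pool share q, by best-response iteration
    (a solution method chosen here; the paper does not state how it solved the game)."""
    x = cyberinsurance_only_investment(n, b)           # q = 0 equilibrium as starting point
    for _ in range(rounds):
        x_new = _argmax(lambda xi: rpa_payoff(xi, x, n, b, q))
        if abs(x_new - x) < tol:
            return x_new
        x = x_new
    return x


def optimal_pool_share(n, b, steps=20):
    """Pool share q chosen cooperatively in step (1) of the RPA timing: the q whose
    symmetric equilibrium gives each firm the highest expected payoff."""
    best = None
    for i in range(steps + 1):
        q = i / steps
        x = rpa_equilibrium(n, b, q)
        value = rpa_payoff(x, x, n, b, q)
        if best is None or value > best[2]:
            best = (q, x, value)
    return best


if __name__ == "__main__":
    b = -1.0 / 15.0                                     # negative externalities, as in Figure 1
    print(" n     x^e     x^o    q*   x^rpa")
    for n in range(2, 11):
        q, x, _ = optimal_pool_share(n, b)
        print(f"{n:2d}  {cyberinsurance_only_investment(n, b):6.3f}  "
              f"{centralized_investment(n, b):6.3f}  {q:4.2f}  {x:6.3f}")
```

Running the script prints, for $n = 2, \ldots, 10$, the values of $x^e$, $x^o$, the best pool share on the grid and the pooled-equilibrium investment. With $b < 0$ it shows $x^e > x^o$ and, once $n$ is large enough for the cross effect to outweigh the cost of retained pool risk (already at $n = 5$), a positive pool share together with an RPA investment below $x^e$; with $b = 0$ the two benchmarks coincide, and with $b > 0$ the order reverses to $x^e < x^o$.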
Although firms' security risks are interdependent, a firm's security investment generally has a greater effect on its own security than on other firms' security. We therefore assume that

$$\left|\frac{\partial \pi(x_i, X_{-i})}{\partial x_i}\right| > \left|\frac{\partial \pi(x_j, X_{-j})}{\partial x_i}\right|, \quad \forall j \neq i. \qquad (1)$$

In addition, we assume that

$$\frac{\partial^2 \pi(x_i, X_{-i})}{\partial x_i^2} + \sum_{j=1,\, j \neq i}^{n} \frac{\partial^2 \pi(x_j, X_{-j})}{\partial x_i^2} > 0. \qquad (2)$$

Condition (2) requires that the second-order effect of a firm's security investment on its own breach probability dominates the aggregate second-order effect on the other firms' breach probabilities. These conditions reflect the reality that, even though security risks are interdependent in cyberspace, a firm's security investment is still an effective strategy for self-protection.

Third-Party Cyberinsurance

We establish the benchmark case in which firms use cyberinsurance to cover their security risks. We assume that firms can buy an insurance policy from the cyberinsurance market to cover their security losses. In practice, before issuing insurance policies, insurance companies often formally audit the client firms to ensure that the firms take proper actions to protect themselves. Therefore, we assume that the security investment is observable to the insurers. The same assumption has been used in the literature [31]. The timing of events is as follows: (1) each firm chooses its security investment $x_i$, $i = 1, \ldots, n$; (2) each firm purchases cyberinsurance with coverage $I_i$, $i = 1, \ldots, n$, from third-party insurers; and (3) the security losses are realized and the insurance compensations are made. In this paper, we consider a mature insurance market in which firms are charged an
actuarially fair premium. When firm $i$ purchases an insurance policy with coverage $I_i$, the insurance premium is $P_i = \pi(x_i, X_{-i})\, I_i$. Firm $i$'s optimization problem can be represented by

$$\max_{I_i,\, x_i}\ \pi(x_i, X_{-i})\, U\big(A - L + I_i - \pi(x_i, X_{-i}) I_i - x_i\big) + \big(1 - \pi(x_i, X_{-i})\big)\, U\big(A - \pi(x_i, X_{-i}) I_i - x_i\big). \qquad (3)$$

According to the first-order condition (FOC) w.r.t. $I_i$, we get $I_i^e = L$, where the superscript $e$ denotes the cyberinsurance-only case. Eq. (3) can be simplified as

$$\max_{x_i}\ U\big(A - \pi(x_i, X_{-i}) L - x_i\big). \qquad (4)$$

In the symmetric case, we have $\dfrac{\partial \pi(x_i^e, X_{-i}^e)}{\partial x_i} = -\dfrac{1}{L}$, where $x_i^e$ represents firm $i$'s equilibrium security investment and $X_{-i}^e = (x_1^e, \ldots, x_{i-1}^e, x_{i+1}^e, \ldots, x_n^e)$. To evaluate the investment inefficiency, we compare the firms' investment levels in the cyberinsurance-only case with the optimal investment level. The optimal investment level is defined as the security investment level when all firms jointly maximize their total payoffs. It is equivalent to the case in which a central decision maker maximizes the joint payoff and determines the investment levels for all firms. We next examine the central decision maker's problem:

$$\max_{I_i,\, x_i}\ \sum_{i=1}^{n} \Big[\pi(x_i, X_{-i})\, U\big(A - L + I_i - \pi(x_i, X_{-i}) I_i - x_i\big) + \big(1 - \pi(x_i, X_{-i})\big)\, U\big(A - \pi(x_i, X_{-i}) I_i - x_i\big)\Big]. \qquad (5)$$

Again, according to the FOC w.r.t. $I_i$, we get $I_i^o = L$, $i = 1, \ldots, n$, where the superscript $o$ denotes the centralized case. Eq. (5) can be simplified as

$$\max_{x_i}\ \sum_{i=1}^{n} U\big(A - \pi(x_i, X_{-i}) L - x_i\big). \qquad (6)$$

The FOC of Eq. (6) w.r.t. $x_i$ is:
$$U'\big(A - \pi(x_i, X_{-i}) L - x_i\big)\Big(-\frac{\partial \pi(x_i, X_{-i})}{\partial x_i} L - 1\Big) - \sum_{j=1,\, j \neq i}^{n} U'\big(A - \pi(x_j, X_{-j}) L - x_j\big)\, \frac{\partial \pi(x_j, X_{-j})}{\partial x_i}\, L = 0.$$

In the symmetric case, we have $\dfrac{\partial \pi(x_i^o, X_{-i}^o)}{\partial x_i} + \sum_{j \neq i} \dfrac{\partial \pi(x_j^o, X_{-j}^o)}{\partial x_i} = -\dfrac{1}{L}$, where $x_i^o$ represents the optimal level of security investment for firm $i$ in the centralized case, and $X_{-i}^o = (x_1^o, \ldots, x_{i-1}^o, x_{i+1}^o, \ldots, x_n^o)$. In the case of negative externalities, because $\partial \pi(x_i, X_{-i}) / \partial x_i < 0$ and $\partial \pi(x_j, X_{-j}) / \partial x_i > 0$, we get $x_i^e > x_i^o$. In the case of positive externalities, because $\partial \pi(x_i, X_{-i}) / \partial x_i < 0$ and $\partial \pi(x_j, X_{-j}) / \partial x_i < 0$, we get $x_i^e < x_i^o$. Therefore, the firms overinvest when the security investments generate negative externalities and underinvest when the security investments generate positive externalities.

In the cyberinsurance-only case, we find that when security investments generate negative (positive) externalities, firms purchase full insurance (i.e., $I_i^e = L$) and invest more (less) than the optimal level. These results are in line with the findings in the existing literature [20; 31]. Even though commercial cyberinsurance can hedge firms' risks, it cannot internalize the externalities of security investments and therefore is incapable of resolving either the overinvestment or the underinvestment issue. A fine for liability has been proposed to address the investment inefficiency caused by interdependent security risks. This mechanism requires the liable firm to compensate the loss that it causes to other firms. As a result, a self-interested firm will consider the impact of its investment on other firms' security [20; 31]. However, a fine for liability between firms is difficult to enforce. Because the Internet has no clear delineation of jurisdiction, the imposition of liability across countries by enforcement powers (e.g., governments, regulatory agencies, or trade associations) is extremely costly, if not impossible. We next examine other risk management approaches, RPAs or MSSs, that can be
used to address the investment inefficiency caused by risk interdependency.

Risk Pooling Arrangements

In this section, we examine the use of RPAs in addressing interdependent risks. We use $q \in [0, 1]$ to denote the ratio of loss covered by the risk pool. When a firm suffers a security loss of $L$, the mutual insurer compensates the firm $qL$. Because the firms are the equity holders of the mutual insurer, the total security losses collected by the mutual insurer are then shared equally among all the firms. If $q < 1$, the firms transfer only partial losses to the mutual insurer. If $q = 1$, the RPA provides full coverage to the firms, but each firm still retains part of the risk because of its equity position. The timing of events is as follows. (1) The $n$ firms cooperatively choose $q$; (2) given $q$, each firm chooses its security investment $x_i$, $i = 1, \ldots, n$; (3) each firm purchases cyberinsurance with coverage $I_i$, $i = 1, \ldots, n$, from third-party insurers; and (4) the security losses are realized, and the compensation stemming from both cyberinsurance and the RPA is received.

The compensation from an RPA is modeled as follows [22]. Assume that $k$ firms out of the $n-1$ firms (excluding firm $i$) suffer a security loss $L$. If firm $i$ also suffers a loss $L$, each of the other $n-1-k$ firms shares $qL/n$ for firm $i$. Consequently, firm $i$ bears only a loss of $L - (n-1-k)\,qL/n$ in total. If firm $i$ does not suffer any loss, it shares $qL/n$ for each of the $k$ firms that suffer a loss. As a result, firm $i$ has to compensate $kqL/n$ in total to the $k$ firms. When the RPA does not cover all the risks, firms can purchase third-party cyberinsurance in addition to using an RPA. The principle of indemnity¹ requires that the cyberinsurance coverage satisfies the constraint $I_i + qL \leq L$; that is, the total insurance compensation from both the RPA and the cyberinsurance cannot exceed the total loss. In the symmetric case, firm $i$'s expected payoff can be represented by

$$\max_{q,\, x_i,\, I_i}\ \pi(x_i, X_{-i}) \sum_{k=0}^{n-1} b(k, n-1, \pi)\, U\Big(A - L + I_i - \pi(x_i, X_{-i}) I_i - x_i + \frac{(n-1-k)\, qL}{n}\Big) + \big(1 - \pi(x_i, X_{-i})\big) \sum_{k=0}^{n-1} b(k, n-1, \pi)\, U\Big(A - \pi(x_i, X_{-i}) I_i - x_i - \frac{k\, qL}{n}\Big),$$

$$\text{s.t.}\quad I_i \leq (1 - q) L,$$

where $\pi = \pi(x_i, X_{-i})$ represents the breach probability for firm $i$ in the symmetric case (we drop the subscript $i$). The function $b(k, n-1, \pi) = \dfrac{(n-1)!}{k!\,(n-1-k)!}\, \pi^{k} (1-\pi)^{n-1-k}$ denotes the binomial probability that $k$ out of $n-1$ firms have security breaches. Proposition 1 characterizes the complementary relationship between the RPA and cyberinsurance.

Proposition 1: When firms use both an RPA and third-party cyberinsurance, we have $I_i = (1 - q) L$. That is, if the risk pool does not provide full coverage, firms will buy third-party insurance to cover the residual risks.²

Proposition 1 shows that risk-averse firms always choose to hedge against all risks. If the risk pool covers only part of a firm's risks (i.e., $q < 1$), the firm will use cyberinsurance to cover the residual risks. Thus, firm $i$'s expected payoff can be represented by:

¹ The principle of indemnity is an insurance principle stating that an insured may not be compensated by the insurance companies in an amount exceeding the insured's economic loss. Therefore, a firm is not allowed to purchase insurance coverage from multiple insurers resulting in an amount of compensation or payout that is higher than the total economic loss [35].

² The proofs of lemmas and propositions are available upon request.
$$\max_{q,\, x_i}\ \pi(x_i, X_{-i}) \sum_{k=0}^{n-1} b(k, n-1, \pi)\, U\Big(A - \pi(x_i, X_{-i})(1-q)L - x_i - qL + \frac{(n-1-k)\, qL}{n}\Big) + \big(1 - \pi(x_i, X_{-i})\big) \sum_{k=0}^{n-1} b(k, n-1, \pi)\, U\Big(A - \pi(x_i, X_{-i})(1-q)L - x_i - \frac{k\, qL}{n}\Big). \qquad (7)$$

When a firm uses only cyberinsurance, it purchases full coverage ($I_i = L$) and completely transfers its risks to the cyberinsurance market. However, if firms adopt an RPA, they still retain part of the risks because they are equity holders of the risk pool (i.e., the mutual insurance entity). Presumably, a risk-averse firm always wants to minimize its risk exposure and prefers third-party cyberinsurance to the RPA. However, in the context of interdependent security risks, cyberinsurance may not be superior because it cannot address the network externalities of security investments. The question is whether, given interdependent security risks, firms have an incentive to use RPAs as a complement to cyberinsurance. We show next that the RPA solution is incentive-compatible for firms in the case of negative externalities but not in the case of positive externalities.

Negative Externalities

We first examine how the use of an RPA in addition to cyberinsurance influences firms' security investments and payoffs when negative externalities exist.

Proposition 2: When security investments generate negative externalities, firms invest less in security in the case with both an RPA and cyberinsurance than in the case with cyberinsurance only.

The underlying insights of Proposition 2 are as follows. When $q = 0$, a firm uses cyberinsurance only and purchases full insurance. Considering the marginal effect of $q$ on a firm's investment at $q = 0$, we have $\left.\dfrac{\partial x_i}{\partial q}\right|_{q=0} < 0$. That is, an individual firm invests less in
security protections if all firms collectively set up a risk pool and allocate a very small proportion of risk to the pool. The use of an RPA influences a firm's investment incentives through two effects. The first is the internalization effect. Firms essentially share their security losses with one another via the RPA. Because an individual firm bears other firms' losses, it takes into consideration the negative effect of its security investments on others and thus invests less. The second is the moral hazard effect. The RPA allows a firm to transfer its security loss to others, which also dampens the firm's investment incentives (i.e., a firm would like to free ride on other firms because of moral hazard in teams [15]). In the case of negative externalities, firms have excess incentives to invest in security. The moral hazard effect helps mitigate the overinvestment incentive and hence strengthens the internalization effect. Therefore, firms invest less in security protections when they participate in an RPA.

Proposition 3: When security investments generate negative externalities, participating in an RPA (i.e., $q > 0$) is incentive-compatible for individual firms.

Proposition 3 generates an important implication: When firms overinvest because of the negative externalities of their security investments, they have the incentive to adopt an RPA as a complement to third-party cyberinsurance. In other words, individual firms are willing to pool their security risks using an RPA in addition to purchasing cyberinsurance. To better explain this incentive compatibility, we derive the marginal effect of $q$ on firm $i$'s expected payoff (the objective in Eq. (7), denoted $\Pi_i$) when $q = 0$:

$$\left.\frac{\partial \Pi_i}{\partial q}\right|_{q=0} = U'\big(A - \pi(x_i, X_{-i}) L - x_i\big)\, \pi(x_i, X_{-i})\, L - U'\big(A - \pi(x_i, X_{-i}) L - x_i\big)\Big[\frac{\pi(x_i, X_{-i})\, L}{n} + \frac{(n-1)\, \pi\, L}{n}\Big] - \sum_{j=1,\, j \neq i}^{n} U'\big(A - \pi(x_i, X_{-i}) L - x_i\big)\, \frac{\partial \pi(x_i, X_{-i})}{\partial x_j}\, L\, \frac{\partial x_j}{\partial q}. \qquad (8)$$
The first term of Eq. (8) represents the marginal benefit that a firm receives from the reduced cyberinsurance premium. When the coverage of the risk pool, $q$, increases, a firm can purchase less cyberinsurance coverage $I_i$ and thus pay a lower premium $\pi I_i$ to the commercial insurer. The second term of Eq. (8) represents the marginal loss that a firm incurs from being exposed to the risks within the risk pool. In particular, $\pi(x_i, X_{-i}) L / n$ represents the marginal loss that a firm incurs from retaining its own security damage, and $(n-1)\pi L / n$ represents the marginal loss that a firm incurs from compensating others in the risk pool. The third term of Eq. (8) represents the marginal effect of other firms' security investments on the firm's payoff. The first two terms cancel out in a symmetric equilibrium. Because $U'\big(A - \pi(x_i, X_{-i}) L - x_i\big) > 0$, $\partial \pi(x_i, X_{-i}) / \partial x_j > 0$, and $\partial x_j / \partial q < 0$, the third term (including the negative sign) is positive, which means that the firm benefits from the reduced investments of others. The overall marginal effect of $q$ on the firm's expected payoff is positive (i.e., $\left.\partial \Pi_i / \partial q\right|_{q=0} > 0$); thus, firms always have an incentive to set up a risk pool when the security investments generate negative externalities.

Note that the findings in Propositions 1 through 3 do not depend on the functional forms of the utility function $U(\cdot)$ and the breach probability function $\pi(\cdot)$, as long as $U(\cdot)$ and $\pi(\cdot)$ satisfy the conditions specified in the model setup. Because the analytical solutions of the $n$-firm game with an RPA are intractable, we use numerical examples to illustrate the equilibrium pool coverage, the equilibrium investment, and the firms' payoffs given $n$. In the numerical examples, we assume that the security investments are additive [18]. In particular,

$$\pi(x_i, X_{-i}) = \exp\Big(-2x_i - b \sum_{k=1,\, k \neq i}^{n} x_k\Big).$$

This breach probability function ensures that $\partial \pi(x_i, X_{-i}) / \partial x_i < 0$ and $\partial^2 \pi(x_i, X_{-i}) / \partial x_i^2 > 0$. The degree of network externalities
is captured by $b$, with $b < 0$ for the case of negative externalities, $b > 0$ for the case of positive externalities, and $b = 0$ for no externalities. This functional form of the breach probability nicely captures the interdependent nature of security investments. For the case of negative externalities, we let $b = -1/15$. This value ensures that $\partial \pi(x_j, X_{-j}) / \partial x_i > 0$, $\forall j \neq i$; that $\left|\partial \pi(x_i, X_{-i}) / \partial x_i\right| > \left|\partial \pi(x_j, X_{-j}) / \partial x_i\right|$ ($j \neq i$); and that $\partial^2 \pi(x_i, X_{-i}) / \partial x_i^2 + \sum_{j \neq i} \partial^2 \pi(x_j, X_{-j}) / \partial x_i^2 > 0$ when the total number of firms is less than 15. In the numerical example, we let $A = 8$, $L = 6$, and $U(w) = w - w^2/20$ for illustration.³

[Please Insert Figure 1 Here.]

Figure 1(a) compares an individual firm's security investments in the cyberinsurance-only case, the RPA case, and the optimal case when security investments generate negative externalities. When the number of firms increases, the security investment of an individual firm becomes less effective because of the higher negative aggregate effect of other firms' security investments. A higher level of security investment is desirable to cancel out this aggregate effect. Therefore, the security investments in the optimal case and the cyberinsurance-only case are increasing in $n$. The higher negative effect with larger $n$ also leads to a wider gap between the optimal investment and the investment in the cyberinsurance-only case. Specifically, as the number of firms increases, each individual firm's security investment in the cyberinsurance-only case deviates further from the optimal level. RPAs can effectively mitigate firms' overinvestment incentives. An individual firm's security investment is significantly lower in the RPA case than in the cyberinsurance-only case. Relative to the investment in the cyberinsurance-only case, the

³ We also examined other parameter values ($A$ and $L$) for the payoff function and other payoff function forms and found that the insights hold qualitatively.
investment in the RPA case comes closer to the optimal level. Figure 1(b) compares the firm's expected payoffs in the cyberinsurance-only case, the RPA case, and the optimal case. The curves show that, relative to the cyberinsurance-only case, the firm's expected payoff in the RPA case is much closer to the optimal payoff. Figure 1(c) illustrates the optimal ratio of loss that firms allocate to the risk pool. The proportion of the loss allocated to the risk pool increases as the number of firms in the pool increases. When the number of firms increases, firms have more incentives to overinvest because of the higher negative aggregate effect of security investments by other firms. Firms allocate more risks to the risk pool to better leverage the internalization and moral hazard effects and to mitigate overinvestment. Figure 1 thus illustrates that an RPA is an effective solution to the investment inefficiency caused by the negative externalities of security investments.

Positive Externality

The preceding subsection demonstrates that when security investments generate negative externalities, firms will set up a risk pool and use it to cover a positive proportion of risks. RPAs help address firms' overinvestment incentives through the internalization and moral hazard effects. When security investments generate positive externalities, do firms still have an incentive to set up an RPA? Proposition 4 provides some insights on the firms' investment incentive with an RPA.

Proposition 4: When security investments generate positive externalities, firms invest less in security in the RPA case (as compared with the cyberinsurance-only case) if the risks covered in the RPA are sufficiently small (i.e., $\left.\partial x_i / \partial q\right|_{q=0} < 0$).

In the case of positive externalities, we have $\left.\partial x_i / \partial q\right|_{q=0} < 0$. Again, a firm invests less in security
protections if firms set up a risk pool and allocate a very small proportion of risk to the pool. The positive externalities of security investments lead to insufficient investment incentives for firms. Even though the internalization effect helps mitigate the underinvestment incentive, the moral hazard effect dampens firms' investment incentives and undermines the capability of RPAs to internalize the positive externalities. The moral hazard effect always dominates over the internalization effect. Therefore, when a RPA is used in addition to cybersurance, firms have even fewer incentives to invest. Proposition 5 sheds light on firms' incentives to set up a risk pool for positively interdependent security risks.

Proposition 5: When security investments generate positive externalities, a RPA is not an incentive-compatible solution for individual firms if it is used to cover only a small proportion of the risk (i.e., $q \to q_0 = 0$).

To understand Proposition 5, we examine Eq. (8) in the context of positive externalities. As in the case with negative externalities, the first two terms of Eq. (8) cancel out. Because $U'(A - \pi(x, X)L - x) > 0$, $\partial\pi(x, X)/\partial x_j < 0$, and $\partial x_j/\partial q < 0$, the third term (including the negative sign) is negative. Therefore, Eq. (8) is negative overall. Thus, using a risk pool to cover a small proportion of risks decreases an individual firm's expected payoff. Therefore, firms have no incentive to set up a risk pool for a small proportion of risks. The question, then, is whether firms have an incentive to set up a RPA with a large coverage. Because the closed-form solution of q in this multi-player game is intractable, we used a numerical approach to search for the possibility that firms are willing to adopt a RPA. In our search, we used a series of exponential breach probability functions, $\pi(x_i, X_{-i}) = \exp(-\lambda x_i - b \sum_{k=1,\dots,n;\,k \ne i} x_k)$. The exponential function ensures that the value of breach probability is always between 0 and 1 for a positive amount of
security investments. We let λ = 1, 2, ..., 10, which represents different degrees of convexity of the breach probability function. The total number of firms, n, ranges from 2 to 30. We let b = 1 9 1 10 1 10 1 1, which ensures that the externality is positive. In addition, the aggregate impact of others' security investments is lower than that of the firm's own security investment. Three increasing and concave payoff functions are examined. They are $U(w) = w - w^2/20$, $U(w) = \log(w + 1)$, and $U(w) = 1 - \exp(-w)$, which represent different degrees of concavity of the firms' payoffs. We did not find any parameter space in which firms have an incentive to set up a risk pool. Therefore, the incentive-compatibility of the RPA solution is difficult to achieve in the case with positive externalities of security investments.

Managed Security Services (MSSs)

In the previous section, we showed that the effectiveness of RPAs depends on the nature of security risks. The RPA solution is effective in addressing overinvestment issues associated with negatively interdependent risks. However, it cannot address the underinvestment issues associated with positively interdependent risks. In this section, we examine a different security management solution: MSSs (or security management outsourcing). We first assume that the MSS provider (i.e., the MSSP) has the same level of security expertise as the firms. This assumption enables us to highlight the insight that the use of MSSs can be justified from the perspective of risk interdependency, not on the basis that the MSSP is more cost-efficient than the client firms. We later extend the analysis and study the case that the MSSP has a cost advantage. If a firm uses MSSs, it pays a fixed fee, denoted by t, to the MSSP. We refer to the firms using MSSs as the member firms and the firms not using MSSs as non-member firms. In practice,
a SLA is often used to ensure that the MSSP assumes accountability for the security loss and manages the security for the member firms' benefits. In this paper, we assume that the SLA specifies the compensation level that the MSSP pays to a member firm if the latter suffers a security loss. We denote the compensation level as d. The timing of events is as follows. (1) The MSSP announces the service fee, t; (2) firms decide whether or not to use the MSSs; (3) the MSSP invests in security protections for the member firms, and the non-member firms obtain the expected reservation payoff, $U_s$; and (4) the security losses are realized and the compensations are made according to the SLAs. Because firms are homogeneous, we focus on the symmetric case in which all firms choose the same strategies. The MSSP's problem can be formulated as:

$\max_{d, t, x} \Pi_m = \sum_{i=1}^{n} \big[t - \pi(x_i, X_{-i})\,d - x_i\big]$

s.t. $\pi(x, X)\,U(A - L + d - t) + (1 - \pi(x, X))\,U(A - t) \ge U_s$ (9)

Constraint (9) ensures that a firm has a higher payoff when outsourcing security management to the MSSP than when it manages security in-house and achieves the reservation payoff. Lemma 1 characterizes the optimal compensation level that the MSSP will establish.

Lemma 1: The loss compensation d satisfies d = L.

When a member firm has a security breach and loses L, the MSSP compensates the firm to the level of d. Because the member firms are risk averse but the MSSP is risk neutral, the MSSP is willing to provide full insurance to the member firms. As a result, the member firms transfer all security risks to the MSSP. In this regard, the MSSP serves as a third-party insurer in addition to a professional service provider [1]. This is in contrast to the RPA, with which each member firm has to share 1/n of the total loss.
Using the result in Lemma 1, the MSSP's problem can be simplified as:

$\max_{t, x} \Pi_m = \sum_{i=1}^{n} \big[t - \pi(x_i, X_{-i})\,L - x_i\big]$ s.t. $U(A - t) \ge U_s$ (10)

Proposition 6 gives the MSSP's investment decisions for the member firms.

Proposition 6: When all individual firms collectively outsource their security management to the MSSP, the MSSP makes the security investment at the optimal level.

Collective outsourcing occurs when all firms outsource their security management to the MSSP. Proposition 6 shows that in collective outsourcing, the investment inefficiency caused by risk interdependency is addressed: The MSSP makes the security investment at the optimal level for all member firms. The optimal level is achieved because the investment decision making is shifted to one entity, so that network externalities are completely internalized. As a result, the investment inefficiency is eliminated.

Sustainability of Collective Outsourcing

Although collective outsourcing can lead to optimal security investments (made by the MSSP), whether this solution is incentive-compatible for individual firms is still unclear. The question is this: When all other firms use MSSs, does an individual firm have the incentive to defect from using the MSSs? When a firm defects, it has to manage security in-house, but it can still use cybersurance to hedge against its security risks. The payoff of the defecting firm can be considered as a firm's reservation payoff (outside option) when deciding on whether to use MSSs (i.e., $U_s$). We next examine whether collective outsourcing is sustainable as an equilibrium for individual firms. For analytical tractability, we again assume that the security investments are additive [18]. In particular, $\pi(x_i, X_{-i}) = p(x_i + b \sum_{k=1,\dots,n;\,k \ne i} x_k)$, where p is a decreasing and
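Proposition 6 and the Figure 1 discussion above compare the cybersurance-only equilibrium with the optimal investment level. The Python below is an added example, not code from the paper or its authors: it carries that comparison through for the additive exponential breach probability $\pi(x_i, X_{-i}) = \exp(-(x_i + b\sum_{k \ne i} x_k))$ used in the later sections (sign convention b < 0 for negative and b > 0 for positive externalities), assuming an actuarially fair cybersurance premium πL so that a fully insured firm minimizes x + πL, and L = 6 as in the paper's numerical examples. The closed-form first-order conditions, the default parameter values and all function names are ours.

```python
import math

L_DEFAULT = 6.0  # loss per breach, the value used in the paper's numerical examples


def breach_probability(x_own, x_others_sum, b):
    """pi(x_i, X_-i) = exp(-(x_i + b * sum_{k != i} x_k)).
    b < 0: others' investments raise this firm's breach probability (negative externality).
    b > 0: others' investments lower it (positive externality). b = 0: independent risks."""
    return math.exp(-(x_own + b * x_others_sum))


def expected_cost(x_own, x_others, n, b, L=L_DEFAULT):
    """Expected security cost of a fully insured firm: fair premium pi*L plus its own investment,
    when each of the other n-1 firms invests x_others."""
    return x_own + breach_probability(x_own, (n - 1) * x_others, b) * L


def _aggregate_slope(n, b):
    # 1 + b(n-1): sensitivity of the breach exponent when all n firms move together.
    s = 1.0 + b * (n - 1)
    if s <= 0:
        raise ValueError("aggregate externality too strong for this n (cf. footnote 4)")
    return s


def nash_investment(n, b, L=L_DEFAULT):
    """Symmetric cybersurance-only equilibrium.
    Each firm minimizes x + L*exp(-(x + b(n-1)X)) taking the others' X as given.
    FOC: L*exp(-(x + b(n-1)X)) = 1; imposing symmetry x = X gives (1 + b(n-1)) x = ln L."""
    return math.log(L) / _aggregate_slope(n, b)


def optimal_investment(n, b, L=L_DEFAULT):
    """Optimal level, which Proposition 6 says the MSSP implements under collective outsourcing:
    one common x minimizing x + L*exp(-(1 + b(n-1)) x).
    FOC: (1 + b(n-1)) L exp(-(1 + b(n-1)) x) = 1, with a corner at 0 when (1 + b(n-1)) L <= 1."""
    s = _aggregate_slope(n, b)
    return max(0.0, math.log(s * L) / s)


def investment_gap(n, b, L=L_DEFAULT):
    """Per-firm comparison of the two regimes; gap > 0 is overinvestment, gap < 0 underinvestment."""
    x_n = nash_investment(n, b, L)
    x_o = optimal_investment(n, b, L)
    return {
        "nash": x_n,
        "optimal": x_o,
        "gap": x_n - x_o,
        "cost_nash": expected_cost(x_n, x_n, n, b, L),
        "cost_optimal": expected_cost(x_o, x_o, n, b, L),
    }


if __name__ == "__main__":
    # Sweep the number of firms for the three externality regimes (constructed parameter values).
    for b in (-0.1, 0.0, 0.1):
        print(f"b = {b:+.1f}")
        for n in range(2, 11):
            g = investment_gap(n, b)
            print(f"  n={n:2d}  nash={g['nash']:.3f}  optimal={g['optimal']:.3f}  "
                  f"gap={g['gap']:+.3f}  cost: {g['cost_nash']:.3f} vs {g['cost_optimal']:.3f}")
```

With b = −0.1 the cybersurance-only investment exceeds the optimal one and the gap widens as n grows, the overinvestment pattern of Figure 1(a); with b = 0.1 the sign flips to underinvestment, and with b = 0 the two levels coincide. In every case the symmetric expected cost at the optimal level is the lower one, which is the efficiency the MSSP captures by deciding for all member firms at once.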
convex function, $p'(\cdot) < 0$ and $p''(\cdot) > 0$. This breach probability function ensures that $\partial\pi/\partial x_i < 0$ and $\partial^2\pi/\partial x_i^2 > 0$. In the case of negative externality, let b < 0. This ensures $\partial\pi/\partial x_j > 0$. In the case of positive externality, let b > 0. This ensures $\partial\pi/\partial x_j < 0$. Suppose that a firm defects but that the other n − 1 firms still outsource their security management to the MSSP. The defecting firm's payoff is $\Pi^d = U\big(A - p(x^d + b(n-1)x^{md})L - x^d\big)$, where $\partial\Pi^d/\partial x^d = 0$. $x^d$ represents the defecting firm's security investment level and $x^{md}$ represents the MSSP's investment level for a member firm when a firm defects. Let $U_s = \Pi^d$. The MSSP's problem can be represented as

$\max_{t, x} \Pi_m = \sum_{i=1}^{n-1} \big[t - p(x_i + b \sum_{k=1,\dots,n;\,k \ne i} x_k)\,L - x_i\big]$ (11)

s.t. $U(A - t) \ge U\big(A - p(x^d + b(n-1)x^{md})L - x^d\big)$ (12)

Constraint (12) is an individual rationality (IR) constraint ensuring that a firm has a higher payoff when using MSSs than when managing security in-house and purchasing cybersurance. This constraint requires that the MSSP establishes a fee that would not result in member firm defection. Lemma 2 characterizes the optimal service fee that the MSSP charges.

Lemma 2: The optimal service fee charged by the MSSP satisfies $t = p(x^d + b(n-1)x^{md})L + x^d$.

The MSSP profits from the service fee. A for-profit MSSP charges a service fee that is as high as possible to maximize its profit, while still ensuring that firms are willing to use the MSS. Suppose a firm defects. The total expected cost for IT security for the defecting firm is
$p(x^d + b(n-1)x^{md})L + x^d$ (i.e., the cybersurance premium plus the security investment). The maximum service fee for the MSSs is therefore equal to the expected total security cost of the defecting firm, so that any firm is indifferent between defecting or not. According to Eq. (11) and Lemma 2, the MSSP's profit is $\Pi_m = n\big[p(x^d + b(n-1)x^{md})L + x^d - p((1 + b(n-1))x^o)L - x^o\big]$. For collective outsourcing to be viable, the MSSP must charge a fee that can cover its service cost. To derive additional insight, we use a general exponential breach probability (i.e., $p(y) = \exp(-y)$) to compare the service fee (i.e., $p(x^d + b(n-1)x^{md})L + x^d$) with the service cost (i.e., $p((1 + b(n-1))x^o)L + x^o$). Proposition 7 characterizes the condition under which collective outsourcing is sustainable as an equilibrium.

Proposition 7: All firms are willing to outsource their security management if: b 1 1b b b b b 1 1 ln 1 2 1 1 0.

When the condition in Proposition 7 holds, the expected security cost incurred by a defecting firm (i.e., $p(x^d + b(n-1)x^{md})L + x^d$) is higher than the service cost incurred by the MSSP for each member firm in collective outsourcing (i.e., $p((1 + b(n-1))x^o)L + x^o$). According to Lemma 2, the MSSP charges a fee equal to a defecting firm's security cost. This service fee not only ensures that all firms have incentives to use MSSs but also yields a positive profit for the MSSP. Therefore, the equilibrium of collective outsourcing using MSSs is sustainable when the condition in Proposition 7 holds. The sustainability of collective outsourcing, although achievable with a small number of
firms, becomes increasingly difficult to achieve as the number of firms increases. When the number of firms is larger, an individual defecting firm gains more from the MSSP's collective operations. In the case of negative externalities, a larger number of firms provides the MSSP with more incentives to reduce the security investment to address the overinvestment issue for each member firm, making it easier for a defecting firm to beat the MSSP security investment and drive hackers away. In the case of positive externalities, a larger number of firms induces the MSSP to increase the security investment to address the underinvestment issue for each member firm, making it easier for a defecting firm to free-ride. Therefore, an individual firm is more likely to defect, and the retention of all member firms is then more difficult for the MSSP. As a result, there is a maximum number of firms with which the MSSP can induce all firms to use the MSSs and address the investment inefficiency. Figure 2 demonstrates the maximum number of firms for which a sustainable equilibrium exists, given the degree of network externalities, b.

[Please Insert Figure 2 Here.]

The increase in the degree of network externalities generates two countervailing effects on firms' incentives to defect. In the case of negative externalities (b < 0), when the degree of network externalities is higher (b is smaller), the advantage of the MSS solution in internalizing externalities of the security investments is more evident, and a firm is more willing to use the MSSs. On the other hand, a firm also benefits more if it deviates from using the MSSs. This is because higher negative externalities induce the MSSP to invest less aggressively, and, as a result, it is easier for a defecting firm to beat the MSSP security investment and drive hackers away. An individual firm is thus less willing to pay for MSSs, forcing the MSSP to lower the service fee. The fee that the MSSP can charge depends on the tradeoff between these two effects. As a result, the maximum number of firms that ensures a sustainable equilibrium is first
increasing in b and then decreasing in b. When the security investments generate positive externalities (i.e., b > 0), the defecting firm can free-ride on the MSSP's collective security operations for member firms. As a result, the MSSP has to keep the service fee low to retain the member firms. When the number of firms is larger, the benefit of free-riding is higher, and the service fee that the MSSP charges cannot cover the expected cost of serving a firm. As a result, collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. It is worth noting that when security investments generate positive externalities and the MSSP is more cost-efficient, the maximum number of firms in a sustainable equilibrium may be higher than two, as is illustrated in the next section. When b = 0, the firms' security risks are independent, and security investments have no externalities. The service fee that the MSSP charges is equal to the security cost that the MSSP incurs to serve a member firm. As a result, the MSSP always makes zero profit (i.e., the condition in Proposition 7 never holds). This case is a trivial one.

MSSP's Cost Efficiency

The previous analysis presents a counterintuitive result: Even though the MSSP serving all firms invests at the optimal level and firms all benefit from security outsourcing, collective outsourcing to the MSSP might not arise as an equilibrium. This phenomenon occurs because a firm, even after defecting, might directly benefit from the MSSP's security operations, resulting in a higher payoff for the firm than actually using the MSSs. As a result, the MSSP cannot charge a fee that sustains collective outsourcing and results in a profit. In practice, the MSSP is often more capable of managing security because of its better technology, more experienced staff, and higher operational efficiency. A major reason for which individual firms outsource security management is to leverage the MSSP's cost efficiency [1; 3].
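The sustainability check behind Lemma 2, Proposition 7 and Figure 2 can be reproduced numerically for the exponential case. The Python below is an added example, not code from the paper or its authors: following the paper's timing (fee announced first, investments made after firms have chosen), it solves the stage-3 Nash equilibrium between one defecting, cybersurance-insured firm and the MSSP serving the other n − 1 firms, sets the fee equal to the defector's expected security cost (Lemma 2), and compares that fee with the MSSP's per-member cost under collective outsourcing. The MSSP's investment cost is scaled by a cost-efficiency parameter β as in the subsection that follows (β = 1 reproduces the Proposition 7 setting, β < 1 the Proposition 8 setting). The breach probability p(y) = exp(−y), L = 6, the corner-solution handling and the function names are our assumptions.

```python
import math


def collective_investment(n, b, L, beta=1.0):
    """MSSP investment per member when all n firms outsource (the Proposition 6 level, with the
    MSSP paying beta per unit of investment): minimize beta*x + L*exp(-(1 + b(n-1)) x).
    FOC: (1 + b(n-1)) L exp(-(1 + b(n-1)) x) = beta. Returns None outside the interior range."""
    s = 1.0 + b * (n - 1)
    if s <= 0 or s * L <= beta:
        return None
    return math.log(s * L / beta) / s


def defection_equilibrium(n, b, L, beta=1.0):
    """Stage-3 Nash equilibrium when one firm defects and the MSSP serves the other n-1.
    Defector (fully insured by cybersurance):  min x_d + L exp(-(x_d + b(n-1) x_m))
        -> x_d + b(n-1) x_m = ln L
    MSSP, per member, taking x_d as given:      min beta x_m + L exp(-((1 + b(n-2)) x_m + b x_d))
        -> (1 + b(n-2)) x_m + b x_d = ln((1 + b(n-2)) L / beta)
    Two linear equations in (x_d, x_m); a negative x_d means the defector sits at the corner 0."""
    s2 = 1.0 + b * (n - 2)
    if s2 <= 0 or s2 * L <= beta:
        return None
    a11, a12, c1 = 1.0, b * (n - 1), math.log(L)
    a21, a22, c2 = b, s2, math.log(s2 * L / beta)
    det = a11 * a22 - a12 * a21
    x_d = (c1 * a22 - a12 * c2) / det
    x_m = (a11 * c2 - a21 * c1) / det
    if x_d < 0:  # corner: the defector invests nothing and relies on the MSSP's protection
        x_d = 0.0
        x_m = c2 / s2
    return x_d, x_m


def sustainability_margin(n, b, L=6.0, beta=1.0):
    """Lemma 2 fee (the defector's expected cost) minus the MSSP's per-member cost under
    collective outsourcing. A positive margin is the Proposition 7 (beta = 1) / 8 condition."""
    eq = defection_equilibrium(n, b, L, beta)
    x_o = collective_investment(n, b, L, beta)
    if eq is None or x_o is None:
        return None
    x_d, x_m = eq
    fee = x_d + L * math.exp(-(x_d + b * (n - 1) * x_m))      # defector's premium + investment
    member_cost = beta * x_o + L * math.exp(-(1.0 + b * (n - 1)) * x_o)
    return fee - member_cost


def max_sustainable_n(b, L=6.0, beta=1.0, n_max=30, tol=1e-9):
    """Largest n for which collective outsourcing is a sustainable equilibrium (Figure 2/3 logic);
    None when the fee never strictly exceeds the service cost."""
    best = None
    for n in range(2, n_max + 1):
        m = sustainability_margin(n, b, L, beta)
        if m is None:  # left the parameter range where the interior solutions exist
            break
        if m > tol:
            best = n
    return best


if __name__ == "__main__":
    # Constructed parameter values: L = 6 as in the paper's examples, b = +/-0.1 as in its figures.
    for beta in (1.0, 0.5):
        for b in (-0.1, 0.0, 0.1):
            print(f"beta={beta:.1f} b={b:+.1f}: max sustainable n = {max_sustainable_n(b, beta=beta)}")
```

For L = 6 and β = 1 the scan gives a maximum of 3 firms at b = −0.1, 2 firms at b = 0.1 (the free-riding case in which only n = 2 survives) and no sustainable n at b = 0, where the fee exactly equals the service cost. With β = 0.5 and b = −0.1 every n up to the feasibility bound of footnote 4 (n ≤ 10) is sustainable, which is the cost-efficiency effect discussed with Figure 3.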
In this subsection, we examine how the MSSP's cost advantage is weakened by network externalities of security investments. We assume that the MSSP incurs an investment cost βx, where β ∈ (0, 1] captures the level of cost efficiency. When β = 1, the MSSP has the same level of cost efficiency as individual firms; as β decreases, the MSSP becomes more cost-efficient than individual firms. The MSSP's problem can be represented as:

$\max_{t, x} \Pi_m = \sum_{i=1}^{n-1} \big[t - p(x_i + b \sum_{k=1,\dots,n;\,k \ne i} x_k)\,L - \beta x_i\big]$

s.t. $U(A - t) \ge U\big(A - p(x^d + b(n-1)x^{md})L - x^d\big)$.

Proposition 8 presents the condition under which collective outsourcing arises as an equilibrium when the MSSP is more cost-efficient than individual firms.

Proposition 8: When the MSSP is more cost-efficient than individual firms (0 < β < 1), all firms decide to outsource their security services if: 1 b 1 b 1 b 1 1 b ln b 1 1 b b b b L ln 1 2 1 1 1 1 ln 0.

When the MSSP is more cost-efficient than individual firms (0 < β < 1), the maximum number of firms yielding a collective outsourcing equilibrium depends on the level of cost efficiency (β), in addition to the degree of network externalities (b). Figure 3 illustrates the maximum number of firms with which collective outsourcing arises as a sustainable equilibrium, given the level of cost efficiency. Similar to the degree of network externalities, cost efficiency affects the firms' defection incentives through two countervailing effects. On the one hand, a more efficient MSSP (β is smaller) is more capable of managing the security risks than are individual firms. Therefore, an individual firm is more willing to use the MSSs. This is the
cost-efficiency effect. On the other hand, a defecting firm benefits more by taking advantage of the MSSP's collective security management when the MSSP is more cost-efficient. This effect decreases a firm's willingness to pay for the MSS. This is the defection effect. Figure 3 illustrates the maximum number of firms in a sustainable equilibrium when the MSSP is more cost-efficient. It shows that when the security investments generate positive externalities (b = 0.1), the maximum number of firms in a collective outsourcing equilibrium is first increasing and then decreasing. When the security investments generate negative externalities (b = −0.1), the cost-efficiency effect dominates the defection effect when the MSSP's cost efficiency is high (β is small). Therefore, collective outsourcing is more likely to arise (i.e., all firms are willing to use the MSS) when β is small.⁴ However, when β is large enough (i.e., the MSSP is less cost-efficient), the cost-efficiency effect is weakened and the maximum number of firms decreases to two.

[Please Insert Figure 3 Here.]

Heterogeneous Firms

In this paper, we follow the classic literature on risk pooling and focus on ex ante homogeneous firms. In this section, we extend the model and discuss the case that firms have heterogeneous security losses. In particular, we assume that there are two types of firms: type-1 firms and type-2 firms. In a security breach, a type-1 firm loses $L_1$, and a type-2 firm loses $L_2$, where $L_1 > L_2$. Let the total numbers of type-1 firms and type-2 firms be $n_1$ and $n_2$, respectively. We have $n_1 + n_2 = n$.

⁴ When b = −0.1, the total number of firms must be no more than 10 to ensure that $x_i + b \sum_{k=1,\dots,n;\,k \ne i} x_k > 0$.
When firms use cybersurance only, we can verify that a firm still overinvests when the security investments generate negative externalities, and underinvests when the security investments generate positive externalities. We next examine firms' security investments and expected payoffs in the RPA case. The expected payoff of a type-1 firm can be represented by:

, 1, b j,, 11 2 k0 j0 1 2 1 1 1 x, X 1 k j q L 1 1 1 1 1 U A L1 I x X I x s.t. I q L 1.. 1 1 1. b k 1 1,, 1, b j,, 11 2 k0 j0b k 1 1 1 2 1 x, X, kq1 L1 jq2l2 1 1 1 1 U A x, X I x

And, the expected payoff of a type-2 firm can be represented by:

,, b j, 1, 1 21 k0 j0 1 2 2 2 2 x, X 1 k j q L 2 2 2 2 2 U A L2 I x X I x s.t. I q L 2.. 1 2 2, b k 2 2,,, b j, 1, 1 21 k0 j0b k 2 2 1 2 1 x, X, kq1l 1 jq2l2 2 2 2 2 U A x, X I x

where $q_1$ ($q_2$) is the ratio of loss covered by the risk pool for type-1 firms (type-2 firms). Since the RPA is a mutual insurance organization and the participating firms equally share the loss as equity holders, the RPA covers the same amount of loss for all firms. We therefore focus on the case that $q_1 L_1 = q_2 L_2$. Differentiating $\Pi_j$ w.r.t. $I_j$, we get $I_j = (1 - q_j)L_j$ where j = 1, 2. The expected payoffs for type-1 and type-2 firms are, respectively:
, 1, b j,,, 1 b k 11 2 k0 j0 1 1 1 1 2 x, X k j1 1 1 1 U A q1l1 x X q1 L1 x, 1, b j,,, 1 b k 11 2 k0 j0 1 1 1 2 1 x, X, k j 1 1 1 U A q1l1 x X q1 L1 x,, b j, 1,, 1 b k 1 21 k0 j0 2 2 2 1 2 x, X k j1 2 2 2 U A q1l1 x X q2 L2 x,, b j, 1,, 1 b k 1 21 k0 j0 2 2 1 2 1 x, X. k j 2 2 2 U A q1l1 x X q2 L2 x

Since the analytical solutions to the case with heterogeneous firms are intractable, we use numerical examples to illustrate the equilibrium security investments, the firms' payoffs, and the equilibrium pool coverages. Similar to the numerical examples in the section on risk pooling arrangements, we assume $\pi(x_i, X_{-i}) = \exp(-2x_i - b \sum_{k=1,\dots,n;\,k \ne i} x_k)$ and $U(w) = w - w^2/20$, where b = −1/15. In addition, we let A = 8, $L_1 = 6$, and $L_2 = 4$. We assume that type-1 firms account for about one-half of the firms. In particular, $n_1 = n_2 = n/2$ when n is an even number and $n_1 = n_2 + 1$ when n is an odd number. Figures 4(a)–(c) show the security investments, the firms' payoffs, and the ratios of loss coverage for type-1 and type-2 firms.

[Please Insert Figure 4 Here.]

Figure 4(a) shows the firms' security investments in the cybersurance-only case, the RPA case, and the optimal case when security investments generate negative externalities. The solid curves represent a type-1 firm's security investments, and the dashed curves represent a type-2 firm's security investments. With heterogeneous firms, RPAs can still mitigate firms' overinvestment incentives. Both the type-1 firm's and type-2 firm's security investments in the
RPA case are significantly lower than their investments in the cybersurance-only case. Figure 4(b) compares the firms' expected payoffs. The curves show that the firms' expected payoffs in the RPA case are higher than their payoffs in the cybersurance-only case. Figure 4(c) illustrates the optimal ratios of loss covered by the risk pool for type-1 firms and type-2 firms. Similar to Figure 1(c), the pool coverages increase as the number of firms in the pool increases. We also examined the case in which security investments generate positive network externalities and found that the RPA cannot address the underinvestment issues. All of the findings in the section on risk pooling arrangements hold qualitatively.

We then examine firms' security investments and expected payoffs in the MSS case. The MSSP's profit can be represented as

$\max_{d, t, x} \Pi_m = \sum_{i=1}^{n} \big[t - \pi(x_i, X_{-i})\,d - x_i\big]$ s.t. $\pi(x, X)\,U(A - L + d - t) + (1 - \pi(x, X))\,U(A - t) \ge U_s$.

As we described in the section on managed security services, the MSSP has extensive security expertise and is therefore capable of evaluating the clients' security. In practice, the MSSP often needs to conduct an on-site inspection before serving a client. It is reasonable to assume that the MSSP can accurately diagnose and separate type-1 firms and type-2 firms. This assumption ensures that the MSSP does not need to practice price differentiation. Differentiating $\Pi_m$ w.r.t. d, we have d = L. The MSSP's profit can be simplified as

$\max_{t, x} \Pi_m = \sum_{i=1}^{n} \big[t - \pi(x_i, X_{-i})\,L - x_i\big]$ s.t. $U(A - t) \ge U_s$.

Again, we use numerical examples to illustrate the maximum number of firms for which a sustainable equilibrium exists, given the degree of network externalities, b. We use the same
parameter specifications as in Figure 4. In particular, $\pi(x_i, X_{-i}) = \exp(-2x_i - b \sum_{k=1,\dots,n;\,k \ne i} x_k)$, $U(w) = w - w^2/20$, A = 8, $L_1 = 6$ and $L_2 = 4$. In addition, $n_1 = n_2 = n/2$ when n is an even number, and $n_1 = n_2 + 1$ when n is an odd number.

[Please Insert Figure 5 Here.]

Figure 5 shows that when the security investments generate negative externalities (i.e., b < 0), the maximum number of firms that ensures a sustainable equilibrium is first increasing in b and then decreasing in b. When firms are heterogeneous, the countervailing effects of network externalities on the MSSP's service fee identified in the section on managed security services still exist. As a result, the maximum number of firms for a sustainable equilibrium changes in the same pattern as that in the homogeneous case. When the security investments generate positive externalities (i.e., b > 0), collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. The analysis and numerical illustrations show that all findings in the previous sections hold qualitatively. It is worth noting that the use of a common increasing and concave utility function in this paper, although rooted in the risk management literature, could be potentially restrictive. In reality, the payoffs of heterogeneous firms may be better modeled using different functions. The present study is the first step to gaining insights in using alternative solutions to manage interdependent security risks. A thorough study of the alternative risk management solutions for heterogeneous firms deserves further research.

Discussion and Conclusion

The objective of security risk management is to appropriately use security resources to reduce firms' risk exposure. The risk management approaches considered in this paper, third-party
cybersurance, MSSs, and RPAs, differ in their effectiveness in reducing risk exposure and inducing efficient security investments. Both cybersurance and MSSs provide complete risk transfer. As compared with cybersurance, MSSs induce a more efficient allocation of security resources because the MSSP, when serving all firms, internalizes the externalities of security investments between the member firms. RPAs, in contrast, do not provide complete risk transfer. However, they still help to induce more efficient security investments than cybersurance when security investments generate negative externalities. Both the internalization effect and the moral hazard effect associated with RPAs mitigate firms' overinvestment incentives.

In this paper, we focused on risk-averse firms. Note, however, that the analysis on the RPA and MSS solutions can also be applied to the case with risk-neutral firms, and all findings still hold. Even though the risk-neutral firms are indifferent to the choices of adopting cybersurance to hedge risks and bearing random losses, they might still be willing to adopt the solutions that address interdependent security risks. In particular, risk-neutral firms have incentives to use RPAs when the security investments generate negative externalities. In addition, MSSs can be used to address the investment inefficiency caused by interdependent risks; however, collective outsourcing to a MSSP is not sustainable when the number of firms is large. Risk-loving firms are likely to actively pursue risks to maximize their payoffs, and they are beyond the scope of this research.

In this paper, we assumed that the amount of loss is fixed in a security breach. If a firm's loss is a random amount in a security breach and the insurance company can specify a complete contingent insurance contract, a risk-neutral insurance company still provides full insurance to the risk-averse firm. In that case, the insurance company must be able to anticipate all loss contingencies and write the complete contingent contract, which details the compensation level
for each loss level. Similarly, the MSSP will offer full compensation for each loss level.

RPAs have traditionally been implemented in the forms of self-insurance, captives, risk retention groups, and pools to insure a wide variety of risks, such as medical practices, municipal liability, employee pension, and employee healthcare insurance. However, they have not been widely employed in the area of information security. Information security risks have the feature of risk interdependency, which challenges traditional risk management solutions and calls for alternative solutions. RPAs make firms share risks with one another within the pool and hence motivate firms to consider others' risks when making investment decisions. They thus have the potential to be an effective solution for interdependent risks in the area of information security. RPAs' ability to address interdependent information security risks also makes their use desirable, even when firms are risk-neutral. Thus, we see another advantage of using RPAs in information security: They empower firms to actively control interdependent risks, in addition to hedging risks for risk-averse firms. Additional advantages of using RPAs in information security include flexible policy development and larger capacity. Insurability of information security risks is often limited in the cybersurance market because of the lack of experience in dealing with new security risks. RPAs allow the policy terms to be tailored to member firms and therefore help cover new security risks. The cybersurance market is also limited in its capacity. RPAs could substantially increase the capacity of the risk management market, helping to insure against vast and ever-increasing information security risks.

Firms also face many operational challenges in implementing RPAs. In general, the process of implementation involves identifying the insurance coverages, determining premiums for the coverages, determining captive ownership and capitalization, identifying where the captive is
formed and regulated, issuing insurance policies, and managing claims [40]. Firms outside the insurance industry often lack experience in risk underwriting and claims management. Entering such a new business area would likely be very costly for them. In practice, insurance companies offer rent-a-captive services that provide firms with access to captive facilities. Thus, firms can use a rent-a-captive approach to establish and run their RPAs for information security risks. At the initial stage of implementation, a firm might start with a single-parent captive (i.e., a RPA with one firm) to manage security risks within its business units. Later, the firm might expand the RPA operation to the multi-firm context. Regulatory restrictions pose additional challenges to the implementation of RPAs. The insurance market is highly regulated, and the development of RPAs is subject to regulatory attitudes. For example, in many jurisdictions, certain lines of insurance can be underwritten only by an admitted commercial insurer, not by a mutual insurer. Other factors affecting the adoption of RPAs include restrictions on the risk pool's underwriting terms, the deductibility of insurance premiums for corporate taxation purposes, and the risk pool's access to the reinsurance market. Considering the potential that RPAs offer in coordinating firms' security investments, firms should actively promote RPAs to their regulatory agencies.

Security outsourcing enables firms to tap into the MSSP's security resources, skills, and capabilities. In practice, SLAs are often used in service outsourcing to specify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met [1]. In security outsourcing, SLAs enable firms to transfer the security risks to external service providers. In this regard, the MSSP serves not only as a service provider but also as an insurer. The MSSP takes into account the interaction between member firms when making security decisions for them. The MSS approach, therefore,
internalizes the externalities of security investments and provides a solution for interdependent security risks. The MSS approach also provides a collective solution to create security protections that are difficult for individual firms to implement. For example, serving clients over different jurisdictions enables the MSSP to trace and collapse botnets, which are geographically distributed [32]. From individual firms' perspectives, devoting sufficient efforts to combat such distributed networks is often unwarranted. In this regard, MSSs can offer a potential approach for managing distributed and interdependent risks. The MSS solution yields the optimal investment level when all interdependent firms adopt this solution. However, executives and security managers should recognize that collective outsourcing might not be incentive-compatible when the number of firms is large. Because of risk interdependency, an individual firm might be better off if it manages security in-house instead of using MSSs. Such an incentive of defection exists even when the MSSP has a cost advantage over individual firms in security management. These findings help explain why firms might not use the MSS solution, even when the MSSPs are often more capable of managing security risks. Executives and security managers should recognize the advantages and limitations of the MSS approach and choose their risk management solutions according to the interdependent nature of security risks.

The present study can be extended in many directions. First, we focused on the incentive-compatible solutions, and the proposed solutions help firms address the investment inefficiency issues and improve their security towards the optimal outcome. The findings in the present study provide useful managerial implications and insights. In the future, it would be desirable to investigate the incentive-compatible approaches that always yield the optimal
solution in the domain of information security. Second, we compared RPA and MSS solutions with cybersurance in addressing interdependent security risks. Future research might consider the interactions among the cybersurance, RPA, and MSS solutions. For example, the MSSP has better security skills than do the firms, in addition to cost advantages, and it may differentiate its services to better compete against the other two security management mechanisms. This is particularly important when firms are heterogeneous. The MSSP's service differentiation and competitive strategies in the presence of heterogeneous firms merit in-depth study. Finally, future research might also study various implementation issues of the risk-management solutions. For example, the use of SLAs in security outsourcing requires firms to deploy various measures to monitor the MSSP's performance and enforce the contract terms. Reputation systems for MSSPs can be an effective mechanism to motivate the MSSP to behave properly in the long term. The design of diverse mutual insurance policies for different types of IT security risks deserves more research attention.

Acknowledgement

Professor Andrew B. Whinston greatly acknowledges the support from NSF grant number 0831338 for the completion of this paper. The authors would like to thank three anonymous reviewers and the seminar participants at the University of Utah, the University of North Carolina at Charlotte, and the International Conference on Information Systems (ICIS 2009) for their feedback on the early draft of this paper.

References

1. Allen, J., Gabbard, D., and May, C. Outsourcing Managed Security Services. Carnegie Mellon Software Engineering Institute (2003) (available at www.cert.org/archive/pdf/omss.pdf)
2. Anderson, R. and Moore, T. The economics of information security. Science, 314 (2006), 610-613.
3. Axelrod, C.W. Outsourcing Information Security. Boston: Artech House, 2004.
4. Cavusoglu, H., Raghunathan, S., and Yue, W.T. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 2, (Fall 2008), 281-304.
5. Computer Security Institute. The 15th annual computer crime and security survey, (2011) (available at http://gocsi.com/survey).
6. Cremonini, M. and Nizovtsev, D. Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26, 3, (2009-10), 241-274.
7. Cummins, J.D. and Weiss, M.A. Organizational form and efficiency: The coexistence of stock and mutual property-liability insurers. Management Science, 45, 9, (1999), 1254-1270.
8. Doherty, N.A. and Dionne, G. Insurance with undiversifiable risk: Contract structure and organizational form of insurance firms. Journal of Risk and Uncertainty, 6, (1993), 187-203.
9. Gal-Or, E. and Ghose, A. The economic incentives for sharing security information. Information Systems Research, 16, 2, (2005), 186-208.
10. Gordon, L.A. and Loeb, M.P. The economics of information security investment. ACM Transactions on Information and Systems Security, 5, 4, (2002), 428-457.
11. Gordon, L.A., Loeb, M.P., and Lucyshyn, W. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22, (2003a), 461-485.
12. Gordon, L.A., Loeb, M.P., and Sohail, T. A framework for using insurance for cyber-risk
management. Communications of the ACM, 46, 3, (2003b), 81-85.
13. Gupta, A. and Zhdanov, D. Growth and sustainability of managed security services networks: An economic perspective. Forthcoming at Management Information Systems Quarterly, 36, X, (2012).
14. Herath, H.S.B. and Herath, T.C. Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25, 3 (2008), 337-375.
15. Holmstrom, B. Moral hazard in teams. Bell Journal of Economics, 13, 2, (1982), 324-340.
16. Hui, K.L., Hui, W. and Yue, W.T. Information security outsourcing with system interdependency and mandatory security requirement. Forthcoming at Journal of Management Information Systems, (2012).
17. Humphreys, P.K., Lai, M.K. and Sculli, D. An inter-organizational information system for supply chain management. International Journal of Production Economics, 70, 3, (April 2001), 245-255.
18. Infonetics Research. Managed security services hot despite cool economy due to growing threats, mobile devices, move to cloud. Infonetics Report, (2011).
19. Kumar, R.L., Park, S., and Subramaniam, C. Understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25, 2 (2008), 241-280.
20. Kunreuther, H. and Heal, G. Interdependent security. Journal of Risk and Uncertainty, 26, 2/3, (2003), 231-249.
21. Lee, C.H., Geng, X., and Raghunathan, S. Contracting information security in the presence of double moral hazard. Forthcoming at Information Systems Research (2012)
22. Lee, W. ad Lgo, J.A. Moral hazard rsk poolg arragemets. Joural of Rsk ad Isurace, 68,1, (2001), 175-190. 23. Lgo, J.A. ad Thstle, P.D. The formato of mutual surers markets wth adverse selecto. Joural of Busess, 78, 2, (2005), 529-555. 24. Malamud, S., Ru, H., ad Whsto, A.B. Optmal rsk sharg wth lmted lablty, Workg Paper, Natoal Ceter of Competece Research Facal Valuato ad Rsk Maagemet (2012) 25. Marshall, J.M. Isurace theory: Reserves versus mutualty. Ecoomc Iqury, 12, (1974), 476-492. 26. Mayers, D. Owershp structure across les of property-casualty surace. Joural of Law ad Ecoomcs, 31, (1988), 351-378. 27. Mayers, D. ad Smth, C.W. Cotractual provsos, orgazatoal structure ad coflct surace markets. Joural of Busess, 54, (1981), 407-434. 28. McQulla, L. H. How to work wth a maaged securty servce provder. I Tpto, H.F. ad Krause, M. (eds.) Iformato Securty Maagemet Hadbook. Boca Rato: CRC Press, (2007), 631-642. 29. Moha, R. 2010. How to defed agast DDoS attacks? Securty Week, Aprl 27, 2010 (avalable at http://www.securtyweek.com/cotet/how-defed-agast-ddos-attacks) 30. Motra, S.D., ad Koda, S.L. The survvablty of etwork systems: A emprcal aalyss. CMU/SEI-2000-TR-021, Software Egeerg Isttute/Computer Emergecy Respose Team (SEI/CERT ) Report, Carege Mello Uversty, Pttsburgh, PA, December 2000. 31. Ogut, H., Meo, N., ad Raghuatha, S. Cyber surace ad IT securty vestmet: Impact of terdepedet rsk. Workg paper, Uversty of Texas at Dallas (2005) 43
(avalable at http://foseco.et/workshop/pdf/56.pdf). 32. Ptsllds, A., Levcheko, K., Krebch, C., Kach, C., Voelker, G.M., Paxso, V., Weaver, N., ad Savage, S. Botet judo: Fghtg spam wth tself. I Proceedgs of the Network ad Dstrbuted System Securty Symposum (NDSS), Sa Dego, CA, February 2010 (avalable at http://www.soc.org/soc/cofereces/dss/10/pdf/12.pdf). 33. Rchmod, W.B., Sedma, A., ad Whsto A.B. Icomplete cotractg ssues formato systems developmet outsourcg. Decso Support Systems, 8, (1992), 459-477. 34. Rppo, A. Cyber hackers ca mess wth google---are you afrad for your busess? 2010 (avalable at http://ezeartcles.com/?cyber-hackers-ca-mess-wth-google---are-you-afrad-for-you r-busess?&d=3882184) 35. Rothschld, M., Stgltz, J. Equlbrum compettve surace markets: A essay o the ecoomcs of mperfect formato. The Quarterly Joural of Ecoomcs, 90, 4, (Nov. 1976), 629-649. 36. Scott, C. Nearly a ffth of U.S. PCs have o atvrus protecto. IDG News. May 30, 2012 (avalable at http://www.pcworld.com/artcle/256493/early_a_ffth_of_us_pcs_have_o_vrus_protecto _mcafee_fds.html) 37. Se, S., Raghu, T.S., ad Vze, A. Demad heterogeety IT frastructure servces: Modelg ad evaluato of a dyamc approach to defg servce levels. Iformato Systems Research, 20, 2, (Jue 2009), 258-276. 38. Shavell, S. O moral hazard ad surace. The Quarterly Joural of Ecoomcs, 93, 4, (Nov. 44
Table 1: Comparison between Cyberinsurance and RPAs

                  Cyberinsurance                                      RPA
Owner             Third-party insurers                                Policyholders
Risk transfer     Policyholders can completely transfer risks to      Policyholders always retain some risks.
                  insurers.
Examples          AIG's NetAdvantage, Lloyd's eComprehensive,         Captives, risk retention groups,
                  Chubb's CyberSecurity, Hiscox's Hacker.             self-insurance groups.

Table 2: Characteristics of Network Externalities (derivatives of the breach probability for the cases of no externalities, positive externalities, and negative externalities)

Figure 1: Firms' security investments, firms' payoffs, and the ratio of loss covered by a RPA when security investments generate negative externalities. Panels: (a) firms' security investments; (b) firms' payoffs; (c) ratio of loss covered by a RPA.
Figure 2: Maximum number of firms in a collective outsourcing equilibrium as a function of b

Figure 3: Maximum number of firms in a collective outsourcing equilibrium as a function of

Figure 4: Firms' security investments, firms' payoffs, and the ratios of loss covered by a RPA when security investments generate negative externalities in the heterogeneous case with two types of firms. Panels: (a) firms' security investment in the heterogeneous case; (b) firms' payoffs in the heterogeneous case; (c) ratio of loss covered by a RPA in the heterogeneous case.

Figure 5: Maximum number of firms in a collective outsourcing equilibrium as a function of b in the heterogeneous case with two types of firms