A Supply Chain Game Theory Framework for Cybersecurity Investments Under Network Vulnerability




Anna Nagurney, Ladimer S. Nagurney, and Shivani Shukla

In Computation, Cryptography, and Network Security, N.J. Daras and M.T. Rassias, Editors, Springer International Publishing Switzerland (2015), pp. 381-398.

Abstract In this paper, we develop a supply chain game theory framework consisting of retailers and consumers who engage in electronic transactions via the Internet and, hence, may be susceptible to cyberattacks. The retailers compete noncooperatively in order to maximize their expected profits by determining their optimal product transactions as well as cybersecurity investments in the presence of network vulnerability. The consumers reveal their preferences via the demand price functions, which depend on the product demands and on the average level of security in the supply chain network. We prove that the governing Nash equilibrium condit{ions of this model can be formulated as a variational inequality problem, provide qualitative properties of the equilibrium product transaction and security investment pattern, and propose an algorithm with nice features for implementation. The algorithm is then applied to two sets of numerical examples that reveal the impacts on the equilibrium product transactions, the security levels, the product prices, the expected profits, and the retailer vulnerability as well as the supply chain network vulnerability, of such issues as: increased competition, changes in the demand price functions, and changes in the security investment cost functions.

Key words: supply chains, cybersecurity, investments, game theory, Nash equilibrium, variational inequalities, network vulnerability

Anna Nagurney, Department of Operations and Information Management, Isenberg School of Management, University of Massachusetts, Amherst, Massachusetts 01003, e-mail: nagurney@isenberg.umass.edu
Ladimer S. Nagurney, Department of Electrical and Computer Engineering, University of Hartford, West Hartford, Connecticut 06117, e-mail: nagurney@hartford.edu
Shivani Shukla, Department of Operations and Information Management, Isenberg School of Management, University of Massachusetts, Amherst, Massachusetts 01003, e-mail: sshukla@som.umass.edu

1 Introduction

As supply chains have become increasingly globalized and complex, there are new risks and vulnerabilities associated with their IT infrastructure due to a spectrum of cyberattacks with greater exposure for both firms and consumers. Coupled with cyberattacks are associated costs, in the form of financial damages incurred by the supply chain firms, the loss of their reputations, as well as opportunity costs, etc. Consumers may also be affected financially by cyberattacks and suffer from the associated disruptions. Cyberattacks can affect numerous different industrial sectors from financial services, energy providers, high tech firms, and retailers to the healthcare sector as well as governments. As noted in [16], the Center for Strategic and International Studies [3] reports that the estimated annual cost to the global economy from cybercrime is more than $400 billion with a conservative estimate being $375 billion in losses, more than the national income of most countries. For example, the 2013 breach of the major US-based retailer, Target, was accomplished when the cyberattacker entered a vulnerable supply chain link by exploiting the vulnerability in the remote diagnostics of the HVAC system supplier connected to Target's IT system. In the attack, an estimated 40 million payment cards were stolen between November 27 and December 15, 2013 and upwards of 70 million other personal records compromised (cf. [10]). Target suffered not only financial damages but also reputational costs. Other cyber data breaches have occurred at the luxury retailer Neiman Marcus, the restaurant chain P.F. Chang's, and the media giant Sony (cf. [17]). The Ponemon Institute [22] calculates that the average annualized cost of cybercrime for 60 organizations in their study is $11.6 million per year, with a range of $1.3 million to $58 million. According to The Security Ledger [25], cyber supply chain risk escapes notice at many firms. Mandiant [11] reports that 229 was the median number of days in 2013 that threat groups were present on a victim's network before detection.

Given the impact of cybercrime on the economy and society, there is great interest in evaluating cybersecurity investments. Each year $5 billion is spent by organizations in the United States to provide security for communications and information systems (see [8], [3]). Nevertheless, breaches due to cyberattacks continue to make huge negative economic impacts on businesses and society at-large. There is, hence, growing interest in the development of rigorous scientific tools that can help decision-makers assess the impacts of cybersecurity investments. What is essential to note, however, is that in many industries, including retail, investments by one decision-maker may affect the decisions of others and the overall supply chain network security (or vulnerability). Hence, a holistic approach is needed and some are even calling for a new discipline of cyber supply chain risk management ([2]).

In this paper, we develop a supply chain game theory model consisting of two tiers: the retailers and the consumers. The retailers select the product transactions and their security levels so as to maximize their expected profits. The probability of a successful attack on a retailer depends not only on that retailer's investment in security but also on the security investments of the other retailers. Hence, the retailers and consumers are connected. In our previous work (see [17]), we assumed

that the probability of a successful attack on a seller depended only on his own security investments. We know that in retail, which we consider in a broad sense here from consumer goods to even financial services, including retail banks, decision-makers interact and may share common suppliers, IT providers, etc. Hence, it is imperative to capture the network effects associated with security investments and the associated impacts. In our model, retailers seek to maximize their expected profits with the prices that the consumers are willing to pay for the product being a function not only of the demand but also of the average security in the supply chain which we refer to as the cybersecurity or network security. The retailers compete noncooperatively until a Nash equilibrium is achieved, whereby no retailer can improve upon his expected profit by making a unilateral decision in changing his product transactions and security level. Our approach is inspired, in part, by the work of Shetty et al. [24], but it is significantly more general since the retailers, that is, the firms, are not identical and we explicitly also capture the demand side of the supply chain network. Moreover, the retailers may be faced with distinct security investment cost functions, given their existing IT infrastructure and business scope and size, and they can also be spatially separated. Our framework can handle both online retailers and brick and mortar ones. In addition, the retailers are faced with, possibly, different financial damages in the case of a cyberattack. For simplicity of exposition and clarity, we focus on a single type of attack. For a survey of game theory, as applied to network security and privacy, we refer the reader to Manshaei et al. [12]. For highlights of optimization models for cybersecurity investments, see [9].

The supply chain game theory model is developed in Section 2. The behavior of the retailers is captured, the Nash equilibrium defined and the variational inequality formulation derived. We also provide some qualitative properties of the equilibrium product transaction and security level pattern. In Section 3, we outline the algorithm that we then utilize in Section 4 to compute solutions to our numerical examples. In two sets of numerical supply chain network examples, we illustrate the impacts of a variety of changes on the equilibrium solution, and on the retailer and supply chain network vulnerability. In Section 5, we summarize our results and present the conclusions along with suggestions for future research.

2 The Supply Chain Game Theory Model of Cybersecurity Investments Under Network Vulnerability

In the model, we consider m retailers that are spatially separated and that sell a product to n consumers. The retailers may be online retailers, engaging with consumers through electronic commerce, and/or brick and mortar retailers. Since our focus is on cybersecurity, that is, network security, we assume that the transactions in terms of payments for the product occur electronically through credit cards and/or debit cards. Consumers may also conduct searches to obtain information through cyberspace. We emphasize that here we consider retailers in a broad sense, and they

may include consumer goods retailers, pharmacies, high technology product outlets, and even financial service firms as well as retail banks. The network topology of the supply chain model, which consists of a tier of retailers and a tier of consumers, is depicted in Figure 1. Since the Internet is needed for the transactions between retailers and consumers to take place, network security is relevant. Each retailer in our model is susceptible to a cyberattack through the supply chain network since retailers may interact with one another as well as with common suppliers and also share consumers. The retailers may suffer from financial damage as a consequence of a successful cyberattack, losses due to identity theft, opportunity costs, as well as a loss in reputation, etc. Similarly, consumers are sensitive as to how secure their transactions are with the retailers.

Fig. 1 The network structure of the supply chain game theory model (a tier of retailers 1, ..., i, ..., m linked to a tier of consumers 1, ..., j, ..., n)

We denote a typical retailer by i and a typical consumer by j. Let $Q_{ij}$ denote the nonnegative volume of the product transacted between retailer i and consumer j. Here $s_i$ denotes the network security level, or, simply, the security of retailer i. The strategic variables of retailer i consist of his product transactions $\{Q_{i1}, \dots, Q_{in}\}$ and his security level $s_i$. We group the product transactions of all retailers into the vector $Q \in R^{mn}_+$ and the security levels of all retailers into the vector $s \in R^m_+$. All vectors here are assumed to be column vectors, except where noted. We have $s_i \in [0, 1]$, with a value of 0 meaning no network security and a value of 1 representing perfect security. Therefore,

$0 \le s_i \le 1, \quad i = 1, \dots, m.$ (1)

The network security level of the retail-consumer supply chain is denoted by $\bar s$ and is defined as the average network security where

$\bar s = \frac{1}{m} \sum_{i=1}^m s_i.$ (2)

Let $p_i$ denote the probability of a successful cyberattack on retailer i in the supply chain network. Associated with the successful attack is the incurred financial damage $D_i$. Distinct retailers may suffer different amounts of financial damage as a consequence of a cyberattack due to their size and their existing infrastructure including cyber infrastructure. As discussed in [23] and [24], but for an oligopoly model with identical firms and no demand side represented in the network, $p_i$ depends on the chosen security level $s_i$ and on the network security level $\bar s$ as in (2). Using similar arguments as therein, we also define the probability $p_i$ of a successful cyberattack on retailer i as

$p_i = (1 - s_i)(1 - \bar s), \quad i = 1, \dots, m,$ (3)

where the term $(1 - \bar s)$ represents the probability of a cyberattack in the supply chain network and the term $(1 - s_i)$ represents the probability of success of such an attack on retailer i. The network vulnerability level $v = 1 - \bar s$ with retailer i's vulnerability level $v_i$ being $1 - s_i$; $i = 1, \dots, m$.

In terms of cybersecurity investment, each retailer i, in order to acquire security $s_i$, encumbers an investment cost $h_i(s_i)$ with the function assumed to be continuously differentiable and convex. Note that distinct retailers, because of their size and existing cyber infrastructure (both hardware and software), may be faced with different investment cost functions. We assume that, for a given retailer i, $h_i(0) = 0$ denotes an entirely insecure retailer and $h_i(1) = \infty$ is the investment cost associated with complete security for the retailer (see [23, 24]). An example of a suitable $h_i(s_i)$ function is

$h_i(s_i) = \alpha_i \left( \frac{1}{\sqrt{1 - s_i}} - 1 \right) \quad \text{with } \alpha_i > 0.$ (4)

The term $\alpha_i$ allows for different retailers to have distinct investment cost functions based on their size and needs.

The demand for the product by consumer j is denoted by $d_j$ and it must satisfy the following conservation of flow equation:

$d_j = \sum_{i=1}^m Q_{ij}, \quad j = 1, \dots, n,$ (5)

where

$Q_{ij} \ge 0, \quad i = 1, \dots, m; \; j = 1, \dots, n,$ (6)

that is, the demand for each consumer is satisfied by the sum of the product transactions between all the retailers with the consumer. We group the demands for the product for all buyers into the vector $d \in R^n_+$. The consumers reveal their preferences for the product through their demand price functions, with the demand price function for consumer j, $\rho_j$, being:

$\rho_j = \rho_j(d, \bar s), \quad j = 1, \dots, n.$ (7)

Observe that the demand price depends, in general, on the quantities transacted between the retailers and the consumers and the network security level. The consumers are only aware of the average network security level of the supply chain. This is reasonable since consumers may have information about a retail industry in terms of its cyber investments and security but it is unlikely that individual consumers would have information on individual retailers' security levels. Hence, as in the model of Nagurney and Nagurney [17], there is information asymmetry (cf. [1]). In view of (2) and (5), we can define $\hat\rho_j(Q, s) \equiv \rho_j(d, \bar s)$, $\forall j$. These demand price functions are assumed to be continuous, continuously differentiable, decreasing with respect to the respective consumer's own demand and increasing with respect to the network security level.

The revenue of retailer i; $i = 1, \dots, m$, (in the absence of a cyberattack) is:

$\sum_{j=1}^n \hat\rho_j(Q, s) Q_{ij}.$ (8)

Each retailer i; $i = 1, \dots, m$, is faced with a cost $c_i$ associated with the processing and the handling of the product and transaction costs $c_{ij}(Q_{ij})$; $j = 1, \dots, n$, in dealing with the consumers. His total cost, hence, is given by:

$c_i \sum_{j=1}^n Q_{ij} + \sum_{j=1}^n c_{ij}(Q_{ij}).$ (9)

The transaction costs, in the case of electronic commerce, can include the costs of transporting/shipping the product to the consumers. The transaction costs can also include the cost of using the network services, taxes, etc. We assume that the transaction cost functions are convex and continuously differentiable.

The profit $f_i$ of retailer i; $i = 1, \dots, m$ (in the absence of a cyberattack and security investment) is the difference between the revenue and his costs, that is,

$f_i(Q, s) = \sum_{j=1}^n \hat\rho_j(Q, s) Q_{ij} - c_i \sum_{j=1}^n Q_{ij} - \sum_{j=1}^n c_{ij}(Q_{ij}).$ (10)

If there is a successful cyberattack, a retailer i; $i = 1, \dots, m$, incurs an expected financial damage given by

$D_i p_i,$ (11)

where $D_i$ takes on a positive value.

Using expressions (3), (10), and (11), the expected utility, $E(U_i)$, of retailer i; $i = 1, \dots, m$, which corresponds to his expected profit, is:

$E(U_i) = (1 - p_i) f_i(Q, s) + p_i (f_i(Q, s) - D_i) - h_i(s_i).$ (12)

We group the expected utilities of all the retailers into the m-dimensional vector $E(U)$ with components: $\{E(U_1), \dots, E(U_m)\}$.

Let $K^i$ denote the feasible set corresponding to retailer i, where $K^i \equiv \{(Q_i, s_i) \mid Q_i \ge 0, \text{ and } 0 \le s_i \le 1\}$ and define $K \equiv \prod_{i=1}^m K^i$.

The retailers compete noncooperatively in supplying the product and invest in cybersecurity, each one trying to maximize his own expected profit. We seek to determine a nonnegative product transaction and security level pattern $(Q^*, s^*)$ for which the retailers will be in a state of equilibrium as defined below. Nash [20, 21] generalized Cournot's concept (see [4]) of an equilibrium for a model of several players, that is, decision-makers, each of which acts in his/her own self-interest, in what has come to be called a noncooperative game.

Definition 1: A Supply Chain Nash Equilibrium in Product Transactions and Security Levels
A product transaction and security level pattern $(Q^*, s^*) \in K$ is said to constitute a supply chain Nash equilibrium if for each retailer i; $i = 1, \dots, m$,

$E(U_i(Q^*_i, s^*_i, \hat Q^*_i, \hat s^*_i)) \ge E(U_i(Q_i, s_i, \hat Q^*_i, \hat s^*_i)), \quad \forall (Q_i, s_i) \in K^i,$ (13)

where

$\hat Q^*_i \equiv (Q^*_1, \dots, Q^*_{i-1}, Q^*_{i+1}, \dots, Q^*_m); \quad \text{and} \quad \hat s^*_i \equiv (s^*_1, \dots, s^*_{i-1}, s^*_{i+1}, \dots, s^*_m).$ (14)

According to (13), an equilibrium is established if no retailer can unilaterally improve upon his expected profits by selecting an alternative vector of product transactions and security levels.

2.1 Variational Inequality Formulations

We now present alternative variational inequality formulations of the above supply chain Nash equilibrium in product transactions and security levels.

Theorem 1 Assume that, for each retailer i; $i = 1, \dots, m$, the expected profit function $E(U_i(Q, s))$ is concave with respect to the variables $\{Q_{i1}, \dots, Q_{in}\}$, and $s_i$, and is continuous and continuously differentiable. Then $(Q^*, s^*) \in K$ is a supply chain Nash equilibrium according to Definition 1 if and only if it satisfies the variational inequality

$-\sum_{i=1}^m \sum_{j=1}^n \frac{\partial E(U_i(Q^*, s^*))}{\partial Q_{ij}} \times (Q_{ij} - Q^*_{ij}) - \sum_{i=1}^m \frac{\partial E(U_i(Q^*, s^*))}{\partial s_i} \times (s_i - s^*_i) \ge 0, \quad \forall (Q, s) \in K,$ (15)

or, equivalently, $(Q^*, s^*) \in K$ is a supply chain Nash equilibrium product transaction and security level pattern if and only if it satisfies the variational inequality

$\sum_{i=1}^m \sum_{j=1}^n \left[ c_i + \frac{\partial c_{ij}(Q^*_{ij})}{\partial Q_{ij}} - \hat\rho_j(Q^*, s^*) - \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^*, s^*)}{\partial Q_{ij}} Q^*_{ik} \right] \times (Q_{ij} - Q^*_{ij})$
$+ \sum_{i=1}^m \left[ \frac{\partial h_i(s^*_i)}{\partial s_i} - \left( \frac{1 - s^*_i}{m} + 1 - \frac{\sum_{j \ne i} s^*_j + s^*_i}{m} \right) D_i - \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^*, s^*)}{\partial s_i} Q^*_{ik} \right] \times (s_i - s^*_i) \ge 0, \quad \forall (Q, s) \in K.$ (16)

Proof: (15) follows directly from Gabay and Moulin [7] and Dafermos and Nagurney [5]. In order to obtain variational inequality (16) from variational inequality (15), we note that, at the equilibrium:

$-\frac{\partial E(U_i)}{\partial Q_{ij}} = c_i + \frac{\partial c_{ij}(Q^*_{ij})}{\partial Q_{ij}} - \hat\rho_j(Q^*, s^*) - \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^*, s^*)}{\partial Q_{ij}} Q^*_{ik}; \quad \forall i, j,$ (17)

and

$-\frac{\partial E(U_i)}{\partial s_i} = \frac{\partial h_i(s^*_i)}{\partial s_i} - \left( \frac{1 - s^*_i}{m} + 1 - \frac{\sum_{j \ne i} s^*_j + s^*_i}{m} \right) D_i - \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^*, s^*)}{\partial s_i} Q^*_{ik}; \quad \forall i.$ (18)

Making the respective substitutions using (17) and (18) in variational inequality (15) yields variational inequality (16).

We now put the above Nash equilibrium problem into standard variational inequality form, that is: determine $X^* \in \mathcal K \subset R^N$, such that

$\langle F(X^*), X - X^* \rangle \ge 0, \quad \forall X \in \mathcal K,$ (19)

where F is a given continuous function from $\mathcal K$ to $R^N$ and $\mathcal K$ is a closed and convex set. We define the $(mn + m)$-dimensional vector $X \equiv (Q, s)$ and the $(mn + m)$-dimensional vector $F(X) = (F^1(X), F^2(X))$ with the $(i, j)$-th component, $F^1_{ij}$, of $F^1(X)$ given by

$F^1_{ij}(X) \equiv -\frac{\partial E(U_i(Q, s))}{\partial Q_{ij}},$ (20)

and the i-th component, $F^2_i$, of $F^2(X)$ given by

$F^2_i(X) \equiv -\frac{\partial E(U_i(Q, s))}{\partial s_i},$ (21)

and with the feasible set $\mathcal K \equiv K$. Then, clearly, variational inequality (15) can be put into standard form (19). In a similar way, one can prove that variational inequality (16) can also be put into standard variational inequality form (19).

Additional background on the variational inequality problem can be found in the books by Nagurney [14] and Nagurney et al. [19].

2.2 Qualitative Properties

It is reasonable to expect that the expected utility of any seller i, $E(U_i(Q, s))$, would decrease whenever his product volume has become sufficiently large, that is, when $E(U_i)$ is differentiable, $\frac{\partial E(U_i(Q, s))}{\partial Q_{ij}}$ is negative for sufficiently large $Q_{ij}$. Hence, the following assumption is not unreasonable:

Assumption 1 Suppose that in our supply chain game theory model there exists a sufficiently large M, such that for any (i, j),

$\frac{\partial E(U_i(Q, s))}{\partial Q_{ij}} < 0,$ (22)

for all product transaction patterns Q with $Q_{ij} \ge M$.

We now give an existence result.

Proposition 1 Any supply chain Nash equilibrium problem in product transactions and security levels, as modeled above, that satisfies Assumption 1 possesses at least one equilibrium product transaction and security level pattern.

Proof: The proof follows from Proposition 1 in Zhang and Nagurney [26].

We now present the uniqueness result, the proof of which follows from the basic theory of variational inequalities (cf. [14]).

Proposition 2 Suppose that F is strictly monotone at any equilibrium point of the variational inequality problem defined in (19). Then it has at most one equilibrium point.

3 The Algorithm

For computational purposes, we will utilize the Euler method, which is induced by the general iterative scheme of Dupuis and Nagurney [6]. Specifically, iteration τ of the Euler method (see also [14]) is given by:

$X^{\tau+1} = P_{\mathcal K}(X^\tau - a_\tau F(X^\tau)),$ (23)

where $P_{\mathcal K}$ is the projection on the feasible set $\mathcal K$ and F is the function that enters the variational inequality problem (19).

As proven in [6], for convergence of the general iterative scheme, which induces the Euler method, the sequence $\{a_\tau\}$ must satisfy: $\sum_{\tau=0}^\infty a_\tau = \infty$, $a_\tau > 0$, $a_\tau \to 0$, as $\tau \to \infty$. Specific conditions for convergence of this scheme as well as various applications to the solutions of other network-based game theory models can be found in [5], [6], and the references therein.

Explicit Formulae for the Euler Method Applied to the Supply Chain Game Theory Model

The elegance of this procedure for the computation of solutions to our model is apparent from the following explicit formulae. In particular, we have the following closed form expression for the product transactions $i = 1, \dots, m$; $j = 1, \dots, n$:

$Q^{\tau+1}_{ij} = \max\left\{0, Q^\tau_{ij} + a_\tau \left( \hat\rho_j(Q^\tau, s^\tau) + \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^\tau, s^\tau)}{\partial Q_{ij}} Q^\tau_{ik} - c_i - \frac{\partial c_{ij}(Q^\tau_{ij})}{\partial Q_{ij}} \right) \right\},$ (24)

and the following closed form expression for the security levels $i = 1, \dots, m$:

$s^{\tau+1}_i = \max\left\{0, \min\left\{1, s^\tau_i + a_\tau \left( \sum_{k=1}^n \frac{\partial \hat\rho_k(Q^\tau, s^\tau)}{\partial s_i} Q^\tau_{ik} - \frac{\partial h_i(s^\tau_i)}{\partial s_i} + \left( \frac{1 - s^\tau_i}{m} + 1 - \frac{\sum_{j \ne i} s^\tau_j + s^\tau_i}{m} \right) D_i \right) \right\} \right\}.$ (25)

We now provide the convergence result. The proof is direct from Theorem 5.8 in [19].

Theorem 2 In the supply chain game theory model developed above let $F(X) = -\nabla E(U(Q, s))$ be strictly monotone at any equilibrium pattern and assume that Assumption 1 is satisfied. Also, assume that F is uniformly Lipschitz continuous. Then there exists a unique equilibrium product transaction and security level pattern $(Q^*, s^*) \in \mathcal K$ and any sequence generated by the Euler method as given by (23), with $\{a_\tau\}$ satisfying $\sum_{\tau=0}^\infty a_\tau = \infty$, $a_\tau > 0$, $a_\tau \to 0$, as $\tau \to \infty$, converges to $(Q^*, s^*)$.

In the next Section, we apply the Euler method to compute solutions to numerical game theory problems.

4 Numerical Examples

We implemented the Euler method, as discussed in Section 3, using FORTRAN on a Linux system at the University of Massachusetts Amherst. The convergence criterion was $\epsilon = 10^{-4}$. Hence, the Euler method was considered to have converged if, at a given iteration, the absolute value of the difference of each product transaction and each security level differed from its respective value at the preceding iteration by no more than ε.

The sequence $\{a_\tau\}$ was: $.1(1, \frac{1}{2}, \frac{1}{2}, \frac{1}{3}, \frac{1}{3}, \frac{1}{3}, \dots)$. We initialized the Euler method by setting each product transaction $Q_{ij} = 1.00$, $\forall i, j$, and the security level of each retailer $s_i = 0.00$, $\forall i$.

We present two sets of numerical examples. Each set of examples consists of an example with four variants.

Example Set 1

The first set of examples consists of two retailers and two consumers as depicted in Figure 2. This set of examples begins with the baseline Example 1, followed by four variants. The equilibrium solutions are reported in Table 1.

Fig. 2 Network Topology for Example Set 1 (Retailers 1, 2 linked to Consumers 1, 2)

The cost function data for Example 1 are:

$c_1 = 5$, $c_2 = 10$, $c_{11}(Q_{11}) = .5Q_{11}^2 + Q_{11}$, $c_{12}(Q_{12}) = .25Q_{12}^2 + Q_{12}$, $c_{21}(Q_{21}) = .5Q_{21}^2 + 2Q_{21}$, $c_{22}(Q_{22}) = .25Q_{22}^2 + Q_{22}$.

The demand price functions are:

$\rho_1(d_1, \bar s) = -d_1 + .1\left(\frac{s_1 + s_2}{2}\right) + 100$, $\rho_2(d_2, \bar s) = -.5d_2 + .2\left(\frac{s_1 + s_2}{2}\right) + 200$.

The damage parameters are: $D_1 = 50$ and $D_2 = 70$ with the investment functions taking the form:

$h_1(s_1) = \left(\frac{1}{\sqrt{1 - s_1}} - 1\right)$, $h_2(s_2) = \left(\frac{1}{\sqrt{1 - s_2}} - 1\right)$.

As can be seen from the results in Table 1 for Example 1, the equilibrium demand for Consumer 2 is over 4 times greater than that for Consumer 1. The price that Consumer 1 pays is about one half of that of Consumer 2. Both retailers invest in security and achieve equilibrium security levels of .91. Hence, in Example 1 the vulnerability of Retailer 1 is .09 and that of Retailer 2 is also .09, with the network vulnerability being .09.
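To make the Euler method of Section 3 concrete on the data of Example 1, the following Python program is an added example written for this page (it is not the FORTRAN implementation the paper describes): it runs iteration (23) through the closed forms (24) and (25) with the paper's stopping criterion ε = 10^{-4}. It assumes the linear demand price and square-root investment cost forms given for Example 1, and, as an assumption of the example, a small constant step a_τ = .002 in place of the paper's diminishing sequence .1(1, 1/2, 1/2, 1/3, ...).

```python
import math

# Example 1 data from the paper: m = 2 retailers, n = 2 consumers.
EXAMPLE_1 = {
    "c": [5.0, 10.0],                                  # c_i: unit processing/handling cost
    "trans": [[(0.5, 1.0), (0.25, 1.0)],               # c_ij(Q) = a*Q^2 + b*Q, stored as (a, b)
              [(0.5, 2.0), (0.25, 1.0)]],
    "price": [(1.0, 0.1, 100.0), (0.5, 0.2, 200.0)],   # rho_j = -slope*d_j + gamma*sbar + const
    "D": [50.0, 70.0],                                 # financial damage D_i of a successful attack
    "alpha": [1.0, 1.0],                               # h_i(s) = alpha_i*(1/sqrt(1-s) - 1), eq (4)
}


def demand_price(model, Q, s, j):
    """rho_j(d, sbar): d_j = sum_i Q_ij (eq (5)), sbar = average security (eq (2))."""
    slope, gamma, const = model["price"][j]
    d_j = sum(row[j] for row in Q)
    return -slope * d_j + gamma * sum(s) / len(s) + const


def grad_Q(model, Q, s, i, j):
    """dE(U_i)/dQ_ij, the bracket in (24). Only rho_j depends on Q_ij (through d_j),
    so sum_k drho_k/dQ_ij * Q_ik collapses to -slope_j * Q_ij."""
    slope = model["price"][j][0]
    a, b = model["trans"][i][j]
    return (demand_price(model, Q, s, j) - slope * Q[i][j]
            - model["c"][i] - (2.0 * a * Q[i][j] + b))


def grad_s(model, Q, s, i):
    """dE(U_i)/ds_i, the bracket in (25). With p_i = (1-s_i)(1-sbar) from (3),
    -D_i*dp_i/ds_i = D_i*[(1-sbar) + (1-s_i)/m], and drho_k/ds_i = gamma_k/m."""
    m = len(s)
    if s[i] >= 1.0:
        return -math.inf  # h_i'(1) is infinite under (4): perfect security is unaffordable
    sbar = sum(s) / m
    price_term = sum(model["price"][k][1] / m * Q[i][k] for k in range(len(Q[i])))
    h_prime = 0.5 * model["alpha"][i] * (1.0 - s[i]) ** -1.5
    return price_term - h_prime + model["D"][i] * ((1.0 - sbar) + (1.0 - s[i]) / m)


def euler_method(model, step=0.002, eps=1e-4, max_iter=200000):
    """Projected iteration (23) via the closed forms (24)-(25), started from
    Q_ij = 1.00 and s_i = 0.00, stopped when no variable moves by more than eps.
    Assumption of this example: a constant step a_tau = step (the paper's run used
    the diminishing sequence .1(1, 1/2, 1/2, 1/3, ...))."""
    m, n = len(model["D"]), len(model["price"])
    Q = [[1.0] * n for _ in range(m)]
    s = [0.0] * m
    for _ in range(max_iter):
        Q_new = [[max(0.0, Q[i][j] + step * grad_Q(model, Q, s, i, j))
                  for j in range(n)] for i in range(m)]
        s_new = [min(1.0, max(0.0, s[i] + step * grad_s(model, Q, s, i)))
                 for i in range(m)]
        moved = max([abs(Q_new[i][j] - Q[i][j]) for i in range(m) for j in range(n)]
                    + [abs(s_new[i] - s[i]) for i in range(m)])
        Q, s = Q_new, s_new
        if moved <= eps:
            return Q, s
    raise RuntimeError("Euler method did not converge within max_iter")


def expected_profit(model, Q, s, i):
    """E(U_i) from (12): (1-p_i)*f_i + p_i*(f_i - D_i) - h_i(s_i), with f_i from (10)."""
    revenue = sum(demand_price(model, Q, s, j) * q for j, q in enumerate(Q[i]))
    cost = model["c"][i] * sum(Q[i]) + sum(a * q * q + b * q
                                           for (a, b), q in zip(model["trans"][i], Q[i]))
    f_i = revenue - cost
    p_i = (1.0 - s[i]) * (1.0 - sum(s) / len(s))        # eq (3)
    h_i = model["alpha"][i] * (1.0 / math.sqrt(1.0 - s[i]) - 1.0)
    return (1.0 - p_i) * f_i + p_i * (f_i - model["D"][i]) - h_i


def solve(model=EXAMPLE_1):
    """Equilibrium transactions, security levels, demands, prices, vulnerabilities, profits."""
    Q, s = euler_method(model)
    n = len(model["price"])
    sbar = sum(s) / len(s)
    return {
        "Q": Q, "s": s, "sbar": sbar,
        "d": [sum(row[j] for row in Q) for j in range(n)],
        "rho": [demand_price(model, Q, s, j) for j in range(n)],
        "vulnerability": [1.0 - x for x in s],           # v_i = 1 - s_i
        "network_vulnerability": 1.0 - sbar,             # v = 1 - sbar
        "E": [expected_profit(model, Q, s, i) for i in range(len(s))],
    }


if __name__ == "__main__":
    r = solve()
    for i in range(len(r["s"])):
        print(f"Retailer {i + 1}: Q = {[round(q, 2) for q in r['Q'][i]]}, "
              f"s = {r['s'][i]:.3f}, v = {r['vulnerability'][i]:.3f}, E(U) = {r['E'][i]:.2f}")
    print(f"demands {[round(x, 2) for x in r['d']]}, prices {[round(x, 2) for x in r['rho']]}, "
          f"network vulnerability {r['network_vulnerability']:.3f}")
```

At the reported precision the run reproduces the Example 1 column of Table 1 (Q*_11 ≈ 24.27, Q*_12 ≈ 98.3, security levels ≈ .91, network vulnerability ≈ .09), and the same functions accept the Variant or Set 2 data once a third retailer row is added.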

In the first variant of Example 1, Variant 1.1, we change the demand price function of Consumer 1 to reflect an enhanced willingness to pay more for the product. The new demand price function for Consumer 1 is:

$\rho_1(d_1, \bar s) = -d_1 + .1\left(\frac{s_1 + s_2}{2}\right) + 200.$

The product transactions to Consumer 1 more than double from their corresponding values in Example 1, whereas those to Consumer 2 remain unchanged. The security level of Retailer 2 increases slightly whereas that of Retailer 1 remains unchanged. Both retailers benefit from increased expected profits. The vulnerability of Retailer 2 is decreased slightly to .08.

Variant 1.2 is constructed from Variant 1.1. Consumer 2 no longer values the product much so his demand price function is

$\rho_2(d_2, \bar s) = -.5d_2 + .2\left(\frac{s_1 + s_2}{2}\right) + 20,$

with the remainder of the data as in Variant 1.1. The product transactions decrease by almost an order of magnitude to the second consumer and the retailers experience reduced expected profits by about 2/3 as compared to those in Variant 1.1. The vulnerability of Retailer 1 is now .12 and that of Retailer 2: .11 with the network vulnerability being: .115.

Variant 1.3 is constructed from Example 1 by increasing both security investment cost functions so that:

$h_1(s_1) = 100\left(\frac{1}{\sqrt{1 - s_1}} - 1\right)$, $h_2(s_2) = 100\left(\frac{1}{\sqrt{1 - s_2}} - 1\right)$

and having new damages: $D_1 = 500$ and $D_2 = 700$. With the increased costs associated with cybersecurity investments both retailers decrease their security levels to the lowest level of all the examples solved, thus far. The vulnerability of Retailer 1 is now .34 and that of Retailer 2: .28 with the network vulnerability = .31.

Variant 1.4 has the same data as Variant 1.3, but we now further increase Retailer 2's investment cost function as follows:

$h_2(s_2) = 1000\left(\frac{1}{\sqrt{1 - s_2}} - 1\right).$

Retailer 2 now has an equilibrium security level that is one quarter of that in Variant 1.3. Not only do his expected profits decline but also those of Retailer 1 do. The vulnerability of Retailer 1 is now: .27 and that of Retailer 2: .82. The network vulnerability for this example is: .54, the highest value in this set of examples. The cybersecurity investment cost associated with Retailer 2 is so high that he greatly reduces his security level. Moreover, the network security is approximately half of that obtained in Example 1.

Table 1 Equilibrium Solutions for Examples in Set 1

Solution              Ex. 1      Var. 1.1   Var. 1.2   Var. 1.3   Var. 1.4
Q*_11                 24.27      49.27      49.27      24.27      24.26
Q*_12                 98.30      98.30      8.30       98.32      98.30
Q*_21                 21.27      46.27      46.27      21.27      21.26
Q*_22                 93.36      93.36      3.38       93.32      93.30
d*_1                  45.55      95.55      95.55      45.53      45.52
d*_2                  191.66     191.66     11.68      191.64     191.59
s*_1                  .91        .91        .88        .66        .73
s*_2                  .91        .92        .89        .72        .18
\bar s*               .91        .915       .885       .69        .46
ρ_1(d*_1, \bar s*)    54.55      104.55     104.54     54.54      54.52
ρ_2(d*_2, \bar s*)    104.35     104.35     14.34      104.32     104.30
E(U_1)                8136.45    10894.49   3693.56    82.93      803.09
E(U_2)                725.0      9748.7     3219.94    794.3      699.

Example Set 2

The second set of numerical examples consists of three retailers and two consumers as shown in Figure 3.

Fig. 3 Network Topology for Example Set 2 (Retailers 1, 2, 3 linked to Consumers 1, 2)

In order to enable cross comparisons between the two example sets, we construct Example 2, which is the baseline example in this set, from Example 1 in Set 1. Therefore, the data for Example 2 is identical to that in Example 1 except for the new Retailer 3 data as given below:

$c_3 = 3$, $c_{31}(Q_{31}) = Q_{31}^2 + 3Q_{31}$, $c_{32}(Q_{32}) = Q_{32}^2 + 4Q_{32}$, $h_3(s_3) = 3\left(\frac{1}{\sqrt{1 - s_3}} - 1\right)$, $D_3 = 80$.

Also, since there are now 3 retailers, the demand price functions become:

$\rho_1(d_1, s) = -d_1 + .1\,\frac{s_1 + s_2 + s_3}{3} + 100, \quad \rho_2(d_2, s) = -.5\,d_2 + .2\,\frac{s_1 + s_2 + s_3}{3} + 200.$

The equilibrium solutions for examples in Set 2 are reported in Table 2. With the addition of Retailer 3, there is now increased competition. As a consequence, the demand prices for the product drop for both consumers and there is an increase in demand. Also, with the increased competition, the expected profits drop for the two original retailers. The demand increases for Consumer 1 and also for Consumer 2, both at upwards of 0%. The vulnerability of Retailer 1 is .0, that of Retailer 2: .09, and that of Retailer 3: .9, with a network vulnerability of: .3. The network vulnerability, with the addition of Retailer 3, is now higher, since Retailer 3 does not invest much in security due to the higher investment cost.

Variant 2.1 is constructed from Example 2 with the data as therein, except for the new demand price function for Consumer 1, who is now more sensitive to the network security, where

$\rho_1(d_1, s) = -d_1 + \frac{s_1 + s_2 + s_3}{3} + 100.$

The expected profit increases for all retailers, since Consumer 1 is willing to pay a higher price for the product. The vulnerability of Retailer 1 is now .08, that of Retailer 2: .08, and that of Retailer 3: .7, with a network vulnerability of: .. Hence, all the vulnerabilities have decreased, since the retailers have higher equilibrium security levels.

Variant 2.2 is constructed from Variant 2.1. The only change is that now Consumer 2 is also more sensitive to average security, with a new demand price function given by:

$\rho_2(d_2, s) = -.5\,d_2 + \frac{s_1 + s_2 + s_3}{3} + 200.$

As shown in Table 2, the expected profits are now even higher than for Variant 2.1. The vulnerability of Retailer 1 is now .05, which is the same for Retailer 2, with Retailer 3 having the highest vulnerability at: .4. The network vulnerability is, hence, .08. Consumers' willingness to pay for increased network security reduces the retailers' vulnerability and that of the supply chain network. Variants 2.1 and 2.2 demonstrate that consumers who care about security can also enhance the expected profits of retailers of a product through their willingness to pay for higher network security.

Variant 2.3 has the identical data to that in Variant 2.2, except that the demand price functions are now:

$\rho_1(d_1, s) = -2d_1 + \frac{s_1 + s_2 + s_3}{3} + 100, \quad \rho_2(d_2, s) = -d_2 + \frac{s_1 + s_2 + s_3}{3} + 100.$

As can be seen from Table 2, the product transactions have all decreased substantially, as compared to the respective values for Variant 2.2. Also, the demand prices associated with the two consumers have decreased substantially, as have the expected profits for all the retailers. The vulnerabilities of the retailers are, respectively: .07, .07, and .6, with the network vulnerability equal to .0.

Variant 2.4 is identical to Variant 2.3, except that now the demand price function sensitivity for the consumers has increased even more, so that:

$\rho_1(d_1, s) = -2d_1 + 10\,\frac{s_1 + s_2 + s_3}{3} + 100, \quad \rho_2(d_2, s) = -d_2 + 10\,\frac{s_1 + s_2 + s_3}{3} + 100.$

All the equilibrium product transactions now increase. The demand prices have both increased, as have the expected profits of all the retailers. In this example, the vulnerabilities of the retailers are, respectively: .02, .02, and .05, yielding a network vulnerability of .03. This is the least vulnerable supply chain network in our numerical study.

Table 2 Equilibrium Solutions for Examples in Set 2

Solution         Ex. 2     Var. 2.1   Var. 2.2   Var. 2.3   Var. 2.4
Q_11             20.80     20.98      20.98      .64        2.67
Q_12             89.45     89.45      89.82      49.62      5.84
Q_21             7.8       7.98       7.98       9.64       0.67
Q_22             84.49     84.49      84.83      46.3       48.5
Q_31             3.87      3.98       3.98       8.73       9.50
Q_32             35.4      35.4       35.53      24.50      25.59
d_1              52.48     52.94      52.95      30.00      32.85
d_2              209.35    209.35     20.8       20.43      25.94
s_1              .90       .92        .95        .93        .98
s_2              .9        .92        .95        .93        .98
s_3              .8        .83        .86        .84        .95
s̄ (average)      .87       .89        .97        .90        .97
ρ_1(d_1, s)      47.6      47.95      47.96      40.9       44.0
ρ_2(d_2, s)      95.50     95.50      95.83      80.47      83.77
E(U_1)           6654.73   6665.88    672.29     348.66     376.75
E(U_2)           5830.06   5839.65    5882.27    293.3      3226.90
E(U_3)           2264.39   227.25     2285.93    428.65     582.62

5 Summary and Conclusions

Cybercrime is affecting companies as well as other organizations and establishments, including governments, and consumers. Recent notable data breaches have included major retailers in the United States, resulting in both financial damage and a loss in reputation. With companies, many of which are increasingly global and dependent on their supply chains, seeking to determine how much they should invest in cybersecurity, a general framework that can quantify the investments in cybersecurity in supply chain networks is needed. The framework should also be able to illuminate the impacts on profits as well as on a firm's vulnerability and that of the supply chain network.

In this paper, we develop a supply chain network game theory model consisting of a tier of retailers and a tier of consumers. The retailers may be subject to a cyberattack and seek to maximize their expected profits by selecting their optimal product transactions and cybersecurity levels. The firms compete noncooperatively until a Nash equilibrium is achieved, whereby no retailer can improve upon his expected profits. The probability of a successful attack on a retailer, in our framework, depends not only on his security level, but also on that of the other retailers. Consumers reveal their preferences for the product through the demand price functions, which depend on the demand and on the network security level, which is the average security of the supply chain network. We derive the variational inequality formulation of the governing equilibrium conditions, discuss qualitative properties, and demonstrate that the algorithm that we propose has nice features for computations. Specifically, it yields, at each iteration, closed form expressions for the product transactions between retailers and consumers and closed form expressions for the retailer security levels. The algorithm is then applied to compute solutions to two sets of numerical examples, with a total of ten examples. The examples illustrate the impacts of an increase in competition, changes in the demand price functions, changes in the damages incurred, and changes in the cybersecurity investment cost functions on the equilibrium solutions, on the incurred prices, and on the expected profits of the retailers. We also provide the vulnerability of each retailer in each example and the network vulnerability.
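As an added illustration of the model summarized above (example code written for this page, not the authors' implementation or the paper's algorithm), the following Python script builds a small two-retailer, two-consumer instance of the game and computes a Nash equilibrium by best-response sweeps: each retailer's shipments come from the closed-form first-order condition, and its security level from a one-dimensional search. The demand price, transaction cost and investment cost functions have the same shapes as in the numerical examples above, but every parameter value (A, B, C0, C_PROD, BETA, DAMAGE, ALPHA_BASE, ALPHA_COSTLY) is constructed, and the attack probability p_i = (1 − s_i)(1 − s̄) is an assumption, since this section does not restate the paper's own form. The script reports each retailer's vulnerability (1 − s_i) and the network vulnerability (1 − s̄), then re-solves after raising Retailer 2's investment cost tenfold, which reproduces the qualitative effect seen in Variant 1.4: that retailer's security level and expected profit fall, the network vulnerability rises, and the other retailer's expected profit falls as well.

```python
"""Toy instance of the paper's retailer/consumer cybersecurity investment game (added
example: functional forms follow the examples above, parameter values are constructed,
and the attack probability p_i = (1 - s_i)(1 - sbar) is an assumption)."""
from math import sqrt

M, N = 2, 2                      # retailers i = 1..M, consumers k = 1..N
A = [1.0, 1.5]                   # a_k: demand price falls by a_k per unit of demand d_k
B = [0.1, 0.2]                   # b_k: demand price rises by b_k per unit of average security
C0 = [100.0, 200.0]              # c_k: demand price intercept
C_PROD = [1.0, 2.0]              # c_i: per-unit production cost of retailer i
BETA = [[3.0, 4.0], [4.0, 5.0]]  # beta_ik in the transaction cost c_ik(Q) = Q^2 + beta_ik Q
DAMAGE = [100.0, 120.0]          # D_i: damage if an attack on retailer i succeeds
ALPHA_BASE = [10.0, 10.0]        # alpha_i in h_i(s_i) = alpha_i (1/sqrt(1 - s_i) - 1)
ALPHA_COSTLY = [10.0, 100.0]     # same, with Retailer 2's investment cost raised tenfold

def avg_security(s):
    return sum(s) / len(s)

def demand_price(k, d_k, sbar):
    # rho_k(d, s) = -a_k d_k + b_k sbar + c_k, the shape used in the examples above
    return -A[k] * d_k + B[k] * sbar + C0[k]

def investment_cost(alpha_i, s_i):
    # h_i(s_i): zero at s_i = 0 and unbounded as s_i -> 1 (perfect security is unaffordable)
    return alpha_i * (1.0 / sqrt(1.0 - s_i) - 1.0)

def attack_probability(s_i, sbar):
    # ASSUMED form: exposure depends on own security and on the network average
    return (1.0 - s_i) * (1.0 - sbar)

def expected_profit(i, Q, s, alpha):
    # E(U_i) = revenue - production cost - transaction costs - h_i(s_i) - p_i D_i
    sbar = avg_security(s)
    d = [sum(Q[j][k] for j in range(M)) for k in range(N)]
    revenue = sum(demand_price(k, d[k], sbar) * Q[i][k] for k in range(N))
    production = C_PROD[i] * sum(Q[i])
    transaction = sum(Q[i][k] ** 2 + BETA[i][k] * Q[i][k] for k in range(N))
    return (revenue - production - transaction - investment_cost(alpha[i], s[i])
            - attack_probability(s[i], sbar) * DAMAGE[i])

def best_Q(i, k, Q, s):
    # Closed-form best shipment Q_ik from the first-order condition, clamped at zero
    sbar = avg_security(s)
    others = sum(Q[j][k] for j in range(M) if j != i)
    num = -A[k] * others + B[k] * sbar + C0[k] - C_PROD[i] - BETA[i][k]
    return max(0.0, num / (2.0 * A[k] + 2.0))

def best_s(i, Q, s, alpha, iters=120):
    # E(U_i) is concave in s_i for fixed Q, so ternary search on [0, 1) finds the best level
    def f(x):
        trial = list(s); trial[i] = x
        return expected_profit(i, Q, trial, alpha)
    lo, hi = 0.0, 1.0 - 1e-9
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if f(m1) < f(m2):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2.0

def nash_equilibrium(alpha, tol=1e-8, max_sweeps=500):
    # Gauss-Seidel best-response sweeps: each retailer in turn updates its shipments
    # (closed form) and then its security level (1-D search) until nothing moves
    Q = [[0.0] * N for _ in range(M)]
    s = [0.0] * M
    for _ in range(max_sweeps):
        delta = 0.0
        for i in range(M):
            for k in range(N):
                new = best_Q(i, k, Q, s)
                delta = max(delta, abs(new - Q[i][k])); Q[i][k] = new
            new = best_s(i, Q, s, alpha)
            delta = max(delta, abs(new - s[i])); s[i] = new
        if delta < tol:
            break
    return Q, s

def vulnerabilities(s):
    # Retailer vulnerability 1 - s_i and network vulnerability 1 - sbar, as in the tables above
    return [1.0 - x for x in s], 1.0 - avg_security(s)

def no_profitable_unilateral_deviation(Q, s, alpha, tol=1e-6):
    # Equilibrium check: no retailer gains by nudging one of its own variables
    for i in range(M):
        here = expected_profit(i, Q, s, alpha)
        for ds in (-0.05, 0.05):
            t = list(s); t[i] = min(max(s[i] + ds, 0.0), 0.999)
            if expected_profit(i, Q, t, alpha) > here + tol:
                return False
        for k in range(N):
            for dq in (-1.0, 1.0):
                t = [row[:] for row in Q]; t[i][k] = max(Q[i][k] + dq, 0.0)
                if expected_profit(i, t, s, alpha) > here + tol:
                    return False
    return True

if __name__ == "__main__":
    for alpha in (ALPHA_BASE, ALPHA_COSTLY):
        Q, s = nash_equilibrium(alpha)
        print("s =", [round(x, 3) for x in s], "vulnerabilities =", vulnerabilities(s),
              "E(U) =", [round(expected_profit(i, Q, s, alpha), 2) for i in range(M)])
```

Running the script prints the equilibrium security levels, vulnerabilities and expected profits for the base instance and for the instance with Retailer 2's costlier investment function. The closed-form shipment update mirrors the feature the paper highlights for its algorithm; the security-level update is a plain search over a concave one-dimensional profile rather than the paper's projected scheme, and the deviation check at the end is the kind of sanity test one should run on any computed equilibrium before reading anything into it.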
The approach of applying game theory and variational inequality theory with expected utilities of decision-makers to network security / cybersecurity that this paper adopts is original in itself. The results in this paper pave the way for a range of investigative questions and research avenues in this area. For instance, at present, the model considers retailers and consumers in the supply chain network. However, it can be extended to include additional tiers, namely, suppliers, as well as transport service providers, and so on. The complexity of the supply chain network would then make it even more susceptible to cyberattacks, wherein a security lapse in one node can affect many others in succession. Moreover, to account for the fact that the exchange of data takes place through multiple forms, the model could be extended to include multiple modes of transactions. While the solution equilibrium in the context of competition does moderate investments, the model can also be extended to explicitly include constraints on cybersecurity investments subject to expenditure budgets allocated to cybersecurity. The numerical examples section dealt with multiple retailer and consumer scenarios and their variants to validate the ease of adoption and practicality of the model. A case study and empirical analysis can further corroborate the cogency of the model and assist in the process of arriving at investment decisions related to cybersecurity. This could also provide insights as to how to strike a balance between effectiveness of service and security. We leave the above research directions for future work.

Acknowledgments

This research of the first author was supported by the National Science Foundation (NSF) grant CISE #276, for the NeTS: Large: Collaborative Research: Network Innovation Through Choice project awarded to the University of Massachusetts Amherst, as well as by the Advanced Cyber Security Center through the grant: Cybersecurity Risk Analysis for Enterprise Security. This support is gratefully acknowledged.