{"title":"Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain","authors":"Shaun S. Wang","doi":"10.2139/ssrn.3064533","DOIUrl":null,"url":null,"abstract":"This paper presents economic models of cybersecurity investments by a firm, first considering the cost-benefit to the firm itself, and then to the eco-system of a supply-chain. We introduce a concept of a firm’s security knowledge set of its attack surface, relative to the universe of threats. We propose three classes of security production functions as the frontier curve of a firm’s knowledge set. We distinguish two types of security investments in acquiring data, information and expertise, vis-a-vis deploying defense measures and detection tools, and derive formula for optimal allocations. We analyze cyber breach propagations between firms in a supply-chain, and demonstrate that large firms requiring contractors to show security rating by third-parties can be an effective way of reducing information gap in a supply chain. We present a model for the reliability (sharpness) of cybersecurity rating for firms, and show how the perceived reliability of cybersecurity rating affects the incentives for firms to increase their security investments.","PeriodicalId":416291,"journal":{"name":"IO: Firm Structure","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-11-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IO: Firm Structure","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.2139/ssrn.3064533","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 3
Abstract
This paper presents economic models of cybersecurity investments by a firm, first considering the cost-benefit to the firm itself, and then to the eco-system of a supply-chain. We introduce a concept of a firm’s security knowledge set of its attack surface, relative to the universe of threats. We propose three classes of security production functions as the frontier curve of a firm’s knowledge set. We distinguish two types of security investments in acquiring data, information and expertise, vis-a-vis deploying defense measures and detection tools, and derive formula for optimal allocations. We analyze cyber breach propagations between firms in a supply-chain, and demonstrate that large firms requiring contractors to show security rating by third-parties can be an effective way of reducing information gap in a supply chain. We present a model for the reliability (sharpness) of cybersecurity rating for firms, and show how the perceived reliability of cybersecurity rating affects the incentives for firms to increase their security investments.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
