Article

Information security investment for competitive firms with hacker behavior and security requirements

Journal

ANNALS OF OPERATIONS RESEARCH
Volume 235, Issue 1, Pages 277-300

Publisher

SPRINGER
DOI: 10.1007/s10479-015-1925-2

Keywords

Targeted attacks; Mass attacks; Information security; Security requirements

Funding

  1. Fundamental Research Support Funds from Southeast University [2242015S20002]
  2. Fundamental Research Funds for the Central Universities [2242014K10019]

This paper investigates information security investment strategies under both targeted attacks and mass attacks by considering strategic interactions between two competitive firms and a hacker. We find that the more attractive firm invests more in information security, suffers more frequent attacks and enjoys a lower expected benefit, while the hacker achieves a higher expected benefit under targeted attacks than under mass attacks. We further examine the effect of security requirements on the two firms' investment strategies in information security. We indicate that security requirements sometimes can drastically alter the comparisons of these investment strategies under the two types of cyber attacks. The hacker would balance the firms' attractiveness in information assets and security requirements when determining its investment decisions in cyber attacks. By assuming that security requirements are endogenous, we demonstrate that under targeted attacks and mass attacks both firms would like to regulate rigorous security requirements when their degree of competition becomes fierce but would like to choose loose security requirements when the degree of competition remains mild.
