The criminal-hacker nexus leads to a two-step target selection process: it begins with a short list of firms with similar information assets, from which the hacker finally picks the firm with the weakest defense. This translates into a scenario where firms with similar information assets engage in a veiled race so as not to appear as the soft target in the focus group. In this work we propose a duopolistic model and use a differential game framework to analyze the IT security investment decisions of two firms that find themselves on such a short list of hacking targets and must compete dynamically on their IT security investments to reduce the risk of being breached. We provide the steady-state (singular region) analysis of the differential game for two firms with symmetric and asymmetric parameters. Our model shows that hacker learning and firms' security investment efficiency have opposite effects on the two equilibrium outcomes of interest, namely the security level and the security investment rate. As hacker learning improves (security investment efficiency increases), the security levels and security investment rate of the two firms move apart (closer).