Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability

In this paper, we develop and compare three distinct models for cybersecurity investment in competitive and cooperative situations to safeguard against potential and ongoing threats. We introduce a Nash equilibrium model of noncooperation in terms of cybersecurity levels of the firms involved, which is formulated, analyzed, and solved using variational inequality theory. The equilibrium of this model then acts as the disagreement point over which bargaining takes place in the setting of the second model, which yields a cooperative solution in which the firms are guaranteed that their expected utilities are no lower than those achieved under noncooperation. Nash bargaining theory is utilized to argue for information sharing and to quantify its monetary and security benefits in terms of reduction in network vulnerability to cyberattacks. The third model in this paper also focuses on cooperation among the firms in terms of their cybersecurity levels, but from a system-optimization perspective in which the sum of the expected utilities is maximized. Qualitative properties are provided for the models in terms of existence and uniqueness results along with numerical solutions to two cases focusing on retailers and financial service firms, since these have been subject to some of the most damaging cyberattacks. Sensitivity analysis results are also provided. We compare the solutions of the models for the cases and recommend a course of action that has both financial and policy-related implications.