Cybersecurity investments with nonlinear budget constraints and conservation laws: variational equilibrium, marginal expected utilities, and Lagrange multipliers

Published date: 01 September 2018
DOI: http://doi.org/10.1111/itor.12502
Authors: Gabriella Colajanni, Anna Nagurney, Sofia Giuffrè, Patrizia Daniele
Intl. Trans. in Op. Res. 25 (2018) 1443–1464
International Transactions in Operational Research
Gabriella Colajanni^a, Patrizia Daniele^a, Sofia Giuffrè^b and Anna Nagurney^c
^a Department of Mathematics and Computer Science, University of Catania, Italy
^b DIIES, Mediterranea University of Reggio Calabria, Italy
^c Department of Operations and Information Management, Isenberg School of Management, University of Massachusetts, Amherst, MA 01003, USA
E-mail: colajanni@dmi.unict.it [Colajanni]; daniele@dmi.unict.it [Daniele]; sofia.giuffre@unirc.it [Giuffrè]; nagurney@isenberg.umass.edu [Nagurney]
Received 31 January 2017; received in revised form 18 September 2017; accepted 24 November 2017
Abstract
In this paper, we propose a new cybersecurity investment supply chain game theory model, assuming that the
demands for the product are known and fixed and, hence, the conservation law of each demand market is
fulfilled. The model is a generalized Nash equilibrium model with nonlinear budget constraints for which we
define the variational equilibrium, which provides us with a variational inequality formulation. We construct
an equivalent formulation, enabling the analysis of the influence of the conservation laws and the importance
of the associated Lagrange multipliers. We find that the marginal expected transaction utility of each retailer
depends on this Lagrange multiplier and its sign. Finally, numerical examples with reported equilibrium product
flows, cybersecurity investment levels, and Lagrange multipliers, along with individual firm vulnerability
and network vulnerability, illustrate the obtained results.
Keywords: cybersecurity; investments; supply chains; conservation laws; game theory; generalized Nash equilibrium;
variational inequalities; Lagrange multipliers
© 2018 The Authors. International Transactions in Operational Research © 2018 International Federation of Operational Research Societies.
Published by John Wiley & Sons Ltd, 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main St, Malden, MA 02148, USA.
1. Introduction
Supply chains have become increasingly complex as well as global and they are now highly dependent
on information technology to enhance effectiveness and efficiency and also to support communications
and coordination among the network of suppliers, manufacturers, distributors, and even
freight service providers. At the same time, information technology, if not properly secured, can
increase the vulnerability of supply chains to cyberattacks. Many examples of cyberattacks infiltrating
supply chains exist, with a vivid example consisting of the major U.S. retailer Target cyber
breach in which attackers entered the system via a third-party vendor, an HVAC (heating, ventilation
and air conditioning) subcontractor, resulting in an estimated 40 million payment cards stolen
in late 2013 and upwards of 70 million other personal records compromised (see Kirk, 2014). Not
only did Target incur financial damages but it also had an impact on its reputation. Other highly
publicized examples include breaches at the retailer Home Depot, the Sony media company, and
the financial services firm JP Morgan Chase. Energy companies, healthcare organizations as well
as defense companies have been subject to cyberattacks (cf. Nagurney et al., 2015; Nagurney and
Shukla, 2017). In addition, the Internet of Things (IoT) has expanded the possible entry points for
cyberattacks (ComputerWeekly.com, 2015).
In fact, cyberattacks are not exclusively a U.S. phenomenon. According to Verizon’s 2016 Data
Breach Investigations Report, there were 2260 confirmed data breaches in the previous year at
organizations in 82 countries. Numerous other breaches affecting small- and medium-sized businesses
have gone unreported (cf. Verizon, 2016). In order to illustrate the scope of the negative
impacts associated with cybercrime, it has been estimated that the world economy sustained
$445 billion losses from cyberattacks in 2014 (see Center for Strategic and International Studies,
2014).
Numerous companies and organizations have now realized that investing in cybersecurity is
imperative. Furthermore, because of the interconnectivity through supply chains and even financial
networks, the decisions of an organization in terms of cybersecurity investments can affect
the cybersecurity of others. For example, according to Kaspersky Lab, a multinational gang of
cybercriminals, known as “Carbanak,” infiltrated more than 100 banks across 30 countries and
extracted as much as one billion dollars over a period of roughly two years (Lennon, 2015). Gartner
(Messmer, 2013) and Market Research (2013) report that organizations in the United States are
spending $15 billion for communications and information systems security. Hence, research on
cybersecurity investment is garnering increased attention with one of the first research studies on
the topic by Gordon and Loeb (2002).
In this paper, we consider a recently studied cybersecurity investment supply chain game theory
model consisting of retailers and consumers at demand markets with each retailer being faced with
a nonlinear budget constraint on their security investments (see Daniele et al., 2017; Nagurney
et al., 2017). We present an alternative to this model in which the demand for the product at each
demand market is known and fixed and, hence, the conservation law of each demand market must
be fulfilled. We require that the demands at the demand markets be satisfied
because there are numerous products for which demand is inelastic as in the case, for example, of
infant formula, certain medicines, etc.
The supply chain game theory model with cybersecurity investments in the case of fixed, that
is, inelastic, demands, unlike the models of Nagurney et al. (2017) and Daniele et al. (2017), is
characterized by a feasible set such that the strategy of a given retailer is affected by the strategies
of the other retailers since the product can come from any (or all) of them. Hence, the governing
concept is no longer a Nash equilibrium (cf. Nash, 1950, 1951) but a generalized Nash equilibrium
(GNE; see, e.g., von Heusinger, 2009; Fischer et al., 2014). Recall that, in classical Nash equilibrium
problems, the strategies of the players, that is, the decision makers in the noncooperative game,
affect the utility functions of other players, but the feasible set of each player depends only on their
strategies. It was Rosen (1965) who in his seminal paper studied a class of GNE problems. Facchinei
et al. (2007) show that Rosen’s class of GNE problems can be solved by finding a solution of a