Optimal Policies for Information Sharing in Information System Security

Optimal Policies for Information Sharing in Information System Security

Journal Pre-proof

Optimal Policies for Information Sharing in Information System Security Yueran Zhuo, Senay Solak PII: DOI: Reference:

S0377-2217(19)31019-7 https://doi.org/10.1016/j.ejor.2019.12.016 EOR 16224

To appear in:

European Journal of Operational Research

Received date: Accepted date:

22 October 2018 9 December 2019

Please cite this article as: Yueran Zhuo, Senay Solak, Optimal Policies for Information Sharing in Information System Security, European Journal of Operational Research (2019), doi: https://doi.org/10.1016/j.ejor.2019.12.016

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier B.V.

Optimal Policies for Information Sharing in Information System Security Yueran Zhuo and Senay Solak Isenberg School of Management, University of Massachusetts Amherst, [email protected], [email protected]

Information sharing has become a significant part of information system security endeavor, as many firms have come to realize that it is difficult to defend against the increasingly sophisticated information security attacks with the limited resources of one single firm. The sharing of information security related knowledge and experience helps firms better prepare for the upcoming information security challenges. However, the practice of information sharing is far less prevalent when compared with other information security methods. In this paper, we develop a framework for information sharing decisions of a firm in the context of information system security. We find through analytical and numerical analyses that the optimal level information sharing is a function of the cost, budget and expected cost of perfect protection for a given firm. We also examine the value of information sharing in information security, and identify how such value varies over different investment environments. Key words : information system security, technology investments, information sharing, stochastic programming

1

1.

Introduction

Information system security, also commonly referred to as cybersecurity, is a vital operational component for almost all organizations. Companies make significant investments to protect their information systems from all kinds of malicious attacks that can disrupt their operations. While firms strive to improve information system security by investing in different technologies, the increasing sophistication of information system attacks has also resulted in the need for joint information sharing endeavors among firms. A major difficulty for firms in defending against advanced information security attacks is the time gap between the attack and the corresponding response, which can be especially long when the firm has no previous knowledge of the kind of attack they are facing (Verizon 2015). Information sharing, i.e. the practice of passing on experiences and knowledge of security information among firms, can be an effective approach for firms to alleviate the impact of this problem. Synthesizing the knowledge and experience of a larger community allows all parties to defend their assets more effectively against cyber attacks. It is evident through some past major breaches that such information sharing could have helped avoid major losses if it had been implemented successfully. Two such examples involve the Target data breach of December 2013 which cost the company direct losses of around $1 billion, and the Home Depot breach in September 2014, which resulted in losses of more than $140 million due to exposure of payment card data. It was later found that these two breaches were actually caused by the same malware attack, indicating the potential that the latter Home Depot breach could have been avoided if relevant information had been shared and proper protective actions had been taken accordingly. In current practice, information sharing among firms for cybersecurity is mostly realized by forming alliances within a given industry. Some of these alliances are formed as Information Sharing and Analysis Centers (ISACs), which are specific to each industry, such as the Financial Services-ISAC, Information Technology-ISAC, Healthcare and Public HealthISAC and the Electric Sector-ISAC. Within each ISAC, member firms are encouraged to

2

share information on any cyber attack, regardless of whether an attack was successful or not. The shared information usually includes methods/countermeasures a firm uses to defend against the attacks, vulnerabilities in these countermeasures, and methods that a firm applies to minimize the economic impact after a breach occurs (Gordon et al. 2003). All such information is collected and summarized by a centralized council within the ISAC and sent to the members in the form of alerts, guidance and recommendation reports. These reports would then help ISAC members provide better defense mechanisms against cyber threats, and reduce overall information security related costs. Despite the benefits of information sharing in improving information system security, participation in ISACs and other similar alliances is still quite limited among firms. Some key reasons for this include: (1) the potential risk of losing competitive advantage due to the information shared with other firms; and (2) lack of economic incentive due to the difficulties in assessing the monetary value of information sharing, especially since the cost of sharing information in information system security practice is not negligible. These costs primarily include the fixed cost of joining information sharing alliances, personnel costs spent on security information gathering, and other relevant costs on information processing to ensure confidentiality in the information shared. The first issue noted above is being addressed by standardizing information sharing procedures through legislative efforts, such as the U.S. Cybersecurity Information Sharing Acts of 2014 and 2015, which aim at creating a trustworthy environment for firms and other organizations participating in information sharing. The second issue, however, requires the development of procedures and measures in assessing the effectiveness of information sharing, especially when considered together with the technology investment decisions on information system security. More specifically, since information sharing and technology investments are two major aspects of information system security practice, there exists an interplay between these two types of investments. Naturally, information sharing would

3

boost the effectiveness of security countermeasures. However, as both information sharing and security countermeasures are costly to the firms, there must be a balance as to how much information to share and how much to invest in technology so that the overall expenditure is minimized. To this end, in this study we seek to answer the following research questions: (1) What is the optimal level of information sharing for a firm as a function of the firm’s technology investments?

(2) What is the value of information

sharing in information security? (3) How do these findings vary over different operating environments?

2.

Literature Review

The information sharing problem is first discussed in the economics literature. Clarke (1983) and Gal-Or (1985) study information sharing behaviors by oligopoly firms and derive similar conclusions that the mutual sharing of information does not happen spontaneously among firms despite the maximization of joint welfare. However, some studies focus on certain natural incentives for sharing information, and show that sharing information would be easily implementable under certain conditions. For example, Li (1985) finds that if all the firms have access to equally accurate information, then a firm would be willing to share some firm-specific information. Also, Shapiro (1986) suggests that the sharing of cost information can be made possible by firms joining an association with an information-sharing agreement. These studies from the economics literature, although not directly related to information security, provide important insights that can be applied to information sharing in cybersecurity, and we use these insights to help develop the modeling framework in this paper. As part of the operations research literature, the topic of information sharing is widely studied within supply chain management. Initially motivated by the bullwhip effect in supply chains, Lee et al. (1997) propose the sharing of information between supply chain partners in order to improve efficiency and reduce costs. Assuming a coordinated structure

4

across the supply chain, the value of information sharing within the supply chain is investigated by some follow-on studies such as Gavirneni et al. (1999), Lee et al. (2000), and Yu et al. (2001). Considering the competitive environment among the supply chain members, some studies further explore the incentives for information sharing. It is generally recognized that firms tend not to share information voluntarily, but rather seek for cooperation or trade for shared information from other firms (Li 2002, Chen 2003, Shang et al. 2015). The findings on the supply chain information sharing problem also shed light on the problem of security information sharing. In this paper, we focus on the motivation, value and incentives of information sharing in the context of information security, while also noting that there exist clear differences between these two types of information sharing. Information sharing in information security has been rarely discussed in detail in the literature. The study by Gordon and Loeb (2002) is among the earliest studies about information sharing in cybersecurity. The paper compares the sharing of information for information security purposes and for general commercial purposes, and points out the necessity of a central coordinator in the practice of security information sharing. While it is unanimously agreed in the literature that a central coordinator is needed for cybersecurity information sharing among the firms, Hausken (2007) and Gao et al. (2014) discuss the role of the central coordinator further by considering a situation where the central coordinator has control over information security investments and information sharing at the same time. They conclude that higher levels of intervention by the central coordinator does not always lead to better joint welfare. Therefore, in our study, we design the role of the central coordinator to be flexible with moderate level of power such that it intervenes only for information sharing purposes. Gordon et al. (2003) study the impact of information sharing on information security investments using a game-theoretic model, and determine the conditions under which information sharing promotes or hinders information security investments. The authors in that study assume that there is a relationship between information sharing level and the effectiveness of information security investments. This key

5

assumption lays the foundation for the modeling of information security investment and information sharing, and is adopted in several other studies including this paper. Inspired by the rising trend of promoting information security information sharing, Gal-Or and Ghose (2005) and Gao and Zhong (2016) conduct studies on the incentives for sharing security information in a competitive environment. Using similar game-theoretical approaches, these papers analyze the information sharing and investment behaviors of a specific industry, namely the information technology industry, where product demand and revenue are directly affected by information security performance. Conclusions are drawn about the benefits of security information sharing to the firms, and it is noted that joint value is maximized with the firms sharing information in a coordinated manner. These findings, although valuable from public policy perspective, have their applications limited to the information technology industry. In our work, we develop a generic model that can be used by a wide spectrum of industries whose core business does not necessarily relate to the marketing of information technology products.

3.

A Framework for Information Sharing in Information System Security

Information sharing within the context of information system security has been seldom modeled through an optimization based approach. This is mainly due to the challenges involving (i) the quantification of information sharing levels; (ii) the characterization of the regulatory drive for sharing information; (iii) the modeling of the cost and return structures; and (iv) the modeling of the role of technology investments in this context. In this section, we introduce the framework for information sharing by explaining how these key aspects of the modeling characteristics are captured in our model. 3.1.

Quantification of Information Sharing Level

There is a variety of information that can be shared by firms to exchange knowledge on information security practice (Gordon et al., 2003, Gal-Or and Ghose, 2005, Weiss, 2015).

6

In general, the information being shared includes: (1) breach information on cyber-attacks, and whether these attacks are successful or not, (2) vulnerabilities in information security countermeasures, (3) methods used to defend against cyber-attacks to protect a company’s assets, and (4) methods to minimize the economic impact of a security breach once it has been detected. As all these types of information are gathered in different formats and transferred via different channels, it is difficult to quantify the amount of information being shared in absolute terms. In order to resolve this issue, several studies in the literature have adopted a quantification method for information sharing by scaling the sharing level to a fractional value between 0 and 1. From a practical perspective, we assume that information security experts of a firm would standardize all the information that is being collected by their firm, and a decision will be made on the portion of such information that is going to be shared with other firms. Moreover, as various types of information can serve distinct purposes with different levels of importance, this assumption also implies that different kinds of information can be assigned different weights according to their relative significance. In the remainder of this study, we assume the collection and weighing of information is already done by the firm, and information sharing level is denoted by i ∈ [0, 1], where i = 0 means the firm does not participate in any information sharing, and i = 1 means the firm is willing to share complete information with other firms. 3.2.

Information Sharing under a Centralized Coordinator

Despite the potential benefits of information sharing in the cybersecurity practice, spontaneous and voluntary sharing of information does not typically happen among firms. As analyzed in the game-theoretical studies of Gordon et al. (2003), Gal-Or and Ghose (2005), and Hausken (2007), when the firms act independently, the situation eventually leads to a Bertrand-Nash equilibrium where no information is shared among the firms. There are also several realistic concerns of the firms that prevent their participation in information

7

sharing, such as protecting the privacy of the business, losing competitiveness in the industry, and the potential for being taken advantage of by free-riders. However, studies point out that when a centralized coordinator exists and manages the information sharing of the firms, both the social welfare and firms’ returns are likely to be maximized (Gal-Or and Ghose 2005). To this end, we assume in this study that the firms are managed under the control of a central coordinator. In practice, information sharing alliances act as a central coordinator, where their roles include gathering of information on vulnerability and threats, providing two-way information sharing among firms, managing rapid response communications between firms in the event of an attack, and conducting education and training programs. In addition, the responsibilities of the central coordinator also includes monitoring and balancing the information sharing levels of each firm to ensure fairness. In other words, each firm participating in an ISAC is required to share information no less than a common minimum level, which can be decided based on negotiation and mutual agreement. Building upon the discussion above, we propose a structural setup for security information sharing that is aimed to reflect the practical environment in the current practice. In this setup, a firm that joins a member-based information sharing alliance agrees on a desired information sharing level i∗ with other member firms. The firm then gives out the corresponding portion of collected information to the central coordinator, and then obtains the same level of shared information i∗ collected and synthesized from other firms. This setup ensures that the firm would always receive the same level of shared information as its own information sharing level. 3.3.

Modeling the Cost of Information Sharing

Another challenge in modeling information sharing in cybersecurity is the definition and calculation of related costs. While many industries have well-developed metrics for technology investment costs and returns, such metrics do not exist for information sharing.

8

As a result, it is difficult for information system security practitioners to come up with a monetary value for specific information sharing levels, which further impedes the firms’ participation in information sharing activities. To overcome this challenge, in this study we describe a cost modeling process that we use in developing a cost function as part of our framework. As mentioned in the legislative documents and literature (Gordon et al., 2003, Gal-Or and Ghose, 2005, Weiss, 2015), the cost of security information sharing has two main aspects. The first aspect deals with the routine costs of data collection and administrative interactions with the information sharing alliance. The second aspect is related to the risk of information leakage to hackers, which may increase the likelihood of customized cyber attacks towards the firm. We refer to these two types of costs as direct and indirect costs of information sharing, respectively. In addition, many firms are also concerned that sharing security related information may weaken their competitiveness in business. While that is the case, the sharing of information is conducted anonymously under the management of a centralized coordinator, ensuring a layer of protection on any confidential information. Such protection mechanism is also required by the Cybersecurity Information Sharing Act, which serves as a legislative support for the firms. Overall, the concern for losing competitiveness may hinder a firm’s incentives for sharing information, but it typically does not constitute a practical problem when a centralized coordinator is involved. Concepts related to the direct cost of information sharing has been discussed in several studies, specifically as it applies to business information disclosure (Edmans et al. 2013, Elliott and Jacobson 1994). It is explicitly stated in these studies that the cost of sharing information is positively correlated with the level of information being disclosed. For the cost of information sharing in information system security, empirical studies have suggested a linear cost function with a fixed rate per unit of shared information (Berg et al. 2013). It can also be interpreted intuitively that the total workload of information sharing is

9

proportional to the quantity of information being shared, resulting in a linear relationship between the direct costs and the information sharing level. To this end, we define κd i as the total direct cost of sharing information at a level i, where κd is the unit cost. The parameter κd can be assessed by considering the required workload for information collection and the hourly rates of personnel involved. The indirect costs of information sharing, on the other hand, need to be assessed based on expert opinions. These costs can be measured by the expected value of losses due to an advanced attack resulting from any potentially leaked information. While the cost of a customized attack due to information leakage can be estimated as a fixed value based on the content of the shared information, the likelihood of information leakage is positively related to the level of information shared. Specifically, by assuming that each unit of shared information has the same chance of exposure to potential attackers, it can be concluded that the likelihood of information leakage is a linear function of the information sharing level, which in turn implies a similar relationship between the total indirect costs and the level of information shared. Therefore, we denote the indirect costs of information sharing as κl i, where κl is the unit indirect cost, which also equals to the expected losses due to information leakage under complete information sharing, i.e. when i = 1. Eventually, the overall cost of information sharing at level i is the summation of direct costs κd i and indirect costs κl i. Since both cost components are linear functions of information sharing level i, in the remainder of the discussion we no longer distinguish between direct costs and indirect costs, but use a general cost parameter κ = κd + κl to build our modeling framework. 3.4.

Modeling Returns from Information Sharing

While it is typically accepted that information system security can be improved at lower cost levels by sharing information (Weiss 2015), the returns from information sharing are still unclear to most practitioners, as a quantitative measure is not clearly applicable.

10

To address this issue, we consider approaches discussed in the literature and some actual observations from the information sharing practice, and propose a metric to model returns from information sharing. Previous studies on information sharing in information system security consider information sharing as a direct addition to a firm’s investment on information security technologies. A simplistic method of modeling information sharing is to add a certain level of “virtual investment” on top of the actual technology investment level. While several studies on information sharing in information system security have adopted this modeling structure (Gordon et al., 2003, Gal-Or and Ghose, 2005, Hausken, 2006, 2007), this simple linear relationship does not fully capture the two key effects between a virtual investment level and the information sharing level, namely the learning and saturation effects, which are based on observations from the practice of information sharing in information system security. The learning effect corresponds to the phenomenon that the firm does not benefit as much when information sharing level is very low, but gains increase when the firms increase their mutual information sharing level to a certain extent. The saturation effect, on the other hand, refers to the fact that when information sharing level reaches to a certain value, there exist diminishing marginal returns. A graphical illustration of these learning and saturation effects is shown in Figure 1. To model the learning and saturation effects in information sharing, we introduce a return function φ(i) to define the returns from sharing information at level i. φ(i) corresponds to the percent additive effect on a firm’s technology investments due to sharing of information, and is defined to have the following properties: (1) (2) 0 ≤ φ(i) ≤ 1, and (3) there exists a value iz ∈ [0, 1] such that and

∂ 2 φ(i) ∂i2

∂φ(i) ∂i

∂ 2 φ(i) ∂i2

≥ 0 for i ∈ [0, 1],

≥ 0 for 0 ≤ i ≤ iz

≤ 0 for iz ≤ i ≤ 1. Property (1) defines φ(i) as a non-decreasing function, while

property (2) depicts the range of the function. Property (3) implies the learning effects by defining φ(i) as a convex increasing function until some level iz , and then as a concave increasing function for i > iz .

Returns from information sharing

11

Information sharing level

Learning and saturation effects in information sharing

Returns from information sharing

Figure 1

z=0.25, h=10

z=0.50, h=10 z=0.75, h=10 Information sharing level

Figure 2

Examples of φ(i) for different parameter z values

Given these definitions, we adopt the logistic function representation for φ(i), such that φ(i) =

1 . 1+e−h(i−z)

In this representation, parameter h controls the steepness of the curve,

and can be set to a value such that φ(0) is close enough to 0 and φ(1) is close enough to 1. Parameter z is referred to as the sigmoid midpoint, and is an indicator of the relative lengths of the learning and saturation periods on the curve. More specifically, a smaller z value would indicate fast learning and slow saturation, while large z values would imply the opposite. A few examples of φ(i) for different z values are shown in Figure 2. As suggested by Gordon et al. (2003), the returns from information sharing for a firm

12

are proportional to the technology investment levels of the other firms in an information sharing alliance. To model this effect, a scaling factor γ ∈ [0, 1] is introduced to represent the aggregate investment level by the other firms, where the lower bound 0 implies no technology investments by other firms, and the upper bound 1 corresponds to the case of other firms investing at least as much as the decision-making firm. In our study, we adopt this scaling factor to describe the “virtual investment” through information sharing. Hence, if x is the original technology investment level and φ(i) is the percent additive effect on technology investments for sharing information at level i, then this implies an additional “virtual investment” of xγφ(i) by the firm. Given this, we define the variable  to represent the cumulative investment effects, i.e. the actual investment plus the “virtual” investment effect generated by information sharing, where this cumulative investment effect is expressed as:  = x + xγφ(i). 3.5.

(1)

Modeling the Relationship between Technology Investments and Information Sharing

Information sharing and technology investment have been considered as strategic counterparts of information system security (Gal-Or and Ghose 2005), as these two major components intervene with each other in practice: the sharing of information among firms has a positive impact on the technology investments, and technology investments fund the eventual sources of the shared information. In order to capture a holistic picture of the information system security practice, it is important that a modeling framework includes both of these aspects. We achieve this by integrating the information sharing component into an Information Security Technology Investment (ISTI) model as initially introduced by Zhuo and Solak (2014). This integrated model can be described as follows. 3.5.1.

The Information Security Technology Investment Model The modeling

framework for ISTI captures all three major components in information security, namely

13

technology countermeasures, attacks and assets. The set of technology countermeasures is denoted by O, where the set is composed of two categories of countermeasures: detective countermeasures (od ) and preventive countermeasures (op ). While the set O has two elements in this setup, for generalization purposes we keep the notation generic and do not directly refer to od and op in our discussions, as the model applies even when there are more elements in O. The set of security attacks is denoted as A, where A contains both basic and advanced attack types. Similarly, the assets are denoted by set S, where confidential and non-confidential assets form the types of assets in the set. The effectiveness of the information security system against attacks is represented by a function of technology investment levels xo for o ∈ O. More specifically, the model uses the function eo (xo ) = βo − βo e−αo xo to denote the effectiveness of countermeasure o ∈ O, where αo is a cost rate constant that defines the difficulty of achieving the maximum effectiveness of the countermeasure. This rate also defines the expected cost for perfect protection (ECOPPo ) for countermeasure o, which represents the cost of the maximum attainable protection by deploying countermeasure type o. The parameter βo ∈ [0, 1) is the highest achievable effectiveness of countermeasure o. To model the synergy effects between two types of countermeasures, i.e., the positive influence of one countermeasure over another in boosting their highest achievable effectiveness, a joint effectiveness term eoo0 (xo , xo0 ) is introduced in the framework to capture the dependencies between any pairs of technology countermeasures (o, o0 ) ∈ O. As part of the functional representation of eoo0 (xo , xo0 ), it is natural to assume that the technology countermeasures serve as layers of protection, which filter and weaken the attacks as they try to breach the assets. As illustrated in Figure 1, joint effectiveness of the countermeasures can be envisioned as a ‘virtual’ layer that is added to the individual layers of protection by the countermeasures. To capture this virtual effectiveness, a synergy factor ρoo0 is defined to describe the dependence between the two countermeasure types. This synergy effect is represented as:

14

Attacks

Effectiveness of countermeasure 1 Figure 3

Effectiveness of Joint effectiveness of countermeasure two countermeasures 2

Countermeasure effectiveness as layers of protection

eoo0 (xo , xo0 ) = ρoo0 eo (xo ) + ρoo0 eo0 (xo0 ) − ρ2oo0 eo (xo )eo0 (xo0 )

(2)

Specifically, ρoo0 takes a value from 0 to min{ β1oa , β 10 }, where when ρoo0 = 0 implies no o a

synergy effect at all, and ρoo0 =

min{ β1oa , β 10 } o a

when the synergy effects are the greatest.

These bounds are based on the definition of the effectiveness function eoo0 (xo , xo0 ), as also described by Zhuo and Solak (2014). Our use of this modeling structure is inspired by the analysis in Chen (2012), where the author describes the underlying mechanisms linking the synergistic effects of information technology resources to organizational capabilities and firm performances. In that study, the synergistic effects are modeled as a weighted sum of the effectiveness of the individual countermeasures. In our modeling framework, we consider this additive effect concept, but improve it further by adding the last multiplicative term on the right hand side of equation (2) through the use of ρoo0 . This allows for a consistent representation of individual and joint effectiveness expressions within the formulation of the optimization model. The dependencies between any two countermeasure types are considered to be symmetrical, i.e. ρoo0 = ρo0 o . Consequently, eoo0 (xo , xo0 ) = eo0 o (xo0 , xo ). Given that O = {od , op } in our problem setup, there is only one dependency factor ρod op = ρop od that applies. Moreover, we note that we only consider two-way interactions between different countermeasure categories, and such interactions are assumed to be independent. Hence, the corresponding dependency measures can be consistently defined under the independence assumption

15

of these two-way interactions. While multi-way interactions may exist in the case of a larger set of countermeasure categories, we assume that the impact of such higher level interactions are negligible. In addition, the incidence rates of the security attacks can vary over time, and we use the notation fat to denote the frequency of attack a ∈ A over a unit period of time t ∈ T . Letting las be the expected loss incurred by an attack a ∈ A on asset s ∈ S, the potential P P P total loss over T can be calculated as t∈T s∈S a∈A fat las .

The adopted model also captures the uncertainty in information security technology

investments, which is reflected in the realization of the uncertain life-cycle curves for the countermeasures used by a firm. To this end, the decision-making process is split into two stages denoted by k = 1, 2. If the first-stage technology investment level x1o exceeds a threshold θo , then the firm acquires certain attack related information, and adjusts the investment levels in the second stage accordingly. Otherwise, the decision-making firm makes investments based on the expected life-cycle curve for both stages, defined by probability distributions over parameters βo . Our notation in this paper follows the notation used for the ISTI model, for which a complete formulation is provided in Appendix A. 3.5.2.

Integration of Information Sharing into Technology Investment As intro-

duced in Section 3.4, information sharing would generate an additive “virtual investment” effect on the actual technology investment in information system security. Given equation (1) and the definition of φ(i) for information sharing level i, we have for a given countermeao γo sure o ∈ O that o = xo + xo γo φ(i) = xo + 1+exh(i−z) . Since the technology investment level is

differentiated between countermeasure categories, we note that the aggregated technology investment factor γo is defined separately for each countermeasure. The effectiveness of technology countermeasures is one of the most important terms within the framework of the technology investment problem. As a function of the technology investment level xo , this term is subject to reformulation with the adjusted technology

16

investment level o . By replacing variable xo with o , the effectiveness of countermeasure protection under information sharing is expressed as eo (o ) = βo − βo e−αo o . The joint effectiveness of two countermeasure categories can then be rewritten as: eoo0 (o , o0 ) = ρoo0 eo (o ) + ρoo0 eo0 (o0 ) − ρ2oo0 eo (o )eo0 (o0 )

(3)

In addition, the endogenous uncertainty structure described in Section 3.5.1 is also dependent upon the adjusted technology investment level. In the ISTI model, it is defined that if original technology investment for a certain countermeasure category falls below a threshold θo , then the exact realization of the life-cycle curve for that countermeasure will not be known in the second phase of planning. However, with the contribution of information sharing, such threshold is reached more easily due to the additive virtual investments, reflecting the fact that the firm learns about countermeasure maturity though shared knowledge and experience by other firms. To capture this, a set of constraints are defined as follows to determine whether the equivalent investment level reaches the threshold θo : o ≤ θo + Mσo

;

o ≥ θo + M(σo − 1)

(4)

where M is an arbitrarily large number and σo is a binary variable indicating whether the adjusted investment level exceeds or does not exceed the threshold. 3.5.3.

Modeling the Total Cost of Information System Security Investments under

Information Sharing The total cost of information system security investments consists of

two parts: the loss due to attacks and investment expenditures. The inclusion of information sharing into the problem framework would affect both parts of the overall cost function. Without information sharing, the actual loss due to attacks is defined as the potential total loss discounted by the overall countermeasure effectiveness, which includes any joint p P P P Q effects. Namely, we have this cost term as t∈T s∈S a∈A fat las o,o0 ∈O 1 − eoo0 a (xo , xo0 ), P P P where term t∈T s∈S a∈A fat las represents the summation of potential total losses over

17

all assets s ∈ S caused by all types of attacks a ∈ A over the planning period T . Here, the definition of the effectiveness function eoo0 is appended by the attack index a to show the dependence of this function on the type of attack faced by the countermeasures. The motivation for the multiplicative form is based on the layer based structure described in Figure 3. As an attack is assumed to proceed through these layers, it becomes subject to the effectiveness of the countermeasure in each layer, and in a way, gets filtered before it reaches the next layer. This implies a multiplicative structure for the overall countermeasure effectiveness. Note that when including the joint effectiveness term in the loss p reduction formulation, we also take the square root and use 1 − eoo0 a (xo , xo0 ). There are

two reasons for this algebraic manipulation. First, the joint effectiveness term in equation (2) involves the product of two individual effectiveness measures eo (xo ) and eo0 (xo0 ). Hence, the square root operation brings back the power of this term to be the same as individual effectiveness level eo (xo ). Moreover, the square root allows for individual effectiveness levels p of countermeasures to be expressed as 1 − eooa (xo , xo ), which reduces to the form eoa (xo )

when simplified. Given that there are only two types of countermeasure considered in our p p Q model setup, the product term o,o0 ∈O 1 − eoo0 a (xo , xo0 ) becomes 1 − eod op a (xod , xop ).

However, we keep the representation generic for any potential inclusion of more countermeasure categories. Based on the reformulation of joint effectiveness, the formulation of actual loss would utilize the adjusted investment levels o as opposed to the original technology investment p P P P Q levels xo , such that it becomes t∈T s∈S a∈A fat las o,o0 ∈O 1 − eoo0 a (o , o0 ). With the inclusion of information sharing, eoo0 a (o , o0 ) implies a stronger countermeasure effective-

ness, hence further reducing the actual losses in comparison with the original model without information sharing. On the other hand, the investment expenditure must also include the cost of information sharing κi, indicating an increase in the overall cost of information system security. The complete formulation for the total cost of information system security investments under information sharing can then be expressed as:

18

XXX t∈T s∈S a∈A

4.

fat las

! Y p X 1 − eoo0 a (o , o0 ) + xo + κi

o,o0 ∈O

(5)

o∈O

Optimal Information Sharing under Fixed Technology Investment

Having included information sharing in the modeling of effectiveness and cost structures as discussed in the previous section, in this section we perform some structural analyses for security information sharing. For tractability of our analysis in this section, we apply some reasonable simplifications to the original modeling framework. We develop a comprehensive numerical optimization model later in Section 5. The modifications in this section assume a deterministic situation where a firm wants to participate in information sharing with its technology investment level being fixed beforehand, and where countermeasure categories are aggregated into a single category. In information system security practice, it is not unusual that information sharing is planned and administered after technology investment is made. In many cases, the management of a firm might consider information sharing as a secondary priority, and can make the decision on how much information to share separately from the technology investment decisions. Therefore, the findings in this section can provide insightful guidance to practitioners who may decide on information sharing after already having decided on technology investments. As noted above, we consider a model where technology investment level

P

o∈O

xo = x

is fixed and information sharing level i is treated as the sole decision variable. Given that we consider only one countermeasure category o for this simplified model, the joint p Q effectiveness term o,o0 ∈O 1 − eoo0 a (xo , xo0 ) can be expressed as: p ( 1 − eooa (xo , xo ))2 = 1 − eooa (xo , xo ) = 1 − 2ρoo eo (o ) + ρ2oo eo (o ).

Based on the fact that ρoo = 1, it follows that: 1 − 2ρoo eo (o ) + ρ2oo eo (o ) = 1 − eo (o ) = 1 − βo + βo e

−αo (x+

γo x ) 1+e−h(i−z)

.

19

For simplicity in notation, we drop the subscript o in the formulation, and express the overall objective function as: min

i∈[0,1]

XXX t∈T a∈A s∈S

−α(x+

fat las (1 − β + βe

γx ) 1+e−h(i−z)

) + x + κi

(6)

We start by a convexity analysis of the cost function (6) through the following: ln

Lemma 1. The cost function (6) is concave in i for i ∈ [0, z − q α2 γ 2 x 2 +1+ αγx 4 2

ln

convex in i for i ∈ [z − Proof.

h

q

α2 γ 2 x 2 +1+ αγx 4 2

h



] and

, 1].

All proofs are included in Appendix B. 

This result allows us to determine the following conclusion on as to when it is beneficial for a firm to share information with other firms. An intuitive thought is that firms can avoid sharing information if the marginal cost of sharing information is very high. To this end, we have the following result: Theorem 1. Leti∗ be the solution to the first order condition of function (6). If i∗ ≥ q ln

z−

κ ¯=

P

α2 γ 2 x 2 +1+ αγx 4 2

a∈A

P

h

s∈S

P

t∈T

, then for a fixed technology investment level x, there exists a threshold ! −α(x+

fat las βe−αx 1−e

γx ) ∗ 1+e−h(i −z)

i∗

, such that if κ ≥ κ ¯ , the firm is better off

by not sharing any information at all. Theorem 1 specifies that sometimes the firm is better off by not participating in information sharing if their information system security situation meets certain conditions. Due to the complexity of cost function (6), the closed form solution for this marginal cost threshold κ ¯ cannot be derived analytically, but has to be obtained numerically according to the parameter setup for the cost function. However, we are able to derive an upper bound for κ ¯ which can be applied as a quick screening condition. This upper bound is given through Corollary 1 as follows: Corollary 1. If marginal information sharing cost κ is such that

20 

κ ≥

P

a∈A

P

s∈S

 −α x+

q  α2 γ 2 x 2 fat las αγxh +1+ αγx e 4 2 2  q 2 2 2 1+ α γ4 x +1+ αγx 2



 γx  r  α2 γ 2 x 2 αγx +1+ 1+ 4 2

, then the firm should not

share any information.

As introduced in Section 3.3, information sharing costs include both direct operational costs and indirect costs due to potential information leakage. We note that while the direct cost of routine information sharing activities tend to be manageable, the indirect costs of potential information leakage could be quite high for a firm, resulting in the marginal cost κ of information sharing exceeding the allowable threshold κ ¯ . Given that situation, a firm should either decrease the expected cost of information leakage by reinforcing its privacy protection methods or by not participating in information sharing to avoid any potential losses. As the last set of analysis in this section, we study how optimal information sharing level reacts to changes in the marginal cost of information sharing. The finding is given through the following proposition: Proposition 1. For κ < κ ¯ , the optimal information sharing level i∗ decreases as marginal information sharing cost κ increases. This result in Proposition 1 implies that the firms are encouraged to share more information if the marginal cost of information sharing is lower, given that such marginal cost is already below the limiting threshold κ ¯ . While confirming the intuition of many practitioners about information sharing, it can be interpreted that when information sharing becomes expensive, the returns that a firm would receive from sharing a high level of information cannot offset the extra costs. This finding could serve as a motivation for firms to collaborate and reinforce better protection mechanisms on information, so that the marginal cost of information sharing can stay within a reasonable range. As an additional analysis, we also make observations related to the relative roles of learning versus saturation effects, which are depicted in Figure 1. These effects are controlled by

21

the sigmoid midpoint z, where a high z value implies slow learning and fast saturation, and vice versa for a low z value. Based on the results of Lemma 1, we note that the objective function (6) can have its minimum at one of the three values of information sharing level i; namely at i = 0, at the local minimum of the convex portion of the function, or at i = 1. While in general different values of z can result in different optimal information levels, it is also possible that such changes do not impact i∗ . If the optimal level of information sharing is at the local minimum of the convex portion of the objective function, then any change in the learning versus saturation effects would directly impact the optimal level of information sharing. In such a case, higher z values, i.e., slower learning, would shift the convex portion, and thus the local minimum, to higher values of i. Thus, slower learning would imply more information sharing, and faster learning would imply less information sharing. On the other hand, in the case that i∗ = 0 or i∗ = 1, it is possible that the optimal level of information sharing remains the same, such that i∗ would be the same no matter what the learning versus saturation effects are. In general, we can conclude that firms can potentially benefit from more information sharing if learning effects due to information sharing is slow. While analytical results in this section provide some high-level managerial insights for information security practice, we note that there exist more complex situations in information system security, specifically when the technology investment level and information sharing level are both treated as decision variables. In those situations, the simplifications made in the analytical analyses in this section will no longer apply. Therefore, we introduce a stochastic optimization model and conduct numerical analyses accordingly. The results from analytical and numerical analyses together are aimed to provide a comprehensive view as how to manage integrated information sharing with technology investment in information security.

22

5.

Two-stage Stochastic Model of Information System Security Investment under Information Sharing

In this section, we formally present the stochastic optimization model formulation for information system security investments under information sharing by including the new information sharing related constraints discussed in Section 3. The complete formulation of the two-stage stochastic model, where the goal is to identify optimal levels of investments xo and information sharing level i, is given as follows: " ! X XXXX Y q kω kω min pω fat last 1 − ekω oo0 at (o , o0 ) + x,e,,b,i∈R ,σ∈{0,1}

ω∈Ω

+

k∈K s∈S a∈A t∈T

XX

xkω o +

k∈K o∈O

kω Subject to kω o = xo (1 +

X

κikω

k∈K

o,o0 ∈O

#

(7)

γ

1 + e−h(ikω −z)

)

(8)

∀k∈K,o∈O,ω∈Ω

kω kω kω kω kω kω 2 kω kω kω kω ekω oo0 at (o , o0 ) = ρoo0 eoat (o ) + ρoo0 eo0 at (o0 ) − ρoo0 eoat (o )eo0 at (o0 ) ∀o,o0 ∈O,a∈A,t∈T ,k∈K,ω∈Ω 1ω

1ω −αo o e1ω oat (o ) = βoat − βoat e

∀o∈O,a∈A,t∈T 1 ,ω∈Ω

2ω

2ω ω ω −αo o e2ω oat (o ) = boat − boat e

∀o∈O,a∈A,t∈T 2 ,ω∈Ω

bωoat = βoat (1 − σo ) + βoatω σo

∀o∈O,a∈A,t∈T 2 ,ω∈Ω

1ω , 1ω o ≤ θo + Mσo o ≥ θo + M(σo − 1) XX X
xkω κ ikω ≤ B ∀ω∈Ω o + k∈K o∈O

(10) (11) (12) (13) (14)

k∈K

1ω x1ω o = xo

i1ω = i1ω

∀o∈O,ω∈Ω

(9)

0

0

0 ≤ ikω ≤ 1

∀ω,ω 0 ∈Ω,o∈O ∀ω,ω 0 ∈Ω,o∈O ∀k∈K,ω∈Ω

(15) (16) (17)

In the formulation above, the subscript ω ∈ Ω indicates the scenarios within the second stage of the stochastic model, where the set of all scenarios is denoted by Ω. The notation pω represents the probability of scenario ω ∈ Ω, where the definition of the scenarios is based on

23

the life-cycle status of the countermeasures in the second stage. All second stage variables and parameters are hence appended with the notation ω to distinguish the scenario they belong to. Related to this distinction, we use the term βoat to refer to the known value of the effectiveness for countermeasure o against attack type a in the first stage, while βoatω is used to refer to the effectiveness value to be realized in the second stage under scenario ω. Note that the realizations βoatω depend on the level of the investments in the first stage, as denoted by the threshold investment levels θo . If the investment is lower than this threshold, no learning or realization will take place, and the presumed value βoat from the first stage will be used for decision making in the second stage. A more detailed discussion of the formulation is presented in Appendix A. The objective of the two-stage stochastic model above is to minimize the expected overall cost of information system security, which includes the expected losses due to attacks, as well as expenditures x on technology investment and information sharing i. Recall that variables  are the original and adjusted technology investment levels as discussed in Section  Q p P P P P kω kω , kω ) is based on 1 − e ( 3.5.2. The loss term k∈K s∈S a∈A t∈T fat las 0 0 oo at o o o,o0 ∈O the discussion in Section 3.5.3, with the summation of losses over the decision stages k ∈ K

and time periods t ∈ T . The time periods in T are divided into two subsets T 1 and T 2 , with T 1 = {1, 2, . . . |T 1 |} belonging to the first decision stage k = 1 and T 2 = {T 1 + 1, T 1 + 2, . . . |T |} belonging to the second decision stage k = 2. In our numerical implementation, the first stage corresponded to a 6-month period, thus involving 6 periods, while the second stage consisted of 18 time periods. The expenditure terms of technology and information sharing investment are also calculated over the decision stages by summing them over k ∈ K. In the two-stage stochastic setting, the second stage total cost is dependent on the scenario realization, and hence the objective is defined as an expectation over the scenario probabilities. Note that all the decision variables, except for the binary variable σ, are defined separately for each stage of the two stage modeling structure.Variables with

24

superscript k = 1 correspond to the first stage variables, while variables with superscript k = 2 are the second stage variables which depend on the scenario ω ∈ Ω. The binary variable σ is a first stage variable, which determines whether sufficient investment (denoted by the level θo ) exists to learn updated information on the highest achievable effectiveness level β for each countermeasure category o ∈ O. This new information is denoted by βoatω . If the investment is less than the threshold defined by θo , then there is no new information, and the decisions in the second period are made based on the original estimates of βoat from the first period. A more detailed discussion of the formulation is included as part of Appendix A, while some relevant background information is described by Zhuo and Solak (2014). As introduced in Section 3.5, constraint (8) defines the “virtual investment” generated by information sharing for each technology countermeasure o ∈ O. Constraint (9) is the joint effectiveness of countermeasures with adjusted technology investment levels, which is defined over all possible countermeasure pairs o, o0 ∈ O. Note that the joint effectiveness of countermeasures is expressed as a function of individual countermeasure effectiveness, which is given by constraints (10) and (11). The variable bωoat in constraint (11) defines the value of maximum attainable effectiveness of countermeasure o ∈ O against attack a ∈ A to be realized at each time period in the second stage. These realizations are defined by the stochastic parameter βoatω and the threshold variable σo in constraint set (12). Constraints (13) define the threshold structure for life-cycle curve realizations. Constraint (14) is the budget constraint, which limits the total expenditure on technology investment and information sharing for each scenario ω ∈ Ω. Constraints (15) and (16) are the nonanticipativity constraints for the two-stage stochastic model. Similar to the definition of constraint (15), constraint (16) fixes the information sharing level to be the same value in every scenario in the first stage, and allows the optimal information sharing level to vary in the second stage as technology investment levels change according to different life-cycle development realizations. Finally, constraints (17) describe the range of the information sharing measure to be between 0 and 1.

25

5.1.

Solution Methodology

The information system security investment model under information sharing as introduced above is a non-convex nonlinear optimization problem as the cost function contains complex products of multiple decision variables with some non-linear constraints. In this section, we improve the computational tractability by reformulating the model through a series of steps that involve piecewise linearization including bilinear terms. First, we note that the non-linear terms in (7), (9), (10), and (11) can be approximated using piece-wise linearization similar to the discussion by Zhuo and Solak (2014). kω kω kω kω kω kω kω kω To start, we define new variables Eoo 0 at (o , o0 ) and Ioo0 at (o ) such that Eoo0 at (o , o0 ) =
kω kω kω kω kω kω ln 1 − ekω oo0 at (o , o0 ) and Ioo0 at (o ) = ln(1 − ρoo0 eoat (o )). Constraint (9) can then be

expressed in a simple linear form as:

kω kω kω kω kω kω kω Eoo 0 at (o , o0 ) = Ioo0 at (o ) + Io0 oat (o0 )

∀o,o0 ∈O,a∈A,t∈T ,k∈K,ω∈Ω

(18)

kω kω The new variable Ioo 0 at (o ) can be approximated in a piecewise linear fashion by a series kω kω of M constraints. Specifically, constraint (10) can be viewed as a special case of Ioo 0 at (o )

where k = 1 as: 1ω 1ω 1ω 1ω 1ω Ioo 0 at,m (o ) ≥ uoo0 at,m o + voo0 at,m

∀o,o0 ∈O,a∈A,t∈T 1 ,ω∈Ω,m=1,...,M

(19)

Following the same approach, constraint (11) can be replaced by the design of two sets of kω kω switching constraints using the binary variable σo and piecewise approximation of Ioo 0 at (o )

for k = 2: 2ω 2ω 2ω 2ω 2ω Ioo 0 at,m (o ) ≥ uoo0 at,m o + voo0 at,m − Mσo

∀o,o0 ∈O,a∈A,t∈T 2 ,ω∈Ω,m=1,...,M

2ω 2ω 2ω 2ω 2ω Ioo 0 at,m (o ) ≥ uoo0 at,m o + voo0 at,m − M(1 − σo )

∀o,o0 ∈O,a∈A,t∈T 2 ,ω∈Ω,m=1,...,M

kω kω kω The product term in the objective function is reformulated using Eoo 0 at (o , o0 ) as:

√ Y q Q ln o,o0 ∈O 1−ekω (kω ,kω ) kω kω kω oo0 at o o0 1 − eoo0 at (o , o0 ) = e

o,o0 ∈O

(20) (21)

26 1

= e2 1

with the term e 2

P

o,o0 ∈O

P

o,o0 ∈O

ln(1−ekω (kω ,kω ) oo0 at o o0 )

kω (kω ,xkω ) Eoo 0 at o o0

Yatkω ≥ hkω at,m

X

1

= e2

P

o,o0 ∈O

kω (xkω ,xkω ) Eoo 0 at o o0

(22)

approximated by a set of linear constraints as follows:

kω kω kω kω Eoo 0 at (o , o0 ) + gat,m

o,o0 ∈O

∀a∈A,t∈T ,k∈K,ω∈Ω,m=1,...,M

(23)

As the next step, we transform the non-linear term in constraint (8) as product of xkω o and 1 +

1 kω 1+e−h(i −z)

kω to a bilinear term Xokω P kω , with new variables Xokω = xkω o and P

1 defined as P kω = 1 + 1+e−h(i kω −z) . The following set of constraints is then added to the model 1 to approximate P kω = 1 + 1+e−h(i kω −z) as linear terms:

Plkω = τlkω ikω + υlkω

∀k∈K,o∈O,ω∈Ω,l=1,...,L

(24)

For the linear approximation of the bilinear term Xokω P kω , we utilize a two dimensional grid where the axes correspond to the values of Xokω and P kω . Let the upper and lower bounds of Xokω and P kω be Xokω , Xokω , P kω , and P kω , respectively. We discretize Xokω and P kω into S and T intervals respectively to form the grid. Furthermore, we introduce auxiliary kω , m = 1, . . . , S, n = 1, . . . , T and two specially ordered set of type 2 (SOS2) variables πo,m,n kω kω correspond to an approximation of the variables µkω o,m and νo,n . Letting the variable XPo kω value of xkω , we can approximate the bilinear term Xokω P kω through the following set o P

of constraints: X

kω πo,m,n =1

m,n

P

kω

=

X

(P

m,n

kω

(25)

∀k∈K,o∈O,ω∈Ω

+



P kω

−P

kω

 m−1 S

kω )πo,m,n

∀k∈K,o∈O,ω∈Ω

  n−1 kω (Xokω + Xokω − Xokω )πo,m,n ∀k∈K,o∈O,ω∈Ω T m,n   m−1   n−1 X kω XPokω = (P kω + P kω − P kω )(Xokω + Xokω − Xokω )πo,m,n S T m,n Xokω =

X

∀k∈K,o∈O,ω∈Ω

(26) (27)

(28)

27

µkω o,m =

X

kω πo,m,n

n

kω = νo,n

X

(29)

∀m,k∈K,o∈O,ω∈Ω

kω πo,m,n

(30)

∀n,k∈K,o∈O,ω∈Ω

m

kω µkω o,m , νo,n ∈ SOS2

(31)

∀m,n,k∈K,o∈O,ω∈Ω

kω πo,m,n ≥0

(32)

∀m,n,k∈K,o∈O,ω∈Ω

We refer to the set of constraints (25) - (32) as X P kω o . After transforming the objective function (7), constraints (8), (9), (10), and (11) as described above, we can express the overall convex reformulation of the information system security investment under information sharing model as follows: min

X

x,i,E,I,Y∈R+ ,σ∈{0,1} ω∈Ω

pω

"

XXXX

fat las Yatkω +

k∈K s∈S a∈A t∈T

XX k∈K o∈O

xkω o +

X

κi ikω

k∈K

#

(33)

s.t. (12) − (17), (18) − (24) kω kω kω P kω , Xokω , XPokω , µkω o,m , νo,n , πo,m,n ∈ X P o

∀m,n,k∈K,o∈O,ω∈Ω

(34)

The above formulation is a linear stochastic integer programming model, and can be solved directly to obtain the optimal information sharing and technology investment levels for both stages, where the first stage solutions are of interest to a decision maker. We note that while it is not possible to define theoretical bounds on the quality of the linear approximations used in the model, detailed numerical analyses were conducted to estimate the error rates within the practical ranges of variable values. These analyses indicate that the average error for each linear approximation remains below 1%, when 10 or more linear pieces are utilized as part of the approximation procedures. In Appendix C we display the details of the experiments performed and the observed approximation error values.

6.

Numerical Analysis and Policy Results

In this section, we perform numerical analyses to identify some policy results for information sharing in information security. More specifically, we numerically study the two-stage

28 Figure 4

Demonstration of different realizations of βoatω in the second period, after initial investment and learning in the first period.

Effectiveness

Large forward shift Small forward shift No shift Small backward shift Large backward shift

First stage

Second stage boa( t ) estimation revealed Time (Years)

stochastic model described in Section 5, where the technology investment levels xo and information sharing level i are simultaneously considered as decision variables. Managerial insights are provided by analyzing the problem with real data. In the remainder of this section, we first introduce the data that we utilize for our findings, and then present a set of policy analyses. We specifically focus on optimal information sharing levels and value of information sharing under different operating environments. 6.1.

Description of Data

As part of the data gathering process, surveys were performed at a partner organization, where the proposed framework was observed from a practical perspective. These surveys included questions aimed at identifying the distinct categorizations of information system assets, attacks, and countermeasures. In addition to the survey data, we also utilized data obtained from the literature for our analyses. The parameter values obtained through these means are listed in Table 1. As part of the uncertainty structure, five possible realizations were considered for βoatω values over time t for each combination of countermeasure o ∈ O and attack a ∈ A. The realizations, which are depicted in Figure 4, define the potential deviations in assumed life-cycle curves after learning takes place at the end of the first stage. Based on the input gathered through industry surveys, we assume that the probability distribution for the five realizations follow a discretized, truncated normal distribution, for which the parameter values were also estimated according to the survey results. The

29 Table 1

Description of data used to represent parameters of the decision framework

Notation maxt {β11t }

Value Used 0.5091a

maxt {β12t }

0.5788

maxt {β21t }

0.7646

maxt {β22t }

0.5277

l11 + l12

$205

l21 + l22

$236

α1

2.0098 × 10−10

α2

3.1230 × 10−10

θ1

5.526 × 10−2 P T Lb

θ2

6.404 × 10−2 P T L

Description Maximum effectiveness of detective countermeasures on basic attacks Maximum effectiveness of detective countermeasures on advanced attacks Maximum effectiveness of preventive countermeasures on basic attacks Maximum effectiveness of preventive countermeasures on advanced attacks Expected loss in both asset categories caused by a basic attack Expected loss in both asset categories caused by an advanced attack Cost effectiveness parameter for achieving maximum protection for preventive countermeasures Cost effectiveness parameter for achieving maximum protection for detective countermeasures Investment threshold for observing life cycle curve trend for preventive countermeasures Investment threshold for observing life cycle curve trend for detective countermeasures

Data Source Survey data Survey data Survey data Survey data Ponemon (2016) Ponemon (2016) Survey data Survey data Survey data Survey data

a

βoat values vary over time, and only the maximum value is shown in the table.

b

All monetary values are defined as a multiple of potential total loss, which is denoted by P T L in this table.

probability values for the five possible realizations are provided in Appendix A. Given that the sets O and A each contain two elements in our model setup, this resulted in a total of 54 = 625 scenarios for the implementation. Note that the top four entries in Table 1 correspond to the maximum effectiveness levels estimated in the first stage, i.e., before any learning takes place. We also note that while our input structure is based on real life data collected through surveys, we have also tested some deviations from this structure, and observed the sensitivity of the model results to such relatively minor deviations. These observations were in line with our overall findings and conclusions in this section. Other parameters related to information sharing are the marginal cost of information sharing, κd , indirect unit cost κl , parameters h and z in return function φ(i), and γ, the aggregate investment level on information system security by other firms. The direct cost information obtained through our surveys include billable work hours of associated

30 Table 2

Summary of the parameter values related to information sharing costs, where each value implies a multiple of potential total loss Notation Value Description and details Data source κd 0.095 Direct marginal cost of information sharing 0.053 Expenses on billable work hours of related personnel Survey data 0.015 Expenses on holding business meetings 0.027 Membership fees of information sharing organization κl 0.175 Indirect marginal cost of information sharing 0.75 Estimated cost of cyber attack due to information leakage Ponemon (2016) 0.24 Probability of cyber attack due to information leakage

personnel, cost of holding business meetings with partner firm representatives and the membership fees of joining information sharing associations. For the indirect costs due to information leakage, we adopt the published data by Ponemon (2016) and estimate the expected cost of an advanced cyber attack due to information leakage. A summary of these parameter values is listed in Table 2. For parameters of return function φ(i), we take the sigmoid mid-point value z to be 0.5 by assuming the learning effects and saturation effects in information sharing as being equally strong.q The steepness parameter h is set to ln

be h = 13.81, such that the point of inflection z −

α2 γ 2 x 2 +1+ αγx 4 2

h

is always between 0

and 1 under different technology investment levels within the budget. As the aggregated investment level of other firms varies according to different information security technology investment environment levels, we set the initial value of γ to be 1, and then conduct a sensitivity analysis around this value to study its impact on information sharing levels. The first problem we study through numerical analysis is the optimal information sharing level in information system security. While in Section 4 we describe some structural properties about optimal information sharing level from a static sense, in this section we are able to obtain the optimal information sharing level numerically based on the stochastic model, and observe how it varies as other parameters in information system security change. 6.2.

Optimal Level of Information Sharing under Different Budget Sizes

We first study how the budget level affects information sharing in information system security. To further discuss the findings, here we introduce the concept of most effective

31

budget (MEB) under the information sharing context. As one of the results by Zhuo and Solak (2014), the overall expected total costs decrease in a convex manner as investment level increases, but converges to an asymptotical level, which we refer to as the MEB, after a certain point. Such a leveling point also exists when information sharing is considered, where this leveling point in expected total costs corresponds to a budget size covering both technology investment and information sharing costs. This MEB value typically depends on the potential total losses without protection, marginal ratio αo of investment effectiveness of technology countermeasures, and information sharing cost κ. Ideally, a firm would set the budget size equivalent to MEB so that the maximum extend of protection is achieved without potential waste of funds. However, MEB may not always be achievable in practice, especially by small to medium sized firms which may have limited information system security budgets. In that case, technology investment and information sharing would compete for the available budget, and how much information to share becomes a key strategic problem. We perform numerical analyses over the budget size from 0 to the level of MEB to observe how the optimal information sharing level varies according to different budget sizes. The results are shown in Figure 5. As can be observed in Figure 5, the optimal information sharing level i∗ increases with the budget size in a non-linear manner. When the budget size is less than one third of MEB, the optimal information sharing level i∗ stays below 0.6, and increases rapidly as the budget grows from 30% to 40% of MEB. When the budget size is higher than one half of MEB, the information sharing level remains at a relatively high level. This indicates that firms with budgets above half of MEB should share about 25% more information. The fact that optimal information sharing level i∗ is never zero indicates that under the given assumptions the firms would always benefit from information sharing when the marginal cost of information sharing κ is below the threshold κ ¯ , even at lower budget

Optimal information sharing level (𝒊∗ )

32

0.75

0.7

0.65

0.6

0.55 0

0.2

0.4

0.6

0.8

1

Budget measured as percentage of most effective budget (MEB)

Figure 5

Optimal information sharing level under different budget sizes

levels. Generally, firms with larger security budgets, which typically corresponds to larger companies, should share more information to take advantage of the virtual investment effect. For smaller to medium size companies, for which the optimal information sharing level is lower, increasing the information system security budget to levels near MEB would benefit the firm in two ways. More specifically, returns from technology investments will increase, and also the company will be able to do more information sharing, resulting in further improvements in returns. 6.3.

Optimal Level of Information Sharing under Different Expected Cost of Perfect Protection

In this section, we study the relationship between the optimal information sharing level i∗ and overall ECOPP values, as introduced in Section 3.5.1, by running sensitivity analysis over a set of different ECOPPo values and solving the problem for optimal information sharing levels i∗ . As part of this analysis, the budget size for information system security is assumed to be equal to MEB in order to eliminate the influence of the budget constraint. The results are illustrated in Figure 6, where the overall ECOPP values are measured as a multiple of the potential total losses of a firm. As can be observed in Figure 6, the information sharing level first increases as ECOPP

Optimal information sharing level

33 0.75 0.74 0.73 0.72 0.71 0.7 0

0.5

1

1.5

2

2.5

3

Expected cost for perfect protection (ECOPP) as a multiple of potential total loss

Figure 6

Optimal information sharing level under different ECOPP values

increases, but slightly decreases from a maximum point when ECOPP is measured as 1.5 times of potential total losses. Since ECOPP is a measure reflecting the affordability of technology countermeasures for a firm, the drop in information sharing level can potentially be explained by the ineffectiveness of general information security investments due to higher costs. However, for firms that have a limited budget but are more prone to information system security attacks, the ECOPP value is likely to fall into the range between 1-1.5 times of potential total losses. Such businesses should place more emphasis in information sharing, with potential optimal information sharing levels being about 5% higher than those firms with ECOPP values less than their potential total losses. 6.4.

Value of Information Sharing

To further study the economic incentives of information sharing in information system security investments, in this section we present two sets of analysis on the value of information sharing. The value of information sharing is calculated as the percentage difference between the expected total cost of information security investments with information sharing and the costs without information sharing. We first show the value of information sharing under different budget sizes measured as multiples of MEB, and then compare the value of information sharing for firms with different ECOPP values. It is also worthwhile noting that the information sharing alliances often consist of companies with different

Value of information sharing as percentage of total cost

34

20%

15%

10%

5%

0% 0.0

0.2

0.4

0.6

0.8

1.0

Budget measured as percentage of most efficient budget (MEB)

Figure 7

Value of information sharing under different budget sizes

technology investment levels, resulting a variety of information sharing environments for different firms. To address this operational factor, in the latter part of the analysis we compare the value of information sharing for firms under different information sharing environments, which is defined by the aggregated technology investment level of the firms that mutually share information. 6.4.1.

Value of Information Sharing under Different Budget Sizes The change in the

value of information sharing as a function of budget size is shown in Figure 7. As shown in the figure, the value of information sharing is always increasing as the budget size gets closer to MEB. Similar to the findings discussed for the optimal information sharing level, the best value for information sharing is attained at higher levels of information security investments. Therefore, firms of large sizes or with relatively higher security budgets should be more motivated in participating in information sharing. In addition, the value of information sharing concavely increases as a function of budget size, which is different from the S-shaped curve observed for the optimal information sharing level in Figure 5. This result serves as another motivation for firms to further push for higher levels of information security budgets, as return rates increase as a function of the budget size. This is in contrast with the case in Figure 5, where there is not a significant need to increase the information sharing level as long as the budget size is smaller than MEB.

35

6.4.2.

Value of Information Sharing under Different ECOPP and Investment Envi-

ronments As a final analysis, we study the impact of ECOPP on the value of information

sharing for different firms. Since ECOPP reflects the affordability of information security technology, an increase in ECOPP would indicate a more challenging information security environment. Figure 8 shows the value of information sharing under different ECOPP values. Comparing with the increasing information sharing level i∗ as a function of ECOPP in Section 6.3, Figure 8 shows that the value of information sharing decreases as the information security technology becomes more expensive, which can be seen as a reflection of the declining cost-effectiveness of overall information system security investments in tougher investment environments. Moreover, as discussed earlier in Section 3.4, technology investments by other firms in an information sharing alliance can play an important role on the value of information sharing, as represented through the value of the parameter γ. To further study this impact, we compare the value of information sharing as a function of ECOPP for different levels of aggregated technology investment factor γ. This comparison is presented in Figure 8 by showing the trend in value of information sharing as a function of ECOPP for different settings of γ values. As shown in Figure 8, while the value of information sharing as a function of ECOPP follows a decreasing trend, it is obvious that aggregated technology investment factor γ of the other firms is positively correlated with the value of information sharing, under same ECOPP levels. This result is in line with the intuition that when the partner firms allocate more resources to information security technology investments, the experience and knowledge they gather would be more informative. Consequently, information shared by such firms is of more value to the other firms who learn through their shared information. On the other hand, if all the other partner firms have lower information security technology investments, the value of information sharing for the decision-making firm will be negatively impacted.

36

Value of information sharing as percentage of total loss

0.4 𝛾=1

0.35

𝛾 = 0.8

0.3

𝛾 = 0.6

0.25

𝛾 = 0.4

0.2 0.15 0.1 0.05 0 0

0.5

1

1.5

2

2.5

3

Expected cost for perfect protection (ECOPP) as a multiple of potential total loss

Figure 8

Value of information sharing under different ECOPP and investment environments

As a managerial insight for forming alliances for information sharing, the findings of this analysis suggest that firms would benefit from building alliances with other firms that have similar information security technology investment levels. In this way, all the firms would achieve a relatively high value out of information sharing in a fair manner without any concerns for free-riding effects. Meanwhile, small to medium size firms might be motivated to cooperate with larger-sized firms to take advantage of their information security technology investments.

7.

Conclusion

With the need for joint efforts on information system security by all types of firms under an increasingly challenging cyber environment, information sharing has been encouraged by both the U.S. legislation and business practice. Therefore, how much information to share and the value of information sharing have become key practical questions for information security practitioners. To answer these questions, in this study, we design a framework which includes technology investments and information sharing as two intertwining components of information system security. The framework also includes quantification metrics to measure information sharing levels and corresponding returns. The dynamics of information system security investments are captured through a two-stage stochastic programming

37

structure. We take into consideration different operational situations and perform policy analyses involving structural and numerical results. More specifically, we first study a simplified analytical model where technology investment level is fixed in advance of the firm participating in information sharing. We find that there exists a threshold in marginal cost of information sharing such that a firm is better off by not sharing any information if the marginal cost exceeds this threshold. Next, we study the optimization problem of minimizing total information security costs where information sharing and technology investment decisions are made simultaneously. For the optimal level of information sharing, we show that the optimal information sharing level increases slowly with the budget size for firms with very low or very high budgets, but at a faster rate for budget sizes around one half of the most effective budget. As a result, large firms with sufficient information security budgets should typically share 25% more information when compared with small to medium sized firms with budgets less than half of MEB. We also find that the optimal information sharing level is concavely increasing with the expected cost of perfect protection of a firm, indicating that firms prone to cyber attacks are encouraged to participate more in information sharing. Furthermore, we examine the value of information sharing under different operational conditions including budget sizes, expected costs of perfect protection, and aggregate levels of technology investments by other firms. The results show that the value of information sharing is increasing with the budget size, and decreasing with expected cost of perfect protection. Moreover, the value of information sharing is highest when all firms in an information alliance have similar levels of technology investment. As one of the few studies on information sharing of information system security, our work adds to the literature by providing a framework of information system security investment problems that captures both aspects of technology investment and information sharing. While in this study we assume a fair information sharing environment under the management of a centralized coordinator, the framework can also be extended to accommodate more complex situations where asymmetric information sharing is unavoidable.

38

References Berg, N., Chen, C. and Kantarcioglu, M. [2013], ‘Experiments in information sharing’, arXiv preprint: 1305.5176. Chen, F. [2003], ‘Information sharing and supply chain coordination’, Handbooks in Operations Research and Management Science 11(2), 341–421. Chen, J.-L. [2012], ‘The synergistic effects of it-enabled resources on organizational capabilities and firm performance’, Information & Management 49(1), 142–150. Clarke, R. [1983], ‘Collusion and the incentives for information sharing’, The Bell Journal of Economics 14(2), 383–394. Edmans, A., Heinle, M. and Huang, C. [2013], The real costs of disclosure, Technical report, National Bureau of Economic Research, Cambridge, MA. Elliott, R. and Jacobson, P. [1994], ‘Costs and benefits of business information disclosure’, Accounting Horizons 8(4), 80. Gal-Or, E. [1985], ‘Information sharing in oligopoly’, Econometrica: Journal of the Econometric Society 53(2), 329–343. Gal-Or, E. and Ghose, A. [2005], ‘The economic incentives for sharing security information’, Information Systems Research 16(2), 186–208. Gao, X. and Zhong, W. [2016], ‘A differential game approach to security investment and information sharing in a competitive environment’, IIE Transactions 48(6), 511–526. Gao, X., Zhong, W. and Mei, S. [2014], ‘A game-theoretic analysis of information sharing and security investment for complementary firms’, Journal of the Operational Research Society 65(11), 1682–1691. Gavirneni, S., Kapuscinski, R. and Tayur, S. [1999], ‘Value of information in capacitated supply chains’, Management Science 45(1), 16–24. Gordon, L. and Loeb, M. [2002], ‘The economics of information security investment’, ACM Transactions on Information and System Security 5(4), 438–457. Gordon, L., Loeb, M. and Lucyshyn, W. [2003], ‘Sharing information on computer systems security: An economic analysis’, Journal of Accounting and Public Policy 22(6), 461–485. Hausken, K. [2007], ‘Information sharing among firms and cyber attacks’, Journal of Accounting and Public Policy 26(6), 639–688. Lee, H., Padmanabhan, V. and Whang, S. [1997], ‘Information distortion in a supply chain: The bullwhip effect’, Management Science 43(4), 546–558. Lee, H., So, K. and Tang, C. [2000], ‘The value of information sharing in a two-level supply chain’, Management Science 46(5), 626–643. Li, L. [1985], ‘Cournot oligopoly with information sharing’, The RAND Journal of Economics 16(4), 521–536. Li, L. [2002], ‘Information sharing in a supply chain with horizontal competition’, Management Science 48(9), 1196–1212. Ponemon, L. [2016], 2016 ponemon cost of data breach study, Technical report, Ponemon Institute, Traverse City, MI. Shang, W., Ha, A. and Tong, S. [2015], ‘Information sharing in a supply chain with a common retailer’, Management Science 62(1), 245–263.

39 Shapiro, C. [1986], ‘Exchange of cost information in oligopoly’, The review of economic studies 53(3), 433– 446. Verizon [2015], 2015 data breach investigations report, Technical report, Verizon RISK Lab, New York, NY. Weiss, N. [2015], ‘Legislation to facilitate cybersecurity information sharing: Economic analysis’, Congressional Research service . Yu, Z., Yan, H. and Edwin, T. [2001], ‘Benefits of information sharing with supply chain partnerships’, Industrial Management & Data Systems 101(3), 114–121. Zhuo, Y. and Solak, S. [2014], Measuring and optimizing cybersecurity investments: A quantitative portfolio approach, in ‘Proceedings of the IISE Annual Conference’, p. 1620.

40

Appendix A. Nomenclature, ISTI Formulation and Two-stage Stochastic Model Structure A.1 Nomenclature Table

i: The desired information sharing level agreed within the member-based information sharing alliance κl : The unit indirect cost of information sharing κd : The unit direct cost of information sharing κ: The general unit cost of information sharing φ(i): Return function to define the returns from sharing information at level i for a firm h: Parameter of function φ(i) that controls the steepness of the curve z: The sigmoid midpoint of function φ(i) indicating the relative lengths of the learning and saturation periods on the curve γ: Scaling factor representing the aggregate investment level by the other firms O: The set of technology countermeasures od , op ∈ O: Elements of technology countermeasures set O, where od is detective countermeasure and op is preventive countermeasures A: The set of security attacks eo (xo ): Effectiveness of countermeasure o at investment level xo xo : Technology investment level on countermeasure o αo : Cost rate constant that defines the difficulty of achieving the maximum effectiveness of the countermeasure o βo : Highest achievable effectiveness of countermeasure o eoo0 (xo , xo0 ): Joint effectiveness of o and o0 at their technology investment levels xo and xo0 , which includes their individual effectiveness and the synergy effect

41

ρoo0 : Synergy factor describing the dependence between the two countermeasure types of o and o0 o : The cumulative investment in countermeasure o, including the actual technology investment and the “virtual” investment effect generated by information sharing θo : A threshold value for investment in countermeasure o such that the exact realization of countermeasure o’s life-cycle curve will be realized only if technology investment in o exceeds this threshold M : An arbitrarily large number that will surpass any possible adjusted technology investment level o σo : Binary variable indicating whether the adjusted investment o exceeds information revealing threshold θo T : Set of all time periods, including the first and second decision stages fat : Frequency of attack a during time period t T 1 ⊂ T : Set of time periods in the first decision stage, subset of T T 2 ⊂ T : Set of time periods in the second decision stage, subset of T t ∈ T : Time period, elements of set T K: Set of decision stages where K = {1, 2} Ω: Set of scenarios in the two-stage stochastic model ω ∈ Ω: Scenarios in the two-stage stochastic model, elements of set Ω A.2 Complete Formulation for the Information Security Technology Investment (ISTI) Model

min

x,e,b∈R+ ,σ∈{0,1}

X

ω∈Ω

pω

"

XXXX

fat last

! # Y q XX kω kω 1 − ekω xkω o oo0 at (xo , xo0 ) +

o,o0 ∈O

k∈K s∈S a∈A t∈T

k∈K o∈O

(A.1) s.t.

2 kω kω kω kω kω kω kω kω kω kω ekω oo0 at (xo , xo0 ) = ρoo0 eoat (xo ) + ρoo0 eo0 at (xo0 ) − ρoo0 eoat (xo )eo0 at (xo0 ) ∀o,o0 ∈O,a∈A,t∈T ,k∈K,ω∈Ω 1ω

1ω −αo xo e1ω oat (xo ) = βoat − βoat e

∀o∈O,a∈A,t∈T 1 ,ω∈Ω

(A.2) (A.3)

42 2ω

ω ω −αo xo eωoat (x2ω o ) = boat − boat e

bωoat = βoat (1 − σo ) + βoatω σo kω k ekω oat (xo ) > eoa

;

x1ω ; o ≤ θo + Mσo XX xkω o ≤B k∈K o∈O

1ω x1ω o = xo

0

k xkω o > xo

∀o∈O,a∈A,t∈T 2 ,ω∈Ω ∀o∈O,a∈A,t∈T 2 ,ω∈Ω ∀o∈O,a∈A,t∈T ,k∈K,ω∈Ω

x1ω o ≥ θo + M(σo − 1)

∀o∈O,ω∈Ω

∀ω∈Ω

∀ω,ω 0 ∈Ω,o∈O

(A.4) (A.5) (A.6) (A.7) (A.8) (A.9)

A.3 Two-stage stochastic model structure

In this part we discuss the two-stage stochastic model structure and life-cycle curves of countermeasure effectiveness adapted from Zhuo and Solak [2014]. The uncertainty within the modeling structure is considered to lie in the countermeasure life-cycle realizations. Given that attack patterns might evolve over time, a time dimension is introduced into the attack frequency as fa (t) which allows for non-homogeneity in attack frequencies over time. In response, countermeasures are also designed to be updated frequently in order to adapt to the evolution of the attacks, resulting in a life cycle based variation in a countermeasure’s maximum attainable effectiveness βoa over time as βoat 1 . However, the exact nature of this countermeasure effectiveness life cycle curve is not known to a firm, which can only be estimated probabilistically for use as part of the information security investment planning process. Specifically, the exact status of a countermeasure as which part of the life-cycle curve is being experienced at the time of implementation is not known due to the uncertainties associated with technological performance. As a product is put to use and its performance over time is observed, the firm will gain knowledge about this information. The firm can then readjust budget allocations over different countermeasure types. 1

Note that the life-cycle curve is defined for a countermeasure-attack relationship, rather than the countermeasure itself, as two countermeasure types are not necessarily equally sensitive to different attacks

43 Table 3

Probability distribution of five possible levels of shift in assumed countermeasure performance after the initial investment period. Shift Probability

6 month backward shift

3 month backward shift

no shift

3 month forward shift

6 month forward shift

0.035

0.239

0.452

0.239

0.035

The above effects can be captured through a two-stage process, where the firm makes an initial investment over a set of countermeasure categories, and then can readjust these investments based on endogenous information about the performance of the measures invested in. This process is depicted in Figure 4 in the manuscript. As depicted in the figure, the decision maker assumes that the countermeasure effectiveness curve follows the segments of an “expected” effectiveness function in the first stage. The five possible realizations at the second stage can be either a large forward shift, a small forward shift, a no shift case, a small backward shift, or a large backward shift. In this two-stage stochastic setup, the four countermeasure-attack pairs 2 can each follow a distinctive life-cycle curve. A scenario is then defined as one combination of four lifecycle curve realizations, with each of them being either a large forward shift, a small forward shift, a no shift case,a small backward shift, or a large backward shift. Consider the life-cycle curves behave independent of each other, there ends up being 54 scenarios in the model. The probability distribution of the potential life-cycle realizations used in the analysis for characterization of such uncertainty is shown in Table 3. To fit the two-stage stochastic structure, the time horizon is broken into two subsets: T 1 and T 2 . The second stage decisions occur at the end of the last time period in T 1 . The set of scenarios in the second stage is denoted by ω ∈ Ω. All second stage variables in the problem are indexed by the scenario notation ω as they correspond to decisions that will be implemented after the realization of the scenario outcome. For example, technology 2

These pairs are: detective countermeasure – basic attack, detective countermeasure – advanced attack, preventive countermeasure – basic attack, and preventive countermeasure – advanced attack.

44

investment on countermeasure o of the first stage reads as x1o and for the second stage as x2ω o The uncertain parameter βoat is also appended with a scenario index to read as βoatω . The model captures the learning effects on technology investments by setting a first-stage investment threshold θo for countermeasure o. If the initial investment in a countermeasure category is less than the threshold θo , the true life-cycle curve realization will not be revealed. The firm will then has to make second stage investment based on the life cycle structure initially assumed. This implies a setting with endogenous uncertainty.

45

B. Proofs of Analytical Results Proof of Lemma 1

To begin, the second order derivative of objective (6) as a function of i can be written as: XXX

−α(x+

fat las αβγh2 xe−h(i−z) e

γx ) 1+e−h(i−z)

a∈A s∈S t∈T


−e−2h(i−z) + αγxe−h(i−z) + 1

(B.1)

after collecting the common term. Because the parameters fas , las , α, β, γ, h, x are all posiγx P P P −α(x+ ) 1+e−h(i−z) tive, the term a∈A s∈S t∈T fat las αβγh2 xe−h(i−z) e is positive as well. Denoting y = e−h(i−z) , the second term −e−2h(i−z) + αγxe−h(i−z) + 1 from the second order

derivative above can be treated as a quadratic function of e−h(i−z) as G(y) = −y 2 +αγxy +1. Note that y = e−h(i−z) is a monotonically decreasing function when i ∈ [0, 1], with lower bound y|i=1 = e−h(1−z) being a value that is very close to 0, and upper bound y|i=0 = ehz is an arbitrarily large value according to the value setting of parameter h and z. By setting the quadratic function equal to zero and solving for the positive root of G(y) = −y 2 + αγxy + 1 = 0, it can be shown easily that function G(y) ≥ 0 when y ∈ q q 2 2 2 α 2 γ 2 x2 αγx −h(1−z) [e , + 1 + 2 ] and G(y) < 0 when y ∈ ( α γ4 x + 1 + αγx , ehz ]. Equivalently, 4 2 the above condition can be written regarding variable i as  q α 2 γ 2 x2 αγx +1+ 2 ln 4 −2h(i−z) −h(i−z) ] −e + αγxe +1< 0, i ∈ [0, z − h q  α 2 γ 2 x2 ln + 1 + αγx 4 2 −e−2h(i−z) + αγxe−h(i−z) + 1 ≥ 0, i ∈ [z − , 1] h ln

second Therefore,  q αγx α2 γ 2 x 2 +1+ 4 2 h

(B.2)

(B.3)

order derivative of the objective function (6) is positive on [z −  q

, 1] and negative on [0, z −

ln

α 2 γ 2 x2 +1+ αγx 4 2

h

]. Therefore, the conclusion

of Lemma 1 follows.  Proof of Theorem 1

We start the proof of Theorem 1 by showing monotonicity of the objective (6) as a function of i. The first order derivative of objective (6) with respect to i is denoted as γx P P P −h(i−z) −α(x+ 1+e−h(i−z) ) e a∈A s∈S t∈T fat las αβγhxe 0 G (i) = − +κ 2 (1 + e−h(i−z) )

(B.4)

46

Following the conclusion of Lemma 1, G0 (i) is decreasing with q   respect to i for i ∈ [0, z − q ln

α2 γ 2 x 2 +1+ αγx 4 2

α 2 γ 2 x2 +1+ αγx 4 2

ln

], and increasing for i ∈ [z − q 

h

ln

reached at i0 = z −

α2 γ 2 x 2 +1+ αγx 4 2

h

h

, 1], with a minimum value

.

Next, we note that h is chosen to be a large enough number such that when i = 0, 1 1+e−h(1−z)

ehz ≈ 0, and when i = 1,

≈ 0. It can be shown by applying L’Hopital’s rule that

G0 (0) ≈ κ > 0 as well as G0 (1) ≈ κ > 0. Hence, the first order condition G0 (i) = 0 has two roots i∗(1) and i∗(2) if and only if the minimum value G0 (i0 ) < 0, and their values satisfy the inequality i∗(1) < i0 < i∗(2) . The signs of G0 (i) can be further determined as: G0 (i) ≥ 0 for i ∈ [0, i∗(1) ] ∪ [i∗(2) , 1] and G0 (i) < 0 for i ∈ [i∗(1) , i∗(2) ]. Based on the monotonicity of the first order derivative G0 (i), and the conclusion in Lemma 1 , the objective function (6) then has two local maxima at i = i∗(1) and i = 1, and two local minima at i = i∗(2) and i = 0. Therefore, the minimum occurs at i = 0 if the objective function G(i) has G(0) > G(i∗(2) ). Hence the conclusion of Theorem 1 follows.  Proof of Corollary 1 0 From the proof q of Theorem  1, the minimum value of the first order derivative is G (i0 ) where α2 γ 2 x 2 +1+ αγx 4 2

ln

i0 = z −

h

. Hence, the first order derivative with respect to i is positive

for i ∈ [0, 1] if G0 (i0 ) > 0, and the objective function would be increasing on i ∈ [0, 1]. The condition of G0 (i0 ) > 0 can be written in explicit form as

−

P

a∈A

P

s∈S

P

ln

t∈T

fat las αβγhxe−h(z− 

P

a∈A

αγx α2 γ 2 x 2 +1+ 2 4 h

ln

1 + e−h(z−

and simplified to

κ≥

r

r

!

−α(x+ −z)

α2 γ 2 x 2 αγx +1+ 2 4

!

h



e



ln 1+e

−h(z−

r

γx αγx α2 γ 2 x 2 +1+ 2 4 h

ln

z−

q

α2 γ 2 x 2 +1+ αγx 4 2

h

−z)

−z) 

γx



)

2 

 r −αx+  −α(x+γx)  αγx α2 γ 2 x 2 +1+ +1   2 4 −e s∈S fat las β e 

P

!

(B.5)

+κ>0

47

as in Corollary 1.  Proof of Proposition 1

From the proof of Theorem 1, the first order derivative of objective function 0

G (i) = − ln

q

P

a∈A

P

α2 γ 2 x 2 +1+ αγx 4 2

h ln

on i ∈ [z −

q

s∈S



P

t∈T

−α(x+

fat las αβγhxe−h(i−z) e

h

Next, conditioned on κ ≤ exist i∗ > z −

+ κ is increasing on i ∈ [z −

, 1]. Denote function T (i) = G0 (i)−κ, then function T (i) is also increasing 

α2 γ 2 x 2 +1+ αγx 4 2

ln

2

(1+e−h(i−z) )

γx ) 1+e−h(i−z)

q

, 1].

P

a∈A

α2 γ 2 x 2 +1+ αγx 4 2

h





P

s∈S

 −α x+

q  α2 γ 2 x 2 fat las αγxh +1+ αγx e 4 2 2  q 2 2 2 1+ α γ4 x +1+ αγx 2



 γx  r  α2 γ 2 x 2 αγx 1+ +1+ 4 2

, there

such that G0 (i∗ ) = 0 and T (i∗ ) = −κ. When κ increase

to a greater qvalue κl but  still satisfies the condition above, there also exist a value of i∗l

ln

> z −q ln

[z −

α2 γ 2 x 2 +1+ αγx 4 2

h  α2 γ 2 x 2 αγx +1+ 4 2 h

such that T (i∗l ) = −κl . As function T (i) is increasing on i ∈

, 1], it can be concluded by the property of the inverse function that

i∗l < i∗ since T (i∗l ) < T (i∗ ). Therefore, the conclusion of Proposition 1 holds. 

48

C. Numerical Analysis on Approximation Errors Table 4

Gap between piecewise linear approximations and original non-linear formulation values for constraint (8)

Number of pieces 5 7 9 11 13 15

10% 0.427% 0.132% 0.028% 0.041% 0.055% 0.042%

20% 0.069% 0.821% 0.210% 0.244% 0.188% 0.006%

30% 4.541% 1.214% 0.977% 0.885% 0.174% 0.493%

Information sharing level i 40% 50% 60% 70% 0.131% 0.087% 0.213% 2.527% 2.083% 0.035% 1.545% 0.517% 2.114% 0.017% 1.447% 0.569% 1.472% 0.009% 0.956% 0.458% 0.724% 0.005% 0.425% 0.126% 0.044% 0.003% 0.043% 0.270%

80% 0.028% 0.418% 0.121% 0.112% 0.099% 0.007%

90% 0.221% 0.071% 0.018% 0.015% 0.026% 0.021%

100% 0.001% 0.001% 0.001% 0.001% 0.001% 0.001%

49 Table 5

Gap between piecewise linear approximations and original non-linear formulation values for constraints (9)-(11)

Technology investment level as % of budget

5 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

Technology investment level as % of budget

10 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

Technology investment level as % of budget

15 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

10% 0.044% 0.444% 1.144% 0.168% 2.435% 3.157% 2.704% 1.493% 0.233% 2.378%

20% 0.013% 0.523% 1.278% 0.005% 2.666% 3.377% 2.911% 1.687% 0.038% 2.754%

30% 0.324% 0.432% 0.324% 1.443% 0.074% 0.977% 0.634% 0.511% 2.203% 1.482%

Information sharing level i 40% 50% 60% 70% 0.005% 0.006% 0.011% 0.048% 0.447% 0.341% 0.258% 0.317% 1.217% 1.095% 0.968% 1.179% 0.036% 0.001% 0.139% 1.090% 2.797% 2.941% 3.039% 3.818% 3.553% 3.734% 3.829% 4.519% 3.062% 3.226% 3.324% 3.966% 1.766% 1.874% 1.973% 2.587% 0.078% 0.044% 0.262% 2.578% 3.129% 3.824% 4.701% 7.164%

80% 0.004% 0.194% 0.826% 0.054% 2.899% 3.690% 3.208% 1.887% 0.081% 4.861%

90% 0.007% 0.199% 0.842% 0.132% 2.961% 3.745% 3.259% 1.936% 0.275% 5.065%

100% 0.004% 0.189% 0.814% 0.043% 2.883% 3.674% 3.194% 1.876% 0.054% 4.860%

10% 0.010% 0.158% 0.017% 0.017% 0.587% 0.484% 1.092% 0.835% 0.012% 1.106%

20% 0.009% 0.154% 0.012% 0.011% 0.583% 0.480% 1.092% 0.833% 0.003% 1.106%

30% 0.003% 0.140% 0.005% 0.010% 0.570% 0.464% 1.090% 0.827% 0.030% 1.109%

Information sharing level i 40% 50% 60% 70% 0.001% 0.006% 0.004% 0.002% 0.124% 0.113% 0.083% 0.067% 0.011% 0.028% 0.030% 0.019% 0.018% 0.036% 0.042% 0.027% 0.576% 0.624% 0.599% 0.566% 0.481% 0.589% 0.615% 0.593% 1.143% 1.296% 1.340% 1.321% 0.865% 0.995% 1.032% 1.015% 0.046% 0.051% 0.074% 0.044% 1.198% 1.477% 1.644% 1.670%

80% 0.002% 0.062% 0.014% 0.019% 0.553% 0.582% 1.310% 1.005% 0.028% 1.670%

90% 0.002% 0.061% 0.013% 0.017% 0.549% 0.578% 1.306% 1.001% 0.023% 1.669%

100% 0.001% 0.061% 0.012% 0.016% 0.548% 0.576% 1.305% 1.000% 0.020% 1.668%

10% 0.001% 0.002% 0.128% 0.010% 0.014% 0.285% 0.355% 0.470% 0.024% 0.598%

20% 0.006% 0.009% 0.141% 0.008% 0.008% 0.306% 0.382% 0.496% 0.004% 0.630%

30% 0.048% 0.111% 0.030% 0.202% 0.233% 0.049% 0.073% 0.204% 0.304% 0.286%

Information sharing level i 40% 50% 60% 70% 0.001% 0.003% 0.002% 0.004% 0.000% 0.007% 0.009% 0.022% 0.125% 0.121% 0.107% 0.124% 0.008% 0.010% 0.023% 0.077% 0.012% 0.011% 0.028% 0.103% 0.305% 0.337% 0.348% 0.410% 0.392% 0.452% 0.491% 0.590% 0.517% 0.587% 0.630% 0.724% 0.023% 0.009% 0.039% 0.174% 0.677% 0.802% 0.900% 1.053%

80% 0.001% 0.005% 0.089% 0.012% 0.014% 0.327% 0.476% 0.617% 0.016% 0.910%

90% 0.001% 0.005% 0.090% 0.015% 0.018% 0.331% 0.482% 0.623% 0.025% 0.920%

100% 0.001% 0.004% 0.087% 0.010% 0.011% 0.325% 0.473% 0.615% 0.012% 0.908%

50 Table 6

Gap between piecewise linear approximations and original non-linear formulation values for objective (7)

Technology investment level as % of budget

5 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

Technology investment level as % of budget

10 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

Technology investment level as % of budget

15 pieces 50% 33% 25% 20% 17% 14% 13% 11% 10% 9%

10% 7.016% 3.883% 1.384% 2.429% 2.189% 3.822% 2.780% 0.852% 1.160% 1.194%

20% 6.719% 3.668% 0.964% 1.908% 2.733% 4.205% 3.167% 1.112% 0.930% 1.694%

30% 8.172% 8.379% 6.756% 7.426% 2.978% 1.020% 0.596% 2.427% 4.309% 2.832%

Information sharing level i 40% 50% 60% 70% 6.148% 5.590% 5.263% 5.018% 4.963% 5.135% 4.901% 4.375% 1.256% 1.719% 2.365% 1.207% 5.081% 5.792% 5.962% 1.808% 4.794% 5.201% 5.788% 9.746% 4.896% 8.579% 8.504% 11.35% 3.539% 4.905% 7.474% 9.236% 1.394% 0.878% 2.629% 5.581% 1.795% 3.060% 2.394% 3.840% 3.358% 5.185% 7.296% 14.22%

80% 5.219% 4.946% 2.807% 6.818% 6.145% 8.035% 6.246% 2.707% 1.969% 8.550%

90% 5.202% 4.909% 2.699% 6.482% 6.462% 8.265% 6.414% 2.802% 1.439% 9.143%

100% 5.218% 4.956% 2.833% 6.872% 6.136% 7.967% 6.165% 2.578% 1.944% 8.663%

10% 2.537% 0.382% 1.496% 0.104% 0.322% 0.649% 1.271% 0.642% 0.259% 0.955%

20% 2.524% 0.540% 1.511% 0.112% 0.347% 0.644% 1.328% 0.650% 0.263% 0.966%

30% 2.436% 1.094% 1.452% 0.714% 0.422% 0.330% 1.581% 0.653% 0.491% 1.023%

Information sharing level i 40% 50% 60% 70% 2.061% 1.474% 1.256% 1.217% 2.011% 2.020% 1.641% 1.502% 0.469% 2.165% 2.617% 2.569% 1.576% 0.302% 1.792% 2.347% 1.378% 0.482% 1.691% 1.873% 0.138% 1.015% 0.531% 0.879% 1.813% 2.529% 3.071% 2.812% 1.216% 1.260% 2.518% 2.315% 0.665% 0.498% 0.667% 0.213% 1.225% 2.335% 2.703% 2.994%

80% 1.209% 1.477% 2.536% 2.499% 1.685% 1.002% 2.803% 2.126% 0.093% 3.130%

90% 1.207% 1.471% 2.531% 2.521% 1.582% 1.056% 2.803% 2.070% 0.096% 3.171%

100% 1.207% 1.470% 2.531% 2.528% 1.554% 1.067% 2.801% 2.054% 0.099% 3.179%

10% 1.214% 0.572% 0.051% 0.300% 0.243% 0.186% 0.446% 0.404% 0.064% 0.473%

20% 1.178% 0.528% 0.025% 0.182% 0.199% 0.216% 0.546% 0.429% 0.040% 0.537%

30% 1.382% 0.954% 0.417% 0.960% 0.907% 0.236% 0.001% 0.031% 0.620% 0.225%

Information sharing level i 40% 50% 60% 70% 0.850% 0.508% 0.440% 0.414% 0.916% 1.187% 0.810% 0.560% 0.265% 0.129% 0.709% 0.611% 0.537% 0.701% 0.324% 0.346% 0.310% 0.438% 0.636% 0.112% 0.475% 0.580% 0.756% 0.960% 0.423% 0.693% 1.050% 1.411% 0.784% 1.124% 1.360% 1.713% 0.288% 0.328% 0.313% 0.058% 0.714% 1.249% 1.851% 2.242%

80% 0.427% 0.611% 0.773% 0.822% 0.503% 0.575% 1.069% 1.396% 0.268% 1.848%

90% 0.426% 0.592% 0.758% 0.830% 0.485% 0.568% 1.099% 1.428% 0.224% 1.869%

100% 0.427% 0.595% 0.769% 0.862% 0.515% 0.538% 1.071% 1.407% 0.251% 1.839%