A differential game approach to security investment and information sharing in a competitive environment

ABSTRACT Information security economics, an emerging and thriving research topic, attempts to address the problems of distorted incentives for stakeholders in an Internet environment, including firms, hackers, the public sector, and other participants, using economic approaches. To alleviate consumer anxiety about the loss of sensitive information, and to further increase consumer demand, firms usually integrate their information security investment strategies to capture market share from competitors and their security information sharing strategies to increase consumer demand across all member firms in industry-based information sharing centers. Using differential game theory, this article investigates dynamic strategies for security investment and information sharing for two competing firms under targeted attacks, in which both firms can influence the value of their information assets through the endogenous determination of pricing rates. We analytically and numerically examine how both security investment rates and information sharing rates are affected by several key parameters in a non-cooperative scenario, including the efficiency of security investment rates, sensitivity parameters for pricing rates, coefficients of consumer demand losses, and the density of targeted attacks. Our results reveal that, confronted with a higher coefficient of consumer demand loss and a higher density of targeted attacks, both firms are reluctant to aggressively defend against hackers and would rather decrease the negative effect of hacker attacks by lowering their pricing rates. Also, we derive feedback equilibrium solutions for the situation where both firms cooperate in security investment, information sharing, or both. It is revealed that although a higher hacker attack density always decreases a firm's integral profits, both firms are not always willing to cooperate in security investment and information sharing. 
Specifically, the superior firm benefits most when both firms fully cooperate and benefits the least when they behave fully non-cooperatively. However, the inferior firm enjoys the highest integral profit when both firms only cooperate in information sharing and the lowest integral profit in the completely cooperative situation.


Introduction
Competition between firms has become increasingly fierce due to the rapid development of science and technology, the intensive evolution of economic globalization, and in-depth changes in market environments. To address these challenges, an increasing number of firms are tending to adopt information technology to construct and rebuild their business structures. However, unimaginable losses may occur as a result of information security incidents. Traditional approaches to technology security programs have gradually become inadequate to effectively reduce frequent information security incidents. These information security technologies primarily focus on better access control policies, complex cryptographic protocols, advanced firewalls and intrusion detection systems (IDS) (Cavusoglu and Raghunathan, 2004; Cavusoglu et al., 2009; Gao et al., 2013c), better system evaluation tools, perfect code design, and so on. Although these security technologies perform outstandingly, more and more firms and organizations have suffered serious cyber-attacks from hackers and thus incurred heavy losses in business, customer trust, reputation, and competitiveness. For example, JPMorgan Chase Bank, one of the largest financial service organizations in America, with sophisticated security network systems, was attacked by hackers in 2014 and incurred a data loss that included user names, home addresses, telephone numbers, and email addresses of 76 million families and 7 million small enterprises. SafeNet Corporation reported that during the first quarter of 2014, nearly two hundred million record stealing incidents occurred, representing an increase of 233% over the same period in 2013.
CONTACT Xing Gao xgaoseu@.com Supplemental data for this article can be accessed on the publisher's website at http://www.tandfonline.com/uiie.
An underlying shortcoming of traditional security technologies is that they only concern technology solutions and thus neglect the economic motivations of stakeholders in the context of Internet security. Information security economics has recently emerged as a fast-moving inter-disciplinary research branch that links information systems and economics. This research is aimed at improving the security level of information systems by fully highlighting the behavior of all agents in a network environment, such as competitor firms (Gal-Or and speaking, information security economics takes various economic and social elements into account, applies the concepts and ideology of economics and management, addresses the problems of conflict and divergence of interest of all stakeholders, and finally formulates reasonable information security management strategies. It is important to understand information security economics because, as argued by Anderson and Moore (2006), information security failures result from the distorted economic incentives of participants at least as often as from poor technological design.
Constructing a differential game framework, this article discusses dynamic strategies for security investment and information sharing for two competitor firms, both of which are confronted with targeted attacks by hackers and are able to affect the values of information assets related to information systems by endogenous pricing choices. We focus on security-related industries involving electronic commerce, electronic payment, electronic banking, credit cards, etc., in which consumers are likely to be concerned about information security. Both security investment and information sharing are the main components of the security strategies that firms usually employ to defend against hackers and to influence their market share. Faced with two different firms, consumers make choices based on the security investment undertaken by each firm. When a firm increases its security investment to prevent security breaches of its information systems, consumer anxiety about a transaction with that firm will be assuaged and their confidence and willingness to pay for a product will be enhanced, thus attracting the competitor's consumers. However, if the competitor increases its security investment, the first firm incurs a loss of consumers, as the competitor will be considered to be a more reliable and secure firm. In other words, a firm can acquire market share from its competitor through a greater investment in security. Gal-Or and Ghose (2005), Cezar et al. (2010), and Kolfal et al. (2013) explicitly assume that a firm's consumer demand function is dependent on its security investment and that of its competitor in a competitive environment. Again, some evidence here shows that consumers can indeed perceive information security investments when making purchasing decisions, at least in the security-related industries under consideration. There are many facets of security mechanisms and measures that firms invest in and employ in different business environments. 
Although some security tools, such as firewalls, IDSs, and encrypted transmissions, are highly technical and therefore not always visible to consumers, consumers are still able to form strong perceptions of a firm's information security levels (Miyazaki and Fernandez, 2000; Suh and Han, 2003; Cheung and Lee, 2006; Román, 2007; Kim et al., 2010; Ray et al., 2011; Hartono et al., 2014). In particular, Kim et al. (2010) categorize the factors that influence consumers' perceptions of information security in the use of e-payment systems into technical protection, security statements, and transaction procedures. Precisely speaking, technical protection involves specific and technical mechanisms to ensure privacy, integrity, confidentiality, and stability in online transactions, which can be achieved by using certain specific policies such as explicit standardization. Security statements refer to the information provided to consumers in the operation of e-payment systems and related security solutions. Security statements that are posted on websites usually involve security feature statements, data protection and privacy statements, security-policy statements, and other descriptive content concerning security precautions. Transaction procedures indicate the processes of authentication, modification, and confirmation, which can be communicated to consumers. Obviously, authentication is a visible procedure by which the identity of consumers is verified through their identity and password. In one type of e-payment system, online banks in China have adopted different types of identity authentication mechanisms to guarantee information security, such as the first-generation USB key, the second-generation USB key, and the dynamic password. The first-generation USB key guarantees identity authentication security through a physical USB key; however, it can be hijacked by a Trojan virus launched by hackers.
The second-generation USB key ensures identity authentication security not only by the physical USB key but also by a manual confirmation by the consumer on an additional LCD display, which reduces the risk of being hijacked by a Trojan virus. The dynamic password approach ensures the best identity authentication security by using changeable passwords for every transaction. Moreover, Kolfal et al. (2013) assume that consumers can perceive information security investments because they must be notified of security breaches in a timely manner by laws such as California's SB 1386, HIPAA, and DPA in the UK. As evidenced by Marte (2014), consumer purchasing decisions are indeed affected by security breaches. Although the number of security breaches that one firm suffers does not necessarily exactly correlate with the security investment of that firm, higher information security investment on the part of a given firm is usually accompanied by fewer security breaches. Cremonini and Nizovtsev (2009) find that firms have the ability to signal security characteristics in their information systems as a deterrence tool.
In our model, information sharing serves as another key factor to improve the level of information security. The U.S. federal government has even encouraged the establishment of industry-based Information Sharing and Analysis Centers (ISACs), including the Aviation ISAC (A-ISAC), Defense Industrial Base ISAC (DIB-ISAC), Electric Sector ISAC (ES-ISAC), Financial Services ISAC (FS-ISAC), Information Technology ISAC (IT-ISAC), Supply Chain ISAC, Real Estate ISAC, Public Transit ISAC, and so on. Meanwhile, there are other information sharing organizations such as the Computer Emergency Response Team, Information Sharing and Analysis Centers, Electronic Crimes Task Forces and Chief Security Officers Round Tables. When firms share security information through such organizations, the information can be analyzed and classified to quickly disseminate physical and cyber threat alerts and security solutions can be recommended to member firms to protect their information systems as soon as possible. By reporting security breaches and sharing related security information in these information sharing organizations, all member firms can send a strong message to their customers that they are committed to developing rigorous information security procedures and are taking all necessary steps to mitigate damage from future breaches (Schenk and Schenk, 2002). Recognizing an increase in information security levels, consumers will become more willing to transact with all member firms. Hence, unlike security investments, information sharing allows all member firms to experience a positive demand shock and enlarge their market share.
Based on hacker behavior, cyber-attacks can be classified as either a targeted attack or a mass attack. Targeted attacks, such as pharming, industrial espionage, denial of service, and intrusions, are aimed at high-return firms, whereas mass attacks such as worms, viruses, spam, spyware, and bots are intended for all firms (Cavusoglu et al., 2008). That is, in targeted attacks, hackers execute cyber-attacks discriminately based on the related returns they can obtain, but mass attacks are implemented without distinction (Png and Wang, 2009; Ransbotham and Mitra, 2009; Mookerjee et al., 2011; Dey et al., 2012, 2014). In addition to behavior characteristics, the hacker community can be divided into those whose motivations are profit-driven, fame-driven, excitement-driven, and politics-driven (Leeson and Coyne, 2006; Kim et al., 2012). However, their motivations have mainly moved from fame and excitement to financial and political gains. This article focuses on profit-driven hackers launching targeted attacks, which constitute an increasingly large proportion of hackers in this networked world of electronic commerce.
In the current study, in addition to security investment and information sharing, we assume that firms can endogenously determine the prices of their products and services over time, which has a further impact on consumer demand and even on the value of information assets in information systems. Information assets are mainly related to customer names, credit card data, user names, passwords, social security numbers, addresses, phone numbers, and other sensitive data. Firms that possess and control information assets can gain economic benefits by utilizing them in their business activities. As information assets contribute to a firm's profits, their value can be reflected in that firm's profits when all other factors such as the conversion efficiency of information assets remain unchanged. The value of information assets for firms, which is realized in legal business processes, is not necessarily equal to the value to a hacker, which is realized by unauthorized and unlawful use in black markets. For instance, credit card firms realize the value of information assets by facilitating the customer payment process during purchasing transactions, whereas hackers illegally achieve the value by fraudulent purchase and identity theft (Bandyopadhyay et al., 2014). Even so, a hacker's evaluation of information assets should be positively related to the value of information assets for a firm (Hausken, 2007, 2008; Png and Wang, 2009; Kannan et al., 2016). Given that a firm's value of information assets can be measured by its profits, a hacker's evaluation of information assets would also be influenced by the profits of that firm. As for the example of credit card firms, their prices for information assets can be approximately evaluated by the status and the payment capacity of the credit cards.
As a firm's profit increases, its price for information assets becomes higher for a given market share or, alternatively, their market share becomes larger for a given price of information assets. Hackers can obtain greater gains by breaching firms with higher profits, due to more valuable data or larger volumes of information. The degree of positive correlation between a hacker's returns and a firm's profits commonly depends on whether the hacker can easily sell their stolen information assets on the black market. In targeted attacks that are aimed at stealing a firm's information assets from information systems discriminatively, the value of information assets can be influenced by the endogenous determination of pricing. Therefore, a firm's pricing strategy becomes sophisticated and needs a comprehensive consideration of the effects of the behavior of both competitors and hackers.
The current research attempts to answer the following questions.
1. What should a firm's dynamic security investment, dynamic information sharing, dynamic pricing, and even integral profit be in a competitive environment?
2. How do market characteristics and cyber-attack characteristics influence such dynamic strategies and integral profit?
3. How do such dynamic strategies and integral profit change when firms cooperate in security investment, information sharing or both?
To the best of our knowledge, this article is the first to address the value of information assets by endogenous pricing decisions under targeted attacks. These questions are important but remain unaddressed in information security economics. This study can help a firm to formulate dynamic strategies for security investment, information sharing, and pricing over time and to analyze the effects of market characteristics, cyber-attack characteristics, and cooperation forms on these strategies and the resulting integral profit. To obtain the main findings, we build a differential game model that reflects the dynamic effects of security investment, information sharing, and pricing under targeted attacks and in addition facilitates the mathematical tractability of the feedback equilibrium solution.
Unlike static game approaches, differential game approaches can characterize the inherently dynamic features of related problems and are apparently more appropriate for formulating information security issues. From the perspective of modern firms, when their business structures alter, the information systems supporting these structures dynamically change, and the security programs for information systems must be correspondingly adjusted. More important, from the perspective of hackers, attacking modes, knowledge dissemination, and virus propagation (Chen and Carley, 2004; Griffin and Brooks, 2006; Yuan et al., 2009; Ransbotham et al., 2012) have to be characterized in a dynamic setting. Many studies on configuration and investment in information security have been conducted based on optimal controls (Yue and Cakanyildirim, 2007; Mookerjee et al., 2011) and differential games (Bandyopadhyay et al., 2014; Garcia et al., 2014). In addition to security investment and information sharing, which are aimed at defending against hackers, a firm's pricing decisions are assumed to be dynamic in this article. Pricing decisions, including skimming and penetration pricing, are long-run strategies and are usually characterized dynamically (Feichtinger and Dockner, 1985; Krishnamoorthy et al., 2010). We construct our model using differential games, in which pricing, security investment, and information sharing interact with each other in their dynamic effects.
The remainder of this article is organized as follows. Section 2 reviews the related literature on information security economics. Section 3 presents the model in a non-cooperative situation, and Section 4 discusses a firm's feedback equilibrium solution and resulting integral profit. Section 5 analyzes feedback equilibrium solutions and integral profits when two firms cooperate partially and completely, respectively. Section 6 concludes this article. All omitted proofs are relegated to the online Appendices.

Related literature
In their pioneering research, Gordon and Loeb (2002) show that a firm should not necessarily heavily invest in security for an information system with high levels of vulnerability, because it may incur the most frequent cyber-attacks from hackers. This finding can to some degree illustrate that an underlying reason for information security failures rests with misaligned incentives for stakeholders, as confirmed by Anderson and Moore (2006). Since then, information security economics has developed rapidly; this branch of study involves economics and management models and considers all related agents in a network environment. Introducing a strategic hacker, Cavusoglu et al. (2008) construct a game between a hacker and a firm to analyze the effect of their move-timing on the information security investment of the firm. Cremonini and Nizovtsev (2009) find that well-protected firms can use the signal of their superior protection level as a deterrence tool when hackers can change cyber-attacks between firms. Hausken (2006) examines how hackers' income and ability affect a firm's information security investment. Hausken (2008) and Cárceles-Poveda and Tauman (2011) consider a two-stage security investment game and a security allocation game, respectively. It should be noted that real options techniques (Herath and Herath, 2009), the value-at-risk method (Wang et al., 2008), the analytic hierarchy process (Bodin et al., 2005), and the empirical approach (Kannan et al., 2007) are all employed to examine information security investment.
With the establishment of the origins of information sharing, information sharing as a powerful approach to enhancing information system security has been extensively examined. Gordon et al. (2003) show that exogenously given information sharing may reduce the information security expenditure and increase information security levels and total social welfare. Gal-Or and Ghose (2005) show that a firm benefits more from information sharing in more competitive industries. Hausken (2007) discusses the effect of interdependence on information sharing between two firms. Liu et al. (2011) find that whether firms are willing to share security information depends on the relationship between their information assets. Gao et al. (2014, 2015) examine information sharing for firms with different relationships between information assets. Böhme (2010) discusses the relation between security investment models and security metrics. Böhme and Moore (2009) consider a security investment model that reflects the dynamic interaction between a defender facing uncertainty and an attacker repeatedly targeting the weakest link. Khouzani et al. (2014) analyze security information sharing regarding vulnerabilities in competitive environments.
Another interesting area in the field of information security economics is the analysis of hackers' modes of cyber-attacks on information security investments, targeted attacks and mass attacks. Png and Wang (2009) find that more effort should be exerted in precautions against mass attacks rather than targeted attacks. Ransbotham and Mitra (2009) empirically analyze paths and strategies under mass and targeted attacks. Mookerjee et al. (2011) examine the effect of mass and targeted attacks on the discrimination ability of a security system. Huang and Behara (2013) investigate how a firm should allocate its limited information security budget between mass and targeted attacks. Dey et al. (2012) examine the effect of two types of cyber-attacks on the security software market. Kim and Kim (2014) study the effect of mass and targeted attacks on malware resolution processes. Tunca (2006, 2011) analyze user incentives for security investment and liability policies for security incidents under mass attacks in a network environment.
The current article investigates dynamic competition in security investment and information sharing, whereas the previous relevant literature only considers static counterparts or fails to fully characterize the targeted attacks of hackers. Although Gal-Or and Ghose (2005) build their model under static price competition, unlike our article, they still neglect to incorporate the hackers' economic incentives and partial cooperation between firms. Bandyopadhyay et al. (2014) and Gao et al. (2013a, 2013c) use a differential game approach to investigate dynamic security investment; neither of them, however, takes pricing or targeted attacks into account. This article examines the dynamic interaction between security investment and information sharing in a competitive environment when targeted attacks are taken into account, which helps to understand the effects of competitors and hackers in information security economics.

The model
We now characterize the effects of security investment rates, information sharing rates, and pricing rates on changes in consumer demand rates. As emphasized by Gal-Or and Ghose (2005, p. 192): When a given firm increases its investment in security technology to prevent security breaches or enhance the effectiveness of security products, and consumers become informed of this increase, their level of anxiety about transacting with the firm declines, thus enhancing their expected utility and willingness to pay for the product.
There are very similar arguments presented in both Cezar et al. (2010) and Kolfal et al. (2013). That is, when a given firm increases its security investment rate, the security level of its information system becomes higher, resulting in a lower chance of security breaches or a smaller loss from security breaches. Therefore, some consumers of a rival firm will switch to this firm due to its advantage in information system security. In contrast, when the rival firm increases its security investment rate, some consumers of the first firm will lose their sense of security and switch to the rival that is comparatively more secure. The change in the consumer demand rate of firm i due to security investment rates can be described by where $z_i(t)$ denotes the security investment rate of firm i at time $t \in [0, \infty)$ and $a_i$ is the related efficiency (i = 1, 2). The form of Equation (1) has been widely used (He et al., 2009; He et al., 2012) and characterizes the effects of both firms' security investment rates and also guarantees an analytical solution to our problem. Note that each firm's information sharing rate can contribute to the information security level of the entire related industry through industry-based information sharing organizations such as A-ISAC, DIB-ISAC, ES-ISAC, FS-ISAC, IT-ISAC, and others. Firm i will experience the following positive demand shock: where $s_i(t)$ represents the rate of information sharing provided by firm i to these organizations and $c_i$ is the related efficiency. Note that security information rate that firm i offers and shares with its rival has a positive effect on firm i. That is, the effect of information sharing rates on each firm should be weighed by the collective measure, $c_1 s_1(t) + c_2 s_2(t)$.
The reason for this observation is that in practice, the security information about a particular security attack received by a firm through information sharing centers may be fragmented and thus it will carry very little substantive information until it is combined with related security information of its own. As reported above, when firm i offers and shares its security information through information sharing centers, the member firms in such centers are able to obtain timely and better information for decision-making on security that will allow improvement in their security control mechanisms, leading to a higher security level for their information systems. As a result, there is a lower chance of security breaches for member firms and, thus, potential consumers may pick these firms for transactions. The change in the consumer demand rate of firm i due to pricing rates is characterized by where $p_i(t)$ is firm i's pricing rate and $b_i$ is the sensitivity parameter. Equation (3) is a somewhat revised form of the change in market share rates defined by Feichtinger and Dockner (1985), who assume that in a dynamic oligopoly the proportion of customers driven away from firm i, $b_i p_i(t) x_i(t)$, is allocated to its competitors. The total change in the consumer demand rate of firm i is (1), (2), and (3), the total effect of security investment rates, information sharing rates, and pricing rates is given by We are now in a position to discuss the effect of targeted hacker attacks on consumer demand. Targeted attacks imply that hackers launch more frequent cyber-attacks on firms with higher profits. Breaching the information system of a firm with higher profits can bring greater gains for hackers. In an environment of rigorous laws against information security incidents, hackers can convert information assets stolen from firms for low gains on the black market. On the contrary, hackers can benefit more when the related laws are loose.
In either case, hackers can earn higher profits when a firm's value of its information assets (measured by its profits) is higher. Note that Hausken (2007) assumes that the value attached to information assets remains unchanged between firms and hackers. The positive relation of the value of information assets between firms and hackers can also be found in Png and Wang (2009) and Dey et al. (2012). Assuming that the marginal product costs of both firms are zero, the instantaneous profit of firm i in the current model is The effect of targeted attacks by hackers on the consumer demand rate of firm i is thus where d is the density of the hackers' targeted attacks and $l_i$ is a coefficient of consumer demand loss caused by security breaches. Parameter d reflects hackers' efforts for the unit profit of firm i and, therefore, hackers who are more profit-motivated have a higher d. Also, parameter d can indicate the rigorousness degree of security laws, and a higher d implies loose security laws. Parameter $l_i$ characterizes the loss in the consumer demand rate to measure the negative effect of targeted attacks. When there are more (less) security-sensitive consumers for firm i, the value of $l_i$ will be higher (lower).
Firm i's integral profit is thus where r is the discount rate of both firms, α is the cost coefficient of security investment rates, and β is the cost coefficient of information sharing rates. Parameter β refers to the leakage cost of the security information that is incurred due to the information sharing rates. There exists a leakage cost for information sharing that involves disclosing security breaches information, including the moral hazard of participating firms, loss of consumer loyalty and satisfaction (Gal-Or and Ghose, 2005; Lee and Lee, 2012; Liu et al., 2014), a membership fee, and a possible reduction in welfare (Kannan and Telang, 2005). The cost structures of security investment rates and information sharing rates in Equation (5) ensure that they exhibit diminishing marginal returns. Such types of cost structures have been commonly used in other economic activities, such as advertising investment (He et al., 2009; He et al., 2012) and R&D investment (Cellini and Lambertini, 2009; Mantovani, 2009, 2010). The decision variables for each firm are therefore the pricing rate, the security investment rate, and the information sharing rate, so the discounted profit-maximization problem can be described by the following differential game: subject to in which $V_i(x_1, x_2)$ is the value function of firm i. From Equations (6) and (7), one can discover that the rates of security investment and information sharing of each firm exert a positive effect on its consumer demand rate, whereas targeted attacks against this firm have a negative effect on the consumer demand rate.

Equilibrium analysis
In this section, we first attempt to derive the analytical solution of the differential game in which both firms choose their rates for pricing, security investment, and information sharing in a non-cooperative manner. Then, the comparative statics of these decision variables are discussed as a function of some key parameters including $a_i$, $l_i$, $b_i$, and d.

Equilibrium solution
We now attempt to find the feedback equilibrium solution of the differential game given by Equations (6) and (7). The feedback equilibrium solution, which is also the Markov perfect equilibrium or closed-loop equilibrium, appears to be more meaningful than the open-loop equilibrium in that the former takes into account strategic interaction between firms through the evolution of consumer demand rates over time and the associated adjustment in controls. Appendix A provides the feedback equilibrium solution in Proposition 1.

Proposition 1.
(a) The feedback equilibrium solution for firm i is provided that 2a 2 i /α − b 2 i /(l i d) > 0, and parameters β i and γ i satisfy the following equations: (b) The integral profit for firm i is with O i , F i , G i , and H i being given in Appendix A.
Note that the restriction condition $2a_i^2/\alpha - b_i^2/(l_i d) > 0$ guarantees a positive feedback equilibrium solution. When this condition fails to be satisfied, the feedback equilibrium solution may still be positive, implying that the feedback equilibrium solution may be available for a wider range of parameter settings. It follows from Proposition 1(a) that each firm's security investment rate is increasing with its competitor's consumer demand rate, while each firm's information sharing rate and pricing rate are stationary. Unlike the value function in an instantaneous setting, the integral equilibrium profit given by Proposition 1(b) is derived in an infinite-horizon setting and is of more importance for firms that focus on their long-term profits.
The feedback equilibrium solution for symmetric firms is obtained explicitly in Corollary 1, in which $a_i = a$, $b_i = b$, $c_i = c$, $l_i = l$, and $x_{10} = x_{20} = x_0$.

Corollary 1. The feedback equilibrium solution for each firm in the symmetric situation is
Letting $a = 1$, $b = 1$, $c = 1$, $l = 1$, $x_0 = 0$, $r = 0.05$, $\alpha = 1$, and $\beta = 1$, we can obtain the feedback equilibrium solution and the integral profit with $t = 50$ over the density of targeted attacks $d$ shown in Fig. 1. From Fig. 1(a), one can observe that the rates of security investment, information sharing, and pricing decrease with the density of targeted attacks. When the density of targeted attacks increases, hackers become more profit-motivated and launch more frequent targeted attacks, even though the profit rates of firms may not be higher. Considering the costs of the security investment rate and the information sharing rate, a rational firm that is confronted with more frequent targeted attacks would have to decrease both of them. Meanwhile, to decrease the consumer demand loss caused by targeted attacks, a firm needs to decrease its pricing rate. It is consistent with common sense that the higher density of targeted attacks seems to always harm a firm's integral profit, as shown in Fig. 1(b).
Given the optimal decisions for security investment rates, information sharing rates, and pricing rates, one can obtain the long-run equilibrium market share rates of the two firms, which is given in Proposition 2.

Proposition 2. When both firms non-cooperatively choose their rates of security investment and information sharing, their long-run market share rates are
One can observe that the long-run market share rates are unaffected by the cost coefficient and efficiency of information sharing rates. A possible reason for this behavior is that information sharing rates increase the consumer demand rate of the total industry, not the relative proportion of consumer demand rates of the two firms. The effects of other key model parameters on the long-run market share rates are difficult to analytically examine and are thus discussed numerically in the next section.

Comparative statics
Although we are able to obtain the analytical form of the feedback equilibrium solution, we unfortunately fail to analytically derive all results of comparative statics for such a solution. Hence, numerical methods must be used. Due to symmetry properties, this section only discusses the effects of $a_1$, $l_1$, $b_1$, and $d$ on the feedback equilibrium solutions and the resulting profits for both firms. Throughout this article, we assume that $r = 0.05$, $\alpha = \beta = 1$, $c_1 = c_2 = 1$, and $x_{10} = x_{20} = 0$.
Letting $a_2 = 1$, $b_1 = b_2 = 0.1$, $l_1 = l_2 = 1$, and $d = 0.1$, one can obtain the change in feedback equilibrium solutions and the resulting integral profits for both firms over the efficiency of the security investment rate of firm 1, $a_1$, as shown in Table 1. When $a_1$ increases, firm 1 can protect its information system more effectively by using a higher security investment rate, whereas firm 2 finds it difficult to capture firm 1's consumers and rationally lowers its security investment rate; see Fig. 2. In this situation, firm 1 becomes more aggressive in that it would be more willing to share its security information. In contrast, firm 2 takes the free-ride strategy and shares less security information. The free-ride effect seems so strong that firm 2 will increase its pricing rate without any major concern about consumer loss due to hacker attacks. One can observe that $a_1$ does not always increase firm 1's pricing rate. Intuitively, when $a_1$ is increased from an existing low value, firm 1's rates of security investment and information sharing are lower, although both are increasing. In this case, firm 1 would not increase its pricing rate out of consideration for consumer loss. When $a_1$ is increased from an existing high value, firm 1 takes enough security measures and increases the pricing rate without worrying about security breaches. One can find that, consistent with common sense, the integral profit of firm 1 increases with $a_1$, whereas that of firm 2 decreases.
Assuming that $a_1 = a_2 = 1$, $l_1 = l_2 = 1$, $b_2 = 0.1$, and $d = 0.1$, one can find the change in feedback equilibrium solutions and the resulting integral profits for both firms over the sensitivity parameter of the pricing rate of firm 1, $b_1$, as shown in Table 2. One can discover from Table 2 that as $b_1$ increases, the pricing rate of firm 1 decreases, whereas the pricing rate of firm 2 increases. With a higher $b_1$, there is a greater negative effect on the consumer demand rate of firm 1 and a greater positive effect on that of firm 2. Firm 1 restricts its pricing rate to maintain its consumer demand rate, whereas firm 2 improves its pricing rate to obtain a higher profit. Firm 1 reduces the negative effect of a higher $b_1$ on its change in the consumer demand rate through negative feedback in Equation (3) by decreasing its rates of security investment and information sharing, because both can increase firm 1's consumer demand rate; see Fig. 3. Firm 2 does not need to invest more in information security to attract consumers, due to the positive effect of $b_1$ on its consumer demand rate. However, it can be observed that as $b_1$ increases, firm 2 shares more security information, implying that firm 2 focuses on enlarging the consumer demand rate for the entire industry. A higher $b_1$ has a positive effect on firm 2 and therefore always improves firm 2's integral profit. It is interesting that $b_1$ does not always harm firm 1's integral profit, despite its negative effect. A possible explanation is that when $b_1$ increases from an initial low value, firm 1's expenditure rates for security investment and information sharing decrease, and such cost reductions prevail over the loss in the consumer demand rate.
Assume that $a_1 = a_2 = 1$, $b_1 = b_2 = 0.1$, $l_2 = 1$, and $d = 0.1$. Table 3 gives the change in feedback equilibrium solutions and resulting integral profits for both firms over the consumer demand loss coefficient of firm 1, $l_1$.
One can find that as $l_1$ increases, firm 1 decreases its pricing rate to alleviate the negative effect of hacker attacks. Noting that the positive effect of firm 1's pricing rate on firm 2's consumer demand rate decreases, firm 2 needs to decrease its pricing rate to maintain its consumer demand rate. At first glance, it seems economically plausible that as $l_1$ increases, firm 1 would increase both its security investment rate and its information sharing rate to improve its consumer demand rate. However, one can observe from Fig. 4 that firm 1's rates of security investment and information sharing decrease over $l_1$. In reality, each firm's consumer demand rate serves as a double-edged sword, which can contribute to its profit and meanwhile can strengthen the negative effect of targeted attacks. The negative effect prevails in this situation, and firm 1 does not need to invest more and share more to reduce such an effect. Firm 2 invests more in this situation to increase its consumer demand rate, as $l_1$ has no negative effect on it. It follows that firm 2's information sharing rate first decreases and then increases with $l_1$. It is straightforward to understand that as $l_1$ increases from a high value, firm 2 is ready to share security information to increase its consumer demand rate. When $l_1$ increases from an initial low value, firm 1's information sharing rate remains high even though it is decreasing. Firm 2 decreases its information sharing rate out of consideration for free riding. Furthermore, one can observe that consistent with common sense, the integral profit of firm 1 decreases with $l_1$. Interestingly, the integral profit of firm 2, however, also decreases with $l_1$, although its long-run market share rate increases. The reason for this behavior may be that an increase in $l_1$ results in a drastic decrease in firm 2's pricing rate.
Letting $a_1 = 1.1$, $a_2 = 1$, $l_1 = 0.9$, $l_2 = 1$, and $b_1 = b_2 = 0.1$, we can obtain the change in feedback equilibrium solutions and resulting integral profits for both firms over the density of hacker attacks, $d$, shown in Table 4. Here, we simply define the superior firm as the one with more favorable model parameters; i.e., a higher efficiency in the security investment rate and a lower consumer demand loss coefficient than those of the inferior firm. That is, firm 1 is superior, and firm 2 is inferior. One can see that as $d$ increases, both firms decrease pricing rates to increase their respective consumer demand rates. Figure 5 shows that the security investment rates of both firms decrease with $d$, meaning that the firms seem reluctant to defend against hackers. Actually, to deter the hacker, a firm requires an enormous security budget to employ better access control policies, complex cryptographic protocols, advanced firewalls and IDSs, better system evaluation tools, and the perfect code design. In contrast, hackers only need to exploit one drawback in order to successfully intrude into a firm's information system (Anderson and Moore, 2006). One can observe that as $d$ increases, both firms will share less security information. The reason for this behavior may rest with the fact that after decreasing information sharing rates, both firms would decrease the negative effect of hacker attacks by decreasing their consumer demand rates. It can be observed that the integral profits of both firms decrease with $d$, even though the consumer demand rate of the superior firm, firm 1, increases.
In this subsection, we examine the effects of key model parameters using numerical methods, due to the extreme difficulty in analytical tractability. Nevertheless, we are able to obtain some analytical results in Appendix A, which, together with the numerical results above, are summarized in Table 5.

The cooperative scenarios
As discussed above, many information sharing organizations have been established that can intervene in firms' decisions on information security so that their rates of security investment and/or information sharing may be specified in a centralized fashion. Moreover, there has been rapid growth in serious security threats from hackers. Underground hacker industry chains have emerged that involve purchasing attack tools from hacking experts, selling information assets stolen from firms, disseminating attacking knowledge among the hacker population, and training fresh hackers. To curb such serious threats, firms sometimes need to cooperate in a series of security measures to prevent hacker attacks and satisfy their own security requirements. This section studies how feedback equilibrium strategies and resulting integral profits for both firms change when security investment rates, information sharing rates, or both are regulated cooperatively. Naturally, the purpose of both firms is to maximize the sum of their integral profits when they behave cooperatively.
Table . A brief summary of the obtained analytical and numerical results. ↑ denotes increase; ↓ denotes decrease; denotes first increase and then decrease; Þ denotes first decrease and then increase.

Equilibrium solution when firms cooperate in security investment
It is not difficult to observe in Appendix B that one of the two firms has a zero rate of security investment in this partially cooperative situation. Without loss of generality, we assume that firm 2 has a zero security investment rate in this subsection.

Proposition 3. When the firms choose security investment rates cooperatively but information sharing rates non-cooperatively:
(a) the feedback equilibrium solution for each firm is provided that they are positive, and the parameters $\beta_{zi}$, $\gamma_{zi}$, and $\kappa_i$ satisfy the equations:
(b) The integral profits for both firms are with $O_{zi}$, $F_{zi}$, $G_{zi}$, and $H_{zi}$ being given in Appendix B.
Note that the feedback equilibrium strategies and resulting integral profits for both firms are independent of $a_2$. Although it is quite difficult to derive the necessary condition to ensure the positive feedback equilibrium solution in Proposition 3 (as well as the following Propositions 4 and 5), we find that the equilibrium solution is always positive for a wide range of parameters. Considering that our aim here is to compare the equilibrium solution in such a situation with that in the completely independent situation above, in this section and the following sections, we borrow the parameter values listed in Table 4 to examine the effect of the density of hacker attacks, $d$, with firm 1 being the superior firm and firm 2 the inferior one. The feedback equilibrium solutions and resulting integral profits are given in Table 6 and Fig. 6.

Equilibrium solution when firms cooperate in information sharing
When firms choose security investment rates non-cooperatively but information sharing rates cooperatively, the following results can be obtained.
Proposition 4. When the firms choose security investment rates non-cooperatively but information sharing rates cooperatively:
(a) the feedback equilibrium solution for each firm is provided that they are positive, and the parameters $\beta_{si}$, $\gamma_{si}$, and $\rho_i$ satisfy the following equations: with $O_{si}$, $F_{si}$, $G_{si}$, and $H_{si}$ being given in Appendix C.
Comparing Equation (9) and Equation (16) yields that positive pricing rates and positive security investment rates in such a partially cooperative situation can be guaranteed under the condition in Proposition 1. The feedback equilibrium solutions and resulting integral profits in this partially cooperative case are given in Table 7 and Fig. 7.

Equilibrium solution when firms cooperate in both security investment and information sharing
We are now in a position to discuss the fully cooperative situation, in which rates of both security investment and information sharing are determined centrally. We assume again that firm 2 has a zero security investment rate without loss of any generality.

Proposition 5. When the firms choose rates of both security investment and information sharing cooperatively:
(a) the feedback equilibrium solution for each firm is provided that they are positive, and the parameters $\beta_{bi}$, $\gamma_{bi}$, and $\sigma_i$ satisfy the following:
(b) The integral profits for both firms are with $O_{bi}$, $F_{bi}$, $G_{bi}$, and $H_{bi}$ being given in Appendix D.
The feedback equilibrium solutions and resulting profits are shown in Table 8 and Fig. 8.

Comparison between non-cooperative and cooperative scenarios
One can find that Equation (9) for $\beta_i$ and $\gamma_i$ in Proposition 1 is equivalent to Equation (16) for $\beta_{si}$ and $\gamma_{si}$ in Proposition 4, implying that $p_i^*(t) = p_{si}^*(t)$. Similarly, it is clear that $\beta_{zi}$, $\gamma_{zi}$, and $\kappa_i$ in Equation (13) in Proposition 3 are equal to $\beta_{bi}$, $\gamma_{bi}$, and $\sigma_i$, respectively, in Equation (19) in Proposition 5, implying that $p_{zi}^*(t) = p_{bi}^*(t)$.
The results of Proposition 6 are independent of which firm is superior. Proposition 6 implies that when both firms choose security investment rates independently, each firm's pricing strategy remains unchanged whether they behave non-cooperatively or cooperatively in determining the information sharing rates. In addition, provided that both firms choose the security investment rates cooperatively, each firm's pricing rate is still independent of whether they choose information sharing rates independently or cooperatively. We next compare rates of security investment and information sharing based on the presented numerical results.
Observation 1: (a) When security investment rates are chosen cooperatively, the inferior firm always has a zero security investment rate whether both firms' information sharing rates are determined cooperatively or non-cooperatively. (b) The security investment rate of the superior firm when information sharing rates are determined cooperatively is always higher than that when information sharing rates are determined non-cooperatively, whether both firms' security investment rates are determined cooperatively or non-cooperatively. (c) Information sharing rates of both firms in the fully cooperative situation are the highest, whereas those in the independent situation are the lowest. The security investment rate of a firm aims to attract its rival's consumers by improving its relative security level; that is, investing in information security is a competitive strategy. When security investment rates are chosen in a centralized fashion, there would be investment waste if both firms have positive security investment rates. The inferior firm can only create a minor security improvement in the case of a positive security investment rate, which finally decreases its security investment rate to zero, as illustrated by Observation 1(a). Observation 1(b) shows that the security investment rate seems to be more effective when the information sharing rates are chosen cooperatively than when they are chosen independently. Consistent with common sense, Observation 1(c) implies that the free-riding effect of information sharing rates is more remarkable when they are determined non-cooperatively. That is, individual optimization is more likely to bring the effect of free riding on information sharing.
Observation 2: (a) The superior firm enjoys the highest integral profit in the fully cooperative situation and the lowest integral profit in fully non-cooperative situations. (b) The inferior firm almost always obtains the highest integral profit with cooperative security investment rates and always gains the lowest integral profit in the fully cooperative case. Observation 2 shows that the superior firm prefers the organizational structure where both firms cooperate in choosing rates for both security investment and information sharing, whereas in most cases, the inferior firm prefers the situation where both firms cooperate solely in choosing security investment rates. There are two factors that can explain why the superior firm enjoys the highest integral profit in the fully cooperative case. First, the positive effect of security investment for the superior firm is greater because its competitor, the inferior firm, does not invest at all at equilibrium. Second, the free ride obtained by the inferior firm is weaker and can effectively improve both firms' consumer demand. The inferior firm benefits least in the fully cooperative situation for opposite reasons, namely, ineffective security investment and insignificant free ride effect. It can be concluded that although the inferior firm tends to cooperate in security investment, the superior firm should offer some economic incentive, such as a subsidy, to the inferior firm so that both of them can cooperate in information sharing as well. Moreover, it is not difficult to observe that social welfare, measured by the sum of the two firms' integral profits, is highest when both firms cooperate in security investment and information sharing. Hence, it is in the interest of the whole of society to encourage and even to require different firms to cooperate in both security investment and information sharing.

Concluding remarks
This article constructs a differential game framework in which the effects of security investment, information sharing, and pricing are taken into account. In particular, we characterize targeted attacks by hackers as a negative effect on consumer demand and assume that firms' information assets can be changed via an endogenous determination of pricing. The differential game established here allows us to derive feedback equilibrium solutions for rates of pricing, security investment, and information sharing. We demonstrate that a firm's higher efficiency in security investment leads to higher rates for both security investment and information sharing. There exists a U-shaped relationship between this firm's pricing rate and such efficiency. We indicate that a higher consumer demand loss coefficient, caused by targeted attacks, leads to lower pricing rates for both firms. Furthermore, we demonstrate that a higher hacker attack density always decreases both firms' pricing rates, security investment rates, information sharing rates, and finally their integral profits. We reveal that as the density of hacker attacks increases, both firms are not always willing to cooperate in either security investment or information sharing. In particular, we reach the conclusion that the superior firm prefers the fully cooperative situation, whereas the inferior firm almost always prefers the situation where only cooperative security investment occurs.
Despite these contributions to information security economics, there are still several limitations in our article, which will be left for our future research. First, although the differential game constructed in this article leads to feedback equilibrium solutions, complete analytical results regarding the comparative statics of key model parameters and the comparisons between the four forms of situations are quite difficult to obtain. The robustness of the related results needs further validation. Second, for the analytical expression of feedback equilibrium solutions, we only consider targeted attacks by hackers. Although targeted attacks constitute an increasingly important type of cyber-attack, one can construct alternative models that also include mass attacks and examine the effects of the two main types of cyber-attacks. Third, we assume that decisions regarding rates of pricing, security investment, and information sharing are determined in a single stage, for mathematical tractability; one can generalize our model into a two-stage differential game, in which both firms choose rates of security investment and information sharing in the first stage and then choose pricing rates in the second stage. Fourth, the model under current study assumes that the demand loss and hackers' attack density are completely exogenous and independent of firms' security decisions. In reality, when a firm invests more in its security, the improved security should deter hackers, make attacks more costly, or decrease the demand loss from a successful attack. Making the demand loss and hackers' attack density endogenous implies that hackers are strategic in their choice of attacking activities, which requires a model extension from our differential game model between two competitive firms into a more interesting but complex differential game model between hackers and these firms.
Fifth, the information a firm receives from information sharing arrangements may provide critical insights on the threats the firm is facing and significantly influence the firm's cybersecurity investment decisions. Gordon et al. (2015) demonstrate that a firm's information sharing practice may impact both the timing and expected value of its cybersecurity investments. Hence, our assumption that security investments and information sharing are independent of each other does not always hold. Although formally modeling the relation between information sharing and cybersecurity investments could cause loss of mathematical tractability, this issue deserves further investigation. Finally, the results of our article are obtained based on a differential game, and they need to be empirically validated with realistic cases in the field of information security.