Cooperative security against interdependent risks

INTRODUCTION AND RELATED LITERATURE

Firms increasingly belong to a variety of interorganizational networks, such as complex supply chains, strategic alliances, or other types of partnerships. Membership in these networks can evidently yield economic benefits, but they also necessitate substantial additional security investments due to increased exposure to interdependent or contagion risks (Kunreuther & Heal, 2003). For instance, in January 2013, the European food industry endured a horse‐meat contamination scandal (Lawrence, 2013). Meat products from several retailers and fast‐food chains in the United Kingdom and Ireland, advertised as containing beef, were discovered upon testing to have been contaminated with horse‐meat. Further investigation revealed that in the complex meat supply networks, with contractors and subcontractors spread all across Europe, a particular supplier had indulged in deliberate contamination in a bid to cut costs. Several retailers, including Britain's largest retailer, TESCO, that had sourced the contaminated meat, faced economic repercussions from a drop in sales and reputational harm. Other notable cases of supply contamination include the adulteration of milk with melamine (Levi et al., 2020; Mu et al., 2016) and the 2008 heparin adulteration scandal (Babich & Tang, 2012). Contamination in supply networks, upon discovery, typically results in product recalls, regulatory fines, and brand equity loss, often entailing substantial costs for the concerned firms.

Besides supply networks, interdependent risks can arise in other contexts too. For instance, businesses have a growing recognition that they bear a social responsibility to secure their consumer data from cyber threats (Pollach, 2011). Malware infecting the systems of a company in an interfirm network can gain access to the IT systems of its partner firms. Due to poor cyber‐security practices by partner firms, companies such as Target and Home Depot have been the victims of high‐profile data and privacy breaches (McAfee, 2015). In today's highly interconnected networks, risks like contamination in food supply chains or consumer data breaches assume an interdependent nature. That is, the risks faced by a firm depend not only on internal risks arising from their own operations but also on the risk transferred from partner firms in the network. Further, the above examples involve risks transferred between networked partners with ongoing and frequent repeated interactions. Thus, a firm vulnerable to internal risks is near‐certain to transfer this risk to its partner firms if these partners do not take appropriate remedial actions.

Therefore, to secure themselves against interdependent risks, two general strategies are available to networked firms. First, firms in the network can choose to invest cooperatively in securing themselves, thereby removing sources of risk. Second, alternatively, firms can choose to independently secure themselves by eliminating risk from internal operations and then investing in security across the links that connect them to the other firms in the network. So, for example, firms could cooperatively share the costs of supplier quality improvements, thereby investing in suppliers' embracing responsible operational practices. Alternatively, a retailer can implement quality standards for internal processes and, simultaneously, inspect and quality test incoming products supplied by direct partners. The latter would correspond to the independent security strategy, while the former corresponds to the cooperative security strategy.

Security against interdependent risks is associated with positive externalities since other firms are benefited from the presence of a secured firm in the network. This would intuitively suggest that cooperative network‐wide security against interdependent risks can be a cost‐effective strategy as compared to each firm in the network independently securing itself. However, cooperation can be hindered by disagreements over cost‐sharing arrangements. Firms, in general, are heterogeneous, both, in the costs they incur to secure themselves as well as in the penalties that they may face in case of a realized risk. Thus, a priori, it is not clear whether there will always exist a stable and fair sharing of security costs that can sustain network‐wide cooperation. Furthermore, networked firms typically have visibility and mechanisms to cooperate and monitor with only immediate partners. For instance, extended multitier supply chains are often associated with a loss in visibility over firms further away in the network (Caro et al., 2021). Thus, it is also unclear whether one can find suitable mechanisms to implement cost‐sharing arrangements that circumvent coordination across firms that are not immediate or direct partners.1

To address these issues, in this paper, we consider an interdependent security model on a network and an associated cost‐sharing game. In our model, as motivated above, firms face an intrinsic risk from their internal operations and an extrinsic risk from their unsecured partners in the network. Firms in the network are heterogeneous in the costs they incur to secure themselves and the penalties they face in case of an actualized threat.

Further, we also consider our network security model under differing informational assumptions. In our private information model, we assume that all cost parameters are privately known to players. So, in the absence of explicit cooperation, each firm's security actions cannot be observed or inferred by other firms in the network. This private information assumption is a marked distinction from existing models of interdependent security in the literature, which typically assume that various model parameters and actions are public information. In several real‐world contexts, in the absence of formal mechanisms for cooperation, firms are neither aware of the security efforts undertaken by other firms nor can they infer their efforts since the underlying cost structures are typically private information. However, in certain other scenarios, it would be more reasonable to assume that firms are indeed aware of the security costs of other firms in the network. Therefore, we also analyze our network security model with the alternative informational assumption wherein efforts and cost structures are public information. Further, studying these two extreme informational assumptions also permits us to separate the benefits of cooperation arising from interdependence and information acquisition. In the Supporting Information, we also consider a more general hybrid model, the partial information model, where, as in practice, due to regulatory requirements or strategic disclosures, the cost parameters and efforts of some firms are publicly known whereas the costs and efforts of other firms are only known privately.

The network‐optimal security strategy under all informational assumptions is identical, and we demonstrate that it can be computed in polynomial time using a minimum weighted cut network‐flow algorithm. Then, we adopt a cooperative game‐theoretic approach to assess whether agents have an incentive to cooperate across the entire network and share the security investment costs. We show that, under the private information setting, agents have a clear incentive to cooperate globally, that is, form the grand coalition and share the resulting security costs. However, with even some information being public in the network, we show that, in general, there do not exist cost‐sharing mechanisms that can ensure the stability of the grand coalition. This can be explained by two drivers: first, with public information, the benefit from additional information acquisition is lowered. Thus, the benefits from cooperative security in the public information setting are arguably lower. Second, public information engenders free‐riding since firms can now anticipate and observe the security actions of other firms in the network and benefit from the cooperation of other firms in the network without participating in the grand coalition and sharing security costs. In similar cooperative settings with externalities, free‐rider concerns are acknowledged as a fundamental reason often precluding the stability of the grand coalition (see, e.g., Yi, 1997).

Importantly, we then introduce the notion of bilateral implementability. A cost‐sharing arrangement is said to be bilaterally implementable if it can be enforced by a series of bilateral cost‐sharing agreements between only direct partners in the network. Bilaterally implementable cost‐sharing mechanisms are resistant to the aforementioned limitations of network visibility and control. It is generally assumed, for example, in managing supply chains that it is easier for firms to contract with their immediate suppliers with whom they share direct relationships and that it is more challenging to gain visibility, manage, and contract with deep‐tier suppliers (see, e.g., L. Huang et al., 2020; Dong et al., 2022). We propose a novel security cost‐sharing mechanism, the agreeable allocation, which is a restricted variant of the Shapley value allocation (Shapley, 1971). We then demonstrate that the agreeable allocation satisfies notions of stability, is formalizably fair, and unlike the Shapley value, is easily computable, and always bilaterally implementable. However, the agreeable allocation may not always exist. We then construct δ‐agreeable allocations that satisfy a generalized notion of (δ+1)‐lateral implementability, for an integer

δ ≥ 1 $\delta \ge 1$

δ = 1 $\delta = 1$

To analyze the effects of network structure on the existence of the agreeable allocation, we consider the special case of quasi‐homogeneous networks, that is, networks where the security cost parameters are equal. We then provide a structural graph‐theoretic characterization for the existence of the agreeable allocation in these networks. Specifically, we show that the local density of networks plays a key role in determining whether the agreeable allocation exists.

In summary, one can view our work in both descriptive and normative terms. Descriptively, we observe that network‐wide security cooperation is efficient and, in some cases, this cooperation can be sustained with suitable cost‐sharing arrangements. However, when concerns pertaining to computability and implementability of these cost‐sharing mechanisms are incorporated, network‐wide security cooperation is rendered more challenging. Normatively, via our analysis of the agreeable allocation and its extensions, we are able to provide insights into when and how these implementation challenges can be surmounted.

A NETWORK SECURITY MODEL

We consider a set of heterogeneous players2 denoted by N. Following standard graph‐theoretic notation, let us suppose that the players occupy a network denoted as

G = ( N , A ) $\mathbb {G}= (N, A)$

G $\mathbb {G}$

( i , j ) ∈ A $(i, j) \in A$

i , j ∈ N $i, j \in N$

N + ( i ) $N^+(i)$

( i , j ) ∈ A $(i,j) \in A$

N − ( i ) $N^-(i)$

j ∈ N $j \in N$

( j , i ) ∈ A $(j,i) \in A$

N ( i ) : = N + ( i ) ∪ N − ( i ) $N(i) := N^+(i) \cup N^-(i)$

Each player faces two independent sources of risk: an intrinsic risk from its own operations and an extrinsic risk transferred from its partnerships with unsecured players.3 We assume the cost incurred by player i to secure itself against intrinsic risks is given by

θ i $\theta _i$

ξ j i $\xi _{ji}$

x i ∈ { 0 , 1 } $x_i \in \lbrace 0, 1\rbrace$

y j i ∈ { 0 , 1 } $y_{ji} \in \lbrace 0,1\rbrace$

j ∈ N − ( i ) $j \in N^-(i)$

L i $L_i$

As outlined in Section 1, firms can derive two distinct advantages from cooperative security in networks: first, the benefit of interdependence, which involves internalizing the positive externality of security, and, second, the advantage of information acquisition. Accordingly, we first consider two extreme informational assumptions, a private information model where each player, in the absence of cooperation, is aware of and can observe only its own security cost parameters and actions. At the other extreme, we also consider the more traditional informational assumption of public information where, even in the absence of cooperation, each player can observe the costs and actions of all other players in the network.

Private information model

In the private information model, we assume that all cost parameters including the cost of securing against intrinsic risk,

θ i $\theta _i$

, and the expected penalty in case of a realized risk,

L i $L_i$

, are private information known only to player i. Similarly, the cost,

ξ j i $\xi _{ji}$

, to secure the directed link between players j and i is assumed to be known only to players i and j. This private information assumption is a departure from several existing models of interdependent security. Specifically, the private information assumption implies that in the absence of explicit cooperation between players i and j, neither can observe or infer the actions of the other. Thus, in this scenario, we can formally define the information set of a player i acting independently as

I ( i , { i } ) = { θ i , ξ i j , ξ j i , L i , x i , y j i : j ∈ N − ( i ) } $I(i, \lbrace i\rbrace ) = \lbrace \theta _i, \xi _{ij}, \xi _{ji}, L_i, x_i, y_{ji} : j \in N^-(i)\rbrace$

. Therefore, in this scenario, the information set of player

i ∈ N $i \in N$

who cooperates with the set of players

i ∈ S ⊆ N $i \in S \subseteq N$

expands and is given by

I ( i , S ) = ∪ j ∈ S I ( j , { j } ) = { θ j , ξ k j , ξ j k , L j , x j , y k j : j ∈ S , k ∈ N − ( j ) } $I(i,S) = \cup _{j \in S}\ I(j,\lbrace j\rbrace ) = \lbrace \theta _j, \xi _{kj}, \xi _{jk}, L_j, x_j, y_{kj} : j \in S, k \in N^-(j)\rbrace$

.

Public information model

In contrast, in the public information model, we assume that all firms can observe each other's cost parameters and security actions even in the absence of cooperation. Then, the information set of a player i acting independently is

I ( i , { i } ) = { θ j , ξ j k , ξ k j , L j , x j , y j k : j ∈ N , k ∈ N − ( j ) } $I(i, \lbrace i\rbrace ) = \lbrace \theta _j, \xi _{jk}, \xi _{kj}, L_j, x_j, y_{jk} : j \in N, k \in N^-(j)\rbrace$

. Therefore, in the public information scenario,

I ( i , S ) = I ( i , { i } ) $I(i, S) = I(i, \lbrace i\rbrace )$

, and firms upon cooperation do not derive any benefits from additional information acquisition. By analyzing and comparing these two extreme informational assumptions, we can comment on the benefits from cooperation along the two dimensions of interdependence and information acquisition.

Partial information model

In practice, even in the absence of explicit cooperation, the security costs and actions of certain firms may be public knowledge, due to regulatory requirements or strategic disclosures, whereas the costs and actions of other firms may only be known privately. Thus, we also consider a more general partial information model which assumes that the costs and actions of a subset of firms,

P ⊆ N $\mathcal {P} \subseteq N$

are publicly known to all firms in the network whereas the costs and actions of firms in

N ∖ P $N\backslash \mathcal {P}$

are only privately known. Therefore, in this scenario,

I ( i , { i } ) = { θ j , ξ j k , ξ k j , L j , x j , y j k : j ∈ P ∪ { i } , k ∈ N − ( j ) } $I(i, \lbrace i\rbrace ) = \lbrace \theta _j, \xi _{jk}, \xi _{kj}, L_j, x_j, y_{jk} : j \in \mathcal {P}\cup \lbrace i\rbrace , k \in N^-(j)\rbrace$

. This more general hybrid model subsumes both the private and public information models described above. Clearly, when

P = ∅ $\mathcal {P} = \emptyset$

and

P = N $\mathcal {P} = N$

, we recover the private and public information models, respectively. In the interest of expositional clarity and brevity, we consider the private information and public information models in the paper and extend the discussion to the general partial information model in the Supporting Information Section EC.4.

Security actions

Players in the network choose security actions,

x i ∈ { 0 , 1 } $x_i \in \lbrace 0, 1\rbrace$

, and

y j i ∈ { 0 , 1 } $y_{ji} \in \lbrace 0,1\rbrace$

for all

i ∈ N $i \in N$

and

j ∈ N − ( i ) $j \in N^-(i)$

after considering the relevant trade‐off between the costs of security and the expected penalty in case of a realized risk. In order to do so, each player first forms beliefs on the security states of other firms in the network. That is, a player i, cooperating with players in S and with the information set

I ( i , S ) $I(i,S)$

, forms a belief on the security state of

j ∈ N $j \in N$

denoted by

σ j i ( I ( i , S ) ) ∈ { 0 , 1 } $\sigma _{ji}(I(i,S)) \in \lbrace 0, 1\rbrace$

, where

σ j i = 0 $\sigma _{ji} = 0$

means player i believes j to be unsecured, and if

σ j i = 1 $\sigma _{ji} = 1$

then i believes j is secured. We will subsequently clarify how players form beliefs on the security states of other firms in the network. Then, player i chooses security actions

x i $x_i$

and

y j i $y_{ji}$

accordingly to determine its own security state based on its beliefs. Since interdependent risks are transferable across partners, a player i identifies itself as secured, that is,

σ i = 1 $\sigma _i = 1$

, if and only if it is secured against its own intrinsic risk, that is,

x i = 1 $x_i = 1$

, and further, is also secured against extrinsic risks, that is,

y j i = 1 $y_{ji} = 1$

for all players

j ∈ N − ( i ) $j \in N^-(i)$

who it believes to be unsecured. For clarity, we note that the security state

σ i $\sigma _i$

of player i as a function of its own security actions, given its information set and its beliefs on the security states of its network partners, satisfies the following:

σ i ( x i , y i | I ( i , S ) ) = 0 , if x i ∏ j ∈ N − ( i ) σ j i = 0 y j i = 0 , 1 , otherwise. $$\begin{equation} \sigma _i(x_i, {\bm{y}_i} \vert I(i,S)) = {\begin{cases} 0, \quad \text{ if } x_i\prod _{\substack{j \in N^-(i)\\[0pt] \sigma _{ji} = 0}}y_{ji} = 0,\\[12pt] 1, \quad \text{ otherwise.}\end{cases}} \end{equation}$$

1

Thus, the expected security cost incurred by a player i is given as follows:

U i ( x i , y i | I ( i , S ) ) = L i ( 1 − σ i ( x i , y i | I ( i , S ) ) ) + θ i x i + ∑ j ∈ N − ( i ) ξ j i y j i . $${ \begin{equation} U_i(x_i, {\bm{y}_i}| I(i,S)) \,{=}\, L_i(1\,{-}\,\sigma _i(x_i, {\bm{y}_i}| I(i,S)))\,{+}\, \theta _ix_i \,{+}\,\! \sum \limits _{{j \in N^-(i)}} \xi _{ji}y_{ji}. \end{equation}}$$

2

The first term in (2) corresponds to the expected penalty from a realized risk and is incurred only when the player i is unsecured. The second and third terms correspond to the costs of securing itself against intrinsic risks, and extrinsic risks from unsecured partners, respectively.

In Sections 3 and 4, we analyze cooperative security strategies and the associated security cost‐sharing problem in the private information model whereas in Section 6 we study the public information model. This sequence is chosen for expositional clarity. Further, in the interest of parsimony, we relegate the analysis under the general partial information model where each player acting independently is aware of the cost parameters and actions for only a subset of players to the Supporting Information Section EC.4.

SECURITY STRATEGIES UNDER PRIVATE INFORMATION

Under the private information assumption, since a player cannot observe or infer the security actions of other players, we assume a player i forms a worst‐case belief on the security states of players it does not explicitly cooperate with. That is, a player i cooperating with the set of players

S ⊆ N $S \subseteq N$

σ j i = 0 $\sigma _{ji} = 0$

j ∉ S $j \notin S$

x i = 1 $x_i = 1$

y j i = 1 $y_{ji} = 1$

σ j i = 0 $\sigma _{ji} = 0$

σ i ∈ { 0 , 1 } $\sigma _i \in \lbrace 0, 1\rbrace$

σ i = 0 $\sigma _i = 0$

σ i = 1 $\sigma _i = 1$

We now consider two forms of security strategies in the network: the independent security strategy and the network‐optimal security strategy. While the former corresponds to the no‐cooperation, that is, individually rational scenario, the latter corresponds to the full cooperation, that is, the network‐optimal situation. In Section 4, we will consider all intermediate cooperative security strategies, that is, where a subset of firms in the network cooperatively secure themselves.

Independent security strategy

Since the players are not cooperating with each other on their security actions, as noted previously, the information set of each player

i ∈ N $i \in N$

,

I ( i , { i } ) $I(i,\lbrace i\rbrace )$

, only contains its own actions, expected penalty, and security costs. Then, player i is said to be independently secured if

U i $U_i$

, as defined in (2), is minimized when

σ i = 1 $\sigma _i = 1$

, for a suitable choice of

x i $x_i$

and y _i . The set of all players in N which are independently secured is denoted by

S I $S_\mathcal {I}$

. The following proposition characterizes when a player is independently secured. All proofs are provided in the Supporting Information. Proposition 1

A player

i ∈ S I $i \in S_\mathcal {I}$

if and only if

L i ≥ θ i + ∑ j ∈ N − ( i ) ξ j i $L_i \ge \theta _i + \sum _{j \in N^-(i)} \xi _{ji}$

. Further, then,

x i = y j i = 1 $x_i = y_{ji} = 1$

for all

j ∈ N − ( i ) $j \in N^-(i)$

.

The above proposition captures two straightforward notions in the private information setting: (i) the independent security strategy is based on a simple trade‐off between the cost of security and the expected penalty incurred from not securing itself, (ii) for an agent acting independently, it is not optimal to partially invest in securing some links and not others.

Network‐optimal security strategy

In this setting of full network‐wide cooperation, the information set of each player contains all the security costs and expected penalties of all other players in the network. The players act to minimize the total expected security cost of the network.

3

We denote the set of all players in N which are secured, that is,

σ i = 1 $\sigma _i = 1$

, under the above network‐optimal security strategy by

S ★ $S_\star$

. We first observe that all players that opt to be secured under the independent security strategy continue to be secured under the network‐optimal strategy. Proposition 2

Every player independently secured is also secured under the network‐optimal security strategy,

S ★ ⊇ S I $S_\star \supseteq S_\mathcal {I}$

.

However, the positive externalities, inherent to this context, may result in certain nodes being secured under the network‐optimal security strategy which are unsecured when acting independently. That is, we note that the above inclusion can be strict. We demonstrate this with Example EC.1 in the Supporting Information.

We now provide a key result demonstrating that the network‐optimal security strategy and equivalently,

U ( G ) $U(\mathbb {G})$

, can be computed via a network‐flow algorithm. The algorithm relies on the construction of an auxiliary directed network

G ∗ $\mathbb G^*$

. We then establish a connection between the network‐optimal security strategy in

G $\mathbb {G}$

and the minimum weight s‐ℓ cut problem in

G ∗ $\mathbb G^*$

.

Construction of the auxiliary network

G ∗ ${\mathbb G^*}$

The node set of

G ∗ $\mathbb G^*$

is given by

N ∪ { s , ℓ } $N \cup \lbrace s, \ell \rbrace$

, where s and ℓ are two additional nodes not present in the original network

G $\mathbb {G}$

. The nodes s and ℓ represent the source and sink of the network

G ∗ $\mathbb G^*$

, respectively. The arc set of

G ∗ $\mathbb G^*$

consists of (i) arcs from s to each node

i ∈ N $i \in N$

with weights

θ i $\theta _i$

, (ii) arcs from

i ∈ N $i \in N$

to

j ∈ N + ( i ) $j \in N^+(i)$

with weights

ξ i j $\xi _{ij}$

, and (iii) arcs from

i ∈ N $i \in N$

to ℓ with weights

L i $L_i$

. The construction of the auxiliary network is illustrated in Figure 1. Theorem 1

Suppose the minimum weight cut separating s and ℓ partitions the nodes of

G ∗ $\mathbb G^*$

into X and

X ¯ $\overline{X}$

such that

s ∈ X $s \in X$

. Then

S ★ = N ∖ X $S_\star = N\setminus X$

. Further,

U ( G ) $U(\mathbb {G})$

is the weight of the cut

( X , X ¯ ) $(X, \overline{X})$

.

OPEN IN VIEWER

FIGURE 1

Auxiliary network

G ∗ $\mathbb G^*$

.

Also, from (1), it follows that if x * and y * denote the network‐optimal security actions of the players, then

x i ∗ = 1 $x^*_i = 1$

if and only if

i ∈ X ¯ $i \in \overline{X}$

and

y j i = 1 $y_{ji} = 1$

if and only if

i ∈ X $i\in X$

,

j ∈ X ¯ $j \in \overline{X}$

. Therefore, from Theorem 1, we also immediately obtain the network‐optimal security strategy. Now, note that the directed network

G ∗ $\mathbb G^*$

has

O ( | N | ) $O(|N|)$

nodes and

O ( | N | + | A | ) $O(|N|+|A|)$

arcs. Thus, from the push‐relabel‐algorithm (Goldberg & Tarjan, 1988), we immediately obtain the following corollary. Corollary 1

S ★ $S_\star$

can be computed in

O ( ( n 2 + m n ) log ( n / m + n ) ) $O((n^2+mn) {\rm{log}}(n/m+n))$

time, where

n = | N | $n = |N|$

and

m = | A | $m = |A|$

.

In the private information model, the network‐optimal security strategy resolves two distinct kinds of inefficiencies engendered by the individually rational security strategies of the players. The first inefficiency arises from the canonical underinvestment of efforts resulting from a failure to internalize positive externalities. This is well recognized in the interdependent security literature (see, e.g., Acemoglu et al., 2016). Therefore, some agents for whom it was individually rational to not invest in security efforts are now secured since these erstwhile externalities are now internalized in the network‐level optimization. This reflects the strategic complementarity inherent in situations with interdependent risks. The second source of inefficiency arises, in the private information model, as a consequence of security costs being privately held information. Equivalently, the noninferability of security efforts of a player by other players who are not cooperating with it results in the inefficient duplication of security investments across the network. This provides an economic rationale for anecdotal evidence from diverse supply chain security contexts that bear out this source of inefficiency (ASEM, 2013).

Finally, we note the necessity of cost‐sharing mechanisms in order to implement the network‐optimal security strategy. For a player in the network, given the security states of all of its direct partner firms, the network‐optimal security action is not necessarily individually rational. That is, the network‐optimal security strategy is not always a Nash equilibrium strategy as demonstrated by Example EC.2 provided in the Supporting Information.

SECURITY COST SHARING MECHANISMS

The next natural question is therefore to ask whether network‐wide security cooperation in the private information model can be sustained with suitable cost‐sharing mechanisms. Equivalently, we are interested in finding whether and when cooperation can be made individually rational and the network‐wide efficiency gains can be shared among the firms in a stable and fair manner. The field of cooperative game theory is well suited to address these questions. Towards that end, we first briefly review some cooperative game theory preliminaries.

Cooperative game theory primarily addresses the question of whether cooperation can be sustained across a group of agents and, closely tied to this, is the problem of fairly sharing or allocation of profits (or cost savings) obtained via cooperation between those agents. A cooperative game is defined by

( N , c ) $(N, c)$

c ( · ) $c(\cdot )$

S ⊆ N $S \subseteq N$

c ( S ) $c(S)$

c ( S ) $c(S)$

( N , c ) $(N, c)$

c ( S ) + c ( T ) ≥ c ( S ∪ T ) $c(S) + c(T) \ge c(S \cup T)$

S , T ⊆ N $S, T \subseteq N$

c ( S ) + c ( T ) ≥ c ( S ∪ T ) + c ( S ∩ T ) $c(S) + c(T) \ge c(S \cup T) + c(S \cap T)$

S , T ⊆ N $S, T \subseteq N$

Interdependent security cost sharing

Consider the set of agents N situated on the graph

G $\mathbb {G}$

. Previously, the two security strategies considered represented the two extremes corresponding to no‐cooperation and full‐cooperation settings. We now extend the discussion to consider all intermediate levels of cooperation. That is, for any subset of agents,

S ⊆ N $S \subseteq N$

, we define the coalition‐optimal security strategy as that which minimizes the security cost of a cooperating set of agents S,

4

We define an indicator function

Υ S i $\Upsilon _S^i$

for player i belonging to a coalition S that indicates whether player i is secured under the coalition‐optimal security strategy for S in the private information model. Formally,

Υ S i = σ i ( x ∼ i , y ∼ i | I ( i , S ) ) $\Upsilon _S^i = \sigma _i(\widetilde{x}_i, {\bm{\widetilde{y}}_i}| I(i,S))$

, where

x ∼ i $\widetilde{x}_i$

and

y ∼ i $\bm{\widetilde{y}}_i$

denote the optimal solutions to (4). Further, denote the set of players secured in S under the coalition‐optimal security strategy by

Υ ( S ) $\Upsilon (S)$

. That is,

i ∈ Υ ( S ) $i \in \Upsilon (S)$

if and only if

Υ S i = 1 $\Upsilon _S^i = 1$

. Clearly,

S ∖ Υ ( S ) $S \backslash \Upsilon (S)$

are the players in S that are not secured under the coalition‐optimal security strategy. Further, for clarity, note that

Υ ( N ) = S ★ $\Upsilon (N) = S_\star$

. The following result demonstrates a monotonicity property satisfied by the coalition‐optimal security strategy that generalizes Proposition 2. Proposition 3

A player

i ∈ S $i \in S$

that is secured under the coalition‐optimal security strategy for a coalition

S ⊆ N $S \subseteq N$

is also secured under the coalition‐optimal security strategy for a coalition

T ⊇ S $T \supseteq S$

, that is, if

Υ S i = 1 $\Upsilon _S^i = 1$

, then

Υ T i = 1 $\Upsilon _T^i = 1$

.

Further, the pair

( N , c ) $(N, c)$

defines a cooperative game which we term as the interdependent security cost‐sharing game. This cost‐sharing game corresponds to our network model based on the private information assumption as clarified in Section 2. In Section 6, we will accordingly define and analyze the appropriate cost‐sharing game for the public information setting.

The following proposition indicates that

c ( S ) $c(S)$

can also be computed in polynomial time via a similar transformation to a minimum weight cut problem on the auxiliary graph

G ∗ $\mathbb G^*$

as in Theorem 1. Proposition 4

c ( S ) $c(S)$

is the weight of the minimum cut separating the node set

N ∖ S $N\backslash S$

and the node ℓ in the auxiliary directed graph

G ∗ $\mathbb G^*$

and thus can be computed in polynomial time.

An efficient security cost‐sharing mechanism is defined as

ϕ : ( N , c ) → R n $\bm{\phi }: (N,c) \rightarrow \mathbb R^n$

such that

∑ i ∈ N ϕ i = c ( N ) $\sum _{i\in N} \phi _i = c(N)$

. An efficient security cost‐sharing mechanism is said to be a core allocation, that is, it belongs to the core if and only if it is rational for all subsets of players in N to remain in the grand coalition rather than deviate to form a coalition among themselves. That is, ϕ is a core allocation if and only if,

∑ i ∈ S ϕ i ≤ c ( S ) ∀ S ⊆ N $\sum _{i\in S} \phi _i \le c(S)\ \forall \ S \subseteq N$

. The core of some cooperative games may be empty. An empty core will preclude the existence of stable cost‐sharing arrangements. However, in cooperative games that are also convex, it is well known that the core of such games is nonempty (Shapley, 1971). The following theorem demonstrating the convexity of the interdependent security cost‐sharing game, therefore, assumes significance since it guarantees the existence of a stable cost‐sharing mechanism. Theorem 2

The coalition‐optimal security cost,

c ( S ) $c(S)$

, is submodular in S. Thus, the interdependent security cost‐sharing game

( N , c ) $(N,c)$

always admits a stable security cost‐sharing mechanism.

Before we proceed to derive and analyze specific security cost‐sharing mechanisms, we observe that if a player is unsecured under the network‐optimal security strategy, then, the player is allocated

L i $L_i$

by all stable cost‐sharing arrangements as formally demonstrated in Lemma EC.1. Further, we also show that there exists a simple transformation of a network

G $\mathbb {G}$

where some players are unsecured under the network‐optimal security strategy to another network

G ′ $\mathbb G^{\prime }$

where all players are secured in the network‐optimal strategy and, further, there exists a one‐to‐one correspondence between the core allocations of the interdependent security games on

G $\mathbb {G}$

and

G ′ $\mathbb G^{\prime }$

. Thus, Lemma EC.1 allows us to restrict our attention to networks

G $\mathbb {G}$

and associated cost parameter vectors such that all firms are secured under the network‐optimal security strategy.

Shapley value based security cost sharing

The convexity of

( N , c ) $(N, c)$

guarantees that a well‐known and commonly employed allocation in cooperative games, the Shapley value (Shapley, 1953), belongs to the core. Beyond its membership in the core, the Shapley value also uniquely satisfies several natural fairness properties and has an axiomatic basis in general cooperative games. Formally, the Shapley value, Φ, allocates to a player i in a general cooperative game

( N , c ) $(N,c)$

,

Φ i = ∑ { S : i ∈ S } ( | S | − 1 ) ! ( n − | S | ) ! n ! c ( S ) − c ( S ∖ { i } ) . $$\begin{eqnarray} \Phi _i =\sum _{\lbrace S:i \in S\rbrace }\frac{(|S|-1)!(n-|S|)!}{n!}{\left(c(S)-c(S\setminus \lbrace i\rbrace \right)}). \end{eqnarray}$$

5

The Shapley value rewards players for their marginal contributions to various coalitions, and, to that extent, it can be argued as exemplifying a certain notion of fairness. Further, Φ is the unique efficient allocation characterized by the following properties (or axioms): (i)

Symmetry property: For players i and j such that for all subsets

S ⊂ N $S \subset N$

,

i , j ∉ S $i, j \notin S$

, if

c ( S ∪ { i } ) − c ( S ) = c ( S ∪ { j } ) − c ( S ) $c(S \cup \lbrace i\rbrace )-c(S) = c(S \cup \lbrace j\rbrace )-c(S)$

, then

Φ i = Φ j $\Phi _i=\Phi _j$

.

(ii)

Null player property: For player i such that

c ( S ∪ { i } ) = c ( S ) $c(S \cup \lbrace i\rbrace )=c(S)$

for all

S ⊂ N $S \subset N$

, then

Φ i = 0 $\Phi _i=0$

.

(iii)

Additivity property: The Shapley value, Φ^{1, 2}, of a cooperative game,

( N , c 1 + c 2 ) $(N, c^1+c^2)$

, that is the sum of two cooperative games,

( N , c 1 ) $(N, c^1)$

and

( N , c 2 ) $(N, c^2)$

, equals the sum of the Shapley values of the two games, Φ¹ and Φ², respectively.

Of these properties, we note that the symmetry property formalizes the idea that players which are “identical” in terms of their marginal contributions should receive an identical share of the value created by cooperation. This is, arguably, an innocent fairness criterion which, along with the marginal contribution interpretation discussed before, we shall return to later on in this work. The Shapley value is widely adopted as a cost sharing or a profit sharing, as the case may be, allocation method in diverse contexts, including several mentioned in Section 1.1, such as inventory pooling (Kemahlıoğlu‐Ziya & Bartholdi, 2011), capacity allocation and scheduling (Aydinliyim & Vairaktarakis, 2010), group purchasing (R. R. Chen & Yin, 2010), disaster preparedness (Rodríguez‐Pereira et al., 2021), and so forth. However, for our game, we establish a link between the computation of the Shapley value and the classical subset sum problem. In fact, this connection demonstrates that computing the Shapley value of interdependent security games is a computationally hard problem. Theorem 3

There is no polynomial time algorithm that computes the Shapley value for a given player in the interdependent security cost‐sharing game unless P = NP.

Further, from the proof of Theorem 3, we note that even for simple structures such as the assembly supply network, computing the Shapley value is hard. Beyond computational interest, the above result on the complexity of the Shapley value is of interest to us for reasons of implementation. In general, equilibrium concepts in noncooperative game theory or solution concepts in cooperative games that are computationally intractable raise the question of feasibility of whether self‐interested agents can identify and implement these mechanisms in practice.4

For a notable special case, however, the Shapley value can be computed easily. In fact, when the expected penalties, in case of a realized risk, are sufficiently large for all players, then the Shapley value has a straightforward closed form expression. Theorem 4

If

L i > θ i + ∑ j ∈ N − ( i ) ξ j i $L_i > \theta _i + \sum _{j \in N^-(i)} \xi _{ji}$

for all

i ∈ N $i\in N$

, that is, if

S I = S ★ = N $S_\mathcal {I}= S_\star = N$

, then, the Shapley value based security cost allocation to player

i ∈ N $i \in N$

is given by

Φ i = θ i + ∑ j ∈ N − ( i ) ξ j i 2 − ∑ j ∈ N + ( i ) ξ i j 2 . $$\begin{equation} \Phi _i = \theta _i + \sum _{j \in N^-(i)} \frac{\xi _{ji}}{2} - \sum _{j \in N^+(i)} \frac{\xi _{ij}}{2}. \end{equation}$$

6

In this scenario, when the expected penalties are sufficiently large, it is individually rational for all players to secure themselves (i.e., under the independent security strategy). That is, since all players choose to secure themselves even without cooperation, the network‐optimal security strategy resolves only one kind of inefficiency, that arising from duplication of security efforts. Under the Shapley value based security cost‐sharing mechanism, in this scenario, the cost savings from avoiding duplication of security efforts across each link are equally shared by both parties.

Extreme core allocations

However, this still leaves open the question of whether, in general interfirm networks, there exist stable security cost‐sharing arrangements sustaining network‐wide cooperation that can also be computed easily. We now provide an affirmative answer to this question. Consider an arbitrary permutation π of the players in N. Then, we can define a cost‐sharing allocation,

x π $x_\pi$

, corresponding to a permutation π as follows,

x π i = c ( { π 1 , π 2 , … , π i } ) − c ( { π 1 , π 2 , … , π i − 1 } ) ∀ i ∈ N $ x_{\pi _i} = c(\lbrace \pi _1,\pi _2,\ldots ,\pi _i\rbrace ) - c(\lbrace \pi _1,\pi _2,\ldots ,\pi _{i-1}\rbrace )\quad \forall i \in N$

. Proposition 5

For every permutation π of N, the allocation

x π $x_\pi$

is an extreme point of the core of the interdependent security cost‐sharing game and can be computed in polynomial time.

The proof of Proposition 5 relies on the convexity of the game and the characterization of the core of convex games as developed by Shapley (1971). Further, we demonstrate that the extreme core points of the interdependent security cost‐sharing game can be computed in polynomial time, thereby, allowing us to identify easily computable and stable security cost‐sharing arrangements. However, it can easily be seen that extreme core allocations as identified in Proposition 5 do not satisfy a basic notion of fairness as embodied in the symmetry property introduced earlier. Proposition 6

The security cost‐sharing allocation

x π $x_\pi$

does not satisfy the symmetry property.

Our discussion, thus far, uncovers what appears to be an “impossible” trilemma: stability, fairness, and implementability. That is, when we simultaneously require a security cost‐sharing arrangement to be stable (i.e., it must be individually and coalitionally rational), fair (in terms of a basic symmetry property), and implementable (in terms of ease of computability), it already proves to be too restrictive. Descriptively, this suggests why, although the welfare gains achieved by network‐wide security cooperation can, in principle, be stably shared, we may still not observe such cooperation in practice. In the next section, we will delve deeper into implementability concerns. Further, and importantly, we will also attempt to find a satisfactory reconciliation of the divergence between stability, fairness, and implementability.

BILATERAL AND MULTILATERAL IMPLEMENTABILITY

In Section 4, we considered a narrow version of implementability. Specifically, we presumed a security cost‐sharing mechanism that is easily computable is implementable. However, implementing cost‐sharing mechanisms via transfer payments across the network, even between firms that are not direct partners, is administratively challenging, perhaps even infeasible. Firms often have limited visibility let alone an ability to enter into cost‐sharing arrangements with indirect network members. Therefore, in this section, we are prompted to study whether there exist stable and fair cost‐sharing mechanisms that can be implemented via transfer payments only involving firms that are direct partners in the network. Indeed, since alliance networks are often comprised of a series of bilateral alliances in the first place, we develop a realistic bilateral implementation framework that can allow firms to sustain network‐wide security cooperation against interdependent risks.5

To this end, we define the bilateral implementability of a cost‐sharing allocation as follows. A cost‐sharing allocation Ψ is bilaterally implementable if and only if for a given network

G $\mathbb {G}$

{ L , θ , ξ } $\lbrace \bm{L}, \bm{\theta }, \bm{\xi }\rbrace$

{ g i j : j ∈ N ( i ) } $\lbrace g_{ij}: j \in N(i)\rbrace$

i ∈ N $i \in N$

Ψ i = ∑ j ∈ N ( i ) g i j ( θ i , θ j , L i , L j , ξ i j , ξ j i ) $$\begin{align} \Psi _i = \sum _{j \in N(i)} g_{ij}(\theta _i, \theta _j, L_i, L_j, \xi _{ij}, \xi _{ji}) \end{align}$$

7

B ε $\mathcal B^\epsilon$

( L , θ , ξ ) $(\bm{L}, \bm{\theta }, \bm{\xi })$

ε > 0 $\epsilon > 0$

First, we examine the bilateral implementability of the Shapley value based security cost‐sharing allocation discussed in Section 4. We introduce some definitions. For a given player

i ∈ N $i \in N$

P ⊆ N $P\subseteq N$

P ∪ { i } $P\cup \lbrace i\rbrace$

i ∈ Υ ( P ∪ { i } ) $i \in \Upsilon (P\cup \lbrace i\rbrace )$

G ( i ) $\mathcal {G}(i)$

G ¯ ( i ) = ⋃ P ∈ G ( i ) P $\overline{\mathcal {G}}(i) ={\textstyle \bigcup_{P\in \mathcal {G}(i)}}P$

Theorem 5

Consider the Shapley value based security cost‐sharing allocation Φ. (i)

Φ is bilaterally implementable if for all players

i ∈ N $i \in N$

,

i ∉ G ¯ ( j ) $i \not\in \overline{\mathcal {G}}(j)$

for all

j ∈ N ( i ) $j \in N(i)$

such that

| N ( j ) | > 1 $|N(j)| > 1$

.

(ii)

Φ is not bilaterally implementable if there exists a player

i ∈ N $i \in N$

such that

i ∈ G ¯ ( j ) $i \in \overline{\mathcal {G}}(j)$

for some

j ∈ N ( i ) $j \in N(i)$

such that

| N ( j ) ∖ N ( i ) | > 1 $|N(j)\backslash N(i)| > 1$

.

Theorem 5 provides characterizing conditions for when the Shapley value based cost‐sharing arrangement is bilaterally implementable. Observe that minimal coalitionally rational security sets formalize the externalities that secured players induce on other players in the network. Therefore, roughly speaking, the above theorem demonstrates that as the extent of positive externalities of security in the network increases, the Shapley value based security cost‐sharing fails to be bilaterally implementable. As a corollary, we observe that for the special case discussed in Theorem 4, the Shapley value cost‐sharing mechanism is clearly bilaterally implementable.

Theorem 5, in conjunction with Theorem 3, arguably also demonstrates the impracticality of adopting a Shapley value based security cost‐sharing arrangement in all but a narrow class of networks. Specifically, since it is neither computable efficiently nor bilaterally implementable, in general, we argue that this renders it contextually untenable. We now propose a novel security cost‐sharing mechanism that builds on the extreme core allocations considered in Proposition 5.

Extreme core allocations and the agreeable allocation

In light of Lemma EC.1, we limit our attention to networks where all firms are secured in the grand coalition. We further recall the previously defined indicator function

Υ S i $\Upsilon _S^i$

for player

i ∈ S $i \in S$

that indicates whether player i is secured under the coalition‐optimal security strategy for S. That is,

Υ S i = σ i ( x ∼ i , y ∼ i | I ( i , S ) ) $\Upsilon _S^i = \sigma _i(\widetilde{x}_i, {\bm{\widetilde{y}}_i}| I(i,S))$

, where

x ∼ i $\widetilde{x}_i$

and

y ∼ i $\bm{\widetilde{y}}_i$

denote the optimal solutions to (4). We now recursively define a finite family of mutually exclusive sets

S = { S 1 , … , S ℓ } $\mathcal {S}= \lbrace \mathcal S_1,\ldots ,\mathcal S_\ell \rbrace$

of players in the network, where

S 1 = { i ∈ N : Υ { i } i = 1 } = S I $\mathcal S_1 =\lbrace i\in N:\Upsilon _{\lbrace i\rbrace }^i = 1\rbrace =S_\mathcal {I}$

. For

k > 1 $k > 1$

, we define

S k $\mathcal S_k$

recursively as

S k = i ∈ N ∖ S k − 1 ¯ : Υ S k − 1 ¯ ∪ { i } i = 1 , $$\begin{align} \mathcal S_k = {\left\lbrace i \in N\setminus \overline{\mathcal S_{k-1}} : \Upsilon _{\overline{\mathcal S_{k-1}} \cup \lbrace i\rbrace }^i = 1 \right\rbrace} , \end{align}$$

8where

S k − 1 ¯ = S 1 ∪ ⋯ ∪ S k − 1 $\overline{\mathcal S_{k-1}}=\mathcal S_1 \cup \cdots \cup \mathcal S_{k-1}$

. In other words,

S 1 $\mathcal S_1$

contains the players that are secured even under the independent security strategy, that is, it is optimal for these players to secure themselves even when operating independently. Further,

S 2 $\mathcal S_2$

contains players that will be secured conditional on being in a coalition with players in

S 1 $\mathcal S_1$

, and so forth. Also note that if

S k $\mathcal S_k$

is a null set, then, so is

S k + 1 $\mathcal S_{k+1}$

. Suppose there exists

ℓ ∈ Z $\ell \in \mathbb {Z}$

such that

S ℓ ¯ = N $\overline{\mathcal S_{\ell }} = N$

, then the recursive procedure generating the family of sets terminates. Denote

s k = | S k ¯ | $s_k = |\overline{\mathcal S_k}|$

for

k = 1 , … , ℓ $k = 1,\ldots ,\ell$

. Then, any permutation π of the players in N such that

π 1 , … , π s 1 $\pi _1,\ldots ,\pi _{s_1}$

is a permutation of players in

S 1 $\mathcal S_1$

,

π s 1 + 1 , … , π s 2 $\pi _{s_1 + 1},\ldots ,\pi _{s_2}$

is a permutation of players in

S 2 $\mathcal S_2$

, and so on up to,

π s ℓ − 1 + 1 , … , π s ℓ $\pi _{s_{\ell -1}+1},\ldots ,\pi _{s_\ell }$

is a permutation of players in

S ℓ $\mathcal S_\ell$

is defined as an agreeable permutation.

We note that it is possible in certain networks and associated cost parameter vectors for no

ℓ ∈ Z $\ell \in \mathbb {Z}$

to exist such that

S ℓ ¯ = N $\overline{\mathcal S_{\ell }} = N$

. In these cases, consequently, no agreeable permutation of the players in N will exist either. Nevertheless, when the players in N can be partitioned into the family of sets as described above, or equivalently, when an agreeable permutation of the players exists, we can demonstrate, as will be shown during the course of proving Theorem 6, that the extreme core allocation

x π $x_\pi$

corresponding to each agreeable permutation π of N is bilaterally implementable.

Furthermore, recall that extreme core allocations are not symmetric, therefore, arguably, violating a basic notion of fairness. To remedy this, we are now in a position to propose our novel security cost‐sharing mechanism, the agreeable allocation, that is defined as the average of those extreme core allocations induced by all agreeable permutations of N. Theorem 6

The agreeable allocation of network‐wide security costs, when it exists, (i) belongs to the core and is (ii) polynomial‐time computable, (iii) symmetric, and (iv) bilaterally implementable. Further, it also satisfies (v) marginality and the (vi) null player property. Moreover, the security cost allocated to player i by the agreeable allocation

x ∗ $x^*$

is given by

Observe that the network‐wide security cost apportioned to each player by the agreeable allocation depends only on its own security cost parameters and that of its direct partners, and, therefore, it is bilaterally implementable. Also, importantly, we note that the agreeable allocation attempts to resolve the tension between stability, fairness, and implementability. Since, it belongs to the core, when it exists, it is a stable allocation of security costs. Further, in contrast to extreme core allocations, since it satisfies symmetry and marginality, it is in accordance with basic axiomatic descriptions of fairness. Further, in contrast to the Shapley value based cost‐sharing arrangement, since the agreeable allocation is computable in polynomial time, and, saliently, is bilaterally implementable, it also fares well with respect to implementability concerns. Finally, the closed‐form expression for the agreeable allocation provided above allows for transparency in the manner in which it allocates the network‐wide security costs to each individual firm. In fact, the algorithm to compute the agreeable allocation and the closed‐form expression lend themselves naturally to a straight‐forward implementation mechanism.

We also remark that for the special case considered in Theorem 4, that is, when

S I = S ★ $S_\mathcal {I}=S_\star$

, the agreeable allocation exists and coincides with the Shapley value.

Multilateral implementability and δ‐agreeable allocations

The agreeable allocation is indeed appealing since its bilateral implementability minimizes the coordination challenges involved in sustaining the network‐optimal security strategy. However, sometimes firms that are not direct partners may regardless cooperate via suitable transfer payments when it can be mutually beneficial. Consider a network

G $\mathbb {G}$

with associated cost parameter vectors

{ L , θ , ξ } $\lbrace \bm{L}, \bm{\theta }, \bm{\xi }\rbrace$

. Formally, for an integer

δ ≥ 1 $\delta \ge 1$

, a cost‐sharing allocation Ψ is said to be

( δ + 1 ) $(\delta +1)$

‐laterally implementable if and only if for cost parameters belonging to an open ball

B ε $\mathcal B^\epsilon$

centered at

( L , θ , ξ ) $(\bm{L}, \bm{\theta }, \bm{\xi })$

of radius ε for some

ε > 0 $\epsilon > 0$

, there exist differentiable functions

{ g i j : j ∈ N , d ( i , j ) ≤ δ } $\lbrace g_{ij}: j \in N, d(i,j) \le \delta \rbrace$

for each player

i ∈ N $i \in N$

such that

Ψ i = Σ j ∈ N , d ( i , j ) ≤ δ g i j $\Psi _i = \Sigma _{j \in N, d(i,j) \le \delta } \ g_{ij}$

, where

g i j $g_{ij}$

is a function solely of the security cost parameters of players i and j, and where

d ( i , j ) $d(i,j)$

denotes the distance between nodes i and j in the network

G $\mathbb {G}$

. That is, (

δ + 1 $\delta +1$

)‐lateral implementability of a cost‐sharing allocation permits transfer payments between players that are at a distance of at most δ in the network. As δ increases, we expect the coordination challenges associated with the cost‐sharing mechanism to also increase.

While our general approach to construct a

( δ + 1 ) $(\delta +1)$

‐laterally implementable allocation bears some resemblance to the previous development of the agreeable allocation, there are substantial technical differences. In the interest of brevity, we provide these details in the Supporting Information, Section EC.2. Broadly, we first identify a subset of permutations of the players in N denoted as δ‐agreeable permutations (Algorithm 2). A δ‐agreeable permutation can be computed via a fixed parameter tractable algorithm with respect to δ (i.e., polynomial time in

| N | $|N|$

but not in δ). We then demonstrate that the extreme core allocations corresponding to each δ‐agreeable permutation are

( δ + 1 ) $(\delta +1)$

‐laterally implementable (Proposition EC.1). We then define the δ‐agreeable allocation as the average of extreme core allocations induced by all δ‐agreeable permutations of N. Theorem 7

For a given integer

δ ≥ 1 $\delta \ge 1$

, the δ‐agreeable allocation, when it exists (i) belongs to the core,(ii) is symmetric, and is (iii) (δ+1)‐laterally implementable. Further, it also satisfies (iv) marginality and the (v) null player property.

The δ‐agreeable allocation satisfies the generalized notion of

( δ + 1 ) $(\delta +1)$

‐lateral implementability while retaining the fairness and stability properties of the agreeable allocation. Since the number of δ‐agreeable permutations can be exponential in

| N | $|N|$

, the δ‐agreeable allocation is, in general, not computable in polynomial time for

δ > 1 $\delta > 1$

. However, as noted above, the δ‐agreeable allocation can be computed via a fixed parameter tractable algorithm, that is, polynomial time in

| N | $|N|$

for a given δ. In comparison, we note that the Shapley value allocation is also not, in general, computable in polynomial time but since it involves the consideration of all permutations of N unlike the δ‐agreeable allocation which only considers a subset of permutations of players in N, the δ‐agreeable allocation is, in comparison, computationally less expensive, especially so when

| N | $|N|$

is large and δ is a fixed small number. In Section EC.2, we also provide Example EC.3 that clarifies the computation of the δ‐agreeable allocation and illustrates the notion of

( δ + 1 ) $(\delta +1)$

‐lateral implementability. Theorem 8

Consider the interdependent security cost‐sharing game under private information. (i)

If for an integer

δ ≥ 1 $\delta \ge 1$

, the δ‐agreeable allocation exists, then the

( δ + 1 ) $(\delta +1)$

‐agreeable allocation also exists and coincides with the δ‐agreeable allocation.

(ii)

For every integer

δ ≥ 1 $\delta \ge 1$

, there exist networks

G $\mathbb {G}$

with corresponding security cost parameters such that the δ‐agreeable allocation does not exist but the

( δ + 1 ) $(\delta +1)$

‐agreeable allocation exists.

(iii)

The n‐agreeable allocation always exists where

n = | N | $n = |N|$

.

(iv)

The n‐agreeable allocation coincides with the Shapley value allocation if and only if none of the δ‐agreeable allocations exist for

δ < n $\delta < n$

.

Theorem 8 clarifies a hierarchy of existence for δ‐agreeable allocations. As δ increases, and firms that are farther away from each other in the network are allowed to cooperate with each other via suitable transfer payments, the δ‐agreeable allocation is more likely to exist. However, naturally, as δ increases, arguably, the δ‐agreeable allocation becomes more challenging to implement than the agreeable allocation since it requires coordination between firms that are farther away in the network. Further, it follows from Theorem 8(iv), and since, in general, the Shapley value allocation involves transfer payments between any two firms in the network, δ‐agreeable allocations are (weakly) less challenging to implement than the Shapley value.

NETWORK SECURITY MODEL WITH PUBLIC INFORMATION

In this section, we consider the public information model, as presented in Section 2, wherein all network cost parameters and actions are known to all players in the network. That is, the information set of every player i in any coalition

S ⊆ N $S \subseteq N$

I ( i , S ) = { θ j , ξ k j , L j , x j , y k j : j ∈ N , k ∈ N − ( j ) } $I(i,S) = \lbrace \theta _j, \xi _{kj}, L_j, x_j, y_{kj} : j \in N, k \in N^-(j)\rbrace$

j ∈ N $j \in N$

σ j i = σ j $\sigma _{ji} = \sigma _j$

Characterizing the security strategy of a coalition, or even the independent security strategy, in the public information model poses some challenges. In our network security model, as is often the case in network games with public information (Galeotti et al., 2010), there could be multiple Nash equilibria. Further, in the public information setting, the actions of a player or a coalition also depend on the actions of other players, and, therefore, naturally on whether other players in the network are cooperating with each other. Therefore, we cannot analyze the security actions of a player or a coalition in isolation. We instead need to consider the cooperation structure across the entire network. This is in contrast to the interdependent security cost‐sharing game developed in Section 3, wherein the security cost of a coalition S could be expressed independent of considering the actions of other players. Therefore, the interdependent security cost‐sharing problem under public information is modeled as a cooperative game in partition function form (see, e.g., Fang & Cho, 2020; Hafalir, 2007). Formally, given a partition ρ of the players into disjoint coalitions whose union is N, the total security cost incurred by a coalition

S ∈ ρ $S \in \rho$

c ̂ ( S ; ρ ) $\widehat{c}(S; \rho )$

Again, we first consider the security actions of players when they are all acting independently. That is, ρ consists of singleton sets of players. Each player

i ∈ N $i \in N$

Υ ̂ { i } ; ρ i $\widehat{\Upsilon }^i_{\lbrace i\rbrace ; \rho }$

Algorithm 3 computes an equilibrium security state of player i,

Υ ̂ { i } ; ρ i $\widehat{\Upsilon }^i_{\lbrace i\rbrace ; \rho }$

Υ ̂ S ; ρ i $\widehat{\Upsilon }^i_{S; \rho }$

S ⊆ N $S \subseteq N$

S ∈ ρ $S \in \rho$

We then obtain the total security cost of a coalition S belonging to a general coalition structure ρ of N,

c ̂ ( S ; ρ ) $\widehat{c}(S; \rho )$

c ̂ ( S ; ρ ) = ∑ i ∈ S L i ( 1 − Υ ̂ S ; ρ i ) + θ i Υ ̂ S ; ρ i + ∑ ( j , i ) ∈ A Υ ̂ S ; ρ i = 1 , Υ ̂ T ; ρ j = 0 ξ j i , $$\begin{equation} \widehat{c}(S; \rho ) = \sum \limits _{i \in S} {\left(L_i(1-\widehat{\Upsilon }^i_{S; \rho })+ \theta _i\widehat{\Upsilon }^i_{S; \rho } + \sum _{\substack{(j, i) \in A \\ \widehat{\Upsilon }^i_{S; \rho } = 1, \widehat{\Upsilon }^j_{T; \rho } = 0}} \xi _{ji}\right)}, \end{equation}$$

9

where S and T are (possibly identical) coalitions in ρ with

i ∈ S $i \in S$

j ∈ T $j \in T$

ρ ∗ $\rho ^*$

c ̂ ( N ; ρ ∗ ) = c ( N ) $\widehat{c}(N; \rho ^*) = c(N)$

We demonstrate that in the interdependent security cost‐sharing game under public information,

( N , c ̂ ) $(N, \widehat{c})$

Proposition 7

The grand coalition in the interdependent security cost‐sharing game under public information,

( N , c ̂ ) $(N, \widehat{c})$

, is not, in general, stable to defections.

We now, however, show that the agreeable allocation can be extended to the public information setting while retaining several of its desirable properties. Notably, we prove that, analogous to Theorem 6, the public information version of the agreeable allocation, when it exists, satisfies individual rationality, a weaker notion of stability wherein each player is better off in the grand coalition (i.e., with full cooperation) as compared to the independent coalitions (i.e., no‐cooperation) scenario.

Agreeable allocation with public information

Again, for ease of exposition, we restrict our attention to networks where all firms are secured in the grand coalition. We recursively define a finite family of mutually exclusive sets

T = { T 1 , … , T ℓ } $\mathcal {T} = \lbrace \mathcal T_1,\ldots ,\mathcal T_\ell \rbrace$

of players in the network where

T 1 = { i ∈ N : Υ ̂ { i } ; ρ 1 i = 1 } $\mathcal T_1 =\lbrace i\in N:\widehat{\Upsilon }^i_{\lbrace i\rbrace ; \rho _1} = 1\rbrace$

, where ρ₁ corresponds to the independent coalition structure. For

k ≥ 1 $k \ge 1$

, we then define

T 2 k $\mathcal T_{2k}$

and

T 2 k + 1 $\mathcal T_{2k+1}$

recursively as follows, where

T k ¯ = T 1 ∪ ⋯ ∪ T k $\overline{\mathcal T_k}=\mathcal T_1 \cup \cdots \cup \mathcal T_k$

. Further, the coalition structure

ρ k + 1 $\rho _{k+1}$

contains the coalition

T k ¯ $\overline{\mathcal T_k}$

and all other players in

N ∖ T k ¯ $N \setminus \overline{\mathcal T_k}$

are in independent coalitions. Also, recall that

Υ ̂ S ; ρ i $\widehat{\Upsilon }^i_{S; \rho }$

is the equilibrium security state of player

i ∈ S $i \in S$

with the coalition structure ρ in the public information model whereas

Υ S i ${\Upsilon }^i_S$

is the coalition‐optimal security state of

i ∈ S $i \in S$

in the private information setting.

10

11

T 1 $\mathcal T_1$

contains players that are secured under the independent coalition structure. That is, in the equilibrium outcome obtained from Algorithm 3, these players are secured.

T 2 $\mathcal T_2$

contains players who, if they are secured, save the costs of extrinsic security for players in

T 1 $\mathcal T_1$

and bestow a direct positive externality to the players in

T 1 $\mathcal T_1$

that outweighs their own cost of security. Thus, for the players in

T 1 ∪ T 2 $\mathcal T_1 \cup \mathcal T_2$

, it is optimal in the private information model as well to secure themselves. Further, there will be players in

T 3 $\mathcal T_3$

for whom it is individually rational to secure themselves conditional upon players in

T 1 $\mathcal T_1$

and

T 2 $\mathcal T_2$

being in a coalition together,

T 1 ∪ T 2 $\mathcal T_1 \cup \mathcal T_2$

. Successive sets of players are identified iteratively. Note that these families of sets are constructed in a very similar manner as in the private information model. The only distinction arises in (11) from observing that in a public information model, the formation of each new coalition may also trigger a change in the security actions of other players who can respond to this.

Suppose there exists

ℓ ∈ Z $\ell \in \mathbb {Z}$

such that

T ℓ ¯ = N $\overline{\mathcal T_{\ell }} = N$

, then the recursive procedure generating the family of sets terminates. Again, it is possible in certain networks and associated cost parameter vectors for no

ℓ ∈ Z $\ell \in \mathbb {Z}$

to exist such that

T ℓ ¯ = N $\overline{\mathcal T_{\ell }} = N$

. In these cases, consequently, no agreeable allocation will exist. Unlike in the private information setting where a closed form expression for the agreeable allocation is derived, the agreeable allocation under public information

x ̂ $\widehat{x}$

is obtained by Algorithm 5 provided in Section EC.3, which takes in the family of sets

T $\mathcal {T}$

as an input. Theorem 9

The agreeable allocation under public information,

x ̂ $\widehat{x}$

, when it exists, is (i) individually rational, (ii) polynomial‐time computable, and (iii) bilaterally implementable. Further, it also satisfies (iv) symmetry and the (v) null player property.

Therefore, while the agreeable allocation cannot guarantee that the grand coalition is stable to defections by subsets of players (indeed no cost‐sharing allocation can), it still satisfies a weaker notion of stability. It ensures that all players will prefer to remain in the grand coalition structure

ρ ∗ $\rho ^*$

rather than in the independent coalition structure. Further, we interestingly find that the public information version of the agreeable allocation exists if and only if the agreeable allocation as defined in the private information setting exists. Corollary 2

For a given network

G = ( N , A ) $\mathbb {G} = (N,A)$

and associated security cost parameters, the agreeable allocation under public information

x ̂ $\widehat{x}$

exists if and only if the agreeable allocation under private information

x ∗ $x^*$

 exists.

Here, we briefly comment on some main implications of our analysis of the general partial information model in Section EC.4. First, we demonstrate that the agreeable allocation can be naturally extended to the partial information model thereby generalizing Theorem 9. Therein, we observe that Corollary 2 also generalizes and the existence of the agreeable allocation is not contingent on the informational assumption in the network. Finally, and importantly, we clarify that even in the presence of partial public information in the network, the grand coalition may be unstable and that if the grand coalition is unstable with a certain level of public information in the network, it remains unstable at higher levels of information provisioning in the network.

QUASI‐HOMOGENEOUS NETWORKS

The chief deficiency of the agreeable allocation, under all informational assumptions is that, in general, depending on the structure of the interfirm network, or the associated security costs, it may not exist. To the extent that an agreeable allocation is viewed as desirable for its fairness, bilateral implementability, and other properties as documented in Theorem 6 and Theorem 9, this offers a rationale for when interfirm networks will find it challenging to cooperatively secure themselves. In order to examine the role of the network structure on the existence of the agreeable allocation, we now consider quasi‐homogeneous networks

G $\mathbb {G}$

θ i $\theta _i$

ξ i j $\xi _{ij}$

G $\mathbb {G}$

θ i = θ $\theta _i = \theta$

L i = L $L_i = L$

i ∈ V $i \in V$

ξ i j = ξ $\xi _{ij} = \xi$

( i , j ) ∈ A $(i,j) \in A$

Analyzing quasi‐homogeneous networks permits us to isolate the effects of the network structure on the existence of the agreeable allocation. A priori, it is qualitatively unclear what the role of network structure would be on the existence of the bilaterally implementable agreeable allocation. For instance, denser networks can render it easier for efficient and stable cost‐sharing arrangements to be bilaterally implementable since there are more bilateral links. However, denser networks may also result in wider positive externalities to securing oneself necessitating multilateral cooperation.

We now introduce some graph‐theoretic definitions that aid us in identifying when quasi‐homogeneous networks admit and do not admit an agreeable allocation of security costs. We define a k‐core of network

G $\mathbb {G}$

H $\mathbb {H}$

G $\mathbb {G}$

H $\mathbb {H}$

( k , ℓ ) $(k,\ell )$

H $\mathbb {H}$

G $\mathbb {G}$

H $\mathbb {H}$

G ∖ H $\mathbb {G}\backslash \mathbb {H}$

k > ℓ $k > \ell$

( k , ℓ ) $(k,\ell )$

Theorem 10

Consider a quasi‐homogeneous network

G $\mathbb {G}$

with security cost parameters given by

L , θ $L,\ \theta$

, and ξ. (i)

G $\mathbb {G}$

admits an agreeable allocation if

G $\mathbb {G}$

does not contain a k‐core where

k = $k =$

L − θ ξ $\left\lceil \frac{L-\theta }{\xi } \right\rceil$

.

(ii)

G $\mathbb {G}$

does not admit an agreeable allocation if

G $\mathbb {G}$

contains a

( k , l ) $(k,l)$

‐core where

k = ℓ + $k = \ell +$

L − θ ξ $\left\lceil \frac{L-\theta }{\xi } \right\rceil$

.

The two parts of Theorem 10 provide distinct sufficient and necessary conditions, respectively, for the existence of the agreeable allocation in quasi‐homogeneous networks. From a descriptive standpoint, it implies qualitatively that the agreeable allocation is guaranteed to exist in (quasi‐homogeneous) networks so long as they are not sufficiently locally dense. This refines our earlier intuition on the role of interfirm network structure on the existence of the agreeable allocation. Further, in graphs that contain sufficiently dense and sufficiently local clusters, the agreeable allocation is guaranteed to not exist.

NUMERICAL CASE STUDY

We now present a case study analyzing the feasibility of cost‐sharing mechanisms to sustain network‐wide cooperative security in real‐world interfirm networks that can face interdependent risks. Specifically, we use the Refinitiv SDC Alliance database to extract all alliances in the food manufacturing sector formed between 2006 to 2020. The database contains 2339 alliances formed between 3073 unique firms in our industry of interest. Typically, these are bilateral alliances formed between two firms, while, on occasion, alliances are formed between three or more firms. For example, one of the alliances in the database is between Optibiotix Health Plc, a biotechnology company that manufactures SlimBiome, a weight management supplement, and John Morley (Importers) Ltd, which manufactures prepared perishable foods. Optibiotix Health would supply the weight management supplement to be included in prepared muesli packs manufactured by John Morley Ltd within the United Kingdom. In this example, the presence of an interdependent risk is evident. Over time, larger networks of alliances arise and we identify 792 distinct interfirm networks. Of these, the largest connected network of firms contains 1092 nodes. The other networks are smaller, and we remove all networks consisting of only two firms since these networks trivially permit bilaterally implementable cost‐sharing mechanisms. We in fact restrict our attention to alliance networks that are of size at least five, and we obtain exactly 50 such alliance networks.10 We depict two of these networks in Figure 2.

OPEN IN VIEWER

FIGURE 2

Examples of alliance networks in the food manufacturing sector.

We leverage the algorithmic results obtained in previous sections to numerically test whether the agreeable allocation exists, and when it exists, compute the network‐wide security cost apportioned by the allocation. These results are meant to be illustrative since the existence of the agreeable allocation naturally depends on the precise security cost parameter specifications. However, the security cost parameters and the penalties are simulated in a systematic manner. Across all simulated networks, we set the parameter

θ i ∼ U [ 15 , 25 ] $\theta _i \sim U[15,25]$

( i , j ) $(i,j)$

ξ i j ∼ U [ 3 , 5 ] $\xi _{ij} \sim U[3,5]$

L i ∼ U [ 17 + δ i , 23 + δ i ] $L_i \sim U[17+\delta _i, 23 + \delta _i]$

δ i = | N − | $\delta _i = |N^-|$

First, we observe that in 56.7% of the simulated networks, the agreeable allocation exists. In contrast, in only 0.79% of the simulated networks, the Shapley value based security cost‐sharing allocation is of the form given by Theorem 4 and, hence, bilaterally implementable. This, in conjunction with the straightforward implementation mechanism described in Section 5, demonstrates the practical relevance of our proposed security cost‐sharing allocation. Second, we find, interestingly, that the alliance network permitting the agreeable allocation to exist with the highest likelihood of 74.3%, is a star network. Finally, we observe that the networks which rarely permit the existence of the agreeable allocation, in only 2.6% and 4% of the simulations, respectively, are both completely connected networks, that is, cliques of size six. This lends further evidence in support of Theorem 10 that densely connected networks preclude the existence of the agreeable allocation.

In the above numerical experiment, the cost parameters for all nodes in a network were drawn from the same distributions. However, in real‐world networks, there is usually a significant asymmetry in the penalties incurred by firms in case of a realized risk. Consumer‐facing firms typically incur substantially larger penalties than others. To incorporate this in our simulation, we obtain the Standard Industrial Classification (SIC) codes of the firms from the SDC database. We then denote firms in the retail industry (with a SIC code in the range of 5200–5999) as consumer‐facing firms. Of the 3073 unique firms in our dataset, we identify 154 such (potentially) consumer‐facing firms. In our second numerical experiment, we simulate the cost parameter

L i $L_i$

L i = L 0 / c 0 d i $L_i = L_0/c_0^{d_i}$

d i = 0 $d_i = 0$

( ∑ i ∈ N L 0 / c 0 d i ) / N $(\sum _{i \in N} L_0/c_0^{d_i})/N$

CONCLUDING REMARKS

Networked firms are exposed to a variety of interdependent, or contagion, risks such as supply chain contamination, deliberate adulteration, or cybersecurity threats and data breaches. The fundamental distinction that sets apart these risks from other types of risks faced by firms is their transferable nature. In this paper, we develop a network model to study the cooperative management of interdependent risks by networked firms.

The network‐wide cooperative security strategy in our interdependent risk model can be computed in polynomial time via a minimum‐weight cut network flow algorithm. Assuming that the security costs and actions are private information known only to the respective players, we find that firms have a clear incentive to cooperate and that there exist stable security cost‐sharing mechanisms that can sustain network‐wide cooperation. However, in the presence of public information, we find that, in general, there do not exist cost‐sharing mechanisms that can ensure the stability of the grand coalition. Thus, it appears that interdependence of network security is alone insufficient to sustain network‐wide cooperation.

Introducing the notion of bilateral implementability, we uncover a fundamental trilemma between stability, fairness, and implementability of network security cost‐sharing mechanisms. We then develop a novel cost‐sharing mechanism, the agreeable allocation, which attempts to balance the three notions. The agreeable allocation, when it exists, satisfies notions of stability, is formalizably fair, easily computable, and is also implementable via a series of bilateral cost‐sharing agreements. However, the agreeable allocation may not always exist. This, we argue, once again, demonstrates that, although cost‐sharing mechanisms belonging to the core can be identified, sustaining network‐wide security cooperation can still be challenging and, therefore, may not always be possible in practice. We then construct δ‐agreeable allocations that satisfy the general notion of

( δ + 1 ) $(\delta +1)$

Moreover, to study the role of network structure on the existence of the agreeable allocation, we consider quasi‐homogeneous networks (i.e., networks with homogeneous costs of security and expected penalties in case of realized risk) and find that networks without sufficiently dense clusters admit an agreeable allocation. Whereas, networks containing sufficiently dense and local clusters do not permit an agreeable allocation of network‐wide security costs. Finally, using the SDC alliance database, we extract all alliances formed in the food manufacturing sector between 2006 and 2020. With numerical experiments and simulated cost parameters, we argue the practical feasibility and relevance of employing the agreeable allocation as a bilateral security cost‐sharing mechanism in real‐world alliances to sustain network‐wide cooperative security against interdependent risks.

This work develops, to the best of our knowledge, for the first time, an economic theory of cooperative security against interdependent risks in networks. However, we acknowledge several limitations and open problems arising from our study.