Sage Journals: Discover world-class research

Abstract

In recent years, data leakage incidents have been frequently exposed, and personal privacy protection has become a major issue. To explore the laws of data leakage and solve practical problems, the reasons for data leakage and the evolution of players’ strategy in the game are discussed. After sorting out the interest relationship of data leakage incidents, a three-party evolution model of invaders, operators, and regulators is established to analyze the evolution path from the perspective of a single party. The Lyapunov theory is used to analyze the stability of equilibrium points of the system and then verified by MATLAB simulation. The influence relationship of various parameters on the system is analyzed. Finally, the ideal state is defined and the system is attempted to be modified. The results demonstrate that under the current system, the evolution direction cannot be changed by the initial intention of players. The game result will eventually form a situation with a strong attack from invaders, advanced defense from operators, and extensive management from regulators. The attack level can be reduced by adjusting the controllable parameters, modifying the evolution path, and calculating the parameter range.

Keywords

Data leakage three-party evolutionary game replication dynamic equation evolutionary path stability of equilibrium points

Introduction

With the advancement of social informatization, the demand for intelligence is constantly increasing in many industries, and user data is surging from “geometric level” to “exponential level.” People's awareness of information protection lags behind the development of big data,¹ which is reflected in the random storage of enterprise data, lack of protection measures, and inadequate supervision of government departments, creating external invading conditions for hackers. As the illegal income from data leakage far exceeds the criminal cost, hackers have inherent motivation to invade. In recent years, data leakage has become a major social problem worldwide because of frequent exposure of incidents.² It was reported that from illegal data theft at the upstream to data trading and fraud at the downstream, a complete black industrial chain has been formed, creating huge illegal profit space. A large amount of information is sold on the dark web. Data leakage makes information crimes be more accurate and seriously threatens personal, corporate and even national security.³ As such, studying the process of data leakage has important practical significance for information management and control.

Due to the information asymmetry of all parties, data security protection is a game process in which all stakeholders make dynamic and irrational decisions. To this end, this paper mainly discusses the three-party game of data leakage, aiming to address the following key questions: Question 1, how does the existing three-party game system evolve? Question 2, how does operators adjust their strategies to maximize data protection at the lowest possible cost? Question 3, how does the supervisors adjust punishment measures to ensure the benign development of the industry?

The main contributions are as follows: (a) In data leakage cases, there is information asymmetry between operators and consumers, and consumers cannot participate in the game (in reality, few consumers defend their rights due to data leakage). As a result, on the basis of clarifying information leakage events, the uncertain value is quantified, and a new three-party evolutionary game model consisting of invaders, operators and regulators is constructed; (b) The system is analyzed and verified from two aspects: the evolution path analysis from the perspective of one party of the game and the stability analysis from the perspective of the whole; (c) The simulation is combined with the data leakage cost report and the general data protection regulations to complete data selection and verify the results that are close to reality; (d) The significance of modifying the evolutionary game path by changing the investment is that the optimal strategy of players, the value range of relevant parameters and the minimum investment of operators can be selected.

The rest chapters are as follows: Section 2 presents relevant research; Section 3 constructs the three-party game evolution model; Section 4 explores and analyzes the stable strategy and equilibrium point of the three-party; Section 5 implements simulation, validation, sensitivity analysis, and evolutionary path correction, and Section 6 presents the conclusion.

Related work

Information security has been a difficult problem for all governments around the world. As a main content of information security, information leakage has become a hotspot of scholars. In fact, the information leakage event is mainly a series of activities carried out by the four parties involved with invaders (hackers), operators (enterprises), regulators (local government, industry association, and more), and victims (consumers). Current research mainly focuses on the infringement mechanism of personal information and the game between the players of information leakage.

Invasion mechanism of personal information

The macro level includes the generation mechanism of personal information leakage,^2,3 transmission process,⁴ and governance countermeasures.^5–9 Based on 650 cases of personal information infringement, Ye and Zhao³ analyzed and explained the mechanism using an economic model and concluded that personal information infringement was characterized by high quantity, low risk, low cost, light punishment, high crime success rate, and high income. Based on the dissemination theory, Ma and Xu⁴ improved the Rathwell model and thought that the communication included two sources of hackers and moles, two communication modes of platform leakage and individual trafficking, and five leakage consequences of promotion, illegal business competition, and criminal crimes. Van der Kleij et al.⁵ analyzed the interaction of employee knowledge, opportunity, and motivation based on the data leakage prevention behaviors of 384 bank employees and proposed a framework to shape a corporate culture to prevent data leakage of employees. In view of the problem of accidental data leakage caused by mail, network, and more, Guri et al.⁶ proposed a method to simulate the leakage scenario of real network topology. Eom and Huh⁷ studied the problem of leaking users’ personal information by the internet of things system (IoTSyS) and proposed an anonymous scheme taking into account information protection and legitimate user confirmation to provide a solution for the privacy protection of IoTSyS. Alneyadi et al.⁸ thought that traditional data protection measures such as firewall, VPN, and intrusion detection lack initiative. They defined a data leakage prevention system and implemented its deployment on the network to provide a solution for proactive data prevention. Schwarzbach et al.⁹ studied information sharing and data sensitivity between supply chains and proposed privacy-preserving business process execution architecture. In terms of data protection, Stergiou et al.¹⁰ proposed a new cloud computing system for privacy. This system integrates with IOT and establishes a network security-based architecture by installing a security “wall” between cloud servers and different users on the Internet, aiming at improving the security and privacy issues. Tewari and Gupta¹¹ proposed a new ultra-lightweight IoT device tag mutual authentication protocol to protect RFID tags through encryption mechanisms and timestamps, to prevent adversary desynchronization behavior and overcome data security and privacy issues.

The game between information leakage subjects

The main content includes strategy selection of all parties, investment of defenders, protection of consumer rights, and punishment intensity of regulators. For specific practical problems, different subject behaviors are simulated, which can be divided into three categories according to the subjects involved:

Game between attack and defense. Based on the actual background of the conflict between two parties, Liu et al.¹² built a game model and simulated the dynamic process of network attack and defense simulation parameters under different situations, aiming to provide a theoretical basis for the study of network information security conflict. However, there is no research on how to adjust the income function for effective control. Sun¹³ analyzed the information security of cloud services through an established game model and improved the classical dynamic replication equations by incentive coefficients. To deal with the strategic choice in the case of Distributed Denial of Service (DDoS), Aydeger et al.¹⁴ established a defense signal game model to obtain the best defense strategy by solving the game equilibrium, thereby effectively mitigating SLFA (Stealthy Link Flooding Attacks, a variant of DDoS). Abass et al.¹⁵ thought that data centers and cloud storage were subjected to advanced persistent threats (APTs). They established a network attack and defense game model for optimal defense strategy choice under APTs attack, to deduce the ESS of APTs defense game and provide the conditions for each ESS. Kandoussi et al.¹⁶ proposed an integrated defense method combining virtual machine migration with honeypot technology and used random game theory to determine potential attack paths under attack and defense conditions. Jakóbik¹⁷ proposed a game decision-making model based on a cloud computing system and established two types of players: cloud computing providers and attackers. Moreover, an artificial neural network is also applied to obtain the utility function and simulate the optimal defense strategy. According to a Bayesian game-based DDoS Defense mechanism, Dahiya and Gupta¹⁸ calculated the probability of malicious nodes by sharing information between users to fight against malicious users in the network and established a Bayesian pricing and auction mechanism to achieve Bayesian Nash equilibrium points in different scenarios. De Witte et al.¹⁹ detailed a policy defense configuration model in which defenders share sensitive information in the network and invest to defend against cyberattacks. They also analyzed how the attack type of the opponent affects the investment of agents. The game model with attack and defense as the main body can effectively deal with the network confrontation, but it ignores the players such as user data leakage and government supervision who have limitations in the choice of game parties.

Two-sided game around information security subjects. Li²⁰ studied the information security investment of information-sharing platforms through evolutionary games and analyzed the strategic evolution of the platforms and its influencing factors. Regrettably, only two companies were modeled. Li et al.²¹ proposed an evolutionary game model for privacy protection between e-commerce enterprises and consumers and adjusted the initial intention, privacy protection cost, and commodity price to make the system develop in a win-win direction. Zou et al.²² believed that the game subject of information security is operators and the regulators. They built a game model for operations and regulators and analyzed the influence of the strategy choice and punishment intensity, and found that heavy punishment intensity can accelerate the convergence speed. The two-sided game around the information security subject has been deeply studied, but the composition of the game players is not comprehensive enough.

Game between consumers, operators, and regulators. Combined with the actual situation, Qu and Hou (2020) constructed an evolutionary game model for users and governments. The influence of subjects’ intention on user right protection, user information platform disclosure, and government punishment was analyzed. In the face of a large number of data leakage, users are rarely able to protect their personal rights. Generally, data leakage events can be simplified into invaders’ attack, operators’ defenses, consumer information leakage, and regulators’ management. In fact, even if data leakage is reported, the public does not know the details of the leaked information. On the other hand, when consumers suffer from telecom fraud, it is impossible for them to accurately know which operator leaked their privacy. Obviously, there is asymmetric information between operators and consumers. Among the numerous data leakage incidents, there are few cases where the protection of consumers’ personal rights can be realized.

Industry application of game theory

In recent years, game theory has been widely used in various industries. Zheng et al.²³ applied the incomplete information dynamic game to the recycling supply chain of construction and demolition waste (CDW), revealing the impact of information sharing on the recycler market. Ma et al.²⁴ built a duopoly game model between green and traditional developers and applied it to the building carbon emissions to study the pricing decisions, profits of green developers and carbon emission reduction of green housing. Yu and Rehman et al.²⁵ applied the evolutionary game model to the financing decision-making of agricultural product suppliers and studied the evolution of green agricultural product supply chain financing system. Hosseini et al.²⁶ proposed a profit plus distribution (PSD) mechanism for supply chain coordination using evolutionary game theory and explored how the long-term behavior of supply chains (SCs) members would affect coordinated decision-making. Li et al.²⁷ introduced enterprise leadership into the evolutionary game model and studied the optimal decision-making of the recovery supply chain of CDW under different conditions. To explore the influence of group behavior for the spread of misinformation, Xianyong Li et al. (2022) constructed a tripartite evolutionary game model for the spread of misinformation and effectively analyzed the influence of network media, government, and Internet users’ decisions on the spread of misinformation.²⁸

In this way, the three-party game that leads to a data leakage event includes invaders, operators, and regulators. Throughout the research on the information security evolutionary game, the players mainly focus on the attackers and defenders, operators and regulators, or regulators, operators, and consumers. The first two types of research are not comprehensive enough. The third is less reasonable in the selection of players, leading to an unclear game mechanism and limited practical significance. Few scholars combine the game situation of invaders, operators, and regulators. On the basis of redefining the game subject, this paper constructs a three-party evolutionary game model, aiming to select the optimal strategy of players and calculate the relevant parameter range of operators. According to a large number of data leakage cases in reality and the practical significance introduced in Table 1, adopting the evolutionary game method is a good measure.

Table 1.

Role information of data leakage in the three-party game.

The game party	Group	The practical significance
Invaders	Individuals or organizations that launch attacks on enterprise systems	Hackers, hacker groups
Operators	Enterprises and institutions that take various measures to prevent hacker intrusion	Cloud service providers, IT and Internet companies, universities, and hospitals
Regulators	Departments that supervise citizens and organizations	Network monitoring center, network security emergency response center, and critical network system disaster recovery center

The main originalities of this paper are as follows: (a) In view of the uncertainty of the degree of data leakage after intrusion, the profit and loss coefficients of attack and defense are set to quantify the leakage degree; (b) The interests of players are analyzed and a new three-party game model is established; (c) The data in the “A cost of Data Breach Report” and “General Data Protection Regulation” are selected for actual verification; (d) The simulation experiments find that changing the initial choice will not break the relationship of interests, and eventually lead to invaders’ strong attacks, operators’ advanced defense, and regulators’ extensive supervision. Increasing the investment of operators can significantly improve this situation, whereas the investment cannot be too high, which has a critical value.

Main steps of the three-party evolutionary game model

The main methods are as follows: (a) Define the game players of information leakage; (b) Analyze the interest relationship of the game players (invaders, operators, and regulatory departments) and find out the key influencing factors; (c) Put forward the preconditions and assumptions of the model and complete the analysis and quantification of cost-benefit indicators; (d) Build an evolutionary game model, including constructing a payoff matrix, calculating the expected return, average return and replicating the dynamic equations of the strategy; (e) Model analysis and simulation.

The application of the Lyapunov stability criterion is as follows: a three-dimensional replication dynamic system equation is established by simultaneous replication dynamic equations, and the Jacobian determinant $J = (J_{i j})_{3 \times 3}$ is calculated. If $λ_{i} < 0 (i = 1, \dots, n)$ , the system is asymptotically stable at x, and $\exists λ_{i} > 0 (i = 1, \dots, n)$ is unstable.

Game model hypothesis and construction

Problem description

The development of data leakage can be summarized, as shown in Figure 1. To obtain the hidden value of the data (e.g. data analysis, peddling in the dark web), the invader attacks the system through certain technical to obtain system permissions and steal user data.^27,29 Because of different security principles,³⁰ technology, and tools, invaders have different invasion abilities.³¹ To prevent data from intrusion, operators take certain measures (such as installing external security devices, updating technologies, and optimizing management) to achieve information systems for data security protection, and different defense capabilities are affected by the investment of enterprises.^32–34 During the attack and defense process, according to the development plan, regulators adopt different management methods (extensive management, and fine management) to invest corresponding manpower, material, and financial resources to manage citizens and enterprises and protect the rights of economic subjects. This measure can ensure the security of enterprise information and promote the benign operation of society for positive and orderly development.^35,36

Figure 1.

Logic diagram of three-party game.

When information leakage occurs, regulators shall take some measures such as investigation, interview, and rectification to impose penalties on both sides according to the actual situation.

Model assumptions

Game subjects (player)

The game subjects include three players: invaders, operators, and regulators. An invader represents an individual or organization that attacks a network system; an operator represents an enterprise and institution that takes measures to prevent intrusion, and a regulator represents the department that supervises citizens and organizations. The practical significance²² of game parties is shown in Table 1.^37–40

Economic man hypothesis

The main purpose of the game subjects is to maximize their own interests. First, invaders are trying to gain access under limited conditions to achieve more data for profit. Then, to reduce security costs as much as possible, operators protect their data resources and business positions to avoid punishment by regulators. Finally, to guide enterprises to standardize the development of information security, regulators supervise citizens and enterprises to achieve the highest management efficiency.

Bounded rationality hypothesis

The players (invaders, operators, regulators) are bounded rational. Due to the complexity of information security supervision, network attacks, data leakage, and the cognitive differences among the three-party of the game, each player has to find the most favorable strategy through constant trial and error.

Game strategy

The strategy selection space of invaders, operators, and regulators is {strong attack, general attack}, {advanced defense, basic defense}, and {extensive management, fine management}, respectively. The practical significance of specific strategies is shown in Table 2.

Table 2.

Strategy space of players and its significance.

Players	Strategy selection space	Strategic significance
Invaders	{strong attack, general attack}	"Strong attack” is organized, large-scale, and multi-type malicious attacks.
Invaders	{strong attack, general attack}	"General attack” is a conventional attack that the invader uses consensus.
Operators	{Advanced defense, basic defense}	Advanced defense means that the system can resist strong attacks, detect, identify, and record intrusions, and quickly recover the system.
Operators	{Advanced defense, basic defense}	Basic defense refers to using the original system software so that the system can resist general attacks, detect attacks, and restore main functions.
Regulators	{extensive management, fine management}	"Extensive management” refers to the hope for rapid development of the industry, pay attention to the basic requirements of information security.
Regulators	{extensive management, fine management}	"Fine management” refers to the industry has formed a scale based on more stringent requirements.

Parameter settings

Proportion of strategy selection

The proportion of invaders choosing strong attack strategy is x and that of a general attack strategy is $1 - x$ ; the proportion of operators choosing advanced defense is y and that of basic defense is $1 - y$ ; the proportion of fine management selected by regulators is z and that of extensive management is $1 - z$ .

Invaders parameters

The cost for invaders to choose a strong attack is $C_{1}$ and that for a general attack is $C_{2}$ ( $C_{1} > C_{2} > 0$ ). The profit and loss of the invasion depend on the strategies of both parties, as shown in Table 3. $α$ and $β$ represent the probabilities of successful invasion under different conditions ( $β > α > 0$ ).

Table 3.

Attack and defense profit and loss coefficient table.

	Advanced defense of operators	Basic defense of operators
Invaders strong attack	$α$	$β$
Invaders basic attack	×	$α$

Operator parameters

The investment required by an operator to choose advanced defense is $C_{3}$ . The basic defense means that enterprises do not add external facilities and only rely on defense measures, such as scanning software provided by the system without other costs.^41,42 The data asset of an enterprise is A, and the fixed income it can bring to the enterprise is E. When an enterprise is invaded, the public opinion will be affected and the public relations costs e will be needed to compensate for the reputational loss.

Parameters of regulators

The fine management cost required by regulators is $C_{4}$ , and the extensive management cost is negligible. When data leakage occurs, the hack must be found and the enterprise will be investigated with careful management. Under the extensive management, there is a probability of $λ \in (0, 1)$ to detect the hacking behavior and inspect enterprises, where enterprises will be punished if there are no security measures. The fines for hackers and enterprises are $P_{1}$ and $P_{2}$ respectively. Regardless of whether hackers are successful or not, once they are caught, they are punished. The profit and loss of administrative performance obtained by the regulator is R (if the data is safe, the performance gains will be obtained; otherwise, the performance losses will be obtained). The symbols and meanings of the three-party parameters in the game are shown in Table 4.

Table 4.

Parameter symbols and meanings of the three-party in the game.

Game party	Symbol	Meaning
Invaders	$x$	Probability that the invaders choose a “strong attack” strategy
	$C_{1}$	The cost of knowledge and capability required by a strong attack
	$C_{2}$	The cost of knowledge and capability required for a general attack
	$α β$	The profit and loss coefficient of hacking under different strategies
Operators	$y$	Probability that operators choose advanced defense
	$E$	Fixed income of owned assets
	$A$	Value of owned assets
	$C_{3}$	The invest cost of advanced defense
	$e$	Public relations costs in case of data leakage and reputational damage
Regulators	$z$	Probability of regulators choosing “fine management"
	$P_{1}$	Penalty for invaders when an intrusion is detected
	$P_{2}$	Penalty for operators when data leakage is found and the enterprise has no protective measures
	$C_{4}$	Invest cost of fine management
	$λ$	Probability of finding hacking when widely managed
	$R$	Potential performance gains and losses for governments

According to the above assumptions, the mixed strategy game matrix among invaders, operators, and regulators can be obtained, as shown in Table 5, where the benefit values represent invaders, operators, and regulators in turn.

Table 5.

Benefit statement in the three-party game.

Regulators		Fine management $z$		Extensive management $1 - z$
Operators		Advanced defense $y$	Basic defense $1 - y$	Advanced defense $y$	Basic defense $1 - y$
Invaders	Strong attack $x$	$α A - C_{1} - P_{1}$	$β A - C_{1} - P_{1}$	$α A - C_{1} - λ P_{1}$	$β A - C_{1} - λ P_{1}$
		$\begin{matrix} E - C_{3} - α A \\ - e - P_{2} \end{matrix}$	$E - β A - e - P_{2}$	$\begin{matrix} E - C_{3} - α A \\ - e - λ P_{2} \end{matrix}$	$E - β A - e - λ P_{2}$
		$P_{1} + P_{2} - C_{4} - R$	$P_{1} + P_{2} - C_{4} - R$	$λ P_{1} + λ P_{2} - R$	$λ P_{1} + λ P_{2} - R$
	General attack $1 - x$	$- C_{2} - P_{1}$	$α A - C_{2} - P_{1}$	$- C_{2} - λ P_{1}$	$α A - C_{2} - λ P_{1}$
		$E - C_{3}$	$E - α A - e - P_{2}$	$E - C_{3}$	$E - α A - e - λ P_{2}$
		$P_{1} - C_{4} + R$	$P_{1} + P_{2} - C_{4} - R$	$λ P_{1} + R$	$λ P_{1} + λ P_{2} - R$

Solution and analysis of the model

Game model solution

Replication dynamics equations of invaders

The expected benefits of invaders choosing a strong attack are as follows:

\begin{aligned} U_{x 1} = & y z (α A - C_{1} - P_{1}) + z (1 - y) (β A - C_{1} - P_{1}) \\ + y (1 - z) (a A - C_{1} - λ P_{1}) \\ + (1 - y) (1 - z) (β A - C_{1} - λ P_{1}) = (λ - 1) P_{1} z \\ + (α A - β A) y - λ P_{1} - C_{1} + β A \end{aligned}

(1)

The expected benefits of invaders choosing a general attack are as follows:

\begin{aligned} U_{x 2} = & y z (C_{2} - P_{1}) + z (1 - y) (α A - C_{2} - P_{1}) \\ + y (1 - z) (- C_{2} - λ P_{1}) \\ + (1 - y) (1 - z) (α A - C_{2} - λ P_{1}) = (λ - 1) P_{1} z \\ - α A y - λ P_{1} - C_{2} + α A \end{aligned}

(2)

The average expected benefits of invaders is as follows:

{\bar{U}}_{x} = x U_{x 1} + (1 - x) U_{x 2}

(3)

Then, it can be concluded that the replication dynamic equation for an invader choosing a strong attack strategy is:

\begin{aligned} f (x) = d x / d t = x (U_{x 1} - \bar{U_{x}}) = x (1 - x) (U_{x 1} - U_{x 2}) \\ = x (1 - x) ((2 α A - β A) y + A (β - α) + C_{2} - C_{1}) \end{aligned}

(4)

Replication dynamics equations of operators

The expected benefits of operators choosing advanced defense are as follows:

\begin{aligned} U_{y 1} = x z (E - C_{3} - α A - e - P_{2}) + z (1 - x) (E - C_{3}) & + x (1 - z) (E - C_{3} - α A - e - λ P_{2}) \\ + (1 - x) (1 - z) (E - C_{3}) = (λ - 1) P_{2} x z \\ + (- λ P_{2} - e - α A) x - C_{3} + E \end{aligned}

(5)

The expected benefits of operators choosing basic defense are as follows:

\begin{aligned} U_{y 2} = & x z (E - β A - e - P_{2}) + z (1 - x) (E - α A - e - P_{2}) \\ + x (1 - z) (E - β A - e - λ P_{2}) \\ + (1 - x) (1 - z) (E - α A - e - λ P_{2}) = (λ - 1) P_{2} z \\ + (α A - β A) x - λ P_{2} - e - α A + E \end{aligned}

(6)

The average expected revenue of operators is:

\bar{U_{y}} = y U_{y 1} + (1 - y) U_{y 2}

(7)

Then, it can be concluded that the replication dynamic equations for operators choosing advanced defense strategies is:

\begin{aligned} f (y) = d y / d t = y (U_{y 1} - \bar{U_{y}}) = y (1 - y) ((1 - x) \\ ((1 - λ) P_{2} z + λ P_{2} + e) + A ((β - 2 α) x + α) - C_{3}) \end{aligned}

(8)

Replication dynamic equations of regulators

The expected benefits of regulators choosing fine management are as follows:

\begin{aligned} U_{z 1} = & x y (P_{1} + P_{2} - C_{4} - R) + x (1 - y) (P_{1} \\ + P_{2} - C_{4} - R) + y (1 - x) (P_{1} - C_{4} + R) \\ + (1 - x) (1 - y) (P_{1} + P_{2} - C_{4} - R) & = ((P_{2} - 2 R) x - P_{2} + 2 R) y + P_{2} - C_{4} - R + P_{1} \end{aligned}

(9)

The expected benefits of regulators choosing extensive management are as follows:

\begin{aligned} U_{z 2} = & x y (λ P_{1} + λ P_{2} - R) + x (1 - y) (λ P_{1} + λ P_{2} - R) \\ + y (1 - x) (λ P_{1} + R) + (1 - x) (1 - y) \\ (λ P_{1} + λ P_{2} - R) = ((λ P_{2} - 2 R) x - λ P_{2} + 2 R) y \\ + λ P_{2} + λ P_{1} - R \end{aligned}

(10)

The average expected return of regulators is:

\bar{U_{z}} = z U_{z 1} + (1 - z) U_{z 2}

(11)

Then, it can be concluded that the replication dynamic equation for regulators choosing fine management strategy is:

\begin{aligned} f (z) = & d z / d t = z (1 - z) (U_{z 1} - U_{z 2}) = z (1 - z) \\ ((1 - λ) P_{2} x + (λ - 1) P_{2}) y + (1 - λ) P_{2} \\ - P_{1} d - C_{4} + P_{1} = z (1 - z) ((1 - λ) \\ (P_{1} + P_{2} - P_{2} (1 - x) y) - C_{4}) \end{aligned}

(12)

Tripartite evolutionary path analysis based on unilateral perspective

Evolutionary path analysis of invaders

The zero case of $d x / d t$ is discussed as follows: when $y = (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ is satisfied, $d x / d t \equiv 0$ , which is stable strategy regardless of x; when $y \neq (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ , $x = 0 or 1$ is two stable points, the classification discussion of $d f (x) / d t = (1 - 2 x) ((2 α A - β A) y + A (β - α) + C_{2} - C_{1})$ is shown in Table 6.

Table 6.

Distribution of stable points of invaders’ evolution under different conditions.

Discussion of $d f (x) / d t$	$2 α - β > 0$		Evolutionary stability point	$2 α - β < 0$		Evolutionary stability point
Discussion of $d f (x) / d t$	$x = 0$	$x = 1$	Evolutionary stability point	$x = 0$	$x = 1$	Evolutionary stability point
$y > (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$	+	−	$x = 1$ I	−	+	$x = 0$ III
$y < (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$	−	+	$x = 0$ II	+	−	$x = 1$ IV

When the operator's strategy and profit and loss coefficient meet I $y > (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ , $2 α - β > 0$ or IV $y < (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ , $2 α - β < 0$ , $x = 1$ is the direction of the final evolutionary path, which means that when the operator's investment reaches a certain level, the success rate of the invader choosing a strong attack is higher and the income is greater. When the operator's strategy and profit and loss coefficient meet II $y < (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ , $2 α - β > 0$ or III $y > (C_{1} - C_{2} + A (α - β)) / A (2 α - β)$ , $2 α - β < 0$ , $x = 0$ is the direction of the final evolutionary path, which means that when the operators’ investment is reduced to a certain extent, the cost of strong attacks is relatively higher, and the benefits of general attacks are greater.

Evolutionary path analysis of operators

The zero case of $d y / d t$ is discussed as follows: when $x = (A ((β - 2 α) x + α) - C_{3}) / ((1 - λ) P_{2} z + λ P_{2} + e)) + 1$ is satisfied, $d y / d t \equiv 0$ , which means there will be stable strategies regardless of y. When $x \neq (A ((β - 2 α) x + α) - C_{3}) / ((1 - λ) P_{2} z + λ P_{2} + e)) + 1$ , $y = 0 or 1$ is two stable points, the classification of $d f (y) / d t = (1 - 2 y) ((1 - x) ((1 - λ) P_{2} z + λ P_{2} + e) + A ((β - 2 α) x + α) - C_{3})$ is shown in Table 7.

Table 7.

Stable point distribution of operator evolution under different conditions.

Discussion of $d f (y) / d t$	$y = 0$	$y = 1$	Evolutionary stability point
$A ((β - 2 α) x + α) > C_{3} - ((1 - λ) P_{2} z + λ P_{2} + e) (1 - x)$	+	−	$y = 1$ V
$A ((β - 2 α) x + α) < C_{3} - ((1 - λ) P_{2} z + λ P_{2} + e) (1 - x)$	−	+	$y = 0$ VI

When $A ((β - 2 α) x + α) > C_{3} - ((1 - λ) P_{2} z + λ P_{2} + e) (1 - x)$ is satisfied, $y = 1$ is the direction of the final evolutionary path, which means that when the attack intensity and supervision degree of invaders reach a certain level, the advanced defense can effectively protect the data to minimize the loss. When $A ((β - 2 α) x + α) < C_{3} - ((1 - λ) P_{2} z + λ P_{2} + e) (1 - x)$ is satisfied, $y = 0$ is the direction of the final evolutionary path, which means that when the attack intensity and supervision degree of hackers are reduced to a certain extent, it is not worthwhile to choose a more advanced defense, and the basic defense is effective.

Evolutionary path analysis of regulators

The zero case of $d z / d t$ is discussed as follows: when $y = (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$ is satisfied, $d z / d t \equiv 0$ , there will be stable strategies regardless of z; when $y \neq (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$ , $z = 0 o r 1$ is two stable points. The classification of $d f (z) / d t = (1 - 2 y) ((1 - λ) (P_{1} + P_{2} - P_{2} (1 - x) y) - C_{4})$ is shown in Table 8.

Table 8.

Distribution of regulatory evolution stability points under different conditions.

Discussion on the situation of $d f (z) / d t$	$z = 0$	$z = 1$	Evolutionary stability point
$y < (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$	+	−	$z = 1$ VII
$y > (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$	−	+	$z = 0$ VIII

When $y < (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$ is satisfied, $z = 1$ is the direction of the final evolutionary path, which means that when the attack intensity of hackers and the investment of operators reached a certain level, fine management brings more benefits and better conducive to the virtuous cycle of the industry. This strategy is adopted when the industry has reached a certain level and needs standardization. When $y > (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x)$ is satisfied, $z = 0$ is the direction of the final evolutionary path, which means that when the attack intensity of hackers and the investment of operators are reduced to a certain extent, extensive management will bring more benefits. This strategy is adopted in the early stage of the industry, because there are almost no network attacks and enterprises need to be in a savage growth stage.

Stability analysis of equilibrium points in the three-party evolutionary game system

Combining the replication dynamic equations of invaders, operators, and regulators, a three-dimensional replication dynamic system is obtained in the evolutionary game process of three players.

{\begin{matrix} f (x) = x (1 - x) ((2 α A - β A) y + A (β - α) + C_{2} - C_{1}) = 0 \\ f (y) = y (1 - y) ((1 - x) ((1 - λ) P_{2} z + λ P_{2} + e) + A ((β - 2 α) x + α) - C_{3}) = 0 \\ f (z) = z (1 - z) ((1 - λ) (P_{1} + P_{2} - P_{2} (1 - x) y) - C_{4}) = 0 \end{matrix}

(13)

Nine equilibrium points of the three-dimensional replicative dynamical system can be obtained by solving these equations:

E_{1} (0, 0, 0)

E_{2} (0, 0, 1)

E_{3} (0, 1, 0)

E_{4} (1, 0, 0)

E_{5} (1, 1, 0)

E_{6} (1, 0, 1)

E_{7} (0, 1, 1)

E_{8} (1, 1, 1)

and

E_{9} (x^{*}, y^{*}, z^{*})

. It is worth noting that the solution of Eq. (14) is

(x^{*}, y^{*}, z^{*})

{\begin{matrix} (2 α A - β A) y + A (β - α) + C_{2} - C_{1} = 0 \\ (1 - x) ((1 - λ) P_{2} z + λ P_{2} + e) + A ((β - 2 α) x + α) - C_{3} = 0 \\ (1 - λ) (P_{1} + P_{2} - P_{2} (1 - x) y) - C_{4} = 0 \end{matrix}

(14)

Jacobian is constructed as follows:

J = [\begin{matrix} J_{11} & J_{12} & J_{13} \\ J_{21} & J_{22} & J_{23} \\ J_{31} & J_{32} & J_{33} \end{matrix}], then {\begin{matrix} J_{11} = \partial f (x) / \partial x = (1 - 2 x) ((2 α A - β A) y + A (β - α) + C_{2} - C_{1}) \\ J_{12} = \partial f (x) / \partial y = x (1 - x) A (2 α - β) \\ J_{13} = \partial f (x) / \partial z = 0 \\ J_{21} = \partial f (y) / \partial x = y (1 - y) (- (1 - λ) P_{2} z - λ P_{2} - e + β A - 2 α A) \\ J_{22} = \partial f (y) / \partial y = (1 - 2 y) f (y) / y (1 - y) \begin{matrix} \begin{matrix}  \end{matrix} \end{matrix} \\ J_{23} = \partial f (y) / \partial z = y (1 - y) (1 - x) (1 - λ) P_{2} \\ J_{31} = \partial f (z) / \partial x = z (1 - z) (1 - λ) P_{2} \\ J_{32} = \partial f (z) / \partial y = z (1 - z) ((1 - λ) P_{2} (x - 1) \\ J_{33} = \partial f (z) / \partial z = (1 - 2 z) ((1 - λ) (P_{1} + P_{2} - P_{2} (1 - x) y) - C_{4}) \end{matrix}

(15)

The nine equilibrium points are substituted into the Jacobian determinant to obtain the eigenvalue expressions of each equilibrium point, to facilitate the subsequent judgment of the stability of equilibrium points. Taking

E_{1} (0, 0, 0)

as an example, the expression of the replicated dynamic system can be obtained by substituting the Jacobian determinant:

[\begin{matrix} A (β - α) + C_{2} - C_{1} & 0 & 0 \\ 0 & λ P_{2} + e - C_{3} + α A & 0 \\ 0 & 0 & (P_{1} + P_{2}) (1 - λ) - C_{4} \end{matrix}]

Obviously, the eigenvalue of the matrix is

λ_{1} = A (β - α) + C_{2} - C_{1}

λ_{2} = λ P_{2} + e - C_{3} + α A

λ_{3} = (P_{1} + P_{2}) (1 - λ) - C_{4}

, Similarly, eigenvalues of other equilibrium points can be calculated, as shown in Table 9:

Table 9.

Eigenvalue matrix of the three dimensional replicative dynamical system.

Equilibrium	The eigenvalue $λ_{1}$	The eigenvalue $λ_{2}$	The eigenvalue $λ_{3}$
$E_{1} (0, 0, 0)$	$A (β - α) + C_{2} - C_{1}$	$λ P_{2} + e - C_{3} + α A$	$(P_{1} + P_{2}) (1 - λ) - C_{4}$
$E_{2} (0, 0, 1)$	$A (β - α) + C_{2} - C_{1}$	$P_{2} + e - C_{3} + α A$	$- ((P_{1} + P_{2}) (1 - λ) - C_{4})$
$E_{3} (0, 1, 0)$	$α A + C_{2} - C_{1}$	$- (λ P_{2} + e - C_{3} + α A)$	$P_{1} (1 - λ) - C_{4}$
$E_{4} (1, 0, 0)$	$- (A (β - α) + C_{2} - C_{1})$	$A (β - α) - C_{3}$	$(P_{1} + P_{2}) (1 - λ) - C_{4}$
$E_{5} (1, 1, 0)$	$- (α A + C_{2} - C_{1})$	$- (A (β - α) - C_{3})$	$(P_{1} + P_{2}) (1 - λ) - C_{4}$
$E_{6} (1, 0, 1)$	$- (A (β - α) + C_{2} - C_{1})$	$A (β - α) - C_{3}$	$- ((P_{1} + P_{2}) (1 - λ) - C_{4})$
$E_{7} (0, 1, 1)$	$α A + C_{2} - C_{1}$	$P_{2} + e - C_{3} + α A$	$- (P_{1} (1 - λ) - C_{4})$
$E_{8} (1, 1, 1)$	$- (α A + C_{2} - C_{1})$	$- (A (β - α) - C_{3})$	$- ((P_{1} + P_{2}) (1 - λ) - C_{4})$
$E_{9} (x^{}, y^{}, z^{*})$	Eigenvalue of the center point is complicated to be solved and analyzed in the simulation stage

For asymmetric games, if the equilibrium of an evolutionary game is asymptotically stable, the result must satisfy that the equilibrium is a strict Nash equilibrium, which is pure strategy equilibrium.⁴³ To analyze the asymptotic stability of equilibrium points of the replication dynamic equation, we only need to discuss the asymptotic stability of the equilibrium point in the replication dynamic equations involving pure strategies, and the equilibrium points that satisfy the conditions include $E_{1} - E_{8}$ eight points. The classification discussion is as follows: In the case of actual data leakage, the illegal incomes of hackers are far greater than the costs. Therefore, according to Table 10 and the value range of each parameter, $λ_{1} (E_{1}, E_{2}, E_{3}, E_{7}) > 0$ , and $E_{1}, E_{2}, E_{3}, E_{7}$ is not a stable point. When $λ_{2}, λ_{3}$ of $E_{4}, E_{5}, E_{6}, E_{8}$ are analyzed, the positive and negative values of $A (β - α) - C_{3}$ , $(P_{1} + P_{2}) (1 - λ) - C_{4}$ cannot be determined and different cases are discussed. Obviously, $λ_{2}, λ_{3}$ do not affect each other. When $(P_{1} + P_{2}) (1 - λ) - C_{4} > 0$ and $A (β - α) - C_{3} > 0$ , $λ_{2} (E_{4}, E_{6}) > 0$ and $λ_{3} (E_{4}, E_{5}) > 0$ , the three equilibrium points $E_{4}, E_{5}, E_{6}$ are excluded. In the same way, the stable point results are shown in Table 10.

Table 10.

Three-party evolutionary stability points under different conditions.

	$(P_{1} + P_{2}) (1 - λ) - C_{4} > 0$	$(P_{1} + P_{2}) (1 - λ) - C_{4} < 0$
$A (β - α) - C_{3} > 0$	$E_{8} (1, 1, 1)$	$E_{5} (1, 1, 0)$
$A (β - α) - C_{3} < 0$	$E_{6} (1, 0, 1)$	$E_{4} (1, 0, 0)$

Simulation analysis and evolution correction

The evolutionary game process of the behavior of the three players is simulated using MATLAB 2015 software and the evolutionary stability is verified.

Selection of initial simulation data

According to the Global Data Breach Cost Report released by IBM in 2020, the average total cost of data leakage events is 3.86 million dollars in 2020. As such, $3.5-$4 million is a reasonable range of average total cost. Since catastrophic large-scale data leakage is not universal and persuasive, the average total cost in this report is no more than 100,000 records of data leakage events as the research target. This paper continues to use the data volume of 100,000 copies (Ponemon Institute).⁴⁴ According to the General Data Protection Regulation implemented by the European Union, Internet companies that illegally collect personal information can be fined up to 20 million Euros, which is equivalent to about 17 million dollars at the exchange rate of USD and Euro 0.85. Thereby 15–20 million yuan is the reasonable range of punishment. Suppose the time and energy cost of a strong attack of an invader is $2 million, and the time and energy cost of the general attack is $500,000. The value of own assets is $150 per piece; the fixed income of data resources is $300 per piece, and the individual penalty is $P_{1}$ = 0.25 $P_{2}$ (5 million dollars). Fine management investment and management profit and loss of regulators are 20 million. To ensure the evolutional universality, assuming the initial intention of the game player's strategy choice is neutral (the following paper proves that the initial intention cannot change the strategy evolution), the mixed strategy set is (0.5, 0.5, 0.5).

According to the report, the average leakage cost caused by malicious attacks that destroy data with destructive/wiper attacks is $4.52 million, and the cost of hacking is much less than the cost of operators $C_{3}$ . Thereby the cost of hacking between 0.1 and 0.2 is reasonable. The calculation of operator cost includes four categories: (a) Cost of detection, investigation, evidence collection, assessment, and audit activities; (b) Damaged reputation, reduced goodwill, and loss of customers; (c) Activity costs of contacting external experts, and data protection supervisory authorities; (d) Cost of post analysis response.

Based on the above analysis, the initial parameters that are in line with the actual situation are finally determined, as shown in Table 11. Except for coefficients, all parameters are in units of millions ( $β$ > $α$ satisfies the preconditions).

Table 11.

Initial simulation parameters.

symbol	$C_{1}$	$C_{2}$	$α$	$β$	$E$	$A$	$C_{3}$	$e$	$P_{1}$	$P_{2}$	$C_{4}$	$λ$	$R$	$x$	$y$	$z$
The numerical	0.2	0.05	0.5	0.8	3	1.5	0.38	0.1	0.5	2	2	0.5	5	0.5	0.5	0.5

Influence factors and evolution path of game

To explore the impact of initial intention on the system, the values in [0, 1] are uniformly selected to observe the change of strategy choice. Specifically, according to observing Eq. (13) of the three-dimensional replication dynamic system and comparing the parameter settings of the three-party in Table 4, it can be seen that the game evolution of the three-party has nothing to do with the fixed profit value of the operator and the political profit and loss value of the government. The choice of invaders’ behavior strategy is related to the profit and loss coefficient, the data assets of operators, and the cost of different intrusions. The choice of operators’ behavior strategy is related to the punishment of regulators, the investment of defense measures, the investment of public relations, and the profit and loss coefficient. The choice of regulator's behavior strategy is related to the punishment and management investment. In addition, the choice of the three-party behavioral strategy is affected by the choice of other players in the derivate Eq. (13).

According to Table 11, the dynamic evolution process of the game under this state is simulated as shown in Figure 2. In Figure 2(a), the horizontal axis represents the evolution time and the vertical axis represents the proportion of strategy selection. Figure 2(b) shows the trend of the three-party strategy over time. The results show that when the initial condition of the three-party is (0.5, 0.5, 0.5), they will fall into the dilemma of “strong attack by invaders, advanced defense by operators and extensive management by regulators” to maximize their own interests. Taking $x, y, z$ as the independent variables, the parameters are taken into the three-party evolutionary path for analysis, as shown in Section 4.2. $x, y, z \in [0, 1]$ always satisfy I, V, VIII, and the final result is (1, 1, 0).

Figure 2.

Probability diagram of strategy selection (a) and change trend of the three-party strategy over time (b).

Analysis of central equilibrium point

Substituting the simulation parameter set into Eq. (14) in Section 4.3, the solution is $x^{*} = - 2.75$ , $y^{*} = - 1$ and $z^{*} = - 77 / 75$ . $x^{*}, y^{*}, z^{*}$ are less than 0, indicating that the central equilibrium point is not within the solution interval $x, y, z \in [0, 1]$ . As such, there is no impure Nash equilibrium point strategy in the current three-party game system. In other words, no matter whether the three-party chooses a pure strategy or a mixed strategy, there is no equilibrium point strategy belonging to any strategy to balance the interests and achieve a stable state in the current system.

Under the above assumptions, there is no stable central equilibrium in the current three-party game system, and the evolutionary game results can only be pure Nash equilibrium strategy.

Influence of players’ initial intention on the system evolution path

Due to $x, y \in [0, 1]$ ，the value is taken uniformly. Let other variables be constant and x be 0.2, 0.4, 0.6 and 0.8 respectively, the game evolution results can be obtained through the simulation system. Similarly, y and z are also 0.2, 0.4, 0.6, and 0.8 respectively, and the game evolution results are obtained as shown in Figure 3. Figure 3(a) to (c) represents the strategy selection probabilities of invaders, operators, and regulators, respectively. The horizontal axis in the figure represents the evolution time, and the vertical axis represents the proportion of strategy selection (similarly hereinafter).

Figure 3.

Influence of the initial intention of the three-party game players on the system evolution path.

For invaders, when x is 0.2, 0.4, 0.6, and 0.8, respectively, the evolutionary game is stable at $x = 1$ . t = 10 means that the initial intention can adjust the evolutionary rate of invaders, but cannot change the evolution direction. The reasons are as follows: taking any value in $x \in [0, 1]$ , the stability condition belongs to condition I, that is, it is most conducive to the invader to launch a strong attack, thereby the evolution direction has always been the direction of invaders to launch a strong attack. Similarly, for operators and regulators, the final direction of the evolutionary game is not affected when y and z is set to 0.2, 0.4, 0.6, and 0.8 respectively. The reason is that if the value is set to any value in $y, z \in [0, 1]$ , the stability conditions are V and VIII, respectively, indicating that operators choose advanced defense and regulators choose extensive management.

Based on the above analysis, it is concluded that under the current system, the initial intention of the three-party in the game changes the convergence speed without changing the evolution direction, which means that the information leakage is serious. Regardless of the percentage of initial intention, the result will translate into powerful attacks by invaders and widespread government-managed chaos. This means that the current situation is not optimistic and individual intentions cannot control the final result. Due to the interest tendency of all parties, an unfavorable situation will eventually be formed: Invaders choose strong attacks to bring greater benefits; operators choose advanced defense to mitigate property losses, and regulators choose extensive management to greatly save management costs.

Influence of controllable parameters on the system evolution

In the three-party game, each game can adjust some parameters according to the needs. For example, the invader can adjust the profit and loss coefficient $α$ and $β$ to control the degree of data leakage. Operators can adjust the investment of information security protection $C_{3}$ according to the data level, and regulators can adjust the punishment $P_{1}$ and $P_{2}$ for the other two parties according to market conditions. Therefore, the controllable parameters can be adjusted to change the direction of the game, and the simulation analysis can be performed with different parameters.

For the influence of the controllable parameters $α$ and $β$ of invaders on the evolution of the system, four groups of parameter values are selected, which are respectively two groups of parameter values satisfying the conditions of evolution path I and two groups of parameter values satisfying the conditions of evolution path II. In addition, the two groups of parameter values also show their influence on the results through numerical differences. Similarly, the parameters of cost $C_{3}$ , penalties $P_{1}$ and $P_{2}$ are also selected on the same basis.

Influence of invaders controllable parameters $α$ and $β$ on the system evolution

Let other conditions be unchanged, two groups of data satisfying condition I: $α = 0.5$ , $β = 0.9$ and $α = 0.3$ , $β = 0.7$ and two groups of data satisfying condition III: $α = 0.08$ , $β = 0.16$ and $α = 0.06$ , $β = 0.12$ are selection. The evolution of invaders’ strategy selection under different conditions is simulated, and the results are shown in Figure 4.

Figure 4.

Influence of invaders’ controllable parameters $α$ and $β$ on the system evolution.

The four curves represent the changes of invader strategy selection over time under different conditions. The simulation results are consistent with the game analysis of conditions I and III, which eventually evolve to $x = 1$ and $x = 0$ , respectively. Comparing the two curves of $α = 0.5$ , $β = 0.9$ and $α = 0.3$ , $β = 0.7$ , when condition I is met, increasing the profit and loss coefficient will accelerate the evolution rate. Comparing the two curves of $α = 0.08$ $β = 0.16$ and $α = 0.06$ , $β = 0.12$ , it can be found that increasing the profit and loss coefficient will slow down the evolution of condition III. Obviously, $x = 0$ means a full-scale attack by invaders, which help operators to grow. $α = 0.08$ , $β = 0.16$ and $α = 0.06$ , $β = 0.12$ indicate that the invaders do not voluntarily reduce the profit and loss to maximize the profits. If operators want to reduce the attack level, they should rely on improved defense measures to reduce the probability of invaders damaging the system and passively accept the low profit and loss coefficient.

Influence of operators’ controllable parameters $C_{3}$ on the system evolution

Similarly, other control conditions remain unchanged, and four sets of data satisfying conditions V and VI are taken respectively as $C_{3} = 0.2$ , $C_{3} = 0.38$ , $C_{3} = 1.5$ , and $C_{3} = 2$ . The evolution of operators’ policy choice under different conditions is simulated as shown in Figure 5.

Figure 5.

Influence of operators controllable parameters $C_{3}$ on the system evolution.

The four curves represent the changes of operator strategy choice over time under different conditions. The simulation results are in line with the game analysis of conditions V and VI and finally evolve to $y = 1$ and $y = 0$ , respectively. The curve shows that changing the investment can change the evolution path, but the evolution rate does not change significantly.

Influence of regulators controllable parameters $P_{1}$ and $P_{2}$ on the system evolution

Other conditions remain unchanged, and two sets of data satisfying condition VII are taken, respectively, as $P_{1} = 0.5$ , $P_{2} = 2$ and $P_{1} = 1$ , $P_{2} = 3$ . Two sets of data satisfying condition VIII are taken as $P_{1} = 1.5$ , $P_{2} = 4$ and $P_{1} = 2$ , $P_{2} = 4$ , respectively, the evolution of regulators’ strategy choice under different conditions is simulated, and the results are shown in Figure 6.

Figure 6.

Influence of regulators controllable parameters $P_{1}$ and $P_{2}$ of on the system evolution.

The four curves represent the changes of regulators strategy choice over time under different conditions. The simulation results are consistent with the game analysis of VII and VIII, and eventually evolve to $z = 0$ and $z = 1$ , respectively. Comparing the curves of ( $P_{1} = 0.5$ , $P_{2} = 2$ ) and ( $P_{1} = 1$ , $P_{2} = 3$ ), under condition VII, increasing the punishment will slow down the evolution rate. Comparing the curves of ( $P_{1} = 1.5$ , $P_{2} = 4$ ) and ( $P_{1} = 2$ , $P_{2} = 4$ ), increasing punishment will accelerate the evolution in condition VIII.

In the three-party game, based on the unilateral perspective (only changing the controllable parameters of one party), each game can adjust the parameter by changing its own technical means and measures to affect the evolution direction of the game, so that the game can evolve in its own favorable direction. This means that the gradual increase of investment by operators and the increase of punishment by regulators can effectively suppress intrusion. In addition, when the regulators change from extensive management to refined management, the increase of regulatory intensity will be strengthened to improve the probability of detecting invaders.

Ideal state definition and evolution path modification

According to the behaviors of the three-party game strategy, combined with the practical significance (social development needs), the evolution path that managers hope is that invaders’ strategy is a general attack; the operators’ strategy is advanced defense, and the regulators’ strategy is fine management to improve the low level of operators’ defense and regulatory management. Accordingly, (0, 1, 1) is the most ideal state.

Through the above analysis and simulation, the correctness of the model can be verified and the evolution results of some game systems can be obtained: the game status of the current system is (1, 1, 0), where invaders launch strong attacks, operators have advanced defenses and regulators have extensive management. However, this is far from the ideal state. To achieve the ideal state, the controllable parameters need to be adjusted to form a new evolutionary game system. Taking the controllable parameters as variables and restricting the evolutionary conditions to conditions II, V, VII or III, V, VII, Eq. (16) is obtained by simultaneously replicating the kinetic equations.

{\begin{matrix} {\begin{matrix} y < (C_{1} - C_{2} + A (α - β)) / A (2 α - β) \\ 2 α - β > 0 \end{matrix} or {\begin{matrix} y > (C_{1} - C_{2} + A (α - β)) / A (2 α - β) \\ 2 α - β < 0 \end{matrix} \\ \begin{matrix} A ((β - 2 α) x + α) > C_{3} - ((1 - λ) P_{2} z + λ P_{2} + e) (1 - x) \\ y < (P_{1} + P_{2} - C_{4} / (1 - λ)) / P_{2} (1 - x) \end{matrix} \end{matrix}

(16)

Substituting the simulated data into Eq. (16) and the following solution is obtained:

{\begin{matrix} 2 α - β \neq 0 \\ α < β < 0.2 \\ 1.5 β + 0.75 P_{2} + 0.1 > 2 C_{3} \\ P_{1} + 0.75 P_{2} > 4 \end{matrix}

(17)

Consequently,

2 α - β \neq 0

and

α < β < 0.2

represent that only when the profit and loss coefficient decreases to a certain extent, the invaders can give up a strong strategic attack.

1.5 β + 0.75 P_{2} + 0.1 > 2 C_{3}

indicates that when the investment is lower than a certain value, the operator can satisfy the maximum benefit and evolve to advanced defense. Since the profit and loss coefficient of the invader is related to the defense of the operator, the investment of invaders should be as large as possible within a reasonable range..

P_{1} + 0.75 P_{2} > 4

indicates that the punishment of regulators should be higher than a certain value to balance the benefits of punishment and investment, and eventually evolve to refined management.

The new parameters $α = 0.05, β = 0.12, C_{3} = 1.6, P_{1} = 1.2, P_{2} = 4$ satisfying Eq. (17) are taken for simulation analysis. The simulation game change results of the new system are shown in Figure 7, which are consistent with the above analysis and the new system evolutionary game can be realized.

Figure 7.

Strategy selection probability (a); Change trend of the three-party strategy over time (b).

As shown in Figure 7, the game result can be realized as (01,1) under the new system with modified parameters, where invaders evolve into general attacks, operators evolve into advanced defenses, and regulators evolve into fine management.

Scheme comparison

To prove the advantages of this model, the comparison between this model and other models is shown in Table 12. This model has advantages in the selection of game players, game theory analysis, and system correction and has greater practical significance.

Table 12.

Comparison of models and methods.

Model	Subject	Precondition	Solution	Applications	Evaluation	Value
Aydeger et al. (2021)¹⁴	Network attack and defense	Complete rationality	Stealthy Link Flooding Attack situational Cybersecurity	Realize network system defense and security defense	The best defense strategy can be obtained, but the conditions for complete rationality are harsh and the players are single, which has limited practical significance	Low
Dahiya and Gupta (2021)¹⁸	Multiple users, opponents	Complete rationality	DDoSNetwork system security in the context of DDoS attack	Security defense of multiple network nodes	Combined with Bayesian probability optimization node information, the best defense strategy can be obtained; the conditions of complete rationality are harsh, and the probability quantification of malicious nodes is not easy to achieve	Medium
Li et al. (2018)²¹	E-commerce enterprises and consumers	Bonded rationality	Information security in E-commerce	E-commerce information security	No evolutionary path analysis was conducted, and the game players are not rich enough	Low
Li (2022)	Between multiple enterprises	Bonded rationality	Information security investment of sharing platform	Security of platform information sharing	Only considering the game between two enterprises	Medium
Qu and Hou (2020)²⁰	Platform, users and government	Bonded rationality	Platform information security governance	Platform information security	In practice, users cannot participate in the game, and the determination of the game subject is not rigorous	High
This paper	Invaders, operators and regulators	Bonded rationality	Data leakage of operators	Data leakage of operators	Considering that users do not participate in the game, the game system is updated, making the players more complete and the model more perfecto solve the best strategy and optimize the system	Higher

Conclusion

This article discusses how to reduce hacker attack level and reduce the investment of regulators and operators to achieve maximum protection of data security and development of information security. Based on the three-party evolutionary game model, a three-dimensional replication dynamic system is constructed, and the system stability is analyzed from the perspective of individual and the whole entity. Finally, the analysis results are verified by parameter simulation, and the evolution path is modified.

Under the assumptions of the model, that is economic man hypothesis, bounded rationality hypothesis, behavioral strategy hypothesis, and interest relationship hypothesis, the following conclusions are drawn:

(a) The profit and loss coefficients of attack and defense are set according to the uncertainty of the damage of intrusion system and data leakage to quantify the degree of leakage; (b) The evolution of the three-party game is not related to the fixed profit of operators and the profit and loss of government performance. There is no stable central equilibrium point in the game system, which means there is no mixed strategy to balance the interests of the three-party (the evolutionary game result will be a pure Nash equilibrium strategy); (c) In the current system, the initial intention of the three-party in the game will not change the evolution direction. Changing the original intention cannot break the interest relationship, and the profit drive and evolution direction are unchanged, the game results will eventually form the stability of invaders’ strong attack, operators’ advanced defense, and regulators’ extensive management; (d) From the perspective of unilateral (only changing the controllable parameter of one party), the stolen data of invaders, the investment of data protection, and the punishment intensity of regulators can be adjusted to make the game evolve in its favorable direction; (e) From the perspective of the whole system, the game result (01,1) can be achieved in the new system after parameter modification, that is, invaders evolve into general attack, operators evolve into advanced defense, and regulators evolve into refined management. At the same time, the evolution should satisfy the following four conditions: $2 α - β \neq 0$ , $α < β < 0.2$ , $1.5 β + 0.75 P_{2} + 0.1 > 2 C_{3}$ and $P_{1} + 0.75 P_{2} > 4$ .

According to research, some management enlightenment for operators and regulators is obtained as follows:

For operators, the choice of operators’ behavior strategy is related to the punishment $P_{2}$ of regulators, the input $C_{3}$ of defense measures, the input e of public relations, and the profit and loss coefficient $α$ and $β$ . The impact curve of operators’ cost $C_{3}$ shows that cost changes can change the evolutionary path, but the evolutionary rate changes little when the costs are increased again. To this end, operators should strive to adjust $C_{3}$ and control the cost $C_{3}$ as much as possible within the scope of meeting the cost value, to meet the information security, save costs and maximize the benefits. On the other hand, the impact of parameters $α$ and $β$ on the system shows that low profit and loss coefficients $α$ and $β$ can effectively inhibit the intrusion behavior. Operators should adopt new technologies and methods to improve system security, reduce profit and loss coefficients $α$ and $β$ , and thus reduce losses.

For regulators, the choice of regulators’ behavior strategies is related to the punishment $P_{1}$ and $P_{2}$ and the management input $C_{4}$ . Under the extensive management strategy, the probability of finding hacker behavior is $λ$ , and the cost is 0. Under the condition of fine management, the probability of finding hacker behavior is 1, and the cost is $C_{4}$ . In the process of transforming from extensive management strategy to fine management strategy, regulatory authorities should take more stringent punishment measures on the one hand, and on the other hand, control costs, enhance regulatory intensity and improve the probability of discovering hacker behavior.

The limitations of this paper are as follows: (a) In terms of evolutionary process, players’ strategic orientation is profitable, and in reality, they will give up the strategy when the benefits fail to reach the expectation; (b) The range of punishment $P_{1}$ and $P_{2}$ of regulators is calculated according to the theory. The actual regulatory department may be a non-profit organization, and there may be deviation in the profit-oriented strategy; (c) This paper conducts a game study on the main three-party involved in the data leakage incidents, but other interest groups may be involved in the practice, such as data trafficking intermediaries. Therefore, other parties should be included in the subsequent study to make the game system more complete and the research results more in line with reality.

Footnotes

Acknowledgments

This work was supported by Hebei Higher Education Teaching Reform Research and Practice Project (2020GJJG441) and Hebei Innovation Capability Enhancement Project (22550103D).

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Hebei Innovation Capability Enhancement Project, Hebei Higher Education Teaching Reform Research and Practice Project, (grant number 22550103D, 2020GJJG441).

ORCID iD

Lei Feng

References

Zhao

Liu

Chen

, et al. Intelligent diagnosis using continuous wavelet transform and Gauss convolutional deep belief network. IEEE Trans Reliab 2022: 1–11. doi: 10.1109/TR.2022.3180273

Liang Q. Punishing data leakage shouldn't just be “Three drinks penalty”. Beijing: Economic Information Daily, 2021. http://www.jjckb.cn/

Zhao

. Analysis of the governance of crimes against personal information from economic perspective. J Taiyuan Univ Technol 2019; 37: 29–34.

. Disclosure and dissemination of citizen’s personal information. Credit Ref 2014; 32: 33–37.

Van der Kleij

Wijn

Hof

. An application and empirical test of the capability opportunity motivation-behaviour model to data leakage prevention in financial organizations. Comput Secur 2020; 97: 101970.

Guri

Puzis

Choo

KKR

, et al. Using malware for the greater good: mitigating data leakage. J Netw Comput Appl 2019; 145: 102405.

Eom

Huh

. Group signature with restrictive linkability: minimizing privacy exposure in ubiquitous environment. J Ambient Intell Humaniz Comput 2018. https://doi.org/10.1007/s12652-018-0698-2

Alneyadi

Sithirasenan

Muthukkumarasamy

. A survey on data leakage prevention systems. J Netw Comput Appl 2016; 62: 137–152.

Schwarzbach

Glöckner

Franczyk

, et al. Evaluation of user specific privacy policy architecture for collaborative BPaaS on the example of logistics. In: Ziemba

(ed.) Information technology for management: new ideas and real solutions. ISM AITM 2016 2016. Lecture notes in business information processing. Cham: Springer, 2017, vol. 277, pp.137–154. https://doi.org/10.1007/978-3-319-53076-5_8

10.

Stergiou

Psannis

Gupta

, et al. Security, privacy & efficiency of sustainable cloud computing for big data &IoT. Sustain Comput Inform Syst 2018; 19: 174–184.

11.

Tewari

Gupta

. Secure timestamp-based mutual authentication protocol for IoT devices using RFID tags. Int J Semantic Web Inf Syst 2020; 16: 20–34.

12.

Liu

Wang

. Network attack and defense strategy based on evolutionary game model. Sci Technol Eng 2020; 20: 8671–8675.

13.

Sun

. The optimal privacy strategy of cloud service based on evolutionary game. Cluster Comput 2022; 25: 13–31.

14.

Aydeger

Manshaei

Rahman

, et al. Strategic defense against stealthy link flooding attacks: a signaling game approach. IEEE Trans Netw Sci Eng 2021; 8: 751–764.

15.

Abass

AAA

Xiao

Mandayam

, et al. Evolutionary game theoretic analysis of advanced persistent threats against cloud storage. IEEE Access 2017; 5: 8482–8491.

16.

Kandoussi

Hanini

El Mir

, et al. Toward an integrated dynamic defense system for strategic detecting attacks in cloud networks using stochastic game. Telecommun Syst 2020; 73: 397–417.

17.

Jakóbik

. Stackelberg game modeling of cloud security defending strategy in the case of information leaks and corruption. Simul Model Pract Theory 2020; 103: 102071.

18.

Dahiya

Gupta

. A reputation score policy and Bayesian game theory based incentivized mechanism for DDoS attacks mitigation and cyber defense. Future Gener Comput Syst 2021; 117: 193–204.

19.

De Witte

Frasca

Overvest

, et al. Protecting shared information in networks: a network security game with strategic attacks. Int J Robust Nonlinear Control 2020; 30: 4255–4277.

20.

. An evolutionary game-theoretic analysis of enterprise information security investment based on information sharing platform. MDE Manage Decis Econ 2022; 43: 595–606.

21.

Liu

. Evolutionary game analysis on e-commerce personalization and privacy protection. Wuhan Univ J Nat Sci 2018; 23: 17–24.

22.

Zou

Wan

Cao

, et al. Evolutionary game analysis of information security regulatory strategy in smart city. J Mod Inf 2021; 41: 3–14.

23.

Zheng

Zhu

, et al. Impact of recycler information sharing on supply chain performance of construction and demolition waste resource utilization. Int J Environ Res Public Health 2022; 19: 3878.

24.

Ren

. Green housing subsidy strategies considering Consumers’ green preference. Sustainability 2022; 14: 1–22.

25.

Rehman

KSA

. Evolutionary game analysis of green agricultural product supply chain financing system: COVID-19 pandemic. Int J Logist Res Appl 2022; 25: 1115–1135.

26.

Hosseini

MSM

Choi

Johari

, et al. A profit surplus distribution mechanism for supply chain coordination: an evolutionary game-theoretic analysis. Eur J Oper Res 2022; 301: 561–575.

27.

Zhao

, et al. Feature extraction using parameterized multisynchrosqueezing transform. IEEE Sensors J 2022; 22: 14263–14272.

28.

, et al. A novel tripartite evolutionary game model for misinformation propagation in social networks. Secur Commun Netw 2022; 2022: 13.

29.

Huang

Dai

, et al. Research on the evolutionary game of construction and demolition waste (CDW) recycling units’ green behavior, considering remanufacturing capability. Int J Environ Res Public Health 2021; 18: 9268.

30.

Wang

, et al. Robust visual tracking for UAVs with dynamic feature weight selection. Appl Intell 2023; 53: 3836–3849.

31.

Long

. Design of network information security protection system based on attack-defense game model. Mod Electron Tech 2021; 44: 115–118.

32.

Zeng

Guo

. Evolutionary game analysis on personal information privacy protection of express logistics industry. J Mod Inf 2019; 39: 142–148.

33.

Peng

Wang

Han

. A tripartite evolutionary game analysis on embedded risk controlling in B2C network platform. Manage Rev 2021a; 33: 147–159.

34.

Zhao

Zhang

. Research on influencing factors of internet user data security-based on evolutionary game model. J Mod Inf 2020; 40: 106–113.

35.

Peng

Wang

. Research on the three-party evolutionary game of safe quality production of agricultural products under government supervision mechanism. Math Pract Theory 2021; 51: 114–126.

36.

Wei

Chen

Zou

. Evolutionary game analysis of personal information protection based on data sharing. Inquiry Into Economic Issues 2019; 12: 79–88.

37.

Hou

. Governance of platform information security based on tripartite evolutionary game. J Mod Inf 2020; 40: 114–125.

38.

Levina

Mostovoi

Sleptsova

, et al. Physical model of sensitive data leakage from PC-based cryptographic systems. J Cryptographic Eng 2019; 9: 393–400.

39.

Liu

Zhang

, et al. Optimal network defense strategy selection based on incomplete information evolutionary game. IEEE Access 2018; 6: 29806–29821.

40.

Durowoju

Chan

Wang

. Investigation of the effect of e-platform information security breaches: a small and Medium enterprise supply chain perspective. IEEE Trans Eng Manage 2020: 1–16. DOI: 10.1109/TEM.2020.3008827

41.

Miaoui

Boudriga

. Enterprise security investment through time when facing different types of vulnerabilities. Inf Syst Front 2019; 21: 261–300.

42.

Kim

. Benefits of cloud computing adoption for smart grid security from security perspective. J Supercomput 2016; 72: 3522–3534.

43.

Zhao

Hao

Cao

, et al. Evolutionary game analysis of three-player for low-carbon production capacity sharing. Sustainability 2019; 11: 2996.

44.

Ponemon Institute. 2020 Data breach data breach report. North Traverse City, Michigan, USA: IBM Security, 2020.

Research on the evolution of tripartite data protection strategy based on game theory

Abstract

Keywords

Introduction

Related work

Invasion mechanism of personal information

The game between information leakage subjects

Industry application of game theory

Main steps of the three-party evolutionary game model

Game model hypothesis and construction

Problem description

Model assumptions

Game subjects (player)

Economic man hypothesis

Bounded rationality hypothesis

Game strategy

Parameter settings

Proportion of strategy selection

Invaders parameters

Operator parameters

Parameters of regulators

Solution and analysis of the model

Game model solution

Replication dynamics equations of invaders

Replication dynamics equations of operators

Replication dynamic equations of regulators

Tripartite evolutionary path analysis based on unilateral perspective

Evolutionary path analysis of invaders

Evolutionary path analysis of operators

Evolutionary path analysis of regulators

Stability analysis of equilibrium points in the three-party evolutionary game system

Simulation analysis and evolution correction

Selection of initial simulation data

Influence factors and evolution path of game

Analysis of central equilibrium point

Influence of players’ initial intention on the system evolution path

Influence of controllable parameters on the system evolution

Influence of invaders controllable parameters α and β on the system evolution

Influence of operators’ controllable parameters C 3 on the system evolution

Influence of regulators controllable parameters P 1 and P 2 on the system evolution

Ideal state definition and evolution path modification

Scheme comparison

Conclusion

Footnotes

Acknowledgments

Declaration of conflicting interests

Funding

ORCID iD

References

Influence of invaders controllable parameters $α$ and $β$ on the system evolution

Influence of operators’ controllable parameters $C_{3}$ on the system evolution

Influence of regulators controllable parameters $P_{1}$ and $P_{2}$ on the system evolution