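Abstract
The security level of an enterprise in a cyber supply chain is affected by several factors, including its own investment in network security, network vulnerability, and the network security investment of associated enterprises. This study first discusses, under decentralized decision-making, how the supplier and the retailer choose investment strategies for cybersecurity resilience under the influence of network vulnerability, and on that basis analyzes how network vulnerability and the network security investment of associated enterprises affect an enterprise's level of security investment. Second, it derives the optimal investment strategies of the supplier and the retailer under a cooperative game, compares the games in the two settings, and concludes that enterprises underinvest in network security under the non-cooperative game. Finally, it designs a coordination and compensation mechanism to address the underinvestment problem, bringing the overall security resilience investment of the supply chain to its optimal level.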
An enterprise's network security level on the Internet depends not only on its own network security investment but also on many other factors, such as the vulnerability of the supply chain network and the network security investment of other members. In the cyber supply chain, the network data protection abilities of suppliers, retailers, and third-party logistics companies differ profoundly, and Internet hackers often use the weakest link as the point of attack. Key members across the whole cyberspace need to plan, construct, manage, and maintain interactively, at the supply chain organization and process level, against attacks from the Internet. This paper considers a binary cyber supply chain consisting of an upstream supplier and a downstream retailer. The two enterprises in the supply chain connect through the Internet. A network hacker can compromise the supply chain system directly. Alternatively, the hacker can invade an enterprise associated with the supply chain. Hackers can also indirectly invade the information system of the supply chain through the network system and gain economic benefits from the targeted enterprises. To improve cybersecurity, it is necessary to increase cybersecurity resilience and reduce cyber vulnerability in the supply chain through security investment. As a result, the probability of external intrusion and the network loss can be reduced. In this context, this paper discusses the decentralized and centralized decision-making processes of the supply chain under the influence of cyber vulnerability, and it establishes a coordination mechanism in the supply chain. The proposed model assumes that once the information system of the supply chain is damaged, the supplier and the retailer will bear certain losses, which come from direct losses and indirect losses respectively. The probability of direct loss for the supplier or the retailer depends on its level of investment in cybersecurity resilience, and the probability function is a second-order differentiable convex function. The function shows that the probability of direct loss decreases as cybersecurity investment increases, but with a diminishing marginal effect. As for the indirect loss, the model assumes that the probability of indirect invasion of the supplier or the retailer is constant. The constant is the vulnerability of the network location of the supplier or the retailer. On this basis, the expected cost functions of the supplier and the retailer are established for the case in which each member invests in cybersecurity resilience. In the first part, the decentralized model discusses the choice of investment strategies for the cybersecurity resilience of the supplier and the retailer under decentralized decision-making in the supply chain. With decentralized decision-making, the decision on security resilience investment in the cyber supply chain is a non-cooperative game in which the supplier and the retailer each maximize their own interests. Based on this, the paper analyzes the influence of network vulnerability on the network security investment of supply chain members and their affiliated enterprises. The result shows that the level of cybersecurity resilience investment of the supplier and the retailer decreases with cyber vulnerability and increases with the other member's investment in the supply chain. In the second part, the centralized model discusses the investment decision-making process for the cybersecurity resilience of the supplier and the retailer under centralized decision-making. With centralized decision-making, the supplier and the retailer can coordinate their investment levels to improve the security investment level and optimize the overall cybersecurity investment of the supply chain. In the third part, the comparative analysis compares the decentralized decision and the centralized decision in the supply chain. It then establishes a transfer payment mechanism among the members of the supply chain to coordinate the supply chain's investment in security resilience, solving the double marginal effect of cybersecurity investment in the supply chain. Finally, the numerical simulation analyzes the influence of cyber vulnerability on the investment decisions of the supplier and the retailer. It analyzes how the cybersecurity resilience investment levels and the investment cost change as cyber vulnerability changes, so as to describe the influence of cyber vulnerability on security investment decisions in the supply chain.
Authors
张子健
李傲
ZHANG Zijian; LI Ao (School of Economics and Management, Chongqing Jiaotong University, Chongqing 400074, China)
Source
《管理工程学报》
CSSCI
CSCD
Peking University Core Journal
2020, Issue 5, pp. 130-136 (7 pages)
Journal of Industrial Engineering and Engineering Management
Funding
Supported by the National Social Science Fund of China (17BGL177).
Keywords
Cyber supply chain (CSC)
Network vulnerability
Security resilience
Coordination mechanism