{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T04:39:45Z","timestamp":1773203985538,"version":"3.50.1"},"reference-count":100,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2020,8,26]],"date-time":"2020-08-26T00:00:00Z","timestamp":1598400000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,5,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of firm, optimal efforts of attackers and their economic utilities are determined.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Throughout the analysis, a single firm and two attackers for a \u201cfirm as a leader\u201d in a sequential game setting and \u201cfirm versus attackers\u201d in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other\u2019s choices in advance. 
Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon \u2013 Loeb breach function, with the help of fuzzy expectation operator.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyses complement the analytical modeling.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered, as fuzzy variables in the well-recognized Gordon \u2013 Loeb breach function, with the help of fuzzy expectation operator.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-02-2020-0028","type":"journal-article","created":{"date-parts":[[2020,8,24]],"date-time":"2020-08-24T12:26:14Z","timestamp":1598271974000},"page":"73-104","source":"Crossref","is-referenced-by-count":10,"title":["Firm investment decisions for information security under a fuzzy environment: a game-theoretic 
approach"],"prefix":"10.1108","volume":"29","author":[{"given":"Rohit","family":"Gupta","sequence":"first","affiliation":[]},{"given":"Baidyanath","family":"Biswas","sequence":"additional","affiliation":[]},{"given":"Indranil","family":"Biswas","sequence":"additional","affiliation":[]},{"given":"Shib Sankar","family":"Sana","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2020,8,26]]},"reference":[{"key":"key2021050810165825400_ref001","volume-title":"Phishing for Phools: The Economics of Manipulation and Deception","year":"2015"},{"issue":"8","key":"key2021050810165825400_ref002","doi-asserted-by":"crossref","first-page":"1606","DOI":"10.1111\/risa.12864","article-title":"Security events and vulnerability data for cybersecurity risk estimation","volume":"37","year":"2017","journal-title":"Risk Analysis"},{"key":"key2021050810165825400_ref003","first-page":"358","article-title":"Why information security is hard-an economic perspective","year":"2001"},{"issue":"5799","key":"key2021050810165825400_ref004","doi-asserted-by":"crossref","first-page":"610","DOI":"10.1126\/science.1130992","article-title":"The economics of information security","volume":"314","year":"2006","journal-title":"Science"},{"issue":"2","key":"key2021050810165825400_ref005","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1177\/0022002704272863","article-title":"Counterterrorism: a game-theoretic analysis","volume":"49","year":"2005","journal-title":"Journal of Conflict Resolution"},{"key":"key2021050810165825400_ref006","article-title":"IT Security in supply chain: does a leader-follower structure matter?","volume-title":"AMCIS","year":"2011"},{"issue":"4","key":"key2021050810165825400_ref007","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1007\/s10796-012-9373-x","article-title":"Dynamic competition in IT security: a differential games approach","volume":"16","year":"2014","journal-title":"Information Systems 
Frontiers"},{"issue":"2","key":"key2021050810165825400_ref008","doi-asserted-by":"crossref","first-page":"315","DOI":"10.1287\/isre.2017.0714","article-title":"Real options models for proactive uncertainty-reducing mitigations and applications in cybersecurity investment decision-making","volume":"29","year":"2018","journal-title":"Information Systems Research"},{"issue":"2","key":"key2021050810165825400_ref009","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1108\/JEIM-05-2017-0069","article-title":"G-RAM framework for software risk assessment and mitigation strategies in organisations","volume":"31","year":"2018","journal-title":"Journal of Enterprise Information Management"},{"key":"key2021050810165825400_ref010","article-title":"\u2018Leadership in action: how top hackers behave\u2019 a big-data approach with text-mining and sentiment analysis","volume-title":"Proceedings of the 51st HI International Conference on System Sciences","year":"2018"},{"key":"key2021050810165825400_ref011","first-page":"72","article-title":"Economics of IT security management","volume-title":"Economics of Information Security","year":"2006"},{"issue":"3","key":"key2021050810165825400_ref012","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1287\/deca.1040.0022","article-title":"Configuration of detection software: a comparison of decision and game theory approaches","volume":"1","year":"2004","journal-title":"Decision Analysis"},{"issue":"2","key":"key2021050810165825400_ref013","doi-asserted-by":"crossref","first-page":"281","DOI":"10.2753\/MIS0742-1222250211","article-title":"Decision-theoretic and game-theoretic approaches to IT security investment","volume":"25","year":"2008","journal-title":"Journal of Management Information Systems"},{"issue":"3","key":"key2021050810165825400_ref014","doi-asserted-by":"crossref","first-page":"1026","DOI":"10.1016\/j.ejor.2005.07.003","article-title":"Evaluating IT\/is investments: a fuzzy multi-criteria decision model 
approach","volume":"173","year":"2006","journal-title":"European Journal of Operational Research"},{"issue":"1","key":"key2021050810165825400_ref015","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1016\/j.ijinfomgt.2015.09.003","article-title":"Information security risk analysis model using fuzzy decision theory","volume":"36","year":"2016","journal-title":"International Journal of Information Management"},{"issue":"3","key":"key2021050810165825400_ref016","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1016\/0167-4048(96)00008-9","article-title":"Risk analysis modelling with the use of fuzzy logic","volume":"15","year":"1996","journal-title":"Computers and Security"},{"key":"key2021050810165825400_ref017a","doi-asserted-by":"crossref","first-page":"576","DOI":"10.1016\/j.ins.2018.12.051","article-title":"An insurance theory based optimal cyber-insurance contract against moral hazard","volume":"527","year":"2020","journal-title":"Information Sciences"},{"key":"key2021050810165825400_ref017","doi-asserted-by":"crossref","first-page":"327","DOI":"10.1016\/j.eswa.2017.06.042","article-title":"Information sharing vs privacy: a game theoretic analysis","volume":"88","year":"2017","journal-title":"Expert Systems with Applications"},{"issue":"1","key":"key2021050810165825400_ref018","first-page":"1","article-title":"Interdependency analysis in security investment against strategic attacks","volume":"22","year":"2018","journal-title":"Information Systems Frontiers"},{"key":"key2021050810165825400_ref019","article-title":"Joint pricing and security investment in cloud security service market with user interdependency","year":"2020"},{"issue":"5","key":"key2021050810165825400_ref020","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1108\/IMCS-07-2013-0053","article-title":"Current challenges in information security risk management","volume":"22","year":"2014","journal-title":"Information Management and Computer 
Security"},{"issue":"2","key":"key2021050810165825400_ref021","doi-asserted-by":"crossref","first-page":"34","DOI":"10.3390\/g9020034","article-title":"Risk assessment uncertainties in cybersecurity investments","volume":"9","year":"2018","journal-title":"Games"},{"key":"key2021050810165825400_ref022","unstructured":"Fielder, A., Panaousis, E., Malacaria, P., Hankin, C. and Smeraldi, F. (2015), \u201cComparing decision support approaches for cyber security investment\u201d, available at: https:\/\/arxiv.org\/abs\/1502.05532"},{"key":"key2021050810165825400_ref023","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1016\/j.dss.2016.02.012","article-title":"Decision support approaches for cyber security investment","volume":"86","year":"2016","journal-title":"Decision Support Systems"},{"issue":"1","key":"key2021050810165825400_ref024","doi-asserted-by":"crossref","first-page":"277","DOI":"10.1007\/s10479-015-1925-2","article-title":"Information security investment for competitive firms with hacker behavior and security requirements","volume":"235","year":"2015","journal-title":"Annals of Operations Research"},{"issue":"6","key":"key2021050810165825400_ref025","doi-asserted-by":"crossref","first-page":"511","DOI":"10.1080\/0740817X.2015.1125044","article-title":"A differential game approach to security investment and information sharing in a competitive environment","volume":"48","year":"2016","journal-title":"IIE Transactions"},{"issue":"11","key":"key2021050810165825400_ref026","doi-asserted-by":"crossref","first-page":"1682","DOI":"10.1057\/jors.2013.133","article-title":"A game-theoretic analysis of information sharing and security investment for complementary firms","volume":"65","year":"2014","journal-title":"Journal of the Operational Research Society"},{"issue":"2","key":"key2021050810165825400_ref027","doi-asserted-by":"crossref","first-page":"423","DOI":"10.1007\/s10796-013-9411-3","article-title":"Security investment and information sharing under an 
alternative security breach probability function","volume":"17","year":"2015","journal-title":"Information Systems Frontiers"},{"key":"key2021050810165825400_ref030","article-title":"Virus writers: the end of the innocence?","volume-title":"10th Annual Virus Bulletin Conference (VB2000)","year":"2000"},{"issue":"4","key":"key2021050810165825400_ref028","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","year":"2002","journal-title":"Acm Transactions on Information and System Security (Tissec)"},{"issue":"1","key":"key2021050810165825400_ref029","doi-asserted-by":"crossref","first-page":"tyaa005","DOI":"10.1093\/cybsec\/tyaa005","article-title":"Integrating cost \u2013 benefit analysis into the NIST cybersecurity framework via the Gordon \u2013 Loeb model","volume":"6","year":"2020","journal-title":"Journal of Cybersecurity"},{"key":"key2021050810165825400_ref031","first-page":"209","article-title":"Secure or insure? 
A game-theoretic analysis of information security games","year":"2008"},{"issue":"2","key":"key2021050810165825400_ref032","doi-asserted-by":"crossref","first-page":"87","DOI":"10.1287\/deca.2017.0346","article-title":"Modeling a multitarget attacker \u2013 defender game with budget constraints","volume":"14","year":"2017","journal-title":"Decision Analysis"},{"issue":"9","key":"key2021050810165825400_ref033","doi-asserted-by":"crossref","first-page":"2715","DOI":"10.1080\/00207543.2018.1547434","article-title":"Pricing decisions for three-echelon supply chain with advertising and quality effort-dependent fuzzy demand","volume":"57","year":"2019","journal-title":"International Journal of Production Research"},{"issue":"5","key":"key2021050810165825400_ref035a","first-page":"338","article-title":"Returns to information security investment: the effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability","volume":"8","year":"2006","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"key2021050810165825400_ref034","doi-asserted-by":"crossref","first-page":"329","DOI":"10.1007\/s10796-012-9390-9","article-title":"Returns to information security investment: endogenizing the expected loss","volume":"16","year":"2014","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"key2021050810165825400_ref035","doi-asserted-by":"crossref","first-page":"582","DOI":"10.1016\/j.ejor.2016.06.033","article-title":"Defense and attack for interdependent systems","volume":"256","year":"2017","journal-title":"European Journal of Operational Research"},{"issue":"2","key":"key2021050810165825400_ref036","doi-asserted-by":"crossref","first-page":"1750010","DOI":"10.1142\/S0219198917500104","article-title":"Information sharing among cyber hackers in successive attacks","volume":"19","year":"2017","journal-title":"International Game Theory 
Review"},{"key":"key2021050810165825400_ref037","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1016\/j.ress.2017.03.027","article-title":"Special versus general protection and attack of parallel and series components","volume":"165","year":"2017","journal-title":"Reliability Engineering and System Safety"},{"issue":"1","key":"key2021050810165825400_ref040a","doi-asserted-by":"crossref","first-page":"1750027","DOI":"10.1142\/S021919891750027X","article-title":"Proactivity and retroactivity of firms and information sharing of hackers","volume":"20","year":"2018","journal-title":"International Game Theory Review"},{"issue":"3","key":"key2021050810165825400_ref038","doi-asserted-by":"crossref","first-page":"364","DOI":"10.1080\/01605682.2018.1438763","article-title":"Defence and attack of complex interdependent systems","volume":"70","year":"2019","journal-title":"Journal of the Operational Research Society"},{"issue":"2","key":"key2021050810165825400_ref039","doi-asserted-by":"crossref","first-page":"370","DOI":"10.1016\/j.ejor.2010.12.013","article-title":"Defending against multiple different attackers","volume":"211","year":"2011","journal-title":"European Journal of Operational Research"},{"issue":"6","key":"key2021050810165825400_ref040","doi-asserted-by":"crossref","first-page":"726","DOI":"10.1057\/jors.2011.79","article-title":"The timing and deterrence of terrorist attacks due to exogenous dynamics","volume":"63","year":"2012","journal-title":"Journal of the Operational Research Society"},{"issue":"6","key":"key2021050810165825400_ref041","doi-asserted-by":"crossref","first-page":"1285","DOI":"10.1007\/s10796-019-09959-1","article-title":"Investigating the security divide between SME and large companies: how SME characteristics influence organizational IT security investments","volume":"21","year":"2019","journal-title":"Information Systems 
Frontiers"},{"issue":"2","key":"key2021050810165825400_ref042","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1016\/j.jsis.2012.10.004","article-title":"The economic impact of cyber terrorism","volume":"22","year":"2013","journal-title":"The Journal of Strategic Information Systems"},{"issue":"1","key":"key2021050810165825400_ref043","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1016\/j.ijpe.2012.06.022","article-title":"Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints","volume":"141","year":"2013","journal-title":"International Journal of Production Economics"},{"issue":"2","key":"key2021050810165825400_ref044","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse firm","volume":"114","year":"2008","journal-title":"International Journal of Production Economics"},{"key":"key2021050810165825400_ref048a","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.dss.2013.10.011","article-title":"Optimal information security investment in a healthcare information exchange: an economic analysis","volume":"61","year":"2014","journal-title":"Decision Support Systems"},{"issue":"1","key":"key2021050810165825400_ref045","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s10257-016-0306-y","article-title":"Ranking information security controls by using fuzzy analytic hierarchy process","volume":"15","year":"2017","journal-title":"Information Systems and e-Business Management"},{"issue":"9","key":"key2021050810165825400_ref046","doi-asserted-by":"crossref","first-page":"3522","DOI":"10.1007\/s11227-015-1547-0","article-title":"Benefits of cloud computing adoption for smart grid security from security perspective","volume":"72","year":"2016","journal-title":"The Journal of 
Supercomputing"},{"issue":"3","key":"key2021050810165825400_ref051a","doi-asserted-by":"crossref","first-page":"1122","DOI":"10.1016\/j.ejor.2019.07.064","article-title":"Attacking and defending multiple valuable secrets in a big data world","volume":"280","year":"2020","journal-title":"European Journal of Operational Research"},{"issue":"11","key":"key2021050810165825400_ref047","doi-asserted-by":"crossref","first-page":"1329","DOI":"10.1109\/12.324566","article-title":"Fuzzy systems as universal approximators","volume":"43","year":"1994","journal-title":"IEEE Transactions on Computers"},{"issue":"1","key":"key2021050810165825400_ref048","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1007\/s10660-013-9105-4","article-title":"Cybercrime and cyber-security issues associated with China: some economic and institutional considerations","volume":"13","year":"2013","journal-title":"Electronic Commerce Research"},{"issue":"3","key":"key2021050810165825400_ref049","doi-asserted-by":"crossref","first-page":"313","DOI":"10.1007\/s10611-016-9629-3","article-title":"Cybercrime and cybersecurity in India: causes, consequences and implications for the future","volume":"66","year":"2016","journal-title":"Crime, Law and Social Change"},{"issue":"2","key":"key2021050810165825400_ref050","first-page":"23","article-title":"A survey of interdependent information security games","volume":"47","year":"2015","journal-title":"Acm Computing Surveys)"},{"key":"key2021050810165825400_ref051","first-page":"1","article-title":"Cybersecurity investments in a two-echelon supply chain with third-party risk propagation","year":"2020","journal-title":"International Journal of Production Research"},{"issue":"4","key":"key2021050810165825400_ref052","doi-asserted-by":"crossref","first-page":"445","DOI":"10.1109\/TFUZZ.2002.800692","article-title":"Expected value of fuzzy variable and fuzzy expected value models","volume":"10","year":"2002","journal-title":"IEEE Transactions on Fuzzy 
Systems"},{"issue":"2","key":"key2021050810165825400_ref053","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1142\/S0218488503002016","article-title":"Expected value operator of random fuzzy variable and random fuzzy expected value models","volume":"11","year":"2003","journal-title":"International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems"},{"key":"key2021050810165825400_ref054","doi-asserted-by":"crossref","first-page":"519","DOI":"10.1016\/j.ijpe.2016.09.018","article-title":"An economic model to evaluate information security investment of risk-taking small and medium enterprises","volume":"182","year":"2016","journal-title":"International Journal of Production Economics"},{"issue":"2","key":"key2021050810165825400_ref055","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1007\/s10796-017-9745-3","article-title":"Enterprise security investment through time when facing different types of vulnerabilities","volume":"21","year":"2019","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"key2021050810165825400_ref061a","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1016\/0165-0114(78)90011-8","article-title":"Fuzzy variables","volume":"1","year":"1978","journal-title":"Fuzzy Sets and Systems"},{"key":"key2021050810165825400_ref056","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1016\/j.cose.2017.06.010","article-title":"Assessing and augmenting SCADA cyber security: a survey of techniques","volume":"70","year":"2017","journal-title":"Computers and Security"},{"issue":"2","key":"key2021050810165825400_ref057","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1016\/j.dss.2003.12.002","article-title":"Fuzzy decision support system for risk analysis in e-commerce development","volume":"40","year":"2005","journal-title":"Decision Support 
Systems"},{"issue":"1","key":"key2021050810165825400_ref058","doi-asserted-by":"crossref","first-page":"320","DOI":"10.1016\/j.ejor.2015.04.043","article-title":"On the value of exposure and secrecy of defense system: first-mover advantage vs robustness","volume":"246","year":"2015","journal-title":"European Journal of Operational Research"},{"issue":"1","key":"key2021050810165825400_ref059","first-page":"364","article-title":"Defense resource allocation against sequential unintentional and intentional impacts","volume":"68","year":"2018","journal-title":"IEEE Transactions on Reliability"},{"key":"key2021050810165825400_ref060","doi-asserted-by":"crossref","first-page":"106651","DOI":"10.1016\/j.ress.2019.106651","article-title":"Defending a parallel system against a strategic attacker with redundancy, protection and disinformation","volume":"193","year":"2020","journal-title":"Reliability Engineering and System Safety"},{"key":"key2021050810165825400_ref061","doi-asserted-by":"crossref","first-page":"137","DOI":"10.1016\/j.ress.2016.01.002","article-title":"Defending a single object against an attacker trying to detect a subset of false targets","volume":"149","year":"2016","journal-title":"Reliability Engineering and System Safety"},{"key":"key2021050810165825400_ref062","unstructured":"Ponemon Institute L.L.C (2017), \u201c2017 cost of data breach study - global overview\u201d, available at: www.ibm.com\/security\/data-breach\/#cost (accessed 20 October 2017)."},{"issue":"12","key":"key2021050810165825400_ref063","doi-asserted-by":"crossref","first-page":"4069","DOI":"10.1080\/00207543.2017.1400704","article-title":"A new game of information sharing and security investment between two allied firms","volume":"56","year":"2018","journal-title":"International Journal of Production Research"},{"issue":"10","key":"key2021050810165825400_ref064","doi-asserted-by":"crossref","first-page":"1290","DOI":"10.1057\/s41274-016-0134-y","article-title":"A game-theoretic 
analysis of information security investment for multiple firms in a network","volume":"68","year":"2017","journal-title":"Journal of the Operational Research Society"},{"issue":"1","key":"key2021050810165825400_ref065","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1080\/07421222.1991.11517914","article-title":"Risk analysis for information technology","volume":"8","year":"1991","journal-title":"Journal of Management Information Systems"},{"issue":"5","key":"key2021050810165825400_ref066","doi-asserted-by":"crossref","first-page":"1205","DOI":"10.1007\/s10796-016-9648-8","article-title":"Economic valuation for information security investment: a systematic literature review","volume":"19","year":"2017","journal-title":"Information Systems Frontiers"},{"issue":"1","key":"key2021050810165825400_ref067","first-page":"31","article-title":"Measuring dimensions of perceived e-business risks","volume":"2","year":"2004","journal-title":"Information Systems and e-Business Management"},{"issue":"1","key":"key2021050810165825400_ref074a","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1016\/j.ejor.2019.09.017","article-title":"Cybersecurity investments in the supply chain: coordination and a strategic attacker","volume":"282","year":"2020","journal-title":"European Journal of Operational Research"},{"key":"key2021050810165825400_ref068","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1016\/j.dss.2015.04.011","article-title":"Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors","volume":"75","year":"2015","journal-title":"Decision Support Systems"},{"issue":"2","key":"key2021050810165825400_ref069","first-page":"148","article-title":"On the continuity and convexity analysis of the expected value function of a fuzzy mapping","volume":"1","year":"2007","journal-title":"Journal of Uncertain 
Systems"},{"issue":"4","key":"key2021050810165825400_ref070","doi-asserted-by":"crossref","first-page":"455","DOI":"10.1007\/s10257-011-0173-5","article-title":"Measuring and ranking attacks based on vulnerability analysis","volume":"10","year":"2012","journal-title":"Information Systems and e-Business Management"},{"key":"key2021050810165825400_ref071","volume-title":"IT governance: How Top Performers Manage IT decision Rights for Superior Results","year":"2004"},{"key":"key2021050810165825400_ref072","doi-asserted-by":"crossref","first-page":"807","DOI":"10.1016\/j.cose.2018.02.001","article-title":"Information security investments: an exploratory multiple case study on decision-making, evaluation and learning","volume":"77","year":"2018","journal-title":"Computers and Security"},{"key":"key2021050810165825400_ref073","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1016\/j.ress.2017.08.006","article-title":"Object defense with preventive strike and false targets","volume":"169","year":"2018","journal-title":"Reliability Engineering and System Safety"},{"key":"key2021050810165825400_ref074","first-page":"1","article-title":"Optimal defence-attack strategies between one defender and two attackers","year":"2019","journal-title":"Journal of the Operational Research Society"},{"key":"key2021050810165825400_ref075","doi-asserted-by":"crossref","first-page":"106778","DOI":"10.1016\/j.ress.2019.106778","article-title":"Risk-attitude-based defense strategy considering proactive strike, preventive strike and imperfect false targets","volume":"196","year":"2020","journal-title":"Reliability Engineering and System Safety"},{"key":"key2021050810165825400_ref076","article-title":"Managing security outsourcing in the presence of strategic hackers","year":"2020"},{"issue":"15\/16","key":"key2021050810165825400_ref077","first-page":"6132","article-title":"Game of information security investment: impact of attack types and network 
vulnerability","volume":"42","year":"2015","journal-title":"Expert Systems with Applications"},{"key":"key2021050810165825400_ref078","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cie.2017.05.018","article-title":"Decisions-making in information security outsourcing: impact of complementary and substitutable firms","volume":"110","year":"2017","journal-title":"Computers and Industrial Engineering"},{"key":"key2021050810165825400_ref079","doi-asserted-by":"crossref","first-page":"106952","DOI":"10.1016\/j.ress.2020.106952","article-title":"Optimal resource allocation for defending k-out-of-n systems against sequential intentional and unintentional impacts","volume":"201","year":"2020","journal-title":"Reliability Engineering and System Safety"},{"issue":"5","key":"key2021050810165825400_ref080","first-page":"1","article-title":"Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect","volume":"21","year":"2019","journal-title":"Information Systems Frontiers"},{"issue":"6","key":"key2021050810165825400_ref081","doi-asserted-by":"crossref","first-page":"1414","DOI":"10.1111\/risa.13257","article-title":"A study on a sequential one\u2010defender\u2010N\u2010attacker game","volume":"39","year":"2019","journal-title":"Risk Analysis"},{"issue":"1","key":"key2021050810165825400_ref082","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1057\/jit.2010.4","article-title":"The impact of information security events on the stock value of firms: the effect of contingency factors","volume":"26","year":"2011","journal-title":"Journal of Information Technology"},{"key":"key2021050810165825400_ref083","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1016\/j.ijcip.2016.04.001","article-title":"A framework for incorporating insurance in critical infrastructure cyber risk strategies","volume":"14","year":"2016","journal-title":"International Journal of Critical Infrastructure 
Protection"},{"issue":"3","key":"key2021050810165825400_ref084","doi-asserted-by":"crossref","first-page":"338","DOI":"10.1016\/S0019-9958(65)90241-X","article-title":"Fuzzy sets","volume":"8","year":"1965","journal-title":"Information and Control"},{"issue":"1","key":"key2021050810165825400_ref092a","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/0165-0114(78)90029-5","article-title":"Fuzzy sets as a basis for a theory of possibility","volume":"1","year":"1978","journal-title":"Fuzzy Sets and Systems"},{"issue":"2","key":"key2021050810165825400_ref085","doi-asserted-by":"crossref","first-page":"408","DOI":"10.1111\/risa.13399","article-title":"Defender\u2013attacker games with asymmetric player utilities","volume":"40","year":"2020","journal-title":"Risk Analysis"},{"issue":"1","key":"key2021050810165825400_ref094a","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1016\/j.ejor.2004.04.049","article-title":"Random fuzzy renewal process","volume":"169","year":"2006","journal-title":"European Journal of Operational Research"},{"issue":"10","key":"key2021050810165825400_ref086","doi-asserted-by":"crossref","first-page":"2196","DOI":"10.3390\/ijerph15102196","article-title":"An evolutionary game-theoretic approach for assessing privacy protection in mHealth systems","volume":"15","year":"2018","journal-title":"International Journal of Environmental Research and Public Health"},{"issue":"2","key":"key2021050810165825400_ref087","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/S0377-2217(99)00228-3","article-title":"An application-oriented view of modeling uncertainty","volume":"122","year":"2000","journal-title":"European Journal of Operational Research"},{"key":"key2021050810165825400_ref088","article-title":"Managing information system security under continuous and abrupt 
deterioration","year":"2020"},{"key":"key2021050810165825400_ref089","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1016\/j.ress.2017.08.021","article-title":"Defending a cyber system with early warning mechanism","volume":"169","year":"2018","journal-title":"Reliability Engineering and System Safety"},{"issue":"3","key":"key2021050810165825400_ref090","article-title":"Revenge or continued attack and defense in defender\u2013attacker conflicts","volume":"287","year":"2020","journal-title":"European Journal of Operational Research"},{"issue":"2","key":"key2021050810165825400_ref091","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1007\/s10257-003-0004-4","article-title":"Coordination in networks: an economic equilibrium analysis","volume":"1","year":"2003","journal-title":"Information Systems and e-Business Management"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2020-0028\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2020-0028\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:42Z","timestamp":1753406562000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/1\/73-104\/103767"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,26]]},"references-count":100,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,8,26]]},"published-print":{"date-parts":[[2021,5,10]]}},"alternative-id":["10.1108\/ICS-02-2020-0028"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2020-0028","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"
}],"subject":[],"published":{"date-parts":[[2020,8,26]]}}}