Dynamic Contract Design for Systemic Cyber Risk Management of Interdependent Enterprise Networks
Juntao Chen, Quanyan Zhu and Tamer Başar
Additional contact information
Juntao Chen: Fordham University
Quanyan Zhu: New York University
Tamer Başar: University of Illinois at Urbana-Champaign
Dynamic Games and Applications, 2021, vol. 11, issue 2, No 4, 294-325
Abstract:
The interconnectivity of cyber and physical systems and Internet of things has created ubiquitous concerns of cyber threats for enterprise system managers. It is common that the asset owners and enterprise network operators need to work with cybersecurity professionals to manage the risk by remunerating them for their efforts that are not directly observable. In this paper, we use a principal–agent framework to capture the service relationships between the two parties, i.e., the asset owner (principal) and the cyber risk manager (agent). Specifically, we consider a dynamic systemic risk management problem with asymmetric information where the principal can only observe cyber risk outcomes of the enterprise network rather than directly the efforts that the manager expends on protecting the resources. Under this information pattern, the principal aims to minimize the systemic cyber risks by designing a dynamic contract that specifies the compensation flows and the anticipated efforts of the manager by taking into account his incentives and rational behaviors. We formulate a bi-level mechanism design problem for dynamic contract design within the framework of a class of stochastic differential games. We show that the principal has rational controllability of the systemic risk by designing an incentive compatible estimator of the agent’s hidden efforts. We characterize the optimal solution by reformulating the problem as a stochastic optimal control program which can be solved using dynamic programming. We further investigate a benchmark scenario with complete information and identify conditions that yield zero information rent and lead to a new certainty equivalence principle for principal–agent problems. Finally, case studies over networked systems are carried out to illustrate the theoretical results obtained.
Keywords: Systemic risk; Dynamic contracts; Differential games; Internet of Things; Economics of cybersecurity
Date: 2021
Downloads: (external link)
http://link.springer.com/10.1007/s13235-020-00363-y Abstract (text/html)
Access to the full text of the articles in this series is restricted.
Persistent link: https://EconPapers.repec.org/RePEc:spr:dyngam:v:11:y:2021:i:2:d:10.1007_s13235-020-00363-y
Ordering information: This journal article can be ordered from
http://www.springer.com/economics/journal/13235
DOI: 10.1007/s13235-020-00363-y
Dynamic Games and Applications is currently edited by Georges Zaccour
Bibliographic data for series maintained by Sonal Shukla and Springer Nature Abstracting and Indexing.