Cyber Risk in Supply Chains: Strategic Interactions and Optimal Coordination
Abstract
We develop a model of cybersecurity in a supply chain economy populated by multiple firms, organized into two tiers (suppliers and retailers), and by cybercriminals. Suppliers and retailers form a network in which each supplier may be linked to several retailers. The length of each supplier-retailer edge represents the number of access points a cybercriminal can exploit to inflict damage; exploiting more access points brings the attacker “closer” to the firm and increases expected loss. The cybercriminal may be of two types, low cost or high cost, drawn by nature and unobserved by firms, which know only the distribution over types. Attackers allocate effort both to penetrating a firm’s defenses and to evading detection. We focus on ex ante prevention and detection choices and do not model false-alarm responses as a separate decision stage, because firms in our framework do not condition any actions on realized alarm signals. Accordingly, false alarms are absorbed into the effective cost of detection rather than modeled as a distinct decision. Within this structure, we derive equilibrium properties under four organizational settings: when firms act in isolation, when they share information vertically across tiers, when they share information horizontally within tiers, and when cybersecurity is coordinated by a central planner.

