Cyberattacks, Operational Disruption, and Investment in Resilience Measures
Published Online: 18 Dec 2024 https://doi.org/10.1287/mnsc.2022.00430

