Differential Games of Asymmetric Information for Dynamic Systemic Cyber Risk Management

With the massive connections between different agents in the Internet network, cyber threats become ubiquitous and raise critical concerns for resource owners, e.g., data storage and cloud service providers. To address this issue, the owners can outsource their cyber risk management tasks to the professional security entities. In this talk, we use a two-person differential game framework to capture the service relationships between two parties, i.e., the resource owner and the cyber risk manager. Specifically, we consider the differential game with asymmetric information where the owner only has the observations of cyber risk outcomes of the network rather than the efforts that the manager spends on protecting the resources. Under this information pattern, the owner aims to minimize the systemic cyber risks by designing a dynamic contract specifying the payment flows and the preferred efforts by taking the manager's incentives and rational behavior into account. We obtain the optimal contracts by reformulating the problem into a stochastic optimal control program which can be solved using HJB. We further investigate some special cases where the form of solutions can be fully characterized. Finally, some features of the optimal dynamic contracts are discussed including the information cost by comparing it with the one under complete information. This is the joint work with Juntao Chen.