Cooperative Security Against Interdependent Risks

Firms in inter-organizational networks such as supply chains or strategic alliances are exposed to interdependent risks. These are risks that are transferable across partner firms. They can be decomposed into intrinsic risks a firm faces from its own operations and extrinsic risks transferred from its partners. Firms broadly have access to two security strategies: either they can independently eliminate both intrinsic and extrinsic risks by securing their links with partners, or alternatively, firms can cooperate with partners to eliminate sources of intrinsic risk in the network. We develop a graph-theoretic model of interdependent security and demonstrate that the network-optimal security strategy can be computed in polynomial time. Then, we use cooperative game-theoretic tools to examine whether and when firms can sustain the network-optimal security strategy via cost-sharing mechanisms that are stable, fair, computable, and implementable via a series of bilateral cost-sharing arrangements. We consider different informational assumptions in the network and show that, when the players know only their own costs, firms have a clear incentive to cooperate globally whereas, in the presence of public information, there may not exist cost-sharing mechanisms that can sustain network-wide cooperation. We then design a novel cost-sharing mechanism: the agreeable allocation, that is easy to compute, bilaterally implementable, ensures stability, and is fair in a well-defined sense. However, the agreeable allocation need not always exist. We then generalize levels of agreeable allocation, with weaker implementability properties but greater existence guarantees.


Introduction and Related Literature
Firms increasingly belong to a variety of inter-organizational networks, such as complex supply chains, strategic alliances, or other types of partnerships. Membership in these networks can evidently yield economic benefits, but it also necessitates substantial additional security investments due to increased exposure to interdependent or contagion risks (Kunreuther and Heal 2003). For instance, in January 2013, the European food industry endured a horse-meat contamination scandal (Lawrence 2013). Meat products from several retailers and fast-food chains in the United Kingdom and Ireland, advertised as containing beef, were discovered upon testing to have been contaminated with horse-meat. Further investigation revealed that in the complex meat supply networks, with contractors and subcontractors spread all across Europe, a particular supplier had indulged in deliberate contamination in a bid to cut costs. Several retailers, including Britain's largest retailer, TESCO, that had sourced the contaminated meat, faced economic repercussions from a drop in sales and reputational harm. Other notable cases of supply contamination include the adulteration of milk with melamine (Levi et al. 2020, Mu et al. 2016) and the 2008 heparin adulteration scandal (Babich and Tang 2012). Contamination in supply networks, upon discovery, typically results in product recalls, regulatory fines, and brand equity loss, often entailing substantial costs for the concerned firms.
Besides supply networks, interdependent risks can arise in other contexts too. For instance, businesses have a growing recognition that they bear a social responsibility to secure their consumer data from cyber threats (Pollach 2011). Malware infecting the systems of a company in an inter-firm network can gain access to the IT systems of its partner firms. Due to poor cyber-security practices by partner firms, companies such as Target and Home Depot have been the victims of high-profile data and privacy breaches (McAfee 2015). In today's highly interconnected networks, risks like contamination in food supply chains or consumer data breaches assume an interdependent nature. That is, the risks faced by a firm depend not only on internal risks arising from their own operations but also on the risk transferred from partner firms in the network. Further, the above examples involve risks transferred between networked partners with ongoing and frequent repeated interactions. Thus, a firm vulnerable to internal risks is near-certain to transfer this risk to its partner firms if these partners do not take appropriate remedial actions.
Therefore, to secure themselves against interdependent risks, two general strategies are available to networked firms. First, firms in the network can choose to invest cooperatively in securing themselves, thereby removing sources of risk. Second, alternatively, firms can choose to independently secure themselves by eliminating risk from internal operations and then investing in security across the links that connect them to the other firms in the network. So, for example, firms could cooperatively share the costs of supplier quality improvements, thereby investing in suppliers' embracing responsible operational practices. Alternatively, a retailer can implement quality standards for internal processes, and simultaneously, inspect and quality test incoming products supplied by direct partners. The latter would correspond to the independent security strategy, while the former corresponds to the cooperative security strategy.
Security against interdependent risks is associated with positive externalities since other firms benefit from the presence of a secured firm in the network. This would intuitively suggest that cooperative network-wide security against interdependent risks can be a cost-effective strategy as compared to each firm in the network independently securing itself. However, cooperation can be hindered by disagreements over cost-sharing arrangements. Firms, in general, are heterogeneous, both in the costs they incur to secure themselves as well as in the penalties that they may face in case of a realized risk. Thus, a priori, it is not clear whether there will always exist a stable and fair sharing of security costs that can sustain network-wide cooperation. Furthermore, networked firms typically have visibility and mechanisms to cooperate and monitor with only immediate partners. For instance, extended multi-tier supply chains are often associated with a loss in visibility over firms further away in the network (Caro et al. 2021). Thus, it is also unclear whether one can find suitable mechanisms to implement cost-sharing arrangements that circumvent coordination across firms that are not immediate or direct partners. To address these issues, in this paper, we consider an interdependent security model on a network and an associated cost-sharing game. In our model, as motivated above, firms face an intrinsic risk from their internal operations and an extrinsic risk from their unsecured partners in the network. Firms in the network are heterogeneous in the costs they incur to secure themselves and the penalties they face in case of an actualized threat.
Further, we also consider our network security model under differing informational assumptions. In our private information model, we assume that all cost parameters are privately known to players. So, in the absence of explicit cooperation, each firm's security actions cannot be observed or inferred by other firms in the network. This private information assumption is a marked distinction from existing models of interdependent security in the literature, which typically assume that various model parameters and actions are public information. In several real-world contexts, in the absence of formal mechanisms for cooperation, firms are neither aware of the security efforts undertaken by other firms nor can they infer their efforts since the underlying cost structures are typically private information. However, in certain other scenarios, it would be more reasonable to assume that firms are indeed aware of the security costs of other firms in the network. Therefore, we also analyze our network security model with the alternative informational assumption wherein efforts and cost structures are public information. Further, studying these two extreme informational assumptions also permits us to separate the benefits of cooperation arising from interdependence and information acquisition. In the e-companion, we also consider a more general hybrid model, the partial information model, where, as in practice, due to regulatory requirements or strategic disclosures, the cost parameters and efforts of some firms are publicly known whereas the costs and efforts of other firms are only known privately.
The network-optimal security strategy under all informational assumptions is identical, and we demonstrate that it can be computed in polynomial time using a minimum weighted cut network-flow algorithm. Then, we adopt a cooperative game-theoretic approach to assess whether agents have an incentive to cooperate across the entire network and share the security investment costs. We show that, under the private information setting, agents have a clear incentive to cooperate globally, i.e., form the grand coalition and share the resulting security costs. However, with even some information being public in the network, we show that, in general, there do not exist cost-sharing mechanisms that can ensure the stability of the grand coalition. This can be explained by two drivers: first, with public information, the benefit from additional information acquisition is lowered. Thus, the benefits from cooperative security in the public information setting are arguably lower. Second, public information engenders free-riding since firms can now anticipate and observe the security actions of other firms in the network and benefit from the cooperation of other firms in the network without participating in the grand coalition and sharing security costs. In similar cooperative settings with externalities, free-rider concerns are acknowledged as a fundamental reason often precluding the stability of the grand coalition (see, e.g., Yi (1997)).
Importantly, we then introduce the notion of bilateral implementability. A cost-sharing arrangement is said to be bilaterally implementable if it can be enforced by a series of bilateral cost-sharing agreements between only direct partners in the network. Bilaterally implementable cost-sharing mechanisms are resistant to the aforementioned limitations of network visibility and control. It is generally assumed, for example, in managing supply chains that it is easier for firms to contract with their immediate suppliers with whom they share direct relationships and that it is more challenging to gain visibility, manage, and contract with deep-tier suppliers (see, e.g., Huang et al. (2020) and Dong et al. (2022)). We propose a novel security cost sharing mechanism, the agreeable allocation, which is a restricted variant of the Shapley value allocation (Shapley 1971). We then demonstrate that the agreeable allocation satisfies notions of stability, is formalizably fair, and unlike the Shapley value, is easily computable, and always bilaterally implementable. However, the agreeable allocation may not always exist. We then construct δ-agreeable allocations that satisfy a generalized notion of (δ+1)-lateral implementability, for an integer δ ≥ 1, whereby firms that are at a distance of at most δ from each other in the network can enter into cost-sharing agreements. When δ = 1, we recover bilateral implementability. This allows us to delineate a hierarchy of cost-sharing mechanisms such that as δ increases (i.e., firms that are farther away from each other in the network are allowed to cooperate), the corresponding δ-agreeable allocation is more likely to exist.
To analyze the effects of network structure on the existence of the agreeable allocation, we consider the special case of quasi-homogeneous networks, i.e., networks where the security cost parameters are equal. We then provide a structural graph-theoretic characterization for the existence of the agreeable allocation in these networks. Specifically, we show that the local density of networks plays a key role in determining whether the agreeable allocation exists.
In summary, one can view our work in both descriptive and normative terms. Descriptively, we observe that network-wide security cooperation is efficient and in some cases, this cooperation can be sustained with suitable cost-sharing arrangements. However, when concerns pertaining to computability and implementability of these cost-sharing mechanisms are incorporated, network-wide security cooperation is rendered more challenging. Normatively, via our analysis of the agreeable allocation and its extensions, we are able to provide insights into when and how these implementation challenges can be surmounted.

Overview of Related Literature
This work is related to three distinct streams of literature. First, it contributes to extant work on social responsibility and risk management in supply chains. Second, our work is closely tied to interdependent security models introduced by Kunreuther and Heal (2003). One of our aims is to bridge these two bodies of literature. Finally, our work adds to the growing literature on applications of cooperative game theory to operations management.

Supply Chain Social Responsibility and Risk Management.
There is a vast literature investigating the role of several instruments such as auditing (Caro et al. 2018, Chen et al. 2020, Fang and Cho 2020, Plambeck and Taylor 2016), inspection and testing (Babich and Tang 2012, Lee and Li 2018), and more recently, contracts (Dhingra and Krishnan 2021), in mitigating social responsibility risks associated with extended global supply chains. We refer the interested reader to Dawande and Qi (2021) for a recent review. While previously, most of this literature dealt with two-firm or dyadic scenarios, recently, several studies also deal with multi-tier supply chains, e.g., supply networks with three tiers or other network structures (Chen et al. 2020, Huang et al. 2020, Zhang et al. 2021). Also closely related to our work, Feng et al. (2021) study the implementation of ESR programs in general supply networks and gain sharing via a bilateral bargaining framework that generalizes a conventional Shapley value based cooperative-game theoretic approach. Recently, Blaettchen et al. (2021) also study the optimal adoption seeding of traceability technologies which carry several implications for sustainable practices in supply networks. While we view our work as contributing to this stream of literature, we note that it bears some differences. For instance, we consider a general network structure and do not impose any structural assumptions. Second, our work deals with only interdependent risks, that is, contagion risks spreading via the network. These scenarios include cases such as food contamination risks or data breach threats as motivated in the introduction.

Interdependent Security.
In terms of model development, our work is most closely related to the interdependent security literature. Interdependent security models were introduced by Kunreuther and Heal (2003) and have since spawned a rich literature in the intersection of economics and computer science that studies various related models (see, for example, Laszka et al. (2014) for a review). In these models, as in ours, the security of agents depends on an agent's own actions (direct risk, or as we term it, intrinsic risk) and those of other agents (indirect or extrinsic risk). The present work aims to bridge the interdependent security literature with the rich stream of work on socially responsible operations in supply networks. While this research stream inspires our model, our work differs from existing literature in some crucial ways. First, in several of the existing models, the agents can only curb their own intrinsic risk and cannot mitigate extrinsic risks. Second, a majority of the interdependent security literature adopts a non-cooperative (game-theoretic) perspective. They assume that players in the network act to secure themselves independently and then characterize and compute the non-cooperative equilibria of these games. Kearns and Ortiz (2003) and Chan et al. (2012) develop algorithms to compute the equilibria of classes of interdependent security games. Heal and Kunreuther (2007) also consider the Nash equilibria of such games and study conditions for tipping sub-optimal equilibria to an optimal one. Chan and Ortiz (2014) consider a more general model where agents can influence the transfer of extrinsic risk and then analyze equilibria computations. However, this literature largely ignores issues of cooperation in networks and the problem of when and how cooperation can be sustained. In practice, agents can and indeed do cooperatively secure themselves against interdependent risks. This, therefore, is the central focus of the present paper.
Cooperative Game Theory in Operations Management.
Finally, we also contribute to the growing body of work dealing with applying cooperative game theory to problems in operations management. For a review of this literature, we refer the reader to Nagarajan and Sošić (2008). Benefits of cooperation can be realized and therefore studied in several diverse settings. Some recent applications include inventory pooling (Kemahlıoglu-Ziya and Bartholdi III 2011), inventory transshipments (Granot and Sošić 2003, Sošić 2006), demand information sharing (Leng and Parlar 2009), supplier alliances to mitigate order default risk (Huang et al. 2016), production schedule coordination (Aydinliyim and Vairaktarakis 2010), supply chain emissions management and reduction (Gopalakrishnan et al. 2021a,b), recycling (Gui et al. 2018, Tian et al. 2020), humanitarian operations (Ergun et al. 2014), vaccine distribution (Westerink-Duijzer et al. 2020) and so forth. Related to our work, Mu et al. (2019) study quality management in milk cooperatives. In dairy cooperatives, individual farmers can shirk on quality and free-ride on the higher quality milk produced by other farmers in the cooperative. Mu et al. (2019), therefore, develop a revenue allocation rule that achieves quantity and quality efficiency with minimal testing while incorporating other practical implementation considerations.

A Network Security Model
We consider a set of heterogeneous players denoted by $N$. Following standard graph-theoretic notation, let us suppose that the players occupy a network denoted as $G = (N, A)$. The node set $N$ of the network coincides with the set of players with each player occupying a unique corresponding node in $G$. An arc $(i, j) \in A$ for $i, j \in N$ represents a directed link from the player $i$ to the player $j$. The set of arcs in the network is denoted by $A$. Let $N^+(i)$ denote the set of players in $N$ to which $i$ is connected by an outgoing arc $(i, j) \in A$, and similarly, let $N^-(i)$ be the set of players $j \in N$ such that the arc $(j, i) \in A$. Further, let Each player faces two independent sources of risk: an intrinsic risk from its own operations and an extrinsic risk transferred from its partnerships with unsecured players. We assume the cost incurred by player $i$ to secure itself against intrinsic risks is given by $\theta_i$. Further, the cost incurred by $i$ to secure itself against the extrinsic risk transferred from a partner in the network $j$ is denoted by $\xi_{ji}$. Each player $i$ exerts binary actions, $x_i \in \{0, 1\}$, and $y_{ji} \in \{0, 1\}$ for all $j \in N^-(i)$, corresponding to whether to secure itself against its own intrinsic risk and extrinsic risk from its partners, respectively. Since different players may face differing penalties (in regulatory fines or reputational damage) in the case of a realized risk, we assume an unsecured player $i$ faces an expected penalty of $L_i$. A secured player faces a zero penalty. We will subsequently clarify when a player is said to be secured and unsecured, respectively.
As outlined in §1, firms can derive two distinct advantages from cooperative security in networks: first, the benefit of interdependence, which involves internalizing the positive externality of security, and second, the advantage of information acquisition. Accordingly, we first consider two extreme informational assumptions, a private information model where each player, in the absence of cooperation, is aware of and can observe only its own security cost parameters and actions. At the other extreme, we also consider the more traditional informational assumption of public information where, even in the absence of cooperation, each player can observe the costs and actions of all other players in the network.

Private Information Model.
In the private information model, we assume that all cost parameters including the cost of securing against intrinsic risk, $\theta_i$, and the expected penalty in case of a realized risk, $L_i$, are private information known only to player $i$. Similarly, the cost, $\xi_{ji}$, to secure the directed link between players $j$ and $i$ is assumed to be known only to players $i$ and $j$. This private information assumption is a departure from several existing models of interdependent security. Specifically, the private information assumption implies that in the absence of explicit cooperation between players $i$ and $j$, neither can observe or infer the actions of the other. Thus, in this scenario, we can formally define the information set of a player $i$ acting independently as $I(i, \{i\}) = \{\theta_i, \xi_{ij}, \xi_{ji}, L_i, x_i, y_{ji} : j \in N^-(i)\}$. Therefore, in this scenario, the information set of player $i \in N$ who cooperates with the set of players $i \in S \subseteq N$ expands and is given by $I(i, S) = \bigcup_{j \in S} I(j, \{j\}) = \{\theta_j, \xi_{kj}, \xi_{jk}, L_j, x_j, y_{kj} : j \in S, k \in N^-(j)\}$.

Public Information Model.
In contrast, in the public information model, we assume that all firms can observe each other's cost parameters and security actions even in the absence of cooperation. Then, the information set of a player $i$ acting independently is $I(i, \{i\}) = \{\theta_j, \xi_{jk}, \xi_{kj}, L_j, x_j, y_{jk} : j \in N, k \in N^-(j)\}$. Therefore, in the public information scenario, $I(i, S) = I(i, \{i\})$, and firms upon cooperation do not derive any benefits from additional information acquisition. By analyzing and comparing these two extreme informational assumptions, we can comment on the benefits from cooperation along the two dimensions of interdependence and information acquisition.

Partial Information Model.
In practice, even in the absence of explicit cooperation, the security costs and actions of certain firms may be public knowledge, due to regulatory requirements or strategic disclosures, whereas the costs and actions of other firms may only be known privately. Thus, we also consider a more general partial information model which assumes that the costs and actions of a subset of firms, $P \subseteq N$, are publicly known to all firms in the network whereas the costs and actions of firms in $N \setminus P$ are only privately known. Therefore, in this scenario, $I(i, \{i\}) = \{\theta_j, \xi_{jk}, \xi_{kj}, L_j, x_j, y_{jk} : j \in P \cup \{i\}, k \in N^-(j)\}$. This more general hybrid model subsumes both the private and public information models described above. Clearly, when $P = \emptyset$ and $P = N$, we recover the private and public information models, respectively. In the interest of expositional clarity and brevity, we consider the private information and public information models in the paper and extend the discussion to the general partial information model in the e-companion §EC.4.

Security Actions.
Players in the network choose security actions, $x_i \in \{0, 1\}$, and $y_{ji} \in \{0, 1\}$ for all $i \in N$ and $j \in N^-(i)$ after considering the relevant trade-off between the costs of security and the expected penalty in case of a realized risk. In order to do so, each player first forms beliefs on the security states of other firms in the network. That is, a player $i$, cooperating with players in $S$ and with the information set $I(i, S)$, forms a belief on the security state of $j \in N$ denoted by $\sigma_{ji}(I(i, S)) \in \{0, 1\}$ where $\sigma_{ji} = 0$ means player $i$ believes $j$ to be unsecured, and if $\sigma_{ji} = 1$, then $i$ believes $j$ is secured. We will subsequently clarify how players form beliefs on the security states of other firms in the network. Then, player $i$ chooses security actions $x_i$ and $y_{ji}$ accordingly to determine its own security state based on its beliefs. Since interdependent risks are transferable across partners, a player $i$ identifies itself as secured, i.e., $\sigma_i = 1$, if and only if it is secured against its own intrinsic risk, i.e., $x_i = 1$, and further, is also secured against extrinsic risks, i.e., $y_{ji} = 1$ for all players $j \in N^-(i)$ who it believes to be unsecured. For clarity, we note that the security state $\sigma_i$ of player $i$ as a function of its own security actions, given its information set and its beliefs on the security states of its network partners, satisfies the following, y ji = 0, 1, otherwise. (1) Thus, the expected security cost incurred by a player $i$ is given as follows, ξ ji y ji . (2) The first term in (2) corresponds to the expected penalty from a realized risk and is incurred only when the player $i$ is unsecured. The second and third terms correspond to the costs of securing itself against intrinsic risks, and extrinsic risks from unsecured partners, respectively.
In §3 and §4, we analyze cooperative security strategies and the associated security cost sharing problem in the private information model whereas in §6, we study the public information model. This sequence is chosen for expositional clarity. Further, in the interest of parsimony, we relegate the analysis under the general partial information model where each player acting independently is aware of the cost parameters and actions for only a subset of players to the e-companion §EC.4.

Security Strategies under Private Information
Under the private information assumption, since a player cannot observe or infer the security actions of other players, we assume a player $i$ forms a worst-case belief on the security states of players it does not explicitly cooperate with. That is, a player $i$ cooperating with the set of players $S \subseteq N$ forms the worst-case belief that $\sigma_{ji} = 0$ for all players $j \notin S$. Therefore, $i$ identifies itself as secured if and only if it is secured against its own intrinsic risk, $x_i = 1$, and further, is also secured against extrinsic risks, $y_{ji} = 1$ for all $j$ such that $\sigma_{ji} = 0$, i.e., (i) for $j$ not in $S$, and (ii) for $j$ in $S$ who are themselves not secured. Therefore, in the private information model, the security state of $i$ is denoted by $\sigma_i \in \{0, 1\}$, where $\sigma_i = 0$ means, in the worst-case, player $i$ is unsecured, and if $\sigma_i = 1$, then $i$ is secured in the worst-case. Similar worst-case considerations are commonly employed in diverse network security applications (see, e.g., a review on planning for supply network disruptions by Snyder et al. (2006)).
We now consider two forms of security strategies in the network: the independent security strategy and the network-optimal security strategy. While the former corresponds to the no-cooperation, i.e., individually rational scenario, the latter corresponds to the full-cooperation, i.e., the network-optimal situation. In §4, we will consider all intermediate cooperative security strategies, i.e., where a subset of firms in the network cooperatively secure themselves.

Independent Security Strategy.
Since the players are not cooperating with each other on their security actions, as noted previously, the information set of each player $i \in N$, $I(i, \{i\})$, only contains its own actions, expected penalty, and security costs. Then, player $i$ is said to be independently secured if $U_i$, as defined in (2), is minimized when $\sigma_i = 1$, for a suitable choice of $x_i$ and $y_i$. The set of all players in $N$ which are independently secured is denoted by S I. The following proposition characterizes when a player is independently secured. All proofs are provided in the e-companion.
The above proposition captures two straightforward notions in the private information setting: (i) the independent security strategy is based on a simple trade-off between the cost of security and the expected penalty incurred from not securing itself, (ii) for an agent acting independently, it is not optimal to partially invest in securing some links and not others.

Network-Optimal Security Strategy.
In this setting of full network-wide cooperation, the information set of each player contains all the security costs and expected penalties of all other players in the network. The players act to minimize the total expected security cost of the network.
We denote the set of all players in $N$ which are secured, i.e., $\sigma_i = 1$, under the above network-optimal security strategy by S. We first observe that all players that opt to be secured under the independent security strategy continue to be secured under the network-optimal strategy.
Proposition 3.2. Every player independently secured is also secured under the network-optimal security strategy, S ⊇ S I.
However, the positive externalities, inherent to this context, may result in certain nodes being secured under the network-optimal security strategy which are unsecured when acting independently. That is, we note that the above inclusion can be strict. We demonstrate this with Theorem A.1 in the e-companion.
We now provide a key result demonstrating that the network-optimal security strategy and equivalently, $U(G)$, can be computed via a network-flow algorithm. The algorithm relies on the construction of an auxiliary directed network $G^*$. We then establish a connection between the network-optimal security strategy in $G$ and the minimum weight s-cut problem in $G^*$.
Construction of the Auxiliary Network $G^*$.
The node set of $G^*$ is given by N ∪ {s, } where s and are two additional nodes not present in the original network $G$. The nodes s and represent the source and sink of the network $G^*$, respectively. The arc set of $G^*$ consists of, (i) arcs from s to each node $i \in N$ with weights $\theta_i$, (ii) arcs from $i \in N$ to $j \in N^+(i)$ with weights $\xi_{ij}$, (iii) arcs from $i \in N$ to with weights $L_i$. The construction of the auxiliary network is illustrated in Figure 1.
Also, from (1), it follows that if $x^*$ and $y^*$ denote the network-optimal security actions of the players, then, $x^*_i = 1$ if and only if $i \in X$, and, $y_{ji} = 1$ if and only if $i \in X$, $j \in X$. Therefore, from Theorem 3.3, we also immediately obtain the network-optimal security strategy. Now, note that the directed network $G^*$ has $O(|N|)$ nodes and $O(|N| + |A|)$ arcs. Thus, from the push-relabel algorithm (Goldberg and Tarjan 1988), we immediately obtain the following corollary.
In the private information model, the network-optimal security strategy resolves two distinct kinds of inefficiencies engendered by the individually rational security strategies of the players. The first inefficiency arises from the canonical under-investment of efforts resulting from a failure to internalize positive externalities. This is well recognized in the interdependent security literature (see, for example, Acemoglu et al. (2016)). Therefore, some agents for whom it was individually rational to not invest in security efforts are now secured since these erstwhile externalities are now internalized in the network-level optimization. This reflects the strategic complementarity inherent in situations with interdependent risks. The second source of inefficiency arises, in the private information model, as a consequence of security costs being privately held information. Equivalently, the non-inferability of security efforts of a player by other players who are not cooperating with it results in the inefficient duplication of security investments across the network. This provides an economic rationale for anecdotal evidence from diverse supply chain security contexts that bear out this source of inefficiency (ASEM 2013).
Finally, we note the necessity of cost-sharing mechanisms in order to implement the network-optimal security strategy. For a player in the network, given the security states of all of its direct partner firms, the network-optimal security action is not necessarily individually rational. That is, the network-optimal security strategy is not always a Nash equilibrium strategy as demonstrated by Theorem A.2 provided in the e-companion.
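
The auxiliary-network construction above, worked through in Python as an added example that is not from the paper: it builds the source/sink network for a small constructed four-firm network, finds the minimum cut with a plain Edmonds-Karp augmenting-path routine (used here in place of the push-relabel algorithm the text cites), and checks the result by enumeration. The firm names, cost values and node labels are constructed, and the independent-strategy rule (a firm secures itself alone only when $\theta_i$ plus all incoming $\xi_{ji}$ is at most $L_i$) is an assumption derived from the worst-case belief described in the text.

```python
"""Added example: network-optimal security strategy as a minimum cut."""
from collections import deque
from itertools import combinations

SOURCE, SINK = "_source", "_sink"  # labels chosen for this example


def network_optimal(theta, penalty, xi):
    """Return (minimum total network cost, set of secured players).

    theta[i]   -- cost for player i to remove its intrinsic risk
    penalty[i] -- expected penalty L_i if player i stays unsecured
    xi[(i, j)] -- cost for j to secure the arc arriving from partner i
    """
    cap = {SOURCE: {}, SINK: {}}  # residual capacities cap[u][v]

    def add_arc(u, v, weight):
        cap.setdefault(u, {})
        cap.setdefault(v, {})
        cap[u][v] = cap[u].get(v, 0) + weight
        cap[v].setdefault(u, 0)  # reverse residual arc

    for i in theta:
        add_arc(SOURCE, i, theta[i])   # cut when i secures itself
        add_arc(i, SINK, penalty[i])   # cut when i stays unsecured
    for (i, j), weight in xi.items():
        add_arc(i, j, weight)          # cut when i is unsecured, j secured

    def bfs_parents():
        """Nodes reachable from the source through positive residual arcs."""
        parent = {SOURCE: None}
        queue = deque([SOURCE])
        while queue:
            u = queue.popleft()
            for v, residual in cap[u].items():
                if residual > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent

    flow = 0
    parent = bfs_parents()
    while SINK in parent:              # augment along a shortest path
        path, v = [], SINK
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][w] for u, w in path)
        for u, w in path:
            cap[u][w] -= push
            cap[w][u] += push
        flow += push
        parent = bfs_parents()
    # Players still reachable from the source pay their penalty; the rest
    # lie on the sink side of the minimum cut and are secured.
    secured = {i for i in theta if i not in parent}
    return flow, secured


def total_cost(secured, theta, penalty, xi):
    """Network cost when exactly the players in `secured` are secured."""
    cost = sum(theta[i] for i in secured)
    cost += sum(penalty[i] for i in theta if i not in secured)
    cost += sum(w for (i, j), w in xi.items()
                if i not in secured and j in secured)
    return cost


def brute_force(theta, penalty, xi):
    """Cheapest cost over all 2^|N| secured sets (cross-check only)."""
    players = list(theta)
    return min(total_cost(set(c), theta, penalty, xi)
               for r in range(len(players) + 1)
               for c in combinations(players, r))


def independent_strategy(theta, penalty, xi):
    """Assumed rule: i secures itself and every incoming arc, or nothing."""
    secured, cost = set(), 0
    for i in theta:
        alone = theta[i] + sum(w for (_, k), w in xi.items() if k == i)
        if alone <= penalty[i]:
            secured.add(i)
            cost += alone
        else:
            cost += penalty[i]
    return secured, cost


# Constructed sample network (values are illustrative, not from the paper).
THETA = {"supplier": 4, "manufacturer": 3, "retailer": 2, "logistics": 9}
PENALTY = {"supplier": 3, "manufacturer": 6, "retailer": 10, "logistics": 1}
XI = {("supplier", "manufacturer"): 5, ("manufacturer", "retailer"): 4,
      ("logistics", "retailer"): 1}

if __name__ == "__main__":
    print("independent:", independent_strategy(THETA, PENALTY, XI))
    print("network-optimal:", network_optimal(THETA, PENALTY, XI))
```

In this sample only the retailer secures itself when acting alone, while the minimum cut also secures the supplier and manufacturer and leaves the logistics firm unsecured, so the inclusion in Proposition 3.2 is strict here.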

Security Cost Sharing Mechanisms
The next natural question is therefore to ask whether network-wide security cooperation in the private information model can be sustained with suitable cost-sharing mechanisms. Equivalently, we are interested in finding whether and when cooperation can be made individually rational, and the network-wide efficiency gains can be shared amongst the firms in a stable and fair manner. The field of cooperative game theory is well suited to address these questions. Towards that end, we first briefly review some cooperative game theory preliminaries.
Cooperative game theory primarily addresses the question of whether cooperation can be sustained across a group of agents and, closely tied to this, the problem of fairly sharing or allocating the profits (or cost savings) obtained via cooperation between those agents. A cooperative game is defined by (N, c) where N is the set of players in the game and c(·) is a characteristic function that associates to every subset (or coalition) S ⊆ N a corresponding cost c(S). The subset consisting of all players, that is, the set N itself, is known as the grand coalition. An object of frequent interest is whether the grand coalition will form and whether it remains rational for individual players, or groups of players, to remain in the grand coalition. In this work, we will only deal with cost games, i.e., where c(S) is the cost incurred by coalition S, and players act to minimize their costs. A cooperative game (N, c) is said to be subadditive if the characteristic function satisfies c(S) + c(T) ≥ c(S ∪ T) for S, T ⊆ N. Subadditivity can loosely be interpreted as offering an incentive for disjoint coalitions to cooperate. Another important property that a cooperative game can satisfy is convexity. The convexity property is stronger than the subadditivity property, and it loosely captures the intuition that the larger a coalition grows, the greater the incentive for other players to join it. Formally, c(S) + c(T) ≥ c(S ∪ T) + c(S ∩ T) for S, T ⊆ N.

Interdependent Security Cost Sharing
Consider the set of agents N situated on the graph G. Previously, the two security strategies considered represented the two extremes corresponding to no-cooperation and full-cooperation settings. We now extend the discussion to consider all intermediate levels of cooperation. That is, for any subset of agents, S ⊆ N, we define the coalition-optimal security strategy as that which minimizes the security cost of a cooperating set of agents S, We define an indicator function Υ^i_S for player i belonging to a coalition S that indicates whether player i is secured under the coalition-optimal security strategy for S in the private information model. Formally, Υ^i_S = σ_i(x_i, y_i | I(i, S)), where x_i and y_i denote the optimal solutions to (4). Further, denote the set of players secured in S under the coalition-optimal security strategy by Υ(S). That is, i ∈ Υ(S) if and only if Υ^i_S = 1. Clearly, S\Υ(S) are the players in S that are not secured under the coalition-optimal security strategy. Further, for clarity, note that Υ(N) = S . The following result demonstrates a monotonicity property satisfied by the coalition-optimal security strategy that generalizes Theorem 3.2.
Proposition 4.1 A player i ∈ S that is secured under the coalition-optimal security strategy for a coalition S ⊆ N is also secured under the coalition-optimal security strategy for a coalition T ⊇ S, i.e., if
Further, the pair (N, c) defines a cooperative game which we term the interdependent security cost sharing game. This cost sharing game corresponds to our network model based on the private information assumption as clarified in §2. In §6, we will accordingly define and analyze the appropriate cost sharing game for the public information setting.
The following proposition indicates that c(S) can also be computed in polynomial time via a similar transformation to a minimum weight cut problem on the auxiliary graph G* as in Theorem 3.3.
Proposition 4.2 c(S) is the weight of the minimum cut separating the node set N\S and the node in the auxiliary directed graph G* and thus can be computed in polynomial time.
An efficient security cost sharing mechanism is defined as φ : (N, c) → R^n such that Σ_{i∈N} φ_i = c(N). An efficient security cost sharing mechanism is said to be a core allocation, i.e., it belongs to the core if and only if it is rational for all subsets of players in N to remain in the grand coalition rather than deviate to form a coalition among themselves. That is, φ is a core allocation if and only if, The core of some cooperative games may be empty. An empty core will preclude the existence of stable cost sharing arrangements. However, in cooperative games that are also convex, it is well known that the core of such games is non-empty (Shapley 1971). The following theorem demonstrating the convexity of the interdependent security cost sharing game therefore assumes significance since it guarantees the existence of a stable cost sharing mechanism.
Theorem 4.3 The coalition-optimal security cost, c(S), is submodular in S. Thus, the interdependent security cost sharing game (N, c) always admits a stable security cost sharing mechanism.
Before we proceed to derive and analyze specific security cost sharing mechanisms, we observe that if a player is unsecured under the network-optimal security strategy, then the player is allocated L_i by all stable cost sharing arrangements as formally demonstrated in Theorem A.3. Further, we also show that there exists a simple transformation of a network G where some players are unsecured under the network-optimal security strategy to another network G where all players are secured in the network-optimal strategy and further, there exists a one-to-one correspondence between the core allocations of the interdependent security games on G and G . Thus, Theorem A.3 allows us to restrict our attention to networks G and associated cost parameter vectors such that all firms are secured under the network-optimal security strategy.

Shapley Value Based Security Cost Sharing.
The convexity of (N, c) guarantees that a well-known and commonly employed allocation in cooperative games, the Shapley value (Shapley 1953), belongs to the core. Beyond its membership in the core, the Shapley value also uniquely satisfies several natural fairness properties and has an axiomatic basis in general cooperative games. Formally, the Shapley value, Φ, allocates to a player i in a general cooperative game (N, c), The Shapley value rewards players for their marginal contributions to various coalitions, and to that extent, it can be argued as exemplifying a certain notion of fairness. Further, Φ is the unique efficient allocation characterized by the following properties (or axioms):
i. Symmetry Property: For players i and j such that for all subsets
ii. Null Player Property: For player i such that c(S ∪ {i}) = c(S) for all S ⊂ N, then Φ_i = 0.
iii. Additivity Property: The Shapley value, Φ_{1,2}, of a cooperative game, (N, c_1 + c_2), that is the sum of two cooperative games, (N, c_1) and (N, c_2), equals the sum of the Shapley values of the two games, Φ_1 and Φ_2, respectively.
Of these properties, we note that the symmetry property formalizes the idea that players which are "identical" in terms of their marginal contributions should receive an identical share of the value created by cooperation. This is, arguably, an innocent fairness criterion which, along with the marginal contribution interpretation discussed before, we shall return to later on in this work. The Shapley value is widely adopted as a cost-sharing or a profit-sharing, as the case may be, allocation method in diverse contexts, including several mentioned in §1.1, such as inventory pooling (Kemahlıoglu-Ziya and Bartholdi III 2011), capacity allocation and scheduling (Aydinliyim and Vairaktarakis 2010), group purchasing (Chen and Yin 2010), disaster preparedness (Rodríguez-Pereira et al. 2021), and so forth. However, for our game, we establish a link between the computation of the Shapley value and the classical subset sum problem. In fact, this connection demonstrates that computing the Shapley value of interdependent security games is a computationally hard problem.
Theorem 4.4 There is no polynomial time algorithm that computes the Shapley value for a given player in the interdependent security cost sharing game unless P = NP.
Further, from the proof of Theorem 4.4, we note that even for simple structures such as the assembly supply network, computing the Shapley value is hard. Beyond computational interest, the above result on the complexity of the Shapley value is of interest to us for reasons of implementation. In general, equilibrium concepts in non-cooperative game theory or solution concepts in cooperative games that are computationally intractable raise the question of whether self-interested agents can feasibly identify and implement these mechanisms in practice. For a notable special case, however, the Shapley value can be computed easily. In fact, when the expected penalties, in case of a realized risk, are sufficiently large for all players, then the Shapley value has a straightforward closed form expression.
ξ_ji for all i ∈ N, i.e., if S^I = S = N, then, the Shapley value based security cost allocation to player i ∈ N is given by,
In this scenario, when the expected penalties are sufficiently large, it is individually rational for all players to secure themselves (i.e., under the independent security strategy). That is, since all players choose to secure themselves even without cooperation, the network-optimal security strategy resolves only one kind of inefficiency, that arising from duplication of security efforts. Under the Shapley value based security cost sharing mechanism, in this scenario, the cost savings from avoiding duplication of security efforts across each link are equally shared by both parties.
Extreme Core Allocations.
However, this still leaves open the question of whether, in general inter-firm networks, there exist stable security cost-sharing arrangements sustaining network-wide cooperation that can also be computed easily. We now provide an affirmative answer to this question. Consider an arbitrary permutation π of the players in N. Then, we can define a cost-sharing allocation, x^π, corresponding to a permutation π as follows,
Proposition 4.6 For every permutation π of N, the allocation x^π is an extreme point of the core of the interdependent security cost sharing game and can be computed in polynomial time.
The proof of Theorem 4.6 relies on the convexity of the game and the characterization of the core of convex games as developed by Shapley (1971). Further, we demonstrate that the extreme core points of the interdependent security cost sharing game can be computed in polynomial time, thereby allowing us to identify easily computable and stable security cost sharing arrangements. However, it can easily be seen that extreme core allocations as identified in Theorem 4.6 do not satisfy a basic notion of fairness as embodied in the symmetry property introduced earlier.
Proposition 4.7 The security cost-sharing allocation x^π does not satisfy the symmetry property.
Our discussion, thus far, uncovers what appears to be an "impossible" trilemma: stability, fairness, and implementability. That is, when we simultaneously require a security cost-sharing arrangement to be stable (i.e., it must be individually and coalitionally rational), fair (in terms of a basic symmetry property), and implementable (in terms of ease of computability), it already proves to be too restrictive. Descriptively, this suggests why, although the welfare gains achieved by network-wide security cooperation can, in principle, be stably shared, we may still not observe such cooperation in practice. In the next section, we will delve deeper into implementability concerns. Further, and importantly, we will also attempt to find a satisfactory reconciliation of the divergence between stability, fairness, and implementability.
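The stability and fairness notions of this section can be checked numerically on a small instance. The following Python is an added example, not code from the paper, on a constructed three-firm network in which suppliers a and b are interchangeable. It assumes that c(S) is the coalition's cheapest strategy when every firm outside S is treated as unsecured, takes x^π in the standard marginal-contribution form used for convex games, and computes the Shapley value as the average of x^π over all permutations.

```python
from fractions import Fraction
from itertools import combinations, permutations

# Constructed network (sample data, not from the paper): suppliers a and b
# both feed firm c, and a and b have identical cost parameters.
THETA = {"a": 3, "b": 3, "c": 4}      # intrinsic security costs
LOSS = {"a": 2, "b": 2, "c": 20}      # expected losses if unsecured
XI = {("a", "c"): 4, ("b", "c"): 4}   # cost for c to secure each inbound link
PLAYERS = tuple(sorted(THETA))


def subsets(items):
    """All subsets of `items` as frozensets, smallest first."""
    items = tuple(items)
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def coalition_cost(S):
    """Assumed c(S): members choose who is secured; every firm outside S is
    treated as unsecured, so a secured member pays for links coming from it."""
    best = None
    for X in subsets(S):              # X = members that are secured
        cost = sum(THETA[i] for i in X) + sum(LOSS[i] for i in S - X)
        cost += sum(w for (j, i), w in XI.items() if i in X and j not in X)
        best = cost if best is None else min(best, cost)
    return best


COST = {S: coalition_cost(S) for S in subsets(PLAYERS)}


def is_submodular(c):
    """c(S) + c(T) >= c(S u T) + c(S n T) for every pair of coalitions."""
    return all(c[S] + c[T] >= c[S | T] + c[S & T] for S in c for T in c)


def marginal_vector(order, c):
    """x^pi: each player pays the cost increase it causes when it joins."""
    x, joined = {}, frozenset()
    for p in order:
        x[p] = c[joined | {p}] - c[joined]
        joined = joined | {p}
    return x


def in_core(x, c):
    """Efficient, and no coalition pays more than it would on its own."""
    if sum(x.values()) != c[frozenset(x)]:
        return False
    return all(sum(x[i] for i in S) <= c[S] for S in c)


def shapley(c, players):
    """Average of the marginal vectors over all |N|! permutations."""
    vectors = [marginal_vector(p, c) for p in permutations(players)]
    return {i: Fraction(sum(v[i] for v in vectors), len(vectors)) for i in players}


if __name__ == "__main__":
    print("submodular:", is_submodular(COST))
    for order in permutations(PLAYERS):
        x = marginal_vector(order, COST)
        print(order, x, "in core:", in_core(x, COST))
    print("Shapley:", shapley(COST, PLAYERS))
```

Every x^π lands in the core, but the order (a, c, b) charges a an amount of 2 and b an amount of -1 even though the two are interchangeable, which is the asymmetry of Proposition 4.7; averaging over all orders restores equal shares at the price of enumerating |N|! permutations.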

Bilateral and Multilateral Implementability
In §4, we considered a narrow version of implementability. Specifically, we presumed that a security cost-sharing mechanism that is easily computable is implementable. However, implementing cost-sharing mechanisms via transfer payments across the network, even between firms that are not direct partners, is administratively challenging, perhaps even infeasible. Firms often have limited visibility, let alone an ability to enter into cost-sharing arrangements with indirect network members. Therefore, in this section, we are prompted to study whether there exist stable and fair cost-sharing mechanisms that can be implemented via transfer payments only involving firms that are direct partners in the network. Indeed, since alliance networks are often comprised of a series of bilateral alliances in the first place, we develop a realistic bilateral implementation framework that can allow firms to sustain network-wide security cooperation against interdependent risks. To this end, we define the bilateral implementability of a cost-sharing allocation as follows. A cost-sharing allocation Ψ is bilaterally implementable if and only if for a given network G and associated cost parameter vectors {L, θ, ξ}, there exist differentiable functions {g_ij : j ∈ N(i)} for each player i ∈ N such that, for cost parameters belonging to an open ball B centred at (L, θ, ξ) of radius for some > 0.
That is, qualitatively, the security cost apportioned to each player i can be supported via verifiable transfer payments between only direct partners in the network. As discussed before, bilateral implementability obviates the need for transfer payments between firms that are not direct partners in the network. Consequently, since alliance networks typically expand via bilateral alliances, it also allows for sustaining network-wide cooperative security as the network structure evolves. First, we examine the bilateral implementability of the Shapley value based security cost sharing allocation discussed in §4. We introduce some definitions. For a given player i ∈ N, a set of players P ⊆ N is said to be a coalitionally rational security set for i if i is secured in the coalitional optimal security strategy for the coalition P ∪ {i}, i.e., i ∈ Υ(P ∪ {i}). We denote the set of all minimal coalitionally rational security sets for player i by G(i) and further, G(i) = P ∈G(i) P .
Theorem 5.1 Consider the Shapley value based security cost sharing allocation Φ. i) Φ is bilaterally implementable if for all players i ∈ N, i ∈ G(j) for all j ∈ N(i) such that |N(j)| > 1. ii) Φ is not bilaterally implementable if there exists a player i ∈ N such that i ∈ G(j) for some j ∈ N(i) such that |N(j)\N(i)| > 1.
Theorem 5.1 provides characterizing conditions for when the Shapley value based cost sharing arrangement is bilaterally implementable. Observe that minimal coalitionally rational security sets formalize the externalities that secured players induce on other players in the network. Therefore, roughly speaking, the above theorem demonstrates that as the extent of positive externalities of security in the network increases, the Shapley value based security cost sharing fails to be bilaterally implementable. As a corollary, we observe that for the special case discussed in Theorem 4.5, the Shapley value cost-sharing mechanism is clearly bilaterally implementable.
Theorem 5.1, in conjunction with Theorem 4.4, arguably also demonstrates the impracticality of adopting a Shapley-value based security cost sharing arrangement in all but a narrow class of networks. Specifically, since it is neither computable efficiently nor bilaterally implementable, in general, we argue that this renders it contextually untenable. We now propose a novel security cost-sharing mechanism that builds on the extreme core allocations considered in Theorem 4.6.
Extreme Core Allocations and the Agreeable Allocation.
In light of Theorem A.3, we limit our attention to networks where all firms are secured in the grand coalition. We further recall the previously defined indicator function Υ^i_S for player i ∈ S that indicates whether player i is secured under the coalition-optimal security strategy for S. That is, Υ^i_S = σ_i(x_i, y_i | I(i, S)), where x_i and y_i denote the optimal solutions to (4). We now recursively define a finite family of mutually exclusive sets S = {S_1, . . ., S } of players in the network where S_1 = {i ∈ N : Υ^i_{{i}} = 1} = S^I. For k > 1, we define S_k recursively as, where In other words, S_1 contains the players that are secured even under the independent security strategy, i.e., it is optimal for these players to secure themselves even when operating independently. Further, S_2 contains players that will be secured conditional on being in a coalition with players in S_1, and so forth. Also note that if S_k is a null set, then so is S_{k+1}. Suppose there exists ∈ Z such that S = N, then the recursive procedure generating the family of sets terminates. Denote Then, any permutation π of the players in N such that π_1, ..., π_{s_1} is a permutation of players in S_1, π_{s_1+1}, ..., π_{s_2} is a permutation of players in S_2, and so on up to, π s −1 +1 , ..., π s is a permutation of players in S is defined as an agreeable permutation. We note that it is possible in certain networks and associated cost parameter vectors for no ∈ Z to exist such that S = N. In these cases, consequently, no agreeable permutation of the players in N will exist either. Nevertheless, when the players in N can be partitioned into the family of sets as described above, or equivalently, when an agreeable permutation of the players exists, we can demonstrate, as will be shown during the course of proving Theorem 5.2, that the extreme core allocation x^π corresponding to each agreeable permutation π of N is bilaterally implementable.
Furthermore, recall that extreme core allocations are not symmetric, therefore, arguably, violating a basic notion of fairness. To remedy this, we are now in a position to propose our novel security cost sharing mechanism, the agreeable allocation, that is defined as the average of those extreme core allocations induced by all agreeable permutations of N.
Theorem 5.2 The agreeable allocation of network-wide security costs, when it exists, (i) belongs to the core, and is (ii) polynomial-time computable, (iii) symmetric, and (iv) bilaterally implementable. Further, it also satisfies (v) marginality, and the (vi) null player property. Moreover, the security cost allocated to player i by the agreeable allocation x* is given by,
Observe that the network-wide security cost apportioned to each player by the agreeable allocation depends only on its own security cost parameters and that of its direct partners, and therefore, it is bilaterally implementable. Also, importantly, we note that the agreeable allocation attempts to resolve the tension between stability, fairness, and implementability. Since it belongs to the core, when it exists, it is a stable allocation of security costs. Further, in contrast to extreme core allocations, since it satisfies symmetry and marginality, it is in accordance with basic axiomatic descriptions of fairness. Further, in contrast to the Shapley value based cost sharing arrangement, since the agreeable allocation is computable in polynomial time, and saliently, is bilaterally implementable, it also fares well with respect to implementability concerns. Finally, the closed-form expression for the agreeable allocation provided above allows for transparency in the manner in which it allocates the network-wide security costs to each individual firm. In fact, the algorithm to compute the agreeable allocation and the closed-form expression lend themselves naturally to a straightforward implementation mechanism.
We also remark that for the special case considered in Theorem 4.5, i.e., when S^I = S , the agreeable allocation exists and coincides with the Shapley value.
The agreeable allocation is indeed appealing since its bilateral implementability minimizes the coordination challenges involved in sustaining the network-optimal security strategy. However, sometimes firms that are not direct partners may regardless cooperate via suitable transfer payments when it can be mutually beneficial. Consider a network G with associated cost parameter vectors {L, θ, ξ}. Formally, for an integer δ ≥ 1, a cost-sharing allocation Ψ is said to be (δ + 1)-laterally implementable if and only if for cost parameters belonging to an open ball B centred at (L, θ, ξ) of radius for some > 0, there exist differentiable functions {g_ij : j ∈ N, d(i, j) ≤ δ} for each player i ∈ N such that Ψ_i = Σ_{j∈N, d(i,j)≤δ} g_ij where g_ij is a function solely of the security cost parameters of players i and j, and where d(i, j) denotes the distance between nodes i and j in the network G. That is, (δ + 1)-lateral implementability of a cost sharing allocation permits transfer payments between players that are at a distance of at most δ in the network. As δ increases, we expect the coordination challenges associated with the cost sharing mechanism to also increase.
While our general approach to construct a (δ + 1)-laterally implementable allocation bears some resemblance to the previous development of the agreeable allocation, there are substantial technical differences. In the interest of brevity, we provide these details in the e-companion, §EC.2. Broadly, we first identify a subset of permutations of the players in N denoted as δ-agreeable permutations (Algorithm 2). A δ-agreeable permutation can be computed via a fixed parameter tractable algorithm with respect to δ (i.e., polynomial time in |N| but not in δ). We then demonstrate that the extreme core allocation corresponding to each δ-agreeable permutation is (δ + 1)-laterally implementable (Theorem B.4). We then define the δ-agreeable allocation as the average of extreme core allocations induced by all δ-agreeable permutations of N.
The δ-agreeable allocation satisfies the generalized notion of (δ + 1)-lateral implementability while retaining the fairness and stability properties of the agreeable allocation. Since the number of δ-agreeable permutations can be exponential in |N|, the δ-agreeable allocation is, in general, not computable in polynomial time for δ > 1. However, as noted above, the δ-agreeable allocation can be computed via a fixed parameter tractable algorithm, i.e., polynomial time in |N| for a given δ. In comparison, we note that the Shapley value allocation is also not, in general, computable in polynomial time, but since it involves the consideration of all permutations of N, unlike the δ-agreeable allocation which only considers a subset of permutations of players in N, the δ-agreeable allocation is computationally less expensive, especially so when |N| is large and δ is a fixed small number. In §EC.2, we also provide Theorem B.5 that clarifies the computation of the δ-agreeable allocation and illustrates the notion of (δ + 1)-lateral implementability.
Theorem 5.4 Consider the interdependent security cost sharing game under private information.
i. If for an integer δ ≥ 1, the δ-agreeable allocation exists, then the (δ + 1)-agreeable allocation also exists and coincides with the δ-agreeable allocation.
ii. For every integer δ ≥ 1, there exist networks G with corresponding security cost parameters such that the δ-agreeable allocation does not exist but the (δ + 1)-agreeable allocation exists.
iii. The n-agreeable allocation always exists where n = |N|.
iv. The n-agreeable allocation coincides with the Shapley value allocation if and only if none of the δ-agreeable allocations exist for δ < n.
Theorem 5.4 clarifies a hierarchy of existence for δ-agreeable allocations. As δ increases, and firms that are farther away from each other in the network are allowed to cooperate with each other via suitable transfer payments, the δ-agreeable allocation is more likely to exist. However, naturally, as δ increases, arguably, the δ-agreeable allocation becomes more challenging to implement than the agreeable allocation since it requires coordination between firms that are farther away in the network. Further, it follows from Theorem 5.4(iv), and since in general, the Shapley value allocation involves transfer payments between any two firms in the network, δ-agreeable allocations are (weakly) less challenging to implement than the Shapley value.

Network Security Model With Public Information
In this section, we consider the public information model, as presented in §2, wherein all network cost parameters and actions are known to all players in the network. That is, the information set of every player i in any coalition S ⊆ N includes the security cost parameters and actions of all players in the network, I(i, S) = {θ_j, ξ_kj, L_j, x_j, y_kj : j ∈ N, k ∈ N^−(j)}. Further, since a player can observe and infer the security actions of all other players in the network, player i no longer needs to form a worst-case belief on the security state of other players j ∈ N, i.e., σ_ji = σ_j. And thus, firm i ends up minimizing its expected cost rather than its worst-case expected cost.
Characterizing the security strategy of a coalition, or even the independent security strategy, in the public information model poses some challenges. In our network security model, as is often the case in network games with public information (Galeotti et al. 2010), there could be multiple Nash equilibria. Further, in the public information setting, the actions of a player or a coalition also depend on the actions of other players, and therefore, naturally on whether other players in the network are cooperating with each other. Therefore, we cannot analyze the security actions of a player or a coalition in isolation. We instead need to consider the cooperation structure across the entire network. This is in contrast to the interdependent security cost sharing game developed in §3 wherein the security cost of a coalition S could be expressed independent of considering the actions of other players. Therefore, the interdependent security cost sharing problem under public information is modelled as a cooperative game in partition function form (see, e.g., Hafalir (2007), Fang and Cho (2020)). Formally, given a partition ρ of the players into disjoint coalitions whose union is N, the total security cost incurred by a coalition S ∈ ρ in equilibrium is denoted by c(S; ρ).
Again, we first consider the security actions of players when they are all acting independently. That is, ρ consists of singleton sets of players. Each player i ∈ N considers its security actions independently but knows all cost parameters in the network and can therefore infer the security actions of other players. Let Υ^i_{{i};ρ} be an indicator function denoting the equilibrium security state of player i acting independently where ρ is the coalition structure with all players in independent singleton coalitions. To address the multiplicity of equilibrium outcomes, we adopt a specific equilibrium selection procedure. Initially, all players choose their security actions independently without regard to the actions of other players in the network. Then, in subsequent rounds, players reassess their actions given the actions of others in preceding rounds. This procedure is formally described (Algorithm 3) in the e-companion §EC.3. Details and proofs for the results in this section are also provided in the e-supplement EC.3 in the interest of brevity.
Algorithm 3 computes an equilibrium security state of player i, Υ^i_{{i};ρ}, in polynomial time. Given a general coalition structure ρ, we denote an equilibrium security state of player i in coalition S by Υ^i_{S;ρ}. The equilibrium selection procedure described above for the case of independent coalitions can similarly be extended (Algorithm 4) to compute, in polynomial time, an equilibrium security strategy for a coalition S ⊆ N with a general partition ρ of N with S ∈ ρ.
We then obtain the total security cost of a coalition S belonging to a general coalition structure ρ of N, c(S; ρ), as follows, where S and T are (possibly identical) coalitions in ρ with i ∈ S and j ∈ T. For clarity, we note that for the grand coalition structure ρ*, i.e., when all players cooperate with each other, the total security cost under the public information and private information settings are equal, c(N; ρ*) = c(N). This is since even under the private information setting all players in the grand coalition are aware of all security cost parameters in the network.
We demonstrate that in the interdependent security cost sharing game under public information, (N, c), the grand coalition is not necessarily stable. This is in contrast to our earlier result (Theorem 4.3) that there always exists a stable security cost sharing mechanism under the private information setting. This can be explained by two drivers. First, in the public information setting, one of the benefits of cooperative security, the benefit from additional information acquisition, is removed. Thus, the benefits from cooperative security in the public information setting are arguably lower. Second, public information engenders free-riding since firms can now anticipate and observe the security actions of other firms in the network and benefit from the cooperation of other firms in the network without participating in the grand coalition and sharing security costs. Such free-rider issues have also been identified in other contexts to hinder cooperation and stability of the grand coalition in other partition function form games (see, e.g., Yi (1997)).
Proposition 6.1 The grand coalition in the interdependent security cost sharing game under public information, (N, c), is not, in general, stable to defections.
We now, however, show that the agreeable allocation can be extended to the public information setting while retaining several of its desirable properties. Notably, we prove that, analogous to Theorem 5.2, the public information version of the agreeable allocation, when it exists, satisfies individual rationality, a weaker notion of stability wherein each player is better off in the grand coalition (i.e., with full cooperation) as compared to the independent coalitions (i.e., no-cooperation) scenario.

Agreeable Allocation with Public Information.
Again, for ease of exposition, we restrict our attention to networks where all firms are secured in the grand coalition. We recursively define a finite family of mutually exclusive sets T = {T 1 , . . ., T } of players in the network where T 1 = {i ∈ N : Υ i {i};ρ1 = 1} where ρ 1 corresponds to the independent coalition structure. For k ≥ 1, we then define T 2k and T 2k+1 recursively as follows, where T k = T 1 ∪ . . . ∪ T k . Further, the coalition structure ρ k+1 contains the coalition T k and all other players in N \ T k are in independent coalitions. Also, recall that Υ i S;ρ is the equilibrium security state of player i ∈ S with the coalition structure ρ in the public information model whereas Υ i S is the coalition-optimal security state of i ∈ S in the private information setting.
T 1 contains players that are secured under the independent coalition structure. That is, in the equilibrium outcome obtained from algorithm 3, these players are secured. T 2 contains players who, if they are secured, save the costs of extrinsic security for players in T 1 and bestow a direct positive externality to the players in T 1 that outweighs their own cost of security. Thus, for the players in T 1 ∪ T 2 , it is optimal in the private information model as well to secure themselves. Further, there will be players in T 3 for whom it is individually rational to secure themselves conditional upon players in T 1 and T 2 being in a coalition together, T 1 ∪ T 2 . Successive sets of players are identified iteratively. Note that these families of sets are constructed in a very similar manner as in the private information model. The only distinction arises in (11) from observing that in a public information model, the formation of each new coalition may also trigger a change in the security actions of other players who can respond to this.
Suppose there exists ∈ Z such that T = N , then the recursive procedure generating the family of sets terminates. Again, it is possible in certain networks and associated cost parameter vectors for no ∈ Z to exist such that T = N . In these cases, consequently, no agreeable allocation will exist. Unlike in the private information setting where a closed form expression for the agreeable allocation is derived, the agreeable allocation under public information x is obtained by algorithm 5 provided in §EC.3 which takes in the family of sets T as an input.
Theorem 6.2 The agreeable allocation under public information, x, computed by algorithm 5, when it exists, is (i) individually rational, (ii) polynomial-time computable, and (iii) bilaterally implementable. Further, it also satisfies (iv) symmetry, and (v) the null player property.
Therefore, while the agreeable allocation cannot guarantee that the grand coalition is stable to defections by subsets of players (indeed no cost sharing allocation can), it still satisfies a weaker notion of stability. It ensures that all players will prefer to remain in the grand coalition structure ρ * rather than in the independent coalition structure. Further, we interestingly find that the public information version of the agreeable allocation exists if and only if the agreeable allocation as defined in the private information setting exists.
Corollary 6.3 For a given network G = (N, A) and associated security cost parameters, the agreeable allocation under public information x exists if and only if the agreeable allocation under private information x * exists.
Here, we briefly comment on some main implications of our analysis of the general partial information model in §EC.4. First, we demonstrate that the agreeable allocation can be naturally extended to the partial information model thereby generalizing Theorem 6.2. Therein, we observe that Theorem 6.3 also generalizes and the existence of the agreeable allocation is not contingent on the informational assumption in the network. Finally, and importantly, we clarify that even in the presence of partial public information in the network, the grand coalition may be unstable and that if the grand coalition is unstable with a certain level of public information in the network, it remains unstable at higher levels of information provisioning in the network.

Quasi-Homogeneous Networks
The chief deficiency of the agreeable allocation, under all informational assumptions, is that, in general, depending on the structure of the interfirm network, or the associated security costs, it may not exist. To the extent that an agreeable allocation is viewed as desirable for its fairness, bilateral implementability, and other properties as documented in Theorem 5.2 and Theorem 6.2, this offers a rationale for when inter-firm networks will find it challenging to cooperatively secure themselves. In order to examine the role of the network structure on the existence of the agreeable allocation, we now consider quasi-homogeneous networks G as networks wherein the costs of securing against intrinsic risks for firm i, θ i , are identical for all firms. Similarly, we also assume costs of securing against extrinsic risks, ξ ij , are identical across all links in the network, and the expected penalties faced by players in the event of a realized risk are also equal. Formally, a network G is said to be quasi-homogeneous if θ i = θ and L i = L for all i ∈ V , and, ξ ij = ξ for all (i, j) ∈ A.
Analyzing quasi-homogeneous networks permits us to isolate the effects of the network structure on the existence of the agreeable allocation. A priori, it is qualitatively unclear what the role of network structure would be on the existence of the bilaterally implementable agreeable allocation. For instance, denser networks can render it easier for efficient and stable cost sharing arrangements to be bilaterally implementable since there are more bilateral links. However, denser networks may also result in wider positive externalities to securing oneself necessitating multilateral cooperation.
We now introduce some graph-theoretic definitions that aid us in identifying when quasi-homogeneous networks admit and do not admit an agreeable allocation of security costs. We define a k-core of network G as an induced subgraph H of G such that the in-degree of all nodes in H is at least k. Then, a (k, )-core is a k-core H of G such that, if denotes the maximum out-degree of a node in H to the nodes in G\H, then k > . Therefore, while a k-core is a sufficiently dense induced subgraph, a (k, )-core is an induced subgraph that is sufficiently dense internally and simultaneously sparse in its connections with other nodes in the graph.
The two parts of Theorem 7.1 provide distinct sufficient and necessary conditions, respectively, for the existence of the agreeable allocation in quasi-homogeneous networks. From a descriptive standpoint, it implies qualitatively that the agreeable allocation is guaranteed to exist in (quasi-homogeneous) networks so long as they are not sufficiently locally dense. This refines our earlier intuition on the role of interfirm network structure on the existence of the agreeable allocation. Further, in graphs that contain sufficiently dense and sufficiently local clusters, the agreeable allocation is guaranteed to not exist.

Numerical Case Study
We now present a case study analyzing the feasibility of cost sharing mechanisms to sustain network-wide cooperative security in real-world interfirm networks that can face interdependent risks. Specifically, we use the Refinitiv SDC Alliance database to extract all alliances in the food manufacturing sector formed between 2006 and 2020. The database contains 2339 alliances formed between 3073 unique firms in our industry of interest. Typically, these are bilateral alliances formed between two firms, while, on occasion, alliances are formed between three or more firms. For example, one of the alliances in the database is between Optibiotix Health Plc, a biotechnology company that manufactures SlimBiome, a weight management supplement, and John Morley (Importers) Ltd, which manufactures prepared perishable foods. Optibiotix Health would supply the weight management supplement to be included in prepared muesli packs manufactured by John Morley Ltd within the UK. In this example, the presence of an interdependent risk is evident. Over time, larger networks of alliances arise and we identify 792 distinct interfirm networks. Of these, the largest connected network of firms contains 1092 nodes. The other networks are smaller, and we remove all networks consisting of only two firms since these networks trivially permit bilaterally implementable cost sharing mechanisms. We in fact restrict our attention to alliance networks that are of size at least five and we obtain exactly 50 such alliance networks. We depict two of these networks in Figure 2.
We leverage the algorithmic results obtained in previous sections to numerically test whether the agreeable allocation exists, and when it exists, compute the network-wide security cost apportioned by the allocation. These results are meant to be illustrative since the existence of the agreeable allocation naturally depends on the precise security cost parameter specifications. However, the security cost parameters and the penalties are simulated in a systematic manner. Across all simulated networks, we set the parameter θ i ∼ U [15, 25] for all firms i, and for all links between firms i and j, (i, j), where δ i = |N − |. That is, we assume that firms with more partners are larger firms and thus, also likely to incur higher reputation costs. Based on 1000 simulated runs for each of the 50 alliance networks, we make the following observations. First, we observe that in 56.7% of the simulated networks, the agreeable allocation exists. In contrast, in only 0.79% of the simulated networks, the Shapley value based security cost sharing allocation is of the form given by Theorem 4.5 and hence, bilaterally implementable. This, in conjunction with the straightforward implementation mechanism described in §5, demonstrates the practical relevance of our proposed security cost sharing allocation. Second, we find, interestingly, that the alliance network permitting the agreeable allocation to exist with the highest likelihood of 74.3%, is a star network. Finally, we observe that the networks which rarely permit the existence of the agreeable allocation, in only 2.6% and 4% of the simulations, respectively, are both completely connected networks, i.e., cliques of size six. This lends further evidence in support of Theorem 7.1 that densely connected networks preclude the existence of the agreeable allocation.
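The star-versus-clique contrast can be reproduced by hand in the quasi-homogeneous setting. The following added example (not the paper's code) runs the layer construction S 1 , S 2 , . . . described in the proof of Theorem 5.2(i) on a star, a six-clique and a six-clique with one pendant firm, and reports the in-degree core profile of the clique. The parameter values θ = 20, ξ = 10, L = 45, all function names, and reading the layer test for k ≥ 2 with the same "L at least the cost expression" direction as for S 1 are assumptions.

```python
def star(n_leaves):
    """Hub 0 with arcs in both directions to leaves 1..n_leaves."""
    nodes = list(range(n_leaves + 1))
    return nodes, {(0, v) for v in nodes[1:]} | {(v, 0) for v in nodes[1:]}


def clique(n):
    """Complete directed graph on n firms."""
    nodes = list(range(n))
    return nodes, {(j, i) for j in nodes for i in nodes if i != j}


def clique_with_pendant(n):
    """n-clique plus one extra firm n linked in both directions to firm 0."""
    nodes, arcs = clique(n)
    return nodes + [n], arcs | {(0, n), (n, 0)}


def agreeable_layers(nodes, arcs, theta, xi, L):
    """Layers S_1, S_2, ... for a quasi-homogeneous network, or None.

    Firm i joins the next layer when securing itself is worthwhile given
    that every firm in the earlier layers is already secured:
        L >= theta + xi * |unsecured in-neighbours| - xi * |secured out-neighbours|
    An empty layer before all firms are covered means no agreeable
    permutation exists.
    """
    in_nb = {i: {j for (j, k) in arcs if k == i} for i in nodes}
    out_nb = {i: {k for (j, k) in arcs if j == i} for i in nodes}
    secured, layers = set(), []
    while secured != set(nodes):
        layer = {
            i for i in nodes
            if i not in secured
            and L >= theta + xi * len(in_nb[i] - secured)
                           - xi * len(out_nb[i] & secured)
        }
        if not layer:
            return None
        layers.append(layer)
        secured |= layer
    return layers


def core_profile(H, arcs):
    """(minimum in-degree inside H, maximum out-degree from H to the rest)."""
    H = set(H)
    k = min(sum(1 for (j, i) in arcs if i == v and j in H) for v in H)
    out = max(sum(1 for (j, i) in arcs if j == v and i not in H) for v in H)
    return k, out


def max_in_core(nodes, arcs, k):
    """Largest induced subgraph whose nodes all have in-degree >= k (by peeling)."""
    H = set(nodes)
    while True:
        weak = {v for v in H
                if sum(1 for (j, i) in arcs if i == v and j in H) < k}
        if not weak:
            return H
        H -= weak


# Constructed parameters: theta < L, so securing every firm is network-optimal.
THETA, XI, PENALTY = 20, 10, 45

if __name__ == "__main__":
    cases = {"star": star(5), "clique": clique(6),
             "clique+pendant": clique_with_pendant(6)}
    for name, (nodes, arcs) in cases.items():
        print(name, agreeable_layers(nodes, arcs, THETA, XI, PENALTY))
    print("clique profile:", core_profile(range(6), clique(6)[1]))
    print("clique inside pendant graph:",
          core_profile(range(6), clique_with_pendant(6)[1]))
```

With these values the star resolves in two layers (leaves, then hub), the clique has an empty first layer, and the pendant variant stalls at the second layer.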
In the above numerical experiment, the cost parameters for all nodes in a network were drawn from the same distributions. However, in real-world networks, there is usually a significant asymmetry in the penalties incurred by firms in case of a realized risk. Consumer-facing firms typically incur substantially larger penalties than others. To incorporate this in our simulation, we obtain the Standard Industrial Classification (SIC) codes of the firms from the SDC database. We then denote firms in the retail industry (with an SIC code in the range 5200 to 5999) as consumer-facing firms. Of the 3073 unique firms in our dataset, we identify 154 such (potentially) consumer-facing firms. In our second numerical experiment, we simulate the cost parameter $L_i$ for a firm i such that a consumer-facing firm faces a larger expected penalty and the expected penalty decays exponentially with the distance from the consumer, i.e., $L_i = L_0 / c_0^{d_i}$, where $d_i = 0$ if i is a consumer-facing firm, $L_0$ is the expected penalty it faces and $c_0$ is a constant. We again perform 1000 simulation runs for each of the 50 alliance networks. Each network is then compared against a benchmark simulation wherein the penalties of all firms are drawn from the same uniform distribution with an expected penalty given by $\sum_{i \in N} (L_0 / c_0^{d_i}) / N$. This allows us to comment on the role of cost asymmetry on the existence of the agreeable allocation vis-à-vis the bilateral implementability of the Shapley mechanism. For our chosen parameter values, we find that in the benchmark network simulations, the Shapley value nearly always coincides with the agreeable allocation and is bilaterally implementable for all of the 50 networks. However, with asymmetric penalties, the Shapley value is bilaterally implementable only in 34.47% of the simulations. For 15 of the 50 networks, it was never bilaterally implementable across all 1000 runs. In contrast, the bilaterally implementable agreeable allocation exists in 71.35% of the simulated networks. Across various choices of $L_0$ and $c_0$, we recover qualitatively identical results. In summary, in real-world networks with cost asymmetries, despite the non-existence of the agreeable allocation in certain instances, the practical advantage of the agreeable allocation in terms of its bilateral implementability over the Shapley mechanism is further underscored.

Concluding Remarks
Networked firms are exposed to a variety of interdependent, or contagion, risks such as supply chain contamination, deliberate adulteration, or cybersecurity threats and data breaches. The fundamental distinction that sets apart these risks from other types of risks faced by firms is their transferable nature. In this paper, we develop a network model to study the cooperative management of interdependent risks by networked firms.
The network-wide cooperative security strategy in our interdependent risk model can be computed in polynomial time via a minimum-weight cut network flow algorithm. Assuming that the security costs and actions are private information known only to the respective players, we find that firms have a clear incentive to cooperate and that there exist stable security cost-sharing mechanisms that can sustain network-wide cooperation. However, in the presence of public information, we find that, in general, there do not exist cost-sharing mechanisms that can ensure the stability of the grand coalition. Thus, it appears that interdependence of network security is alone insufficient to sustain network-wide cooperation.
Introducing the notion of bilateral implementability, we uncover a fundamental trilemma between stability, fairness, and implementability of network security cost-sharing mechanisms. We then develop a novel cost sharing mechanism, the agreeable allocation, which attempts to balance the three notions. The agreeable allocation, when it exists, satisfies notions of stability, is formalizably fair, easily computable, and is also implementable via a series of bilateral cost sharing agreements. However, the agreeable allocation may not always exist. This, we argue, once again, demonstrates that, although cost-sharing mechanisms belonging to the core can be identified, sustaining network-wide security cooperation can still be challenging and therefore, may not always be possible in practice. We then construct δ-agreeable allocations that satisfy the general notion of (δ + 1)-implementability which permits firms that are not direct partners to also enter into cost-sharing agreements if they are at a distance of at most δ from each other in the network. As δ increases, the δ-agreeable allocation is more likely to exist. However, as δ increases, we also expect the coordination challenges to increase thereby highlighting a fundamental trade-off.
Moreover, to study the role of network structure on the existence of the agreeable allocation, we consider quasi-homogeneous networks (i.e., networks with homogeneous costs of security and expected penalties in case of realized risk), and find that networks without sufficiently dense clusters admit an agreeable allocation, whereas networks containing sufficiently dense and local clusters do not permit an agreeable allocation of network-wide security costs. Finally, using the SDC alliance database, we extract all alliances formed in the food manufacturing sector between 2006 and 2020. With numerical experiments and simulated cost parameters, we argue the practical feasibility and relevance of employing the agreeable allocation as a bilateral security cost-sharing mechanism in real-world alliances to sustain network-wide cooperative security against interdependent risks. This work develops, to the best of our knowledge, for the first time, an economic theory of cooperative security against interdependent risks in networks. However, we acknowledge several limitations and open problems arising from our study.
Limitations. Certainly, there are some important questions that remain to be answered. First, for instance, the question of the general existence (or non-existence) of a bilaterally implementable and stable cost sharing mechanism remains open. Second, and crucially, in this paper, we consider interfirm networks characterized by repeated and ongoing interactions between firms. Thus, a vulnerable firm is nearly certain to transfer risks to its partner firms if the partner firms do not secure the corresponding link. A richer model of interdependent security would allow for a stochastic transmission and propagation of risk in the network. However, this richer stochastic model of interdependent network security is challenging to analyze. Particularly, the characterization of cooperative security strategies in this stochastic model of interdependent security is a non-trivial problem. Finally, we assume that the considered networks are static whereas, in reality, networks tend to change dynamically, with new alliances being formed, and existing alliances being broken over time. Bilaterally implementable cost-sharing mechanisms, in particular, may be well-suited to sustain cooperation in dynamic alliances, as we have noted earlier.

A Proofs and Technical Results
Proof of Theorem 3.1. Consider a player i ∈ N . First, note that under the independent security strategy, the worst-case security state of player i as a function of its information set and security actions is given by, Therefore, σ i = 1 if and only if x i = y ji = 1 for all j ∈ N − (i). Further, if σ i = 0, then U i is minimized when x i = y ji = 0 for all j ∈ N − (i). We now analyze these two cases in succession. If σ i = 0, then the minimum worst-case expected cost ξ ji . Therefore, player i is independently secured, i.e., belongs to S I when U i is minimized at σ i = 1. That is, i ∈ S I if and only if
Proof of Theorem 3.2. Suppose that player k ∈ N is secured under the independent security strategy. We will now show that k will remain secured under the network-optimal security strategy. Consider U (G) and let x * i , y * ji for j ∈ N − (i) denote the network-optimal security actions by any player i ∈ N . Suppose, to the contrary, that k is unsecured in the network-optimal security strategy, that is, x * k = y * jk = 0 for j ∈ N − (k). Consider an alternate security strategy such that x i = x * i and y ji = y * ji for all i ≠ k and j ∈ N − (i), and x k = y jk = 1 for j ∈ N − (k). Then, it is clear from (1) that the security state of every player remains the same except for k who is now secured under the new security strategy. Therefore, The inequality follows from Theorem 3.1 yielding a contradiction to the minimality of U (G). Therefore, k has to remain secured under the network-optimal security strategy. Consequently, S I ⊆ S .
Proof of Theorem 3.3.
Let σ * i denote the network-optimal security state of player i, i.e., σ * i = 1 if and only if i ∈ S . Further, let us denote by x * i , and y * ji for j ∈ N − (i), the network-optimal security actions by player i ∈ N . We first note that for i ∈ S from (1) with S = N , x * i = 1, and y * ji = 1 for all j ∈ N \S . Further, y * ji = 0 for all i, j ∈ S since if players i and j are both secured, it is not optimal to secure the links between them. Moreover, for i ∈ N \S , that is when i is unsecured, it is not optimal for i to partially secure itself from intrinsic or extrinsic risks. Therefore, x * i = 0, and y * ji = 0 for all j ∈ N \{i}. Then, Now, consider the auxiliary network G * and the minimum weight directed cut (X, X) separating s and in G * with source s ∈ X and sink ∈ X. The minimum weight directed cut in this network identifies X and X such that the sum of weights on arcs directed from X to X is minimized. The sum of weights of these arcs is given by, Comparing the expressions, w(X, X) and U (G) are simultaneously minimized when X = S and X = N \S . This completes the proof.
The following example demonstrates that the network-optimal security actions are not always individually rational for the players. Thus, cost-sharing mechanisms are required for firms to adopt and sustain the network-optimal security strategy.
It is easily seen that the network-optimal security strategy secures both players. However, even given that 1 is secured, it is still not individually rational for 2 to secure itself since its expected penalty is lower than its intrinsic security cost. Thus, the network-optimal security strategy is not a Nash equilibrium strategy. This example demonstrates that in order to implement and sustain the network-optimal security strategy, transfer payments between the players are necessary.
Proof of Theorem 4.1. Suppose S ⊂ T and let Υ(S), Υ(T ) denote the set of secured players under the coalition-optimal security strategies of coalitions S and T , respectively. Then, let X denote Υ(S)\Υ(T ), Y = Υ(S) ∩ Υ(T ), and Z = Υ(T )\Υ(S). Then, if X is an empty set, then our proof is complete, since, then Υ(S) ⊆ Υ(T ). Therefore, suppose X is not an empty set. Then, consider the change in the coalition-optimal security cost c(T ) if the nodes in X were also secured. The change in the coalition-optimal security cost will be given by, θ(X) consider the change in the coalition-optimal security cost c(S) if the set of players in X were to be unsecured. Then, the change in c(S) is given by, the non-negativity of the security cost parameters. This yields a contradiction, and therefore, X has to be an empty set. Thus, Υ(S) ⊆ Υ(T ) and any player i ∈ S secured under the coalition-optimal security strategy for S, i.e., Υ 1 S = 1, is also secured under the coalition-optimal security strategy for T , i.e., Υ 1 T = 1. This completes the proof.
Proof of Theorem 4.2. Consider c(S), as defined in (4), and let σ i denote the coalition-optimal security state of player i in coalition S. For all i ∈ S such that σ i = 1, i ∈ S. That is, S denotes the set of players in S that are secured under the coalition-optimal security strategy. Further, let us denote by x i , and y ji for j ∈ N − (i), the coalition-optimal security actions by player i ∈ S. We note that for all i ∈ S, from (1), x i = 1 and y ji = 1 for all j ∈ N \ S. Further, y * ji = 0 for all i, j ∈ S, since, if players i and j are both secured, it is not optimal (with respect to (4.2)) to secure the links between them. Moreover, similarly, for i ∈ N \ S, that is when i is unsecured under the coalition-optimal security strategy, it is not optimal to partially secure i from intrinsic or extrinsic risks. Therefore, for i ∈ N \ S, x i = 0 and y ji = 0 for all j ∈ N \{i}. Thus, Now, consider the auxiliary network G * and the minimum weight directed cut (X, X) separating the node and the node set {s} ∪ N \S in G * with {s} ∪ N \S ∈ X and sink ∈ X. This constrained minimum weight directed cut in this network identifies X and X such that the sum of weights on arcs directed from X to X is minimized. The sum of weights of these arcs is given by, From comparing the expressions, w(X, X) and c(S) are simultaneously minimized when X = S ∪ { } and X = N \ S. This completes the proof.
Proof of Theorem 4.3. Consider coalitions S and T such that T = S ∪ {j} and i ∉ S. Denote S = S ∪ {i} and T = T ∪ {i}. Suppose that i ∉ Υ(T ), that is player i is not secured in the coalition T , then, from Theorem 4.1, player i is not secured in the coalition S either, i ∉ Υ(S ). Therefore, c(T ∪ {i}) = c(T ) + L i and c(S ∪ {i}) = c(S) Finally, suppose i ∈ Υ(S ). Then, again, from Theorem 4.1, i ∈ Υ(T ). Let us denote Υ(S) = Υ 1 . We then consider the intersections of the secured sets of the coalitions S , T , and The intersections of Υ(S), Υ(S), Υ(S), and Υ(S) are depicted for clarity in Figure 3. We now consider three exhaustive subcases.
In subcase (i), we consider j ∈ Υ(T ). This implies j ∈ Υ(T ) as well. Further, since, by Theorem 4.1, all players secured in S are also secured in T , it therefore follows that Υ Now, from the optimality of Υ(S) = Υ 1 , we obtain that if the set of players in Υ 2 were also to be secured in S, then, Similarly, from the optimality of Υ(T ) = Υ 1 ∪ Υ 2 ∪ Υ 3 ∪ Υ 4 ∪ Υ 5 ∪ {i, j}, if the set of players in Υ 5 were to be unsecured instead, then, Summing (8)-(10), we obtain, which yields a contradiction since by assumption, parameters θ i and ξ ji are positive for all i ∈ N and (j, i) In subcase (ii), we consider j ∉ Υ(T ) but j ∈ Υ(T ) and in subcase (iii), we consider j ∉ Υ(T ). Using arguments similar to subcase (i), we can demonstrate that in both these subcases, c(T ) − c(T ) ≤ c(S ) − c(S). Furthermore, by induction, for any coalitions S and T such that S ⊂ T ⊂ N , and for i ∉ T , c(T ∪ {i}) − c(T ) ≤ c(S ∪ {i}) − c(S). Thus, the coalition-optimal security cost c(S) is submodular in S.
Finally, therefore it follows from Shapley (1971), that the interdependent security cost sharing game has a non-empty core, i.e., there exists a stable security cost sharing mechanism.
The following observation notes that if a player is unsecured under the network-optimal security strategy, then, the player is allocated L i by all stable cost sharing arrangements.
Lemma A.3 Consider i ∈ N such that i ∉ S and an arbitrary core allocation φ of the interdependent security cost sharing game on network G.
i. φ allocates to player i, φ i = L i .
ii. Define G as the induced subgraph of G on the node set N \{i}. Further, let θ j = θ j + ξ ij for j ∈ N + (i), and let all the other security cost parameters of G be identical to the corresponding costs in G. Then, there exists a one-to-one correspondence between the core allocations of the interdependent security games on G and G , respectively.
While analyzing security cost sharing mechanisms, Theorem A.3 also allows us to restrict our attention to networks G and associated cost parameter vectors such that all firms are secured under the network-optimal security strategy.
Proof of Theorem A.3. Consider i ∈ N such that i ∉ S . That is, i is not secured under the network-optimal security strategy. Then, suppose φ is an arbitrary core allocation of the corresponding interdependent security cost sharing game. Suppose the cost allocated to i by φ, φ i > L i . This leads to a contradiction since c({i}) = L i by Theorem 3.2 and c({i}) < φ i implying φ cannot be a core allocation. Suppose instead that φ i < L i . Note that, since i ∉ S , c(N \{i}) = c(N ) − L i . Since φ belongs to the core, it is an efficient allocation, and therefore, φ(N \{i}) = c(N ) − φ i > c(N ) − L i = c(N \{i}), again leading to a contradiction to the coalitional rationality of core allocations. Thus, φ i = L i . This completes the proof of part (i) of the lemma.
Consider the associated interdependent security cost sharing game (N \{i}, c ) defined on G . Since i ∉ S , it follows from Theorem 4.1 that it is not secured under the coalition-optimal security strategy for any coalition in N . Thus, it follows from (1) that for any player j that is secured under a coalition-optimal security strategy for any coalition, y ij = 1. Therefore, from (4), for any subset S ⊆ N \{i}, it follows that c (S) = c(S). Finally, from part (i) of the lemma, since player i is allocated L i by all core allocations in (N, c), for any core allocation φ in (N \{i}, c ), consider its extension to an allocation φ in (N, c) such that φ j = φ j for all j ∈ N \{i} and φ i = L i . It follows that since φ is a core allocation in (N \{i}, c ), φ is efficient and also satisfies all the core inequalities given by (7) in (N, c). The reverse direction also follows by identical arguments. This demonstrates a one-to-one correspondence between the core allocations of (N, c) and (N \{i}, c ).
Proof of Theorem 4.4. Consider an assembly network (or, also termed a star network), where N denotes the set of players in the network, and the set of arcs A = {(i, j) : i ∈ N \{0}, j = {0}}. Thus, node 0 corresponds to the assembler in the network (or, the central node in the star network). Further, we assume that L i for all i ≠ 0 is sufficiently large such that it is optimal for i to be independently secured. Further, assume that θ 0 + Σ i∈N \{0} ξ i0 > L 0 and therefore, node 0 will not be secured independently. Also, assume that L 0 > θ 0 . Since all the other nodes in N will be secured under the network-optimal security strategy, it is also optimal for 0 to be secured under the network-optimal security strategy. Also, therefore, note that player 0 will be secured in a coalition S that contains 0, i.e., 0 ∈ Υ(S) if and only if If Φ i denotes the security cost allocated to player i by the Shapley value based security cost sharing mechanism, then, from (12) and (16), Φ i < θ i if and only if there exists a subset T in N \{i}, where T = N \(S ∪ {i}), . This is a generalization of the classical subset sum problem in which given a set of integers, the problem is to identify whether there exists a subset that sums to a prespecified target value. Since the classical subset sum problem is well-known to be NP-complete, it follows that determining whether Φ i < θ i is also NP-complete. This concludes the proof.
Proof of Theorem 4.5. Note that when L i > θ i + Σ j∈N − (i) ξ ji , then, from Theorem 3.1 and Theorem 4.1, player i ∈ S is always secured under the coalition-optimal security strategy for any such coalition S. Therefore, it follows from (4) that c(S) = Σ i∈S θ i + Σ j∈N − (i),j∈N \S ξ ji . Now, for each i ∈ N , define a corresponding cooperative game given by the characteristic function c i (S) for S ⊆ N as follows: It can be easily seen that the Shapley value of (N, c i ) allocates to player i, ξ ji and for all players j ≠ i, Φ j (N, c i ) = 0. Furthermore, for each arc a = (j, i) ∈ A, define a corresponding cooperative game given by the characteristic function c a (S) for S ⊆ N as follows: Again, from the symmetry property, it can be seen that the Shapley value of (N, c a ) allocates to players i and j, Φ i (N, c a ) = Φ j (N, c a ) = −ξ ji /2 and for all players k ≠ i, j, Φ k (N, c i ) = 0. Finally, note that for each S ⊆ N , c(S) = Σ i∈N c i (S) + Σ a∈A c a (S). Therefore, from the additivity property, the Shapley value based security cost allocation is given by,
Proof of Theorem 4.6. Theorem 4.3 demonstrates that the interdependent security cost sharing game is convex. Further, from Theorems 3 and 5 in Shapley (1971), the allocation x π , also sometimes denoted as marginal worth vectors, is an extreme point of the core. Finally, for any permutation π of N , from Theorem 4.2, both c({π 1 , π 2 , ..., π i }) and c({π 1 , π 2 , ..., π i−1 }) can be computed in polynomial time, and therefore, so can x πi for all i ∈ N .
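As an added illustration (not code from the paper), the following evaluates c(S) by brute force from the cost structure used in the proof of Theorem 4.2, builds the marginal vectors x π of Theorem 4.6, and checks the Shapley value against the closed form implied by the decomposition c = Σ c i + Σ c a in the proof of Theorem 4.5. It uses the parameters of the two-player network in the proof of Theorem 4.7 and a constructed three-firm network; the function names and the explicit closed form (θ i plus half of i's incoming link costs minus half of its outgoing ones) are derived here and are assumptions to that extent.

```python
from fractions import Fraction
from itertools import combinations, permutations


def make_cost(theta, xi, L):
    """Characteristic cost c(S): the cheapest choice of which members of S to
    secure. A secured member i pays theta[i] plus xi[(j, i)] for every
    in-neighbour j that is not secured; an unsecured member pays L[i]."""
    in_nb = {i: [j for (j, k) in xi if k == i] for i in theta}
    cache = {}

    def c(S):
        S = frozenset(S)
        if S not in cache:
            options = []
            for r in range(len(S) + 1):
                for U in map(frozenset, combinations(sorted(S), r)):
                    options.append(sum(
                        (theta[i] + sum(xi[(j, i)] for j in in_nb[i] if j not in U))
                        if i in U else L[i]
                        for i in S))
            cache[S] = min(options)
        return cache[S]
    return c


def marginal_vector(order, c):
    """x^pi: each player pays its marginal cost on joining its predecessors."""
    return {p: c(order[:k + 1]) - c(order[:k]) for k, p in enumerate(order)}


def shapley(players, c):
    """Shapley value as the average of the marginal vectors over all orders."""
    orders = list(permutations(players))
    return {p: Fraction(sum(marginal_vector(o, c)[p] for o in orders), len(orders))
            for p in players}


def shapley_closed_form(theta, xi):
    """Closed form derived from c = sum_i c_i + sum_a c_a (assumption of this
    example); valid only when L_i > theta_i + sum_j xi_ji for every i."""
    return {i: Fraction(theta[i])
               + Fraction(sum(v for (j, k), v in xi.items() if k == i), 2)
               - Fraction(sum(v for (j, k), v in xi.items() if j == i), 2)
            for i in theta}


def subsets(players):
    return [frozenset(U) for r in range(len(players) + 1)
            for U in combinations(players, r)]


def is_submodular(players, c):
    """Exhaustive check of the inequality proved in Theorem 4.3."""
    sets = subsets(players)
    return all(c(T | {i}) - c(T) <= c(S | {i}) - c(S)
               for T in sets for S in sets if S <= T
               for i in players if i not in T)


def in_core(x, players, c):
    """Efficient, and no coalition is charged more than its own cost c(S)."""
    return (sum(x.values()) == c(players)
            and all(sum(x[i] for i in S) <= c(S) for S in subsets(players)))


# Parameters of the two-player network in the proof of Theorem 4.7.
TWO = dict(theta={1: 5, 2: 5}, xi={(1, 2): 10, (2, 1): 10}, L={1: 100, 2: 100})
# Constructed three-firm network (not from the paper): arcs 1->2, 2->3, 1->3.
THREE = dict(theta={1: 4, 2: 6, 3: 5}, xi={(1, 2): 3, (2, 3): 2, (1, 3): 7},
             L={1: 50, 2: 50, 3: 50})

if __name__ == "__main__":
    c2 = make_cost(**TWO)
    print("x^(1,2):", marginal_vector((1, 2), c2))
    print("x^(2,1):", marginal_vector((2, 1), c2))
    c3 = make_cost(**THREE)
    print("Shapley:", shapley([1, 2, 3], c3))
    print("closed form:", shapley_closed_form(THREE["theta"], THREE["xi"]))
    print("submodular:", is_submodular([1, 2, 3], c3))
```

The two marginal vectors of the two-player network treat the identical players differently, while their average, the Shapley value, charges each player the same amount.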
Proof of Theorem 4.7.We demonstrate that the security cost sharing allocation x π does not, in general, satisfy the symmetry property, by considering a 2-player example.Consider a network given by the node set N = {1, 2} and the arc set S = {(1, 2), (2, 1)}.Further, let the security cost parameters be given by θ 1 = θ 2 = 5, and ξ 12 = ξ 21 = 10, and finally, L 1 = L 2 = 100.Clearly, the security incurred by each coalition, i.e., the characteristic cost function of the associated cooperative game is given by c(φ) = 0, c Proof of Theorem 5.1.Denote ∆(S, i) := c(S ∪ {i}) − c(S).Indeed, the Shapley value allocates to player i, where . Note that k(|S|, n) depends only on |S| and not on the security cost parameters of the players in S.
Part (i).We consider the computation of ∆(S, i).We prove that if the given conditions hold, then the Shapley value is bilaterally implementable.Suppose i / ∈ G(j) for all j ∈ N (i).Then, for all S, the security states of players in S remains the same under the coalitionally optimal strategy for S ∪{i}.Therefore, ∆(S, i) is either L i or θ i + j∈S\Υ(S),j∈N − (i) ξ ji − j∈Υ(S),j∈N + (i) ξ ij .In both cases, ∆(S, i) only contains parameters involving i and its direct partners.
Then, suppose i ∈ G(j) for some neighbors j, but |N (j)|= 1 for all such j, that is, i is the only direct partner of j whenever it belongs to a minimal coalitionally rational set for j.Then, again, by similar arguments as before, ∆(S, i) is either −L i or only contains parameters involving i and other direct partners of i.Therefore, it follows, from (20), that Φ is bilaterally implementable.
Part (ii).Now, suppose there exists a player i ∈ N such that i ∈ G(j) for some j ∈ N (i) such that |N (j)\N (i)|> 1.That is, suppose there exists some P such that P ∪ {i} is a minimal coalitionally rational security set for j.Then, clearly, there exist sets S such that P ⊂ S, j ∈ S and a neighbor of j that is not a neighbor of i, say k, that is, k ∈ N (j)\N (i) also belongs to S. Also, suppose i / ∈ S and S does not contain any other minimal coalitionally rational security set for j.Then, j / ∈ Υ(S) but j ∈ Υ(S ∪ {i}).Now, we have three possible cases.If k ∈ Υ(S), then, ∆(S, i) will contain the term −ξ jk .If k / ∈ Υ(S) but k ∈ Υ(S ∪ {i}), then, ∆(S, i) will contain the terms L k and θ k where k / ∈ N (i).Finally, if k / ∈ Υ(S ∪ {i}), then, ∆(S, i) will include the term θ kj .Thus, in all three cases, from (20), it also follows that Φ i will include linear terms involving a player k that is not a partner of i, thereby violating the bilateral implementability of Φ.
Proof of Theorem 5.2.The agreeable allocation, denoted by x , belongs to the core since it is a convex combination of a subset of extreme points of the core.We now demonstrate that it also satisfies all the other properties.
i. Polynomial-time computability. We first present an algorithm that computes $S_1$ to $S_l$ in polynomial time. Then, given $S_1$ to $S_l$, we provide a closed-form expression for the allocation $x$. Denote $n = |N|$. From Theorem 3.1, it follows that the set $S_1$ can be identified in polynomial time by checking whether $L_i \ge \theta_i + \sum_{j \in N^-(i)} \xi_{ji}$ for each $i \in N$. If $S_1 = \emptyset$, then no agreeable permutation exists. Iteratively, suppose for $k \ge 2$, $S_1, \ldots, S_{k-1}$ is known. Compute $S_{k-1}$. If $S_{k-1} = N$, then we terminate with $l = k - 1$. Otherwise, for each $i \in N \setminus S_{k-1}$, if $\Upsilon_i^{S_{k-1} \cup \{i\}} = 1$, then, $i \in S_k$. To verify whether $\Upsilon_i^{S_{k-1} \cup \{i\}} = 1$, since all players in $S_{k-1}$ are secured, it involves comparing $L_i$ with $\theta_i + \sum_{j \in N \setminus S_{k-1} \cap N^-(i)} \xi_{ji} - \sum_{j \in S_{k-1} \cap N^+(i)} \xi_{ij}$. Thus, $S_k$ can be constructed in polynomial time. If $S_k = \emptyset$, then again, no agreeable permutation exists.

Now that we have $S_k$ for $k = 1, \ldots, l$, we note that the extreme core allocation corresponding to any agreeable permutation allocates to a player $i \in S_k$, (i) its own cost of intrinsic security, $\theta_i$, (ii) the cost of extrinsic security with respect to players not in $S_k$, (iii) the security cost savings generated for the players in $S_{k-1}$, (iv) finally, the cost of extrinsic security and the security cost savings generated with respect to its partners also in $S_k$. Consider partners $i$ and $j$ in $S_k$. For exactly half of the agreeable permutations, $i$ shall appear before $j$ in the permutation, whereas for exactly half the permutations, $j$ shall appear before $i$. Since the agreeable allocation is a convex combination of the extreme core allocations induced by all agreeable permutations, we have,

ii. Efficiency.
Efficiency follows from the fact that the defined allocation is a convex combination of efficient allocations.
Observe that in the definition of the allocation defined by a permutation, the allocation is always the marginal contribution of the player $i$ to the coalition of every player that appears earlier in the permutation. Clearly, this has the marginality property. Since $x$ is a linear combination of such marginal allocations, $x$ has the marginality property too.

iv. Null player property.
Observe that for every allocation defined by some permutation $\pi$, the payoff of a player $i$ is $c(S \cup \{i\}) - c(S)$ for some $S$. This difference is a constant $c$ if $i$ is a dummy player. The proposed allocation suggests a convex combination of these payoffs, which, in this case, is a convex combination of $c$, which is $c$.

v. Symmetry.
Observe that if two players $i$ and $j$ are symmetric, then $\exists k$ such that $\{i, j\} \subseteq S_k$. But, now, from (20), it follows that their security cost allocations are identical.
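The iterative construction of $S_1, \ldots, S_l$ from part i of the proof above, as an added Python example that is not from the paper. It assumes that the set of players already secured at step $k$ is the union of the earlier sets; the function names and the sample instances are constructed for illustration, with the complete-graph parameters taken from the complete-graph example later in this appendix.

```python
"""Layer construction S_1, ..., S_l from part i of the proof (added example)."""


def agreeable_layers(players, L, theta, xi):
    """Return the layers [S_1, ..., S_l], or None if some layer is empty.

    xi[(j, i)] is the cost player i pays to secure the link from partner j,
    so j is an in-neighbour of i (j in N^-(i)) and i an out-neighbour of j.
    Assumption: "already secured" means the union of all earlier layers.
    """
    in_nb = {i: [j for (j, t) in xi if t == i] for i in players}
    out_nb = {i: [t for (s, t) in xi if s == i] for i in players}
    secured, layers = set(), []
    while len(secured) < len(players):
        layer = []
        for i in players:
            if i in secured:
                continue
            # Links from partners that are not yet secured must be secured by i.
            extrinsic = sum(xi[(j, i)] for j in in_nb[i] if j not in secured)
            # Securing i saves each already-secured partner j the cost xi_ij.
            savings = sum(xi[(i, j)] for j in out_nb[i] if j in secured)
            if L[i] >= theta[i] + extrinsic - savings:
                layer.append(i)
        if not layer:
            return None  # construction stalls: no agreeable permutation
        layers.append(layer)
        secured.update(layer)
    return layers


def complete_graph_instance(n, delta):
    """Complete graph with theta_v = 0, xi_uv = 1, L_v = n - delta - 1."""
    players = list(range(1, n + 1))
    xi = {(u, v): 1 for u in players for v in players if u != v}
    L = {v: n - delta - 1 for v in players}
    theta = {v: 0 for v in players}
    return players, L, theta, xi


# Constructed instance: a directed chain 1 -> 2 -> 3.
CHAIN = (
    [1, 2, 3],
    {1: 5, 2: 3, 3: 3},        # L_i
    {1: 2, 2: 2, 3: 2},        # theta_i
    {(1, 2): 2, (2, 3): 2},    # xi_ji keyed by arc (j, i)
)

# Constructed instance: player 2 secures only for the saving it gives player 1.
EXTERNALITY = ([1, 2], {1: 10, 2: 2}, {1: 1, 2: 4}, {(2, 1): 3})

if __name__ == "__main__":
    print(agreeable_layers(*CHAIN))
    print(agreeable_layers(*EXTERNALITY))
    print(agreeable_layers(*complete_graph_instance(5, 2)))
```

On the chain, each player joins one step after its upstream partner is secured; on the complete graph with $\delta = 2$ the first layer is already empty, so the construction reports that no agreeable permutation exists.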
Algorithm 1 Augmenting valid permutations corresponding to δ-MRS
Output: A valid permutation ζ of players that appear in at least one of the sets in R

Proof of Theorem B.3. From Theorem B.1, we know that for any $j$, all nodes in S ∪ {v j 1 , . . ., v j j } are secured. Observe that any coalition of the form S ∪ {v 1 1 , . . ., v i i } is the union of $S$ and $i$ δ-MRS sets of $S$. When players join a coalition, we know, from Theorem 4.1, that players that are secured in the original coalition continue to remain secured. This implies all players in S ∪ {v 1 1 , . . ., v i i } are secured. This completes the proof.
We are now in a position to employ the notion of valid permutations to construct a δ-agreeable permutation. For clarity, let us denote a valid permutation of players that appear in at least one of the sets in $R_\delta(S)$ obtained from algorithm 1 by $\zeta(S)$.
ii. Consider a complete graph $G = (V, A)$ of size $n$. For each $v \in V$, let $\theta_v = 0$. For each $u, v \in V$, let $\xi_{uv} = 1$. Let $L_v = n - \delta - 1$. Now, any subset $S \subseteq N$ with $\delta$ or fewer players has no incentive to secure itself, because each player in $S$ will have to secure itself from the extrinsic risk from the players in $N \setminus S$. But if $|S| \le \delta$, $|N \setminus S| \ge n - \delta$. Given each $\xi_{uv} = 1$, each player incurs a cost of $n - \delta$ to secure itself, while the expected penalty from being unsecured is only $n - \delta - 1$. Thus, there exist no $(\delta - 1)$-MRS. Therefore, a $(\delta - 1)$-agreeable allocation does not exist. On the other hand, any set of $\delta + 1$ players has an incentive to secure themselves in the above example, implying the existence of a $(\delta + 1)$-agreeable allocation.
iii. An $n$-agreeable allocation always exists because by definition, we consider the scenario where all players in the network-optimal security strategy are secured.

iv. Suppose δ-agreeable allocation does not exist for $\delta = n - 1$. This necessarily implies that all $n$ players are added in the first iteration of algorithm 2. This means all $n!$ permutations of the $n$ players are valid permutations. Now, it is a well-known result that the average of all $n!$ extreme allocations in a cooperative game is the Shapley value. To prove the converse, we show that at least one of the $n!$ permutations is not included in the averaging if δ-agreeable allocation exists for some $\delta \le n - 1$. If δ-agreeable allocation exists for some $\delta \le n - 1$, then, it necessarily means that all $n$ players were not added to the permutation $\varphi$ in the first iteration of algorithm 2 since the first iteration can only add at most $\delta$ players. This indicates that there were at least two iterations within algorithm 2. Now, let $v_1$ be a node added in the first iteration of algorithm 2 and $v_2$ be a node added in the second iteration. Any permutation starting $\varphi = (v_2, v_1, \ldots)$ is not a valid permutation, and hence is not included in the averaging. Thus, the δ-agreeable permutation cannot be the Shapley value. Further, from (i), it follows that the $n$-agreeable permutation coincides with the δ-agreeable permutation and therefore, cannot be the Shapley value either.

Now, we illustrate the computation of the δ-agreeable allocation with an example, and also clarify the notion of $(\delta + 1)$-lateral implementability. First, it is easily seen that in this network, the agreeable allocation does not exist. To see this, observe that for each of the players $\{1, 5\}$, it is individually rational to secure themselves and therefore, $S_1 = \{1, 5\}$. However, $S_2$ is empty because players 2, 3, and 4 will not be secured even conditional on being in a coalition with $\{1, 5\}$. Therefore, $S_2$ is empty, implying there does not exist an integer $l$ such that $S_l = N$. Thus, the agreeable allocation does not exist.

Now, let us consider the δ-agreeable allocation, and we shall demonstrate that it exists for $\delta = 2$. First, we construct all δ-agreeable permutations of the players in $N$ according to algorithm 2. To do so, note that for $S_0 = \emptyset$, the δ-minimal rational security sets, $R_\delta(S_0)$, are exactly the singleton sets, $\{1\}$, and $\{5\}$ since it is individually rational for these players to secure themselves. Thus, $S_1 = \{1, 5\}$. Then, the δ-minimal rational security sets for the coalition $S_1$, $R_\delta(S_1)$, is achieved for $\delta = 2$, and consists of the sets $\{2, 3\}$ and $\{3, 4\}$, since it is rational for players 2 and 3 (and 3 and 4) to both be secured when they are jointly in a coalition with $\{1, 5\}$. Thus, the set of valid permutations of players 2, 3, and 4, from algorithm 1 are the ordered sets: $\{2, 3, 4\}$, $\{3, 2, 4\}$, $\{3, 4, 2\}$, and $\{4, 3, 2\}$.
By considering and averaging the extreme core allocations corresponding to each agreeable permutation, as depicted below, we obtain the 2-agreeable allocation.
Therefore, the 2-agreeable allocation is given by,

To observe that the 2-agreeable allocation is not bilaterally implementable, notice that the cost allocated to player 2, $x_2^*$, includes terms $\xi_{43}$ and $\xi_{35}$ that do not involve player 2. Similarly, $x_4^*$ includes terms $\xi_{23}$ and $\xi_{35}$ that do not involve player 4. Thus, the cost allocated to players 2 and 4 is not expressible in the form of equation 7. However, it is trilaterally implementable.
Algorithm 4 An equilibrium security strategy for a coalition under public information

The objective of the minimization problem can again be mapped onto the weight of a minimum directed cut separating the node set $(N \setminus S) \setminus X$ from the node set $l \cup (X \setminus S)$ in the auxiliary directed graph $G^*$. Thus, the minimization problem can also be solved in polynomial time. Therefore, algorithm 4 runs in polynomial time. The proof that $\Upsilon_i^{S;\rho}$ is an equilibrium outcome is identical to the arguments in the proof of Theorem C.1 and thus we omit them here.
Proof of Theorem 6.1. We provide a proof by example.
It is easily seen that the network-optimal security strategy secures all players and that players 2 and 3 will compensate 1 for securing itself. However, player 3 can defect from the grand coalition knowing that in the coalition structure, $\{\{1, 2\}, \{3\}\}$, player 1 will still be secured and be compensated by player 2. Thus, the grand coalition is not stable to defections.
The following Algorithm 5 computes the agreeable allocation $x$. The algorithm takes in the family of sets $T$ constructed in §6 as an input.
Algorithm 5 Computing the agreeable allocation x under public information
Output:

Proof of Theorem 6.2.
i. Note that under the independent coalition structure, each player $i$ is either unsecured and therefore incurs a cost $L_i$, or player $i \in T_1$. The agreeable allocation $x$ allocates to all players $i$ a payoff smaller than $L_i$, so if player $i$ is unsecured, then it is immediately better off under the agreeable allocation. Suppose $i \in T_1$. Then, in the independent coalition structure, player $i$ incurs a cost $x_i = \theta_i + \sum_{j \in N \setminus T_1} \xi_{ji}$. This is identical to the update equation for $x_i$ in the first iteration of the algorithm since $T_1 = T_1$. Then, note that the only other update equation for $x_i$ is when $k = 2$ and $i \in T_1$. In this update equation, the assigned value for $x_i$ either remains the same or is reduced. Therefore, player $i$ cannot be worse off with the agreeable allocation. This shows that the agreeable allocation is individually rational. That is, all players will prefer to remain in the grand coalition over forming the independent coalition structure.
ii. From Theorem C.2 and Theorem 4.2, it follows that the family of sets $T$ can be computed in polynomial time. Further, clearly, there are at most $|N|$ sets in the family of sets $T$. That is, $l \le n = |N|$. Therefore, the algorithm runs for at most $n$ iterations. Further, within each iteration, the computation of $x_i$ is trivial. Thus, Algorithm 5 computes the agreeable allocation in polynomial time.
iii. The expressions for $x_i$ in all three cases in Algorithm 5 (i.e., $k$ is odd and $i \in T_k$, $k$ is even and $i \in T_k$, or $k$ is even and $i \in T_{k-1}$) only contain cost parameters pertaining to player $i$ or its partners $j \in N$. Therefore, clearly, the agreeable allocation is bilaterally implementable.
iv. If two players $i$ and $j$ are symmetric, then they will belong to the same set $T_k$ for some $k$. Therefore, the allocation received by $i$ and $j$ will also be identical and therefore, $x$ is a symmetric allocation.
v. If a player $i$ is such that its marginal contribution to any coalition is 0, then, recall our assumption that all players are secured in the grand coalition. Then, considering the coalition $N \setminus \{i\}$, it follows that for player $i$, $\theta_i = \xi_{ij} = \xi_{ji} = 0$. Therefore, all update expressions for $x_i$ in the algorithm also evaluate to zero. Thus, the agreeable allocation satisfies the null player property. This concludes the proof.

Therefore, $L \ge \theta + \xi |N^-(i)|$. Therefore, from Theorem 3.1, $i \in S_1$, and thus, $S_1$ is not empty. Suppose that $S_{k-1}$ is not empty for $k > 2$. If $S_{k-1} = N$, then, we are done, since an agreeable permutation exists. If not, let the subgraph induced by players in $N \setminus S_{k-1}$ be denoted by $H$. Then, there again exists a player $i$ in $H$ such that the in-degree of $i$ in $H$, $|N \setminus S_{k-1} \cup N^-(i)| \le k$. Note, from the proof of Theorem 5.2, that $i \in S_k$ if $L_i \ge \theta_i + \sum_{j \in N \setminus S_{k-1} \cap N^-(i)} \xi_{ji} - \sum_{j \in S_{k-1} \cap N^+(i)} \xi_{ij}$. Now, in our quasi-homogeneous network, we have that,

The last inequality follows since $|N \setminus S_{k-1} \cup N^-(i)| \le k$. Therefore, $i \in S_k$ and the iterative procedure can continue. This completes the proof of part (i).

Now, suppose, $G$ contains a $(k, l)$-core, denoted by $H$, where k = + L − θ ξ. Consider $i \in H$. Suppose $i \in S_k$ for some $k$. Therefore, $i \in N \setminus S_{k-1}$. Then,

Thus, $i \notin S_k$. This yields a contradiction. That is, $i$ does not belong to $S_k$ for any $k$ and therefore, an agreeable permutation (equivalently, the agreeable allocation) does not exist.
We now extend the ideas above to characterize the equilibrium security strategy and security states of players when acting in coalitions. That is, we consider a general coalition structure $\rho$ and a coalition $S \in \rho$ to obtain the equilibrium security states and actions of the players in coalition $S$.

Proof of Theorem D.2. As in the proof of Theorem C.2, we note that it is easy to see algorithm 6 terminates in a polynomial number of steps since in each iteration either the size of the set $P \setminus X$ strictly reduces. If the size of the set $P \setminus X$ does not reduce in some iteration of the algorithm, then in the subsequent iteration, $k = 0$ because all firms for whom it was rational to be unsecured in the previous iteration will remain unsecured. Further, the objective of the minimization problem in each iteration can again be mapped onto the weight of a minimum directed cut separating two node sets in the auxiliary directed graph $G^*$. Thus, the minimization problem can also be solved in polynomial time. Therefore, algorithm 6 runs in polynomial time. Finally, since at each iteration, coalitional rationality is maintained by ensuring each coalition solves its cost minimization problem given the security states of all other players in the network, it follows that $\Upsilon_i^{S;\rho}$ will automatically be an equilibrium outcome when the algorithm terminates.
We can then obtain the total security cost of a coalition $S$ belonging to a general coalition structure $\rho$ of $N$ in the partial information model, $c(S; \rho)$, as follows,

where $S$ and $T$ are (possibly identical) coalitions in $\rho$ with $i \in S$ and $j \in T$. That is, players in coalition $S$ who are secured pay the costs of securing the links with firms $j \in N \setminus P$ since the security costs and actions of these firms are private information not known to $S$. Further, firms in $S$ that are secured also pay the costs of securing links to other firms $j \in P$ that are not secured.
For clarity, note that when $P = \emptyset$, then, (22) coincides with (4), and therefore, $c(S; \rho) = c(S)$. Likewise, when $P = N$, note that (22) coincides with (6), and therefore, $c(S; \rho) = c(S; \rho)$. Also, we note that the example provided in the proof of Theorem 6.1 is easily modified to also demonstrate the instability of the grand coalition when $|P| = 2$, with only players 1 and 2 in $P$, while player 3's parameters and actions are privately known. Then, the grand coalition will again not be stable and player 3 will defect from the grand coalition.
Further, as a corollary from the proof of Theorem D.2, we obtain the following.
Corollary D.3 Consider the network $G$ and $k$ interdependent security cost sharing games under partial information with $\emptyset \subseteq P_1 \subset P_2 \ldots \subset P_k \subseteq N$ where $P_i$ denotes the set of players whose cost parameters and actions are known publicly in the $i$th game. Then, if the grand coalition is stable for some $i$ for $1 \le i \le k$, then the grand coalition is stable for all $j \le i$.
The contrapositive of the above statement confirms the basic insight that if the grand coalition is unstable at a certain level of public information in the network, the grand coalition will continue to remain unstable at higher levels of information provisioning in the network. Again, as noted before, the instability of the grand coalition even with partially public information is, in general, driven by two factors: the reduced benefits of information acquisition from cooperative security, and the free-riding of firms on the security actions and cost-sharing of firms whose parameters and actions are known publicly.

Agreeable Allocation in the Partial Information Model
Naturally, this again motivates us to search for a cost-sharing mechanism that can support cooperative security. We show that once again we can extend the agreeable allocation to this general partial information setting while retaining several of its desirable properties. Notably, we prove that, analogous to Theorem 6.2, the partial information version of the agreeable allocation, when it exists, satisfies individual rationality, a weaker notion of stability wherein each player is better off in the grand coalition (i.e., with full cooperation) as compared to the independent coalitions (i.e., no-cooperation) scenario.
As in the case of private and public information, for ease of exposition, we restrict our attention to networks where all firms are secured in the grand coalition. The algorithm to compute the agreeable allocation, in this case, is presented in algorithm 7, and once again involves as a first step the recursive computation of a finite family of mutually exclusive sets denoted here by $T$. Then, the agreeable allocation computed for a player depends on its membership in the family of sets.
Note that, in the partial information case, there is a set of players $P$ whose costs and actions are public information, and a set of players $N \setminus P$ whose information is private, so there are separate routines to handle the players in each of these two sets. Further, within each of these two sets of players, we in turn have two distinct steps where in one step, players are identified for whom it is individually rational to secure themselves given the players already identified as secured, and in the other step, players are identified who will secure themselves for the direct positive externality they bestow on the players already secured. This is identical to equations (10) and (11) describing the computation of the agreeable allocation in the public information model.
For brevity, in algorithm 7, we have combined the construction of the family of sets $T$ as well as the agreeable allocation to each player $i \in T$. It can be seen that if $P = \emptyset$, then the output of algorithm 7 coincides with the agreeable allocation in the private information setting. If $P = N$, then the output of algorithm 7 coincides with the agreeable allocation computed by algorithm 4 in the public information model.
As in the private information and public information models, when the construction procedure of the family of sets $T$ terminates, if the union of the sets does not comprise all the players in $N$, then the agreeable allocation does not exist. In the two results below, we demonstrate that versions of Theorem 6.2 and Theorem 6.3 extend to the partial information model. In fact, naturally, since the partial information model is a generalization of the private and public information models, Theorem D.4 generalizes Theorem 6.2.

Theorem D.4
The agreeable allocation under partial information, $x$, computed by algorithm 7, when it exists, is (i) individually rational, (ii) polynomial-time computable, and (iii) bilaterally implementable. Further, it also satisfies (iv) symmetry, and (v) the null player property.

Theorem 7.1
Consider a quasi-homogeneous network $G$ with security cost parameters given by $L$, $\theta$, and $\xi$.
i. $G$ admits an agreeable allocation if $G$ does not contain a $k$-core where k = L − θ ξ.
ii. $G$ does not admit an agreeable allocation if $G$ contains a $(k, l)$-core where k = + L − θ ξ

Figure 2: Examples of alliance networks in the food manufacturing sector.

Figure 3: Intersections of the secured sets of coalitions S, S , T , and T .

Algorithm 6
An equilibrium security strategy for a coalition under partial information
Output: $\Upsilon_i^{S;\rho}$ for $i \in S \subseteq N$
X ← ∅
k ← 1
while k ≠ 0 do
    Y ← ∅
    for S ∈ ρ do
        minimize Σ i∈S L i (1 − Υ i S;ρ ) + θ i Υ i S;ρ + (j,i)∈A, j∈(N \P) ∪ {i : Υ i S;ρ = 1},
        k ← |Y|
        X ← X ∪ {i ∈ P : Υ i S;ρ = 1},
    end for
end while

Lemma D.2 Given a general coalition structure $\rho$, under the partial information model, algorithm 6 computes an equilibrium security state of player $i$ in coalition $S$, $\Upsilon_i^{S;\rho}$, in polynomial time.