
International Journal of Information Management Data Insights 2 (2022) 100073

Contents lists available at ScienceDirect

International Journal of Information Management Data Insights
journal homepage: www.elsevier.com/locate/jjimei

Collaboration or separation maximizing the partnership between a “Gray hat” hacker and an organization in a two-stage cybersecurity game

Daniel Cohen*, Amir Elalouf, Raz Zeev
Department of Management, Bar Ilan University, Ramat Gan, Israel

Abstract

Vulnerability disclosure is a key topic in cybersecurity. It is a practice ensuring that organizations address and fix vulnerabilities before bad actors can find and exploit them. This study focuses on the “disclose or exploit” dilemma. It presents a two-player non-zero-sum simultaneous cyber-security game between a hacker and an organization over multiple rounds. The vulnerabilities, classified as high, medium, and low, are based on the Common Vulnerability Scoring System (CVSS). The hacker can decide to act separately or to collaborate with the organization. Subsequently, the organization chooses to operate individually or to cooperate with the hacker. The organization also has a budget limit for patching the vulnerabilities. The paper develops an algorithm to determine the Nash equilibria of the game and conducts a numerical analysis. It finds that maximum cooperation occurred at the beginning of the game, when both the organization and the hacker decided to cooperate.

1. Introduction

While technology infrastructure is becoming complex and interconnected, the difficulty in achieving security increases (Roumani et al., 2016); hence, a threat to the organization, through a cyber-attack, can occur in various attack vectors that exploit system vulnerabilities. Existing approaches mainly characterize vulnerabilities based on known vulnerabilities or attack actions that compromise network objects. An example of such an approach is the Common Vulnerability Scoring System (CVSS), a detailed technical framework to score particular vulnerabilities in software, components, or systems that can be used to perform actions (Ganin et al., 2020). According to Lockheed Martin Corporation (Fitch & Muckin, 2015), a system’s transactional data can be subjected to theft, tampering, loss of availability, or repudiation. Each of these threats has different potential impacts on the organization’s mission and business needs. Therefore, organizations that fail to integrate security throughout the development process are at risk that their software will suffer from a systemic fault in the implementation (Arkin et al., 2005).

Security threats are the reason why organizations use expert hackers who penetrate computer systems, networks, applications, or other computing resources on behalf of their owners and with their authorization to uncover potential security vulnerabilities that malicious hackers could exploit. Essentially, what determines the type of expert hacker penetrating computer systems is their motivation and whether they break the law. Several actors are responsible for most of cyberspace’s main threats, including professionals and sophisticated individuals from the cyber-crime scene, state-sponsored groups, and amateur hackers such as terrorist affiliates, hacktivists, and script kiddies (Cohen, 2014).

Ablon & Bogart (2017) built a typology of three main groups: white hat, black hat, and grey hat hackers. The first group is white hat hackers, vulnerability researchers who focus on finding vulnerabilities and giving them to the affected organization for a fee or recognition. White hat hackers can be part of an internal security team, a bug bounty program, or a third party. The second group is gray hat hackers, computer security experts who often look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they report them to the owner, sometimes requesting a fee to fix the problem. The third group is black hat cybercriminals: a black hat is a criminal who breaks into computer networks with malicious intent (De Jong et al., 2016). For example, a black hat can release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, and personal information. Gaia et al. (2021) developed a scale to structure and clarify the meanings of the white hat, grey hat, and black hat contrasts. According to Gaia et al. (2021), white hat hackers assist system owners in detecting and fixing security system vulnerabilities. They are referred to as ethical hackers because they do not violate laws, even though they use many of the same tools as black hat and grey hat hackers.

In contrast, grey hat hackers are often prepared to break the law by exploiting security and network vulnerabilities without prior consent or authorization to achieve better security (Kirsch, 2014; Stacey, Taylor, Olowosule, & Spanaki, 2021). When a gray hat hacker finds vulnerabilities or system bugs, he will report them to the owner and request a fee to fix them. If the owner does not collaborate, the hacker can post the newly found threat publicly. This type of hacking is illegal since the hacker did not receive the owner’s permission before monitoring the system. Nevertheless, according to Kirsch (2014), grey hat hackers will usually not exploit the found vulnerabilities.


* Corresponding author.

https://doi.org/10.1016/j.jjimei.2022.100073
Received 4 August 2021; Received in revised form 17 March 2022; Accepted 31 March 2022
2667-0968/© 2022 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
D. Cohen, A. Elalouf and R. Zeev International Journal of Information Management Data Insights 2 (2022) 100073

According to an industry report by Kaspersky,¹ organizations from diverse sectors (e.g., finance, business, IT, energy) do not appreciate unauthorized forays into their business information infrastructure. Instead, those organizations are anxious that gray hat hackers will become black hats by posting exploitation on the internet or exploiting their vulnerability. This dilemma is called “disclose or exploit,” whether to disclose or stockpile the system’s vulnerabilities. Each decision has significant consequences for the organization’s resilience (Hausken, 2020).

The “disclose or exploit” dilemma occurs because vendors often prefer to wait until a patch or other form of mitigation is available before making the vulnerability public. However, cybersecurity researchers prefer that disclosures be made public as soon as possible. This dilemma is even more challenging when a gray hat hacker is involved. He often looks for vulnerabilities in a system without the owner’s permission or knowledge and requests a fee to fix problems, facing the potential willingness of businesses to prosecute him. Chen et al. (2020) explain that the answer to the “disclose or exploit” question depends upon many factors, such as how much it helps protect users of the affected technology, the probability that the vulnerability will be discovered by someone else, or the likelihood that an adversary will exploit the weakness. Finally, if exploited, there should be a plan and process for whether it is to be disclosed, and if so, when.

After discovering software vulnerabilities, it is essential to react quickly. Others may exploit unpatched vulnerabilities, or weaknesses may become irrelevant due to updates and upgrades. Hence, in collaboration, the gray hat’s significant incentive is a fee from the organization and recognition of abilities. The organization’s considerable advantage is that another entity can help patch quickly, so both the organization and the gray hat can concentrate on working together.

One of the main theoretical consequences is that the gray hat can take the vulnerabilities into the public domain through media, advisories, and published vulnerability notices. One reason to execute this action is the fear of legal action. Gamero-Garrido et al. (2017) note that there are some legal theories for software developers. For instance, one case can violate the Computer Fraud and Abuse Act (CFAA), covering unauthorized access to computer systems. Other issues can violate electronic communications privacy laws and more generic libel claims, trade secret misappropriation, and copyright infringement. The organization also has reasons not to collaborate with the gray hat, and the main issue is the purpose. The organization wants to adjust the timeline to its convenience. However, according to Ablon & Bogart (2017), the most talented gray hats aim to create an exploit. Hence, even in collaboration, the gray hat wants to patch vulnerabilities for private use or reputation. In parallel, there is, in some cases, a gap between introducing a new patch and applying it to fix the weaknesses.

Additionally, according to Gamero-Garrido et al. (2017), under 2% of survey participants reported being named defendants in a court of law. This legal legitimacy should lead to trust and cooperation between the parties. However, the authors show that 22% of researchers reported receiving legal threats because of their vulnerability research. Thus, there remains significant concern about legal action being taken.

Another substantial issue is that the gray hat may want to hoard vulnerabilities to find more bugs and contribute to the system’s security. Therefore, the gray hat has an incentive not to report a vulnerability to the company immediately and to use it as an “entry point” to find other bugs.

In general, economic viability is of great importance. Ponemon Institute and IBM Security (2021)² researched and strived to produce a data breach report’s annual cost over the last fifteen years. This report presents a point-in-time view of the factors that either mitigate or exacerbate the cost of data breaches. It also views data breach trends, demonstrating both consistencies and fluctuations in the costs over time. Thus, both sides’ decisions to collaborate in cyberspace are not trivial. Both parties are interested in fixing the vulnerability despite hesitations, hence contemplating collaboration. The time dimension is critical, and they must make a quick decision and bear the consequences.

¹ Kaspersky, Black hat, White hat, and Gray hat hackers – Definition and explanation. https://www.kaspersky.com/resource-center/definitions/hacker-hat-types, n.d. (accessed 12 May 2020)
² IBM, How much does a data breach cost? https://www.ibm.com/security/data-breach, 2021 (accessed 14 March 2021)

The contribution of this study to the literature can be summarized as follows: (i) Analyzing reliable information sources on the behavior and motives of gray hat hackers and organizations can help understand the opinions and reactions regarding collaboration. (ii) This study applied the gray hat hacker and organization perspective to Nash equilibrium to detect three alternatives, collaborate, exploit, and disclose, at different game stages. (iii) The proposed approach extracts budget and time constraints to apply them to the proposed algorithm. It examines changes in the allocation of resources for decision-making. (iv) The experimental results are compared with the utility function to choose the scenario with the highest performance.

Therefore, the study presents the implications of providing an analytical framework for this issue. It discusses how to maximize cooperation between grey hat hackers and organizations and examines whether a change in the optimal decision depends on both parties or only on one side. This paper is organized as follows. Section Two portrays the conceptual background and relevant recent research models. The following section, Section Three, depicts the model. Section Four presents the algorithm for determining Nash equilibria of the game. Section Five reports the results and provides a model analysis. Finally, Sections Six and Seven discuss the research’s theoretical and practical contributions.

Organizations from diverse sectors (e.g., finance, business, IT, energy) are countering and recognizing potential attack vectors that threaten business and operational data discovered by gray hat hackers. Hence, this paper’s research question is how to maximize cooperation between grey hat hackers and vendors/organizations to develop an effective solution to real-time and time-sensitive cyber security events. A collaboration would assist relevant industry management levels, cyber security managers, chief information security officers, academic researchers, and practitioners.

2. Literature review

2.1. Ethics and gray hat hacking

Existing studies on gray hat hackers have focused on ethical and moral issues regarding gray hat intentions and motivations, real-time dilemmas in cyber defense, cyber risk assessment, and incident response. Bonina et al. (2021) acknowledge the positive benefits of digital platforms for development. Nevertheless, they recognize digital technologies’ ‘dark side’ and negative consequences and proactively identify the need to address them. Falk (2004) examined normative ethical theories from Mill, Kant, and Aristotle to claim that gray hacking is morally wrong. He claims “gray hat” is a different form of a “black hat” in ethical evaluations. Based on Aristotle’s ethics approach, Radziwill et al. (2015) argue that gray hats believe their intent is morally right.

However, a different approach (Goerzen & Matthews, 2019) maintains that, similar to hackers, gray hat hackers perform penetration testing, engage in security research, and disclose vulnerabilities. Goerzen & Matthews (2019) argue that in contrast to white hat hackers, gray hat hackers are trolls motivated by a sense of public interest rather than the intent to harm or secure personal gain. Chan & Janjarasjit (2019) investigate the moral effect from the hackers’ point of view. They afford insight into hackers’ response to an information security breach perpetrated with a bad or good intention. The study examines if intent generates a different perceived moral effect, clarifying the impact of perceived intensity of emotional distress on responsibility judgment. In addition, the authors explore if the nature of a perpetrator’s intent affects the moderating role of consequences consideration in the connection between


perceived moral effect and judgment. Chan & Janjarasjit (2019) discovered that perceived moral effect mediates the impact of perceived intensity of emotional distress on responsibility judgment only in a bad intention breach. In contrast, consequences intensify the relationship between perceived moral effect and responsibility judgment only in a good intention breach.

2.2. Real-time dilemmas in cyber defense

Numerous studies describe real-time dilemmas in cyber defense. Weulen Kranenbarg et al. (2018) describe a practice in which a hacker who finds a vulnerability in an IT system reports it to its owner. The owner will then resolve the problem after disclosing the vulnerability publicly. The researchers state that the hacker’s motives will directly shape their cost-benefit analyses regarding the organizational and criminal justice system responses to such disclosure. Ruohonen et al. (2020) show that organizations prefer not to participate in direct disclosures. However, Walshe & Simpson (2020) found the average cost of a bug bounty program.³ The program costs less than hiring two additional software engineers.

Another issue is cyber risk assessment. Derbyshire et al. (2021) propose a framework for anticipating adversary cost and a demonstrative application, using data inspired by a cyber risk assessment of a European utility organization. The MITRE ATT&CK framework⁴ has two layers of granularity: tactics and their underlying techniques. Derbyshire et al. used MITRE ATT&CK since they considered it the best foundation for building a framework for adversary cost. Their model follows attack narratives through the system under consideration, breaking them into tactics aligned to the ATT&CK framework and considering each tactic’s currently implemented cybersecurity controls. The two other cost factors, time and finance, are then decomposed. The individual components are given an upper and lower bound based on the end users’ confidence interval and the estimated risk cost factor. Once all cost components have an upper and lower bound, both factors are aggregated, and each has a total upper and lower bound. Subsequently, the time and finance cost factors’ total upper and lower bounds are applied to the lognormal probability density function, providing each factor with a lognormal probability distribution.

Naseer et al. (2021) emphasized the incident response (IR) function for cybersecurity incidents. They claim that organizations must improve ‘agility’ in their IR process to react quickly and capably to high-level and potent cyber threats. The researchers add that real-time analysis presents organizations with the unique opportunity to drive their IR process agilely by discovering cybersecurity occurrences swiftly and responding proactively.

Stacey et al. (2021) focused on a different aspect of cybersecurity threat: the employees who experienced the attack. Their research explored employees’ emotional and coping responses to a cyber-attack. The authors’ findings revealed that the IT security team fluctuated between positive problem-focused coping and negative emotion-focused coping. Stacey et al. (2021) highlighted the crucial role of senior management in transforming employees’ emotional capabilities. They state that senior management empathy and resource mobilization are the turnaround mechanism that intermediates the oscillation.

³ Bug bounty programs offer rewards by organizations to security researchers who resolve critical vulnerabilities in core infrastructure data.
⁴ https://attack.mitre.org/ Accessed 6 December 2020

2.3. Risk aversion

Kahneman & Tversky (1979) developed the prospect theory model. They found the certainty effect of risk aversion in choices involving positive gains and risk-seeking in choices involving sure losses. They also found the isolation effect that leads to inconsistent preferences when presenting the same choice in different forms. Tversky & Kahneman (1992) also extended and applied the theory to uncertain and risky prospects. They found a distinctive fourfold pattern of risk attitudes: risk aversion for gains and risk-seeking for high probability; risk seeking for gains and aversion for low probability losses.

Additionally, Chen et al. (2012) claim that radio frequency identification (RFID) will offer researchers many large-scale data collection opportunities. Matthias et al. (2017) stress the application and exploitation of Big Data to form a competitive advantage. The study displays a framework of application areas that eases understanding, targeting, and scoping specific areas for sustainable progress. Curtin et al. (2007) describe RFID technology as the basis for many IT-reliant work systems.

2.4. Management decision-making processes and security breaches

Sanjab et al. (2017) incorporate the concept formulation notions in the game formulation to formulate a Nash equilibrium demonstrating the behavior of an organization operating a drone delivery system and a cyber attacker. They found that the organization’s and the attacker’s subjective decision-making processes lead to delays in delivery time, surpassing the target delivery time to which the organization has committed. In comparison, Hua & Bapna (2013) proposed a general game-theoretical model to examine the optimal information systems security investment to evaluate the losses caused by cyber terrorists and hackers. The growing availability of big data related to breaches allows investigating the root causes of violations and recommending suitable mitigation strategies (Dhillon et al., 2021). Numerous studies address the application of big data to monitor breaches. George et al. (2016) describe that the availability of advanced analytics packages enables scholars to shift from case studies and simple two-by-two frameworks to complex models that leverage rich archival data. Kar & Dwivedi (2020) point out the need for “big data studies” where findings can explain the interaction of people with technological artifacts. Kushwaha et al. (2021) use a systematic literature review approach to uncover the emerging management areas supported by big data. Kushwaha et al. (2020) claim that some organizations struggle with adoption owing to barriers such as training, trust, and security. An additional paper by Kushwaha et al. (2020) describes machine learning that enables machines to learn from historical data and make real-time predictions on numbers and texts. Also, Kushwaha et al. (2020) use sentiment analysis to find insights about raw data, the groups of people who created them, and the sentiments which led to the generation of such data.

Moreover, Colladon et al. (2020) present tools for text analysis to help understand the power of words. Additionally, Kushwaha et al. (2020) present a method of blending neural networks based on deep learning to predict tweets diffused by users of Twitter. Finally, Dong et al. (2018) propose an analytic framework that taps into unstructured data from financial and social media platforms to assess the risk of corporate fraud.

2.5. The “disclose or exploit” dilemma

Diverse studies aim to find an answer to the “disclose or exploit” dilemma. Based on 17 years of data records, Rajasooriya et al. (2017) set transition probabilities in the vulnerability life cycle. The transition probabilities are based on the Common Vulnerability Scoring System (CVSS), which scores each vulnerability on a scale from 0 to 10. CVSS establishes a standard measure of how much concern a vulnerability warrants, in order to prioritize efforts compared to other vulnerabilities. Vulnerabilities with a base score in the range 7.0–10.0 are high, those in the range 4.0–6.9 are medium, and 0–3.9 are low. Rajasooriya et al. (2017) also created Markov process and nonlinear statistical models for predicting the risk of exploitation of a particular vulnerability as a function of time.

Chen et al. (2020) demonstrate a model of a cyber-competition between two entities over a series of cyber-vulnerabilities. The first contribution proposes an alternating stochastic optimization approach to compute the


pure strategy Nash equilibrium for each stage game associated with each vulnerability. The second offers a learning framework to update the belief about the parameter distribution for the two players. Unlike random strategies, they yield a higher payoff for the player who consistently follows the exploiting and disclosing plans.

Chen et al. (2020)’s model assumes a full disclosure case, meaning vulnerability-related information is released to the public upon the vulnerability discovery. Similarly, Arora et al. (2004) believe that full and public disclosure of vulnerabilities allows the organization to respond faster in fixing vulnerabilities. However, full disclosure increases the number of attacks, and therefore, more options should be considered. For example, Bao et al. (2017) describe a cyber-warfare game in which players can choose between two actions of disclosure: attack or patch. They find that a patch-then-attack strategy or a pure disclosure strategy better serves the player in some situations. Individually, Hahn & Govindarasu (2012) present two more disclosure options. One is limited disclosure, which requires the vulnerability information to be provided to the organization and commonly leverages a trusted third party to help manage and coordinate the disclosure. The other is non-disclosure, limiting the disclosure to only the product organization without addressing the general public.

2.6. Game theory models

Previous literature addresses a game between an inspection agency and multiple inspectees subject to that agency’s random inspections. Deutsch et al. (2011) formulated a game theory model that highlighted all Nash equilibrium solutions for such games and provided explicit closed-form expressions. The researchers assumed that the inspectors take their decisions independently of one another. Also, they discussed a single-stage inspection game. However, most inspection games are repetitive in the real world. Thus, decisions in each stage are typically affected by the cumulative information on the various parties’ compliance history.

Furthermore, Deutsch et al. (2019) generalized and presented a game model that allows setting the intensity of monitoring technology implementation as part of the inspection strategy. They exhibit a two-stage game between an inspector and multiple inspectees. The inspector has a limited budget for monitoring and may choose to invest in a monitoring technology in the first stage to supplement the inspector’s subsequent inspection in the second-stage simultaneous game. Deutsch et al. developed an algorithm to determine Nash equilibria efficiently and presented managerial insights. Based on the proposed model, Deutsch (2021) extended the algorithm to determine all Nash equilibrium solutions for a two-person non-zero-sum simultaneous inspection game over some sites in linear time. Deutsch (2021) assumed that both players possess complete information about their opponents and the game’s structure. The inspector has a limited continuous inspection resource. She needs to decide how to allocate it across the sites while adhering to local restrictions on the permitted inspection levels. The inspector has several employees; hence she needs to determine which sites the employees should act on and how (legally, illegally, partially legally). Deutsch (2021) shows that the inspector should carefully choose her resource. There are cases where even a tiny and insignificant increase of her resource can make a difference in her payoffs and the inspection’s behavior.

This paper sheds additional light on the research of gray hat hackers to improve the understanding of hacking social dynamics. Namely, data collection opportunities present a significant potential to enhance and maximize cooperation between gray hat hackers and organizations. The following model displays collaboration between the parties at a low level of vulnerability. Hopefully, a numerical analysis discussion might assist with bridging the current gaps in the “disclose or exploit” dilemma.

3. The model

Consider a two-player non-zero-sum simultaneous cyber-security game between a grey hat hacker H and an organization O. The game takes place over multiple rounds, whose set is denoted by $\mathcal{N} \equiv \{1, 2, \ldots, n\}$, $n \ge 2$. H can decide to exploit (i.e., act separately) or disclose (i.e., collaborate with the organization). If H decides to disclose, O’s responses are to act separately or collaborate with H. In case both players decide to collaborate, they continue for an additional round of the game.

The organization has a budget limit for the patch $W > 0$ and can continuously determine any effort up to $W$. The organization may invest $x \in [0, W]$ resources in patching the vulnerability.

Let $\mathbb{R}_{\oplus} \equiv \{t \in \mathbb{R} \mid t \ge 0\}$. Then, O selects a vector $x \in \mathcal{X}$, with

$$\mathcal{X} \equiv \left\{ x \in (\mathbb{R}_{\oplus})^{n} \;\middle|\; x_i \le w_i \text{ for each } i \in \mathcal{N} \text{ and } \sum_{i \in \mathcal{N}} x_i \le W \right\} \qquad (1)$$

where $x_i$ is the amount of the budget allocated to round $i \in \mathcal{N}$, and $w_i > 0$ is the budget restriction at round $i$.

The gray hat can choose to exploit ($Y = 0$) or disclose ($Y = 1$). H selects a vector $y \in \mathcal{Y}$, with

$$\mathcal{Y} \equiv \left\{ y \in \mathbb{N}^{n} \;\middle|\; y_i \le 1 \text{ for each } i \in \mathcal{N} \right\} \qquad (2)$$

where $y_i$ is H’s decision for round $i \in \mathcal{N}$.

This study presents a model based on the Deutsch et al. (2011) model (Deutsch et al., 2018), with the assumption $c - d < h$. The model assumes that collaborating is worthwhile for a hacker; thus $c, h < 0 < d$. It also supposes that the most significant loss for the hacker occurs when the organization acts separately, thus $c < h$, i.e., $c - h < 0$. Therefore, the model’s assumption is $c - h < d$. Thus, $c - d < h$, i.e., as in Deutsch’s model:

$$c - d - h < 0 \qquad (\text{A1})$$

The utility functions of the organization and the gray hat hacker are expressed by:

$$u_O = \sum_{i \in \mathcal{N}} \left[ y_i \left( b x_i + (w_i - x_i)\, a \right) + (1 - y_i)(w_i - x_i)\, e \right] \qquad (3)$$

and

$$u_H = \sum_{i \in \mathcal{N}} \left[ y_i \left( d x_i + (w_i - x_i)\, c \right) + (1 - y_i)(w_i - x_i)\, h \right] \qquad (4)$$

Table 1
H’s and O’s payoffs at round $i \in \mathcal{N}$. Each cell is (O’s payoff, H’s payoff).

                              Grey hat: Exploit      Grey hat: Disclose
  Organization: Collaborate         —                     (b, d)
  Organization: Separate          (e, h)                  (a, c)

  O’s utility function: Eq. (3); H’s utility function: Eq. (4).

The functions represent the sums over all rounds in $\mathcal{N}$ of the utility from three different scenarios. Two scenarios are related to the disclosure utility ($y_i$), and the last one is related to the exploit utility ($1 - y_i$). Where $u_O$ is the organization’s utility function, the first scenario is the collaborate utility ($b$) multiplied by $x_i$, the budget


allocated. The second scenario is also related to the disclosure utility, in which the separate utility ($a$) is multiplied by $(w_i - x_i)$, the budget restriction minus the budget allocated. The last scenario ($e$) represents the organization’s exploit utility, multiplied by $(w_i - x_i)$, the budget restriction minus the amount of the budget allocated. Respectively, $u_H$ signifies the utility function of the gray hat hacker. The first scenario is the collaborate utility ($d$) multiplied by $x_i$, the budget allocated. The second scenario is also related to the disclosure utility, in which the separate utility ($c$) is multiplied by $(w_i - x_i)$, the budget restriction minus the budget allocated. The last scenario ($h$) represents the gray hat hacker’s exploit utility, multiplied by $(w_i - x_i)$, the budget restriction minus the amount of the budget allocated.

Table 2
H’s and O’s parameter values at round $i \in \mathcal{N}$.

  Category                               Player                 Parameter   Values
  Exploit payoff                         The organization       e           E_i ≤ 0
                                         The gray hat hacker    h           H_i ≤ 0
  The separate payoff                    The organization       a
                                         The gray hat hacker    c           C_i < 0
  The collaborate payoff                 The organization       b
                                         The gray hat hacker    d           D_i > 0
  The total budget limit for the patch   The organization       W           W > 0
  The budget restriction at round i      The organization       w_i         w_i > 0

Algorithm 1 Determining Nash equilibria of the game.
 1: Input: Game instance (a, b, c, d, e, h, W)            // Sets game’s parameters
 2: Determine the cut point values t_ℓ, ℓ = 0, …, L        // Sets game’s breakpoints
 3: S ← ∅                                                   // Array boot
 4: Determine w                                             // Budget restriction at the first round
 5: ℓ = 0                                                   // Set the first round
 6: while (ℓ ≤ L and W − w > 0) do                          // Compliance with the terms of breakpoint and spending limit
 7:   x̂ = −(c − w d) / (d − h)                              // Applies Nash equilibrium for the organization
 8:   ŷ = −e / (a − b − e)                                  // Applies Nash equilibrium for the gray hat hacker
 9:   S ← S ∪ (x̂, ŷ)                                        // Assign Nash equilibrium values in an array
10:   W ← W − w                                             // Update total budget limit for the patch
11:   ℓ = ℓ + 1                                             // Continue to the next round
12:   Determine w                                           // Budget restriction at the next round
13: end while                                               // End loop
14: Output: arg max_{(x*, y*) ∈ S} { g[ u_O(x*, y*), u_H(x*, y*) ] }   // utility functions of maximum Nash equilibrium values

Note. Table 1 defines H’s and O’s payoffs and their dependence on the players’ actions at round $i \in \mathcal{N}$. Table 2 defines H’s and O’s parameter values. The payoff is affected by the exploit payoff, the separate payoff, and the collaborative payoff. The exploit payoff is both parties’ losses. The gray hat hacker’s loss outweighs his exploitation benefits (otherwise, he would not consider contacting the organization). The company lacks knowledge about the entities that know the vulnerability and can exploit it. The disclosure payoff is not individual and depends on the organization’s response. The separate payoff for the gray hat is a loss because he shared information with the company, allowing it to take action against him (such as legal action). For the company, the payoff is affected by the actions. The company may lose if the gray hat takes action against it (sharing the information with other entities). At the same time, the company can gain if its response is more significant than the gray hat hacker’s. The collaborative payoff’s advantage is finding the essential patch quickly, so both the organization and the grey hat can concentrate effort on working together. In each round, the organization invests budget resources in patching the vulnerability. Thus, the total budget is also positive.

4. Solving the model

present the parameters’ values. The coefficient was changed to negative for cases where the model parameter must be negative. According to Derbyshire et al. (2021), the time and finance parameters are amalgamated into a total upper and lower bound for the Time and Finance cost factors with a 90% confidence interval. The researchers applied the Time and Finance cost factors to the lognormal probability density function. Since the values of all other parameters are between 0 and 1, we use the lognormal probability density function to set $\hat{w}_i$, the budget restriction at round $i$:

$$\hat{w}_i = \frac{1}{\sigma \sqrt{2\pi}} \exp\left[ -\frac{(\ln i - \mu)^2}{2\sigma^2} \right], \quad x > 0 \qquad (6)$$

This research assumes that in each round, the company will add one more £ than in the previous iteration. Hence, we will set the parameters with $i$ representing the index, which is the same as the value of the budget restriction at round $i$. $\mu$ is the mean of the natural logarithms of the upper (£9,060) and lower (£1,640) bounds of finance. Moreover, $\sigma$ is the standard deviation of the natural logarithms of the upper (£9,060) and lower (£1,640) bounds of finance. Thus, the study can set the Nash equilibria as
( [ ] )
1 (ln 𝑖 − 𝜇)2 𝑑 𝑒
Deutsch et al. (2019) present Nash equilibrium for the game. We 𝑥∗ , 𝑦∗ ∈ − √ ∗ exp − ∗ ,− (6)
assume that the organization has no technology implementation (i.e., 𝜎 2𝜋 2𝜎 2 𝑐−𝑑−ℎ 𝑎−𝑏−𝑒
z=0 and exogenous fixed parameter). Deutsch’s solution depends on the Finally, we set g as the sum of the organization and the gray-hat
ratio between 𝛼𝑖 to W. Since 𝑍 = 0, 𝑑 > 0, 𝑐 < 0, and ℎ ≤ 0, we get 𝛼𝑖 ≡ hacker’s utility. i.e.,
𝑑
𝑤𝑖 ∗ (− 𝑐−𝑑− ). According to (A1), we set the denominator as negative ∑ [
ℎ ( ) ] ( )( )
𝑑
and, therefore, 𝛼𝑖 > 0. Also, since 𝑐 − ℎ < 𝑑, we set − 𝑐−𝑑− < 1. Thus, 𝑔(𝑢𝑂 , 𝑢𝐻 ) = 𝑦𝑖 (𝑏 + 𝑑 )𝑥𝑖 + 𝑤𝑖 − 𝑥𝑖 (𝑎 + 𝑐 ) + 1 − 𝑦𝑖 𝑤𝑖 − 𝑥𝑖 (𝑒 + ℎ)

𝑑 i ∈
since 𝑤𝑖 > 0, and we get 𝑤𝑖 ∗ (− 𝑐−𝑑− ) < 𝑤𝑖 . i.e., 𝛼𝑖 < 𝑤𝑖 and therefore
∑ ∑ ∑ ℎ (7)
i ∈ 𝑖𝛼 < 𝑤
i ∈ 𝑖 , so 𝛼
i ∈ 𝑖 < 𝑊 . Then, this submitted paper can
set the Nash equilibria as Corollary 1. When the organization chooses to increase the resource
( ) allocation, the overall benefit and the hacker’s utility will decrease since
𝑊𝑖 𝑑 𝑒
𝑥∗ , 𝑦∗ ∈ − ,− (5) the allocation of resources is preferable for the organization up to a
𝑐−𝑑−ℎ 𝑎−𝑏−𝑒
particular ceiling.
Accordingly, the study presents the following Algorithm 1 for de- Proof. Although 𝑖 is a discrete number, since our case deals with
termining Nash equilibria of the game. The main loop of the algorithm large numbers, we will treat 𝑖 as a continuous number. By optimization
traverses breakpoint 𝑡𝓁 for 𝓁 = 0, … , 𝐿 and checks that we did not ex- Eq. (6), the first-order condition for 𝑖∗ is
ceed the spending limit. In each loop iteration, the paper applies Nash [ ]
𝜕 𝑥∗ 𝑑 (ln 𝑖 − 𝜇)2 (ln 𝑖 − 𝜇)
equilibrium, where x and y are defined by 0. = ∗ exp − ∗ √ =0
𝜕𝑖 (𝑐 − 𝑏 − 𝑒) 2𝜎 2 𝑖𝜎 3 2𝜋
𝜕 𝑥∗ 2 (𝑖) 2
5. Numerical example and second-order condition for 𝑖∗ is 𝜕𝑖2
= − (𝑐−𝑑𝑏−𝑒) ∗ exp[− (ln2𝑖𝜎−2𝜇) ] ∗
(ln2 𝑖+(𝜎 2 −2𝜇) ln 𝑖+(−𝜇−1)𝜎 2 +𝜇 2 )
Rajasooriya et al. (2017) set the parameters to reach the steady √ . Using the numerical examples for the low-
𝑖2 𝜎 3 2𝜋
states for low, medium, and high vulnerability levels. Table 3 and Fig. 1 level category of Vulnerabilities, we get unique solution 𝑖 = 𝑒𝜇 , which

5
D. Cohen, A. Elalouf and R. Zeev International Journal of Information Management Data Insights 2 (2022) 100073

Table 3
parameters values for a numerical example.

Our model parameter 𝝀𝒊 State represented Parameters

Category of Vulnerabilities Low Medium High

E 𝜆1 Discovered 0.178 0.189 0.18


ℎ 𝜆2 Exploited before patched or disclosed 0.016 0.081 0.147
𝑑 𝜆3 Disclosed but not yet patched or exploited 0.183 0.119 0.052
𝑎 𝜆4 Patched before disclosed 0.8 0.8 0.8
𝑐 𝜆5 Exploited after disclosed 0.6 0.6 0.6
𝑏 𝜆6 Patched after disclosed 0.4 0.4 0.4
𝑡𝓁 Number of iterations to reach the steady states 5,790 5,790 5,790
𝑊 The total budget limit for the patch £9,060 £9,060 £9,060

Note. Table 3 defines parameters values for a numerical example. The first category is named “Dis-
covered,” we compare it to the organization’s need to find the vulnerabilities. The second category,
“Exploited before patched or disclosed,” refers to gray hat hackers who exploit vulnerabilities. A third
category, named “Disclosed but not yet patched or exploited,” denotes gray hat hackers who decide to
collaborate with the organization. The fourth category, “Patched before disclosed,” is likened to an orga-
nization that chose to act separately after the gray hat disclosure. The fifth category, named “Exploited
after disclosed,” indicates the gray hat’s actions after the organization decided to operate separately.
The sixth category, “Patched after disclosed,” relates to an organization collaborating with the gray hat
hacker to patch the vulnerabilities. (Derbyshire et al., 2021) put 5790 h as upper and 2574 h as a lower
bound, we determine “The number of iterations to reach the steady states” as 5790 h, additionally since
they set £9,060 as upper and £1,640 as lower bound of finance, the paper determines “The total budget
limit for the patch” as £9,060.

Fig. 1. Probability by category of vulnerabili-


ties (low, medium, and high).

satisfies the second-order condition for a maximum, 𝜕 𝑥∗ 2 (𝑖)


= − 3.1∗√10
−8
< Proof. By optimization Eq. (4), the first-order condition for 𝑤∗ is
𝜕 𝑖2 𝜋
𝜕 𝑢𝐻 ∑ ( )
0. = 𝑦𝑖 𝑐 + 1 − 𝑦𝑖 ℎ
Fig. 2 indicates that in equilibrium, the organization prefers to in- 𝜕𝑤
i ∈
crease its financial outlay to a specific value of £3,855. Thus, the orga-
Using the numerical examples, we get 0 > ℎ > 𝑐, we obtain that
nization’s motivation to expand the financial investment will decrease. 𝜕 𝑢𝐻
Corollary 2. The organization will earn less from any additional re- 𝜕𝑤
< 0.
sources it allocates. Fig. 4 shows that the hacker’s benefit will decrease when the orga-
Proof. By optimization Eq. (3), the first-order condition for 𝑤∗ is nization increases its financial investment.
Corollary 4. The organization and the gray hat hacker are losing the
cybersecurity game.
𝜕 𝑢𝑂 ∑ ( ) Proof. By optimization Eq. (7), the first-order condition for 𝑤∗ is
= 𝑦𝑖 𝑎 + 1 − 𝑦𝑖 𝑒
𝜕𝑤 ∑ ( )
i ∈ 𝜕𝑔
= 𝑦𝑖 (𝑎 + 𝑐 ) + 1 − 𝑦𝑖 (𝑒 + ℎ)
𝜕𝑤
i ∈
𝜕 𝑢𝑂
Using the numerical examples we get 𝑎 > 𝑒 > 0, we obtain that 𝜕𝑤
> Using the numerical examples, we get 0.194 < 𝑦𝑖 < 0.224 and 𝑐, 𝑒, ℎ <
𝜕𝑔
0. 0 < 𝑎, we obtain that 𝜕𝑤 < 0.
Fig. 3 shows that the organization’s benefit will increase as it in- Fig. 5 illustrates the overall negative profit obtained from the orga-
creases its financial investment. Thus, the organization’s benefit of in- nization’s gain with the hacker’s loss.
creasing resource allocation does not grow directly to the increase in Under the budget constraint of £1,640 to £9,060, and according to
resources. corollary 1–4 this paper finds:
Corollary 3. The hacker’s profit decreases as the organization invest Proposition 1. (i) maximization occurs at the beginning of the pro-
more financial resources. cess, where both parties cooperate.

Fig. 2. Organization’s behavior in equilibrium depends on the budget constraint.

Fig. 3. Utility functions of the organization depend on the budget constraint.

(ii) When the parties decide to extend the game or continue on their own, they lose their benefits.

6. Discussion

Examining the levels of vulnerability reveals that both sides prefer a low level of vulnerability. At a low vulnerability level the organization allocates fewer resources to repair, increasing its profit; the hacker's losses are also minor, and the overall loss is lower than at the medium and high vulnerability levels.

Therefore, our numerical example shows that the organization is the leader in the game and the hacker responds to it. The gray hat hacker becomes transparent to the organization because this study assumes that only the organization changes its resource allocation during the game; the two participants do not change their preferences. As long as the organization can discover the hacker's preferences, it will adjust its resource allocation to profit and to harm the hacker. In contrast, a gray hat hacker makes one strategic decision at the beginning of the game, whether to cooperate with the organization or not. From this stage, we can learn that both parties are equal at the beginning of the process. Once the parties have decided to cooperate, the hacker is powerless, and the power shifts completely to the organization.

Other studies have addressed the "disclose or exploit" dilemma with statistical models that predict the risk of exploitation of a particular vulnerability as a function of time, or with a cyber-competition of two entities over a series of cyber-vulnerabilities. The proposed model instead combines an inspection-game algorithm with game theory as used in cybersecurity to present a case of collaboration between the parties at a low level of vulnerability. This case contributes to a safer cyber environment: it minimizes a hacker's decision to exploit

a vulnerability for malicious activity, and it ensures that the organization will not ignore vulnerabilities.

Fig. 4. Utility functions of the gray-hat hacker depend on the budget constraint of the organization.

Fig. 5. Total functions depend on the budget constraint of the organization.

7. Conclusion

Organizations must prepare for potential cyber attacks and data breaches. In many cases, rethinking the security strategy is required in order to achieve an effective, measurable security posture. This paper argues that, for organizations facing such dilemmas and risks, public disclosure can achieve better mitigation and remediation of the risk on their terms. The study results show that during negotiation with a gray hat hacker, the organization can take an active approach, while the hacker responds to its moves. Therefore, the gray hat hacker becomes transparent to the organization, and for the organization it is more effective to collaborate than to act legally against the hacker or to ignore him.

The timing element is crucial to achieving the organization's goals in a disclosure negotiation. At the same time, any alternative can result in a conflict between the two parties, leading to cyber risks for the organization. The results show that when the two sides decide to extend the game or continue on their own, they lose their benefits. Hence, the study's numerical analysis observed that maximum cooperation occurs when both parties decide to collaborate at the beginning of the game. Once the gray hat hacker chooses to share the details of the vulnerability with the organization, the organization will prefer to reduce its resource allocation and cooperate with the gray hat hacker. However, the greater the organization's financial allocation, the greater the loss: the earnings decrease with any additional resource allocation.

This paper contributes to a better understanding of the delicate balance of the "disclose or exploit" dilemma, given that both parties prefer a low level of vulnerability. As a result, it minimizes a hacker's decision to exploit a vulnerability for malicious activity; instead, the organization will not ignore vulnerabilities and will have a safer environment.

Furthermore, future researchers are encouraged to consider other types of cyber-attacks that can affect the timing element in the negotiation between an organization and a hacker, for example a ransomware attack on critical national infrastructure. As organizations and companies accumulate ever more significant digital assets connected to global technology networks, the need to develop new models to cope with cyber threats is increasing.

References

Ablon, L., & Bogart, A. (2017). Zero days, thousands of nights: The life and times of zero-day vulnerabilities and their exploits. Rand Corporation. https://doi.org/10.7249/RR1751
Arora, A., Krishnan, R., Nandkumar, A., Telang, R., & Yang, Y. (2004). Impact of vulnerability disclosure and patch availability: An empirical analysis. In Proceedings of the third workshop on the economics of information security, 24 (pp. 1268–1287).
Arkin, B., Stender, S., & McGraw, G. (2005). Software penetration testing. IEEE Security & Privacy, 3(1), 84–87. https://doi.org/10.1109/MSP.2005.23
Bao, T., Shoshitaishvili, Y., Wang, R., Kruegel, C., Vigna, G., & Brumley, D. (2017). How shall we play a game? A game-theoretical model for cyber-warfare games. In Proceedings of the IEEE 30th computer security foundations symposium (CSF) (pp. 7–21). IEEE. https://doi.org/10.1109/CSF.2017.34
Bonina, C., Koskinen, K., Eaton, B., & Gawer, A. (2021). Digital platforms for development: Foundations and research agenda. Information Systems Journal. https://doi.org/10.1111/isj.12326
Chana, S. H., & Janjarasjit, S. (2019). Insight into hackers' reaction toward information security breach. International Journal of Information Management, 49, 388–396. https://doi.org/10.1016/j.ijinfomgt.2019.07.010
Chen, H., Chiang, R. H., & Storey, V. C. (2012). Business intelligence and analytics: From big data to big impact. MIS Quarterly, 1165–1188. https://doi.org/10.2307/41703503
Chen, H., Han, Q., Jajodia, S., Lindelauf, R., Subrahmanian, V. S., & Xiong, Y. (2020). Disclose or exploit? A game-theoretic approach to strategic decision making in cyber-warfare. IEEE Systems Journal, 14(3), 3779–3790. https://doi.org/10.1109/JSYST.2020.2964985
(2014). Chapter 13: Cyber terrorism: Case studies. In Cyber crime and cyber terrorism investigator's handbook (pp. 165–174). Elsevier Inc. https://doi.org/10.1016/B978-0-12-800743-3.00013-X
Colladon, A. F., Gloor, P., & Iezzi, D. F. (2020). Editorial introduction: The power of words and networks. International Journal of Information Management, 51, Article 102031. https://doi.org/10.1016/j.ijinfomgt.2019.10.016
Curtin, J., Kauffman, R. J., & Riggins, F. J. (2007). Making the 'MOST' out of RFID technology: A research agenda for the study of the adoption, usage and impact of RFID. https://doi.org/10.1007/s10799-007-0010-1
de Jong, S., Oosterveld, W. T., De Spiegeleire, S., Bekkers, F., Usanov, A., Salah, K. E., Vermeulen, P., & Polácková, D. (2016). Better together: Case-study 2, The hacker community. Hague Centre for Strategic Studies.
Derbyshire, R., Green, B., & Hutchison, D. (2021). "Talking a different language": Anticipating adversary attack cost for cyber risk assessment. Computers & Security, 103, Article 102163. https://doi.org/10.1016/j.cose.2020.102163
Deutsch, Y. (2021). A polynomial-time method to compute all Nash equilibria solutions of a general two-person inspection game. European Journal of Operational Research, 288(3), 1036–1052. https://doi.org/10.1016/j.ejor.2020.06.032
Deutsch, Y., Golany, B., & Rothblum, U. G. (2011). Determining all Nash equilibria in a (bi-linear) inspection game. European Journal of Operational Research, 215(2), 422–430. https://doi.org/10.1016/j.ejor.2011.05.054
Deutsch, Y., Goldberg, N., & Perlman, Y. (2019). Incorporating monitoring technology and on-site inspections into an n-person inspection game. European Journal of Operational Research, 274(2), 627–637. https://doi.org/10.1016/j.ejor.2018.10.012
Dhillon, G., Smith, K., & Dissanayaka, I. (2021). Information systems security research agenda: Exploring the gap between research and practice. Journal of Strategic Information Systems, 30(4), Article 101693. https://doi.org/10.1016/j.jsis.2021.101693
Dong, W., Liao, S., & Zhang, Z. (2018). Leveraging financial social media data for corporate fraud detection. Journal of Management Information Systems, 35(2), 461–487. https://doi.org/10.1080/07421222.2018.1451954
Falk, C. (2004). Gray hat hacking: Morally black and white. In Proceedings of the cyber security group (CSG) training conference.
Fitch, S. C., & Muckin, M. (2015). Defendable architectures.
Gaia, J., Sanders, G. L., Sanders, S. P., Wang, X., & Yoo, C. W. (2021). Dark traits and hacking potential. Journal of Organizational Psychology, 21(3), 23–46. https://doi.org/10.33423/jop.v21i3.4307
Gamero-Garrido, A., Savage, S., Levchenko, K., & Snoeren, A. C. (2017). Quantifying the pressure of legal risks on third-party vulnerability research. In Proceedings of the ACM SIGSAC conference on computer and communications security (pp. 1501–1513). Association for Computing Machinery. https://doi.org/10.1145/3133956.3134047
Ganin, A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I. (2020). Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis, 40(1), 183–199. https://doi.org/10.1111/risa.12891
George, G., Osinga, E. C., Lavie, D., & Scott, B. A. (2016). Big data and data science methods for management research. https://doi.org/10.5465/amj.2016.4005
Goerzen, M., & Matthews, J. (2019). Black hat trolling, white hat trolling, and hacking the attention landscape. In Proceedings of the world wide web conference (WWW '19) (pp. 523–528). Association for Computing Machinery. https://doi.org/10.1145/3308560.3317598
Hahn, A., & Govindarasu, M. (2012). Cyber vulnerability disclosure policies for the smart grid. In Proceedings of the IEEE power and energy society general meeting (pp. 1–5). IEEE. https://doi.org/10.1109/PESGM.2012.6345603
Hausken (2020). Cyber resilience in firms, organizations and societies. Internet of Things, 11, Article 100204. https://doi.org/10.1016/j.iot.2020.100204
Hua, J., & Bapna, S. (2013). The economic impact of cyber terrorism. Journal of Strategic Information Systems, 22(2), 175–186. https://doi.org/10.1016/j.jsis.2012.10.004
Kahneman, D., & Tversky, A. (1979). Prospect theory: An analysis of decision under risk. Econometrica, 263–292. https://doi.org/10.2307/1914185
Kar, A. K., & Dwivedi, Y. K. (2020). Theory building with big data-driven research: Moving away from the "What" towards the "Why". International Journal of Information Management, 54, Article 102205. https://doi.org/10.1016/j.ijinfomgt.2020.102205
Kirsch, C. (2014). The grey hat hacker: Reconciling cyberspace reality and the law. Northern Kentucky Law Review, 41(3), 383–404.
Kushwaha, A. K., Kar, A. K., & Dwivedi, Y. K. (2021). Applications of big data in emerging management disciplines: A literature review using text mining. International Journal of Information Management Data Insights, 1(2), Article 100017. https://doi.org/10.1016/j.jjimei.2021.100017
Kushwaha, A. K., Mandal, S., Pharswan, R., Kar, A. K., & Ilavarasan, P. V. (2020). Studying online political behaviours as rituals: A study of social media behaviour regarding the CAA. In Proceedings of the international working conference on transfer and diffusion of IT (pp. 315–326). Cham: Springer. https://doi.org/10.1007/978-3-030-64861-9_28
Matthias, O., Fouweather, I., Gregory, I., & Vernon, A. (2017). Making sense of big data: Can it transform operations management? International Journal of Operations & Production Management, 37(1), 37–55. https://doi.org/10.1108/IJOPM-02-2015-0084
Naseer, A., Naseer, H., Ahmad, A., Maynard, S. B., & Siddiqui, A. M. (2021). Real-time analytics, incident response process agility and enterprise cybersecurity performance: A contingent resource-based analysis. International Journal of Information Management, 59, Article 102334. https://doi.org/10.1016/j.ijinfomgt.2021.102334
Radziwill, N., Romano, J., Shorter, D., & Benton, M. (2015). The ethics of hacking: Should it be taught? Software Quality Professional, 18(1), 11–15.
Rajasooriya, S. M., Tsokos, C. P., & Kaluarachchi, P. K. (2017). Cyber security: Nonlinear stochastic models for predicting the exploitability. Journal of Information Security, 8(2), 125–140. https://doi.org/10.4236/jis.2017.82009
Roumani, Y., Nwankpa, J., & Roumani, Y. (2016). Examining the relationship between firm's financial records and security vulnerabilities. International Journal of Information Management, 36(6, Part A), 987–994. https://doi.org/10.1016/j.ijinfomgt.2016.05.016
Ruohonen, J., Hyrynsalmi, S., & Leppänen, V. (2020). A mixed methods probe into the direct disclosure of software vulnerabilities. Computers in Human Behavior, 103, 161–173. https://doi.org/10.1016/j.chb.2019.09.028
Sanjab, A., Saad, W., & Başar, T. (2017). Prospect theory for enhanced cyber-physical security of drone delivery systems: A network interdiction game. In Proceedings of the IEEE international conference on communications (ICC) (pp. 1–6). IEEE. https://doi.org/10.1109/ICC.2017.7996862
Stacey, P., Taylor, R., Olowosule, O., & Spanaki, K. (2021). Emotional reactions and coping responses of employees to a cyber-attack: A case study. International Journal of Information Management, 58, Article 102298. https://doi.org/10.1016/j.ijinfomgt.2020.102298
Tversky, A., & Kahneman, D. (1992). Advances in prospect theory: Cumulative representation of uncertainty. Journal of Risk and Uncertainty, 5(4), 297–323. https://doi.org/10.1007/BF00122574
Walshe, T., & Simpson, A. (2020). An empirical study of bug bounty programs. In Proceedings of the IEEE 2nd international workshop on intelligent bug fixing (IBF) (pp. 35–44). IEEE. https://doi.org/10.1109/IBF50092.2020.9034828
Weulen Kranenbarg, M., Holt, T. J., & van der Ham, J. (2018). Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure. Crime Science, 7(1), 16. https://doi.org/10.1186/s40163-018-0090-8