
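Graduate student: 陳俊偉 (Chen, Chun-Wei)
Thesis title: Network Externality and Incentive to Invest in Network Security (網路安全外部性與投資誘因之研究)
Advisor: 廖俊雄 (Liao, Chun-Hsiung)
Degree: Doctor
Department: College of Management - Department of Transportation and Communication Management Science
Year of publication: 2014
Academic year of graduation: 102
Language: English
Number of pages: 38
Keywords (Chinese): network externality, network security investment, network security technology efficiency, survival probability
Keywords (English): Network externality, network security investment, technology effectiveness of NS, survival probability
Usage counts: views: 112, downloads: 15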
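  • In today's information economy, the evolution of networks is one of the greatest inventions and has changed the daily activities of individuals and business organizations. Computer technology and the Internet are ubiquitous in the economic activities of consumption and transactions. Over the past 20 years public consumption behavior has changed significantly, and the stay-at-home economy is booming. For this reason, most enterprises use information technology systems to store, process and exchange critical information with their customers, partners and shareholders. However, dependence on network systems brings risks with it. The rapid development of new forms of cyber crime has therefore led to frequent network security incidents. Network security breaches can cause major losses for enterprises. According to the results of the 2008 CSI/FBI Computer Crime and Security Survey, among 144 enterprise respondents, the average highest loss in 2007 was US$345,005. This is the main reason why enterprises invest in network security systems, whose purpose is to protect the confidentiality, integrity and availability of information assets.
    This study explores how network externality affects enterprises' strategies for investing in network security. Based on competition in homogeneous goods in the e-commerce industry, it builds a theoretical model to analyze how, in the short run, network externality affects a firm's optimal strategy for investing in network security. By deriving firms' incentive to invest in network security, it then analyzes the effects of survival probability, market size and the number of investing firms on that incentive. Finally, policy implications are drawn from the research conclusions, in the hope that the security of the e-commerce industry, and of the overall network environment, can be improved.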

    In today’s information-based economy, the evolution of networks is one of the greatest innovations and has changed the lives of individuals and business organizations. Computer technology and the Internet play a ubiquitous role in economic activities related to consumption and transactions. Home shopping and the stay-at-home economy have been booming in recent decades as public consumption behavior has substantially changed. For this reason, most organizations depend on information technology (IT) systems to store, process and exchange critical information with their customers, partners and shareholders. This dependency brings major risks to the information and to the IT systems that hold it. As a result, network security incidents occur frequently alongside the rapid evolution of new cyber crimes. Breaches of network security can result in substantial losses for businesses. According to the 2008 CSI/FBI Computer Crime and Security Survey, the average loss per respondent was $288,618 for 144 respondents, down from $345,005 in 2007 but up from the low of $167,713 in 2006. This is the main reason why organizations invest in network security systems, which are designed to protect the confidentiality, integrity and availability of information assets. The importance of information security has led many organizations to pay close attention to related investment decisions.
    This research examined how network externality influences the optimal strategy of a firm with regard to investments in network security (NS). A theory-based model is developed to investigate how, in the short run, network externality influences the optimal NS investment strategy of competing online firms producing homogeneous services. The incentive of a firm to invest in NS is derived, and the impacts of the survival probability, the market size, and the number of firms investing in NS on that incentive are also analyzed. Policy implications drawn from the research are provided at the end of the work.

    Abstract
    List of Figures
    Chapter One Introduction
    Chapter Two Literature Review
    Chapter Three Methodology
        3.1 Model Description
        3.2 Firm Incentives in Network Security
        3.3 Interaction Strategy
        3.4 Market Size
    Chapter Four Conclusions, Discussion, and Future Research
        4.1 Summary
        4.2 Conclusions
        4.3 Discussion
        4.4 Future Research
    References

    Anderson, R. (2001). Why Information Security is Hard-An Economic Perspective. Paper presented at the Proceedings of the 17th Annual Computer Security Applications Conference.
    Anderson, R. (2002). Maybe we spend too much? Unsettling Parallels Between Security and the Environment. Retrieved from http://www.cl.cam.ac.uk/~rja14/econws/37.txt.
    Attewell, P. (1992). Technology Diffusion and Organizational Learning - the Case of Business Computing. Organization Science, 3(1), 1-19.
    August, T., & Tunca, T. I. (2006). Network software security and user incentives. Management Science, 52(11), 1703-1720. doi: 10.1287/mnsc.1060.0568
    Bayuk, J. L. (2001). Security metrics: How to justify security dollars and what to spend them on. Computer Security Journal, 17(1), 1-12.
    Bojanc, R., & Jerman-Blažič, B. (2008a). An economic modelling approach to information security risk management. International Journal of Information Management, 28(5), 413-422. doi: 10.1016/j.ijinfomgt.2008.02.002
    Bojanc, R., & Jerman-Blažič, B. (2008b). Towards a standard approach for quantifying an ICT security investment. Computer Standards & Interfaces, 30(4), 216-222. doi: 10.1016/j.csi.2007.10.013
    Bollier, D. (1996). The future of electronic commerce: a report of the fourth annual Aspen Institute Roundtable on Information Technology. Washington, D.C.: Aspen Institute.
    Bolot, J., & Lelarge, M. (2009). Cyber Insurance as an Incentive for Internet Security. 269-290. doi: 10.1007/978-0-387-09762-6_13
    Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A model for evaluating IT security investments. Communications of the ACM, 47(7), 87-92.
    Chappell, C., & Feindt, S. (1999). Analysis of E-commerce practice in SMEs.
    Coppel, J. (2000). E-commerce: Impacts and Policy Challenges: OECD.
    Dynes, S., Johnson, M. E., Andrijcic, E., & Horowitz, B. (2007). Economic costs of firm-level information infrastructure failures: Estimates from field studies in manufacturing supply chains. The International Journal of Logistics Management, 18(3), 420-442. doi: 10.1108/09574090710835147
    Gal-Or, E., & Ghose, A. (2005). The Economic Incentives for Sharing Security Information. Information Systems Research, 16(2), 186-208. doi: 10.1287/isre.1050.0053
    Garcia, A., & Horowitz, B. (2007). The potential for underinvestment in internet security: implications for regulatory policy. Journal of Regulatory Economics, 31(1), 37-55. doi: 10.1007/s11149-006-9011-y
    CompTIA. (2007). Information security spending on the rise. Retrieved from http://www.comptia.org/home.aspx
    Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Trans. Inf. Syst. Secur., 5(4), 438-457. doi: 10.1145/581271.581274
    Hausken, K. (2006). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 8(5), 338-349. doi: 10.1007/s10796-006-9011-6
    Hoo, K. J. S. (2000). How Much is Enough? A Risk Management Approach to Computer Security: Stanford University.
    Huang, C. D., Hu, Q., & Behara, R. S. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, 114(2), 793-804. doi: 10.1016/j.ijpe.2008.04.002
    Iheagwara, C., Blyth, A., Kevin, T., & Kinn, D. (2004). Cost effective management frameworks: the impact of IDS deployment technique on threat mitigation. Information and Software Technology, 46(10), 651-664. doi: 10.1016/j.infsof.2003.11.004
    Iheagwara, C., Arthur, S., & Acar, Y. (2005). The Different Metrics of ROI: Implications for Information Assurance. Retrieved from www.isaca-washdc.org/pages/articles/article-nov2005-print.htm
    Jean Camp, L., & Wolfram, C. (2004). Pricing Security. In L. Camp & S. Lewis (Eds.), Economics of Information Security (Vol. 12, pp. 17-34): Springer US.
    Jiang, L., Anantharam, V., & Walrand, J. (2008a). Efficiency of selfish investments in network security. Paper presented at the Proceedings of the 3rd international workshop on Economics of networked systems, Seattle, WA, USA.
    Jiang, L., Anantharam, V., & Walrand, J. (2008b). How Bad are Selfish Investments in Network Security?: EECS Department, University of California, Berkeley.
    Kumar, R., Park, S., & Subramaniam, C. (2008). Understanding the Value of Countermeasure Portfolios in Information Systems Security. J. Manage. Inf. Syst., 25(2), 241-280. doi: 10.2753/mis0742-1222250210
    Kunreuther, H., & Heal, G. (2003). Interdependent Security. Journal of Risk and Uncertainty, 26(2), 231-249. doi: 10.1023/a:1024119208153
    Lelarge, M. (2009). Economics of malware: epidemic risks model, network externalities and incentives. Paper presented at the Proceedings of the 47th annual Allerton conference on Communication, control, and computing, Monticello, Illinois, USA.
    Liu, P., Zang, W., & Yu, M. (2005). Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Trans. Inf. Syst. Secur., 8(1), 78-118. doi: 10.1145/1053283.1053288
    Ogut, H., Menon, N., & Raghunathan, S. (2005). Cyber Insurance and IT Security Investment: Impact of Interdependent Risk. Paper presented at the 4th Workshop on the Economics of Information Security, Cambridge, MA, USA.
    Passionate Project Management. (2013). Retrieved from http://www.passionatepm.com/.
    Powell, B. (2005). Is Cybersecurity a Public Good? Evidence from the Financial Services Industry. Journal of Law, Economics and Policy, 1, 497-510.
    Purser, S. A. (2004). Improving the ROI of the security management process. Computers & Security, 23(7), 542-546. doi: 10.1016/j.cose.2004.09.004
    Richardson, R. (2008). CSI Computer Crime & Security Survey (the 13th year of the survey): Computer Security Institute.
    Rowe, B., & Gallaher, M. P. (2006). Could IPv6 improve network security? And, if so, at what cost? Cybersecurity. I/S: A Journal of Law and Policy for the Information Society, 2(2), 231-267.
    Schechter, S. E., & Smith, M. D. (2003). How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks. Paper presented at the Financial Cryptography. http://dblp.uni-trier.de/db/conf/fc/fc2003.html#SchechterS03
    Shostack, A. (2005). Avoiding Liability: An Alternative Route to More Secure Products. Paper presented at the Fourth Workshop on the Economics of Information Security, Cambridge, MA. http://infosecon.net/workshop/pdf/44.pdf
    Tsiakis, T., & Stephanides, G. (2005). The economic approach of information security. Computers & Security, 24(2), 105-108. doi: 10.1016/j.cose.2005.02.001
    U.S. Census Bureau, E-Stats (Washington, D.C.: 2010), available online at http://www.census.gov/econ/estats/2008/2008reportfinal.pdf.
    van Kessel, P. (2009). Outpacing Change: 12th Annual Global Information Security Survey: Ernst & Young.
    Varian, H. (2004). System reliability and free riding. In L. J. Camp & S. Lewis (Eds.), Economics of Information Security. New York Springer: Kluwer Academic Publishers.
    Walsh, K. R. (2003). Analyzing the application ASP concept. Communications of the ACM, 46(8), 103-107. doi: 10.1145/859670.859677
    Wang, Y. Z., Yu, M., Li, J. Y., Meng, K., Lin, C., & Cheng, X. Q. (2012). Stochastic game net and applications in security analysis for enterprise network. International Journal of Information Security, 11(1), 41-52. doi: 10.1007/s10207-011-0148-z
    Wang, Z. & Song, H. (2008). Towards an Optimal Information Security Investment Strategy. In Book Towards an Optimal Information Security Investment Strategy. Security, L.J. Camp and S. Lewis (eds.), Kluwer Academic Publishers, New York Springer.
    Warrington, T. B., Abgrab, N. J., & Caldwell, H. M. (2000). Building trust to develop competitive advantage in e-business relationships. Competitiveness Review, 10(2), 160-168. doi: 10.1108/eb046409
    Yue, W. T., Cakanyildirim, M., Ryu, Y. U., & Liu, D. (2007). Network externalities, layered protection and IT security risk management. Decision Support Systems, 44(1), 1-16. doi: 10.1016/j.dss.2006.08.009

    Full-text availability: on campus: available immediately
    off campus: available immediately