1 Introduction
Firms increasingly belong to a variety of interorganizational networks such as complex supply chains, strategic alliances, or other types of partnerships. Membership in these networks can evidently yield economic benefits, but they also necessitate substantial additional security investments due to increased exposure to interdependent or contagion risks (Kunreuther and Heal 2003). For instance, in January 2013, the European food industry endured a horsemeat contamination scandal (Lawrence 2013). Meat products from several retailers and fastfood chains in the United Kingdom and Ireland, advertised as containing beef, were discovered upon testing to have been contaminated with horsemeat. Further investigation revealed that in the complex meat supply networks, with contractors and subcontractors spread all across Europe, a particular supplier had indulged in deliberate contamination in a bid to cut costs. Several retailers, including Britain’s largest retailer, TESCO, that had sourced the contaminated meat faced economic repercussions from a drop in sales and reputational harm. Meanwhile, Sainsbury, a retailer that had not experienced contamination in its meat products, increased its quarterly sales by about 6.3% in the weeks immediately postscandal (Neville 2013). Other notable cases of supply contamination include the adulteration of milk with melamine (Mu et al. 2016, Levi et al. 2020) and the 2008 heparin adulteration scandal (Babich and Tang 2012). Contamination in supply networks, upon discovery, typically results in product recalls, regulatory fines, and brand equity loss, often entailing substantial costs for the concerned firms.
Besides supply networks, interdependent risks can arise in other contexts too. For instance, businesses have a growing recognition that they bear a social responsibility to secure their consumer data from cyber threats (Pollach 2011). Malware infecting the systems of a company in an interfirm network can gain access to the IT systems of its partner firms. Due to poor cybersecurity practices by partner firms, companies such as Target and Home Depot have been the victims of highprofile data and privacy breaches (McAfee 2015, Seals 2014). In today’s highly interconnected networks, risks like contamination in food supply chains or consumer data breaches assume an interdependent nature. That is, the risks faced by a firm depend not only on internal risks arising from their own operations but also on the risk transferred from other firms in the network.
Therefore, to secure themselves against interdependent risks, two general strategies are available to networked firms. First, firms in the network can choose to invest cooperatively in securing themselves, thereby removing sources of risk. Second, alternatively, they can choose to independently secure themselves by eliminating risk from internal operations and then investing in security across the links that connect them to the other firms in the network. So, for example, firms could cooperatively share the costs of supplier quality improvements, thereby investing in suppliers’ embracing responsible operational practices. Alternatively, a retailer can implement quality standards for internal processes, and simultaneously, inspect and quality test incoming products supplied by direct partners. The latter would correspond to the independent security strategy, while the former corresponds to the cooperative strategy.
That is, to manage interdependent risks, firms in the network can either cooperatively invest in security or instead resort to selfinterestedly eliminating transfer risks. Security against interdependent risks is associated with positive externalities since other firms are benefited by the presence of a secured firm in the network. Equivalently, firms that indulge in socially irresponsible practices impose a negative externality on other firms. This would intuitively suggest that cooperative networkwide security against interdependent risks can be a costeffective strategy as compared to each firm in the network independently securing itself. However, cooperation can be hindered by disagreements over costsharing arrangements. Firms, in general, are heterogeneous, both, in the costs they incur to secure themselves as well as in the penalties that they may face in case of a realized risk. Thus, a priori, it is not clear whether there will always exist a stable and fair sharing of security costs that can sustain networkwide cooperation. Furthermore, networked firms typically have visibility and mechanisms to cooperate and monitor with only immediate partners. For instance, extended multitier supply chains are often associated with a potential loss in visibility over firms further away in the network (Caro et al. 2021). Thus, it is also unclear whether one can find suitable mechanisms to implement costsharing arrangements that circumvent coordination across firms that are not immediate or direct partners.^{1}^{1}1Relatedly, Dawande and Qi (2021), in a review of recent research on socially responsible operations management, note that, ”a topic that has not received much attention yet is the design of cooperative strategies among stakeholders in different tiers of a supply chain to collectively ensure socially responsible actions across the supply chain… the utilities of different players from actions such as auditing, inspections, and testing become interconnected in a complex manner. Consequently, the sharing of costs in a fair manner to incentivize cooperation across tiers becomes challenging.”
To address these issues, in this paper, we first consider an interdependent security model on a network and an associated costsharing game. In our interdependent security model, firms in the network are heterogeneous in the costs they incur to secure themselves and the penalties they face in case of an actualized threat. Further, we assume that the security costs are all private information, as will be clarified in §3. Moreover, we assume that unless two firms are cooperatively securing themselves against interdependent risks, each firm is unaware of the other firm’s actions. So, in the absence of explicit cooperation, each firm’s security actions are hidden from other firms in the network. These assumptions are a marked distinction from existing models of interdependent risk and security in the literature, which typically assume that various model parameters are common knowledge and actions are observable. However, in several realworld contexts, in the absence of formal mechanisms for cooperation, firms are neither aware of the security efforts undertaken by other firms and nor can they infer their efforts since the underlying cost structures are typically private information. Finally, in our interdependent security model, as motivated above, firms face an intrinsic risk from their internal operations and an extrinsic risk from their unsecured partners in the network. The characterization of the networkoptimal security strategy is a nontrivial problem. However, we demonstrate that it can be computed in polynomial time using a minimum weighted cut networkflow algorithm.
Then, we adopt a cooperative gametheoretic approach to evaluate whether agents have an incentive to cooperate across the entire network and share the security investment costs, or if they will prefer to invest by themselves (or in smaller groups) to secure themselves selfinterestedly. We show that agents have an incentive to cooperate globally, i.e., form the grand coalition and share the resulting security costs. We do so by demonstrating that the coalition optimal security cost is submodular, and hence, the core of the game is always nonempty (Shapley 1971), and in particular, the Shapley value of the game belongs to the core. Therefore, there exist costsharing mechanisms that can apportion the total cost of network security in a fair and stable, i.e., individually and coalitionally rational fashion. The Shapley value is a wellknown and attractive solution concept for cooperative games from the perspective of fairness considerations. However, in our context, we demonstrate that its computation is a hard problem even for simple network structures.
Importantly, we introduce the notion of bilateral implementability. A costsharing arrangement is said to be bilaterally implementable if and only if it can be enforced by a series of bilateral costsharing agreements between only direct partners in the network. As clarified previously, bilaterally implementable costsharing mechanisms are resistant to limitations of network visibility and control. Further, they can also allow for changes to the underlying network structure over time. We then demonstrate that the Shapley value is not bilaterally implementable in general. Since, in general, the Shapley value is both hard to compute and not bilaterally implementable, we continue the search for suitable security costsharing mechanisms that are stable, fair, and implementable. We then propose a novel security cost sharing mechanism, the agreeable allocation, which is a restricted variant of the Shapley value allocation. We then demonstrate that the agreeable allocation (i) belongs to the core, (ii) is easily computable, (iii) is formalizably fair, and is, (iv) bilaterally implementable. However, agreeable costsharing allocations may not always exist. For the case of quasihomogeneous networks, i.e., networks where the security cost parameters are equal, we provide a graphtheoretic characterization for the existence of the agreeable allocation in terms of the network structure. Specifically, we show that the local density of networks plays a significant role in determining whether the agreeable allocation exists.
In summary, one can view our work in both descriptive and normative terms. Descriptively, we observe that networkwide security cooperation is efficient and there exist stable costsharing mechanisms that can sustain this cooperation. However, when concerns pertaining to computability and implementability of these costsharing mechanisms are incorporated, networkwide security cooperation is rendered more challenging. Normatively, via our analysis of stable, fair, and bilaterally implementable costsharing rules, we are able to provide characterizations of when and how these implementation challenges can be surmounted.
2 Overview of Related Literature
This work is related to three distinct streams of literature. First, it contributes to extant work on social responsibility and risk management in supply chains. Second, our work is closely tied to interdependent security models introduced by (Kunreuther and Heal 2003)
. One of our aims is to bridge these two bodies of literature. Finally, our work adds to the growing literature on applications of cooperative game theory to operations management.
Supply Chain Social Responsibility and Risk Management.
There is a vast literature investigating the role of several instruments such as auditing (Plambeck and Taylor 2016, Caro et al. 2018, Fang and Cho 2020, Chen et al. 2020), inspection and testing (Babich and Tang 2012, Lee and Li 2018), and more recently, contracts (Dhingra and Krishnan 2021), in mitigating social responsibility risks associated with extended global supply chains. We refer the interested reader to Dawande and Qi (2021) for a recent review. While previously, most of this literature dealt with two firm or dyadic scenarios, recently, several studies also deal with multitier supply chains, e.g., supply networks with three tiers or other network structures (Huang et al. 2020, Zhang et al. 2021, Chen et al. 2020). Also closely related to our work, Feng et al. (2021) study the implementation of ESR programs in general supply networks and gain sharing via a bilateral bargaining framework that generalizes a conventional Shapley value based cooperativegame theoretic approach.
While we view our work as contributing to this stream of literature, we note that it bears some differences from extant literature. For instance, we consider a general network structure and do not impose any structural assumptions. Second, and most importantly, our work deals with only interdependent risks. That is risks that are, in a sense, contagion risks spreading via the network. Equivalently, we only consider scenarios wherein firms generally have two broad classes of strategies available to secure themselves: firms can cooperatively secure themselves, or, firms can independently choose to secure themselves by eliminating their intrinsic risk and then investing in security only across the links to their direct partners. These scenarios include cases such as food contamination risks or data breach threats as motivated in the introduction. For example, with extensive quality testing of incoming food products, a firm can secure itself against adulteration.^{2}^{2}2Similarly, a company digitally connected to other firms in a strategic alliance can nevertheless independently secure its IT systems by investing in securing its digital links to its direct partners. This will ensure that even if other unsecured firms in the alliance are compromised by malware or hackers, the focal company will not be affected.
Interdependent Security.
In terms of model development, our work is most closely related to the interdependent security literature. Interdependent security models were introduced by Kunreuther and Heal (2003) and have since spawned a rich literature in the intersection of economics and computer science that studies various related models (see, for example, Laszka et al. (2014) for a review). In these models, as in ours, the security of agents depends on an agent’s own actions (direct risk, or as we term it, intrinsic risk) and those of other agents (indirect or extrinsic risk). The present work aims to bridge the interdependent security literature with the rich stream of work on socially responsible operations in supply networks. While this research stream inspires our model, our work differs from existing literature in some crucial ways. First, in several of the existing models, the agents can only curb their own intrinsic risk and cannot mitigate extrinsic risks. Second, and importantly, a majority of the interdependent security literature adopts a noncooperative (gametheoretic) perspective. They assume that players in the network act to secure themselves independently and then characterize and compute the noncooperative equilibria of these games. Kearns and Ortiz (2003) and Chan et al. (2012) develop algorithms to compute the equilibria of classes of interdependent security games. Heal and Kunreuther (2007) also consider the Nash equilibria of such games and study conditions to tipping suboptimal equilibria to an optimal one. Chan and Ortiz (2014) consider a more general model where agents can influence the transfer of extrinsic risk and then analyze equilibria computations. However, this literature largely ignores issues of cooperation in networks and the problem of when and how cooperation can be sustained. In practice, agents can and indeed do cooperatively secure themselves against interdependent risks. This, therefore, is the central focus of this present paper.
Cooperative Game Theory in Operations Management.
Finally, we also contribute to the growing body of work dealing with applying cooperative game theory to problems in operations management. For a review of this literature, we refer the reader to Nagarajan and Sošić (2008). Benefits of cooperation can be realized and therefore studied in several diverse settings. Some recent applications include inventory pooling (KemahlıoğluZiya and Bartholdi III 2011), inventory transshipments (Granot and Sošić 2003, Sošić 2006), demand information sharing (Leng and Parlar 2009), supplier alliances to mitigate order default risk (Huang et al. 2016), production schedule coordination (Aydinliyim and Vairaktarakis 2010, Cai and Vairaktarakis 2012), supply chain emissions management and reduction (Gopalakrishnan et al. 2021b, a), recycling (Gui et al. 2018, Tian et al. 2020), humanitarian operations (Ergun et al. 2014), vaccine distribution (WesterinkDuijzer et al. 2020) and so forth. Related to our work, Mu et al. (2019) study quality management in milk cooperatives. In dairy cooperatives, individual farmers can shirk on quality and freeride on the higher quality milk produced by other farmers in the cooperative. Mu et al. (2019), therefore, develop a revenue allocation rule that achieves quantity and quality efficiency with minimal testing while incorporating other practical implementation considerations.
3 Interdependent Network Security Model
We consider a set of heterogeneous players^{3}^{3}3The terms agents, firms, and players are used interchangeably in this paper. denoted by . Following standard graphtheoretic notation (Bondy and Murty 2008), let us suppose that the players occupy a network denoted as . The node set of the network coincides with the set of players with each player occupying a unique corresponding node in . An arc for represents a directed link from the player to the player . The set of arcs in the network is denoted by .
Let denote the set of players in to which is connected by an outgoing arc , and similarly, let be the set of players such that the arc . Further, let .
Each player faces two independent sources of risk: an intrinsic risk from its own operations and an extrinsic risk transferred from its partnerships with unsecured players.^{4}^{4}4In the interdependent security literature, intrinsic and extrinsic risks are sometimes referred to as direct and indirect risks, respectively. We assume the cost incurred by player to secure itself against intrinsic risks is given by . Further, the cost incurred by to secure itself against the extrinsic risk transferred from a partner in the network is denoted by . Each player exerts binary actions, , and for all , corresponding to whether to secure itself against its own intrinsic risk and extrinsic risk from its partners, respectively. Since different players may face differing penalties (in regulatory fines or reputational damage) in the case of a realized risk, we assume an unsecured player faces an expected penalty of . A secured player faces a zero penalty. We will subsequently formally clarify when a player is said to be secured and unsecured, respectively.
We assume that the cost of securing against intrinsic risk, , and the expected penalty in case of a realized risk, , are private information known only to player . Similarly, the cost, , to secure the directed link between players and is assumed to be known only to players and . This private information assumption is an important departure from several existing models of interdependent security. Specifically, this assumption implies that in the absence of explicit cooperation between players and , neither can infer the actions of the other. Further, we assume that the security actions of a player are also unobservable by others in the absence of cooperation. Therefore, formally, we define the information set of player who cooperates with the set of players as . Thus, note that for a player acting independently, its information set only consists of its own actions, expected penalty, and costs of securing against its own intrinsic and extrinsic risks.
Given their information set, players in the network choose security actions, , and for all N and after considering the relevant tradeoff between the costs of security and the expected penalty.
Since a player cannot observe or infer the security actions of other players that it does not explicitly cooperate with, it can only identify whether it is secured or unsecured in the worstcase. A player cooperating with the set of players is worstcase secured if and only if it is secured against its own intrinsic risk, i.e., , and further, is also secured against extrinsic risks, i.e., for all (i) players not in , and (ii) players in who are themselves not secured. The worstcase security state of can be denoted by where means, in the worstcase, player is unsecured, and if , then is secured in the worstcase. Henceforth, for convenience, for a fixed cooperation structure, or equivalently, when the information set is implicit, a player is said to be secured (respectively, unsecured) if, in the worstcase, the player is secured (respectively unsecured). For clarity, we note that the worstcase security state of as a function of its information set and security actions satisfies the following,^{5}^{5}5We note that (1) does not always uniquely characterize the worstcase security states. Consider an example with with and for and . In this example, the worstcase security states of players and in the coalition , for . However, for also satisfy (1).
(1) 
The worstcase expected cost incurred by a player as a function of its information set and security actions is given as follows,
(2) 
The worstcase expected cost given by (2) is comprised of three terms. The first term corresponds to the expected penalty from a realized risk and is incurred only when the player is worstcase unsecured. The second and third terms correspond to the costs of securing itself against intrinsic risks, and extrinsic risks from unsecured partners, respectively.
We first consider two extreme forms of security strategies in the network: the independent security strategy and the networkoptimal security strategy. While the former corresponds to the nocooperation, i.e., individually rational scenario, the latter corresponds to the fullcooperation, i.e., the networkoptimal situation. We characterize the security actions and worstcase security states of the players in each of these two scenarios. In §4, we will consider all intermediate cooperative security strategies, i.e., where a subset of firms in the network can cooperatively secure themselves.
Independent Security Strategy.
Since the players are not cooperating with each other on their security actions, as noted previously, the information set of each player is given by which only contains its own actions, expected penalty, and security costs. Then, player is said to be independently secured if , as defined in (2), is minimized when , for a suitable choice of and . The set of all players in which are independently secured is denoted by . The following proposition characterizes when a player is independently secured.^{6}^{6}6All omitted proofs are provided in Appendix I.
Proposition 3.1
A player if and only if . Further, then, for all .
The above proposition captures two straightforward notions: (i) the security strategy is based on a simple tradeoff between the cost of security and the expected penalty incurred from not securing itself, (ii) for an agent acting independently, it is not optimal to partially invest in securing some links and not others. For a player to secure itself in the worstcase, it needs to secure itself from intrinsic risks as well as extrinsic risks from all its partners since it can neither observe nor infer their security actions.
Network Optimal Security Strategy.
We now define the network optimal security strategy for the network wherein all the agents cooperate explicitly. In this setting of full networkwide cooperation, the information set of each player contains all the security costs and expected penalties of all other players in the network. Therefore, the minimum total worstcase expected cost incurred by all players in is given as,
(3) 
We denote the set of all players in which are secured, i.e., , under the above network optimal security strategy by . We first observe that all players that opt to be secured under the independent security strategy continue to be secured under the network optimal strategy.
Proposition 3.2
Every player independently secured is also secured under the network optimal security strategy, .
However, the positive externalities, inherent to the context, may result in certain nodes being secured under the networkoptimal security strategy which are unsecured when acting independently. That is, we note that the above inclusion can be strict since, in general, there can exist players that are unsecured under the independent strategy but are secured under the network optimal strategy, as demonstrated by the following example.
Example 3.3 ( strictly)
Consider a set of players, situated on a graph with arc set . Further, let for all , and let . It can be easily verified that , however, .
We now provide a key result demonstrating that the network optimal security strategy and equivalently, , can be computed via a networkflow algorithm. The algorithm relies on the construction of an auxiliary directed network . We then transform the problem of computing to that of identifying a minimum weight  cut in .
Construction of the Auxiliary Network .
The node set of is given by where and are two additional nodes not present in the original network . The nodes and represent the source and sink of the network , respectively. The arc set of consists of, (i) arcs from to each node with capacity , (ii) arcs from to with capacity , (iii) arcs from to with capacity . The construction of the auxiliary network is illustrated in Figure 1. The following theorem establishes the connection between the network optimal security strategy in and the minimum weight  cut problem in .
Theorem 3.4
Suppose the minimum weight cut separating and partitions the nodes of into and such that . Then . Further, is the weight of the cut .
Proof.
Let denote the network optimal security state of player , i.e., if and only if . Further, let us denote by , and for , the network optimal security actions by player . We first note that for from (1) with , , and for all . Further, for all since if players and are both secured, it is not optimal to secure the links between them. Moreover, for , that is when is unsecured, it is not optimal for to partially secure itself from intrinsic or extrinsic risks. Therefore, , and for all . Then,
Now, consider the auxiliary network and the minimum weight directed cut separating and in with source and sink . The minimum weight directed cut in this network identifies and such that the sum of weights on arcs directed from to is minimized. The sum of weights of these arcs is given by,
Comparing the expressions, and are simultaneously minimized when and . This completes the proof.
Also, from (1), it follows that if and denote the network optimal security actions of the players, then, if and only if , and, if and only if , . Therefore, from Theorem 3.4, we also immediately obtain the network optimal security strategy. Now, note that the directed network has nodes and arcs. Thus, from the pushrelabelalgorithm (Goldberg and Tarjan 1988) to compute maximum flows, we immediately obtain the following corollary.
Corollary 3.5
can be computed in time where and .
Apart from being of computational and theoretical interest, the connection between the network optimal security strategy and the minimum weight cut problem can also allow one to leverage parametric properties of mincuts to perform comparative static analyses and derive qualitative insights on the network optimal security strategy.
The network optimal security strategy resolves two distinct kinds of inefficiencies engendered by the individually rational security strategies of the players. The first inefficiency arises from the canonical underinvestment of efforts resulting from a failure to internalize positive externalities. This is well recognized in the interdependent security literature (see, for example, Acemoglu et al. (2016)).^{7}^{7}7Acemoglu et al. (2016), for instance, note that,
”a clear positive externality exists in security investments. An agent that fails to protect itself adequately not only increases the probability of its own infection but also increases the likelihood that infection will spread to other agents.”
Therefore, some agents for whom it was individually rational to not invest in security efforts are now secured since these erstwhile externalities are now internalized in the networklevel optimization. This reflects the strategic complementarity inherent in situations with interdependent risks. The second source of inefficiency arises, in our model, as a consequence of security costs being privately held information. Equivalently, the noninferability of security efforts of a player by other players who are not cooperating with it results in the inefficient duplication of security investments across the network. This provides an economic rationale for anecdotal evidence from diverse supply chain security contexts that bear out this source of inefficiency (ASEM 2013).Finally, we now demonstrate the necessity of costsharing mechanisms in order to implement the networkoptimal security strategy. For a player in the network, given the security states of all its direct partner firms, the networkoptimal security action is not necessarily individually rational. That is, the networkoptimal security strategy is not always a Nash equilibrium strategy.
Example 3.6
Let . Let , . Further, let . It is easily seen that the networkoptimal security strategy secures both players. However, even given that is secured, it is still not individually rational for to secure itself since its expected penalty is lower than its instrinsic security cost. Thus, the networkoptimal security strategy is not a Nash equilibrium strategy.
The above example demonstrates that in order to implement and sustain the networkoptimal security strategy, transfer payments between the players are necessary.
4 Security Cost Sharing Mechanisms
The next natural question is therefore to ask whether networkwide security cooperation can be sustained with suitable costsharing mechanisms. Equivalently, we are interested in finding whether and when cooperation can be made individually rational, and the networkwide efficiency gains can be shared amongst the firms in a stable and fair manner. The field of cooperative game theory is well suited to address these questions. Towards that end, we first briefly review some cooperative game theory preliminaries. We refer the interested reader to Maschler et al. (2013) and other standard textbooks for a more thorough treatment. We will subsequently employ these concepts to define an interdependent security cost sharing cooperative game to shed light on whether networkwide security cooperation can be sustained via stable, fair, and implementable security cost sharing mechanisms.
4.1 Cooperative Game Theory Preliminaries
Cooperative game theory primarily addresses the question of whether cooperation can be sustained across a group of agents, and closely tied to this, is the problem of fairly sharing or allocation of profits (or cost savings) obtained via cooperation between those agents. A cooperative game is defined by where is the set of players in the game and
is a characteristic function that associates to every subset (or, coalition)
a corresponding cost . The subset consisting of all players, that is, the set itself is known as the grand coalition. An object of frequent interest is whether the grand coalition will form and whether it remains rational for individual players, or groups of players, to remain in the grand coalition.In this work, we will only deal with cost games, i.e., where is the cost incurred by the coalition , and players act to minimize their costs. The concepts introduced here easily carry over to games where the characteristic function represent profits gained by coalitions, and players intend to maximize their profits. A cooperative game is said to be subadditive if the characteristic function satisfies for . Subadditivity of the characteristic function can loosely be interpreted as offering an incentive for disjoint coalitions to cooperate. Another important property that a cooperative game can satisfy is convexity. The convexity property is stronger than the subadditivity property, and it loosely captures the intuition that as a coalition grows larger, the greater the incentive for other players to also join it. Formally, for . Note that convexity along with the standard assumption that implies subadditivity of the game.
4.2 Interdependent Security Cost Sharing Game
Consider the set of agents situated on the graph . Previously, the two security strategies considered represented the two extremes corresponding to nocooperation and fullcooperation settings. We now extend the discussion to consider all intermediate levels of cooperation. That is, for any subset of agents, , we can define the coalition optimal security strategy as that which minimizes the expected worstcase security cost of a cooperating set of agents ,
(4) 
We define an indicator function for player belonging to a coalition that indicates whether player is secured under the coalition optimal security strategy for . Formally,
(5) 
where and denote the optimal solutions to (4.2). Further, denote the set of players secured in under the coalition optimal security strategy by . That is, if and only if . Clearly, are the players in that are not secured under the coalition optimal security strategy. Further, for clarity, note that . The following result demonstrates a monotonicity property satisfied by the coalition optimal security strategy that generalizes Proposition 3.2.
Proposition 4.1
A player that is secured under the coalition optimal security strategy for a coalition is also secured under the coalition optimal security strategy for a coalition , i.e., if , then .
Further, the pair defines a cooperative game which we term as the interdependent security cost sharing game. The following proposition indicates that can also be computed via a similar transformation to a minimum weight cut problem on the auxiliary graph as in Theorem 3.4. This again immediately lends itself to a polynomial time algorithm to compute the coalition optimal security cost, .^{8}^{8}8Note that when , then, .
Proposition 4.2
is the weight of the minimum cut separating the node set and the node in the auxiliary directed graph and thus can be computed in polynomial time.
An efficient security cost sharing mechanism is defined as such that
(6) 
An efficient security cost sharing mechanism is said to be a core allocation, i.e., it belongs to the core if and only if it is rational for all subsets of players in to remain in the grand coalition rather than deviate to form a coalition among themselves. That is, is a core allocation if and only if,
(7) 
The core of some cooperative games may be empty. An empty core will preclude the existence of stable cost sharing arrangements. However, in cooperative games that are also convex, it is well known that the core of such games is nonempty (Shapley 1971). The following theorem demonstrating the convexity of the interdependent security cost sharing game therefore assumes significance since it guarantees the existence of a stable cost sharing mechanism.
Theorem 4.3
The coalition optimal security cost, , is submodular^{9}^{9}9The set function is said to be submodular if for sets and such that , for , . in . Thus, there always exists a stable security cost sharing mechanism.
Before we proceed to derive and analyze specific security cost sharing mechanisms, the following observation notes that if a player is unsecured under the networkoptimal security strategy, then, the player is allocated by all stable cost sharing arrangements.
Lemma 4.4
Consider such that and an arbitrary core allocation of the interdependent security cost sharing game on network .

allocates to player , .

Define as the induced subgraph of on the node set . Further, let for , and let all the other security cost parameters of be identical to the corresponding costs in . Then, there exists a onetoone correspondence between the core allocations of the interdependent security games on and , respectively.
Lemma 4.4 also allows us to restrict our attention, in this paper henceforth, to networks
and associated cost parameter vectors such that all firms are secured under the networkoptimal security strategy.
Shapley Value Based Security Cost Sharing.
The convexity of guarantees that a specific wellknown and commonly employed allocation in cooperative games, the Shapley value (Shapley 1953), belongs to the core. Beyond its membership in the core, the Shapley value also uniquely satisfies several natural fairness properties and has an axiomatic basis in general cooperative games. Formally, the Shapley value, , introduced by Shapley (1953), allocates to a player in a general cooperative game ,
(8) 
As clarified by the above equation (8), the Shapley value rewards players for their marginal contributions to various coalitions, and to that extent, it can be argued as exemplifying a certain notion of fairness.^{10}^{10}10For instance, Kleinberg and Weiss (1985) note that, ”For the most part, informal inspections of this formula have formed the basis for the widely accepted notion that the Shapley value is a “fair” way of dividing up, among other things, the gains from group cooperation […] In each of these situations, when two or more players cooperate, interactive or synergistic effects take place. The problem then arises as to how to assign to each player his share of these effects in a way that takes due account of his overall position in the game. A seemingly fair way to do this is to […] calculate a player’s marginal contribution to each coalition to which he could belong and then take a weighted average of these contributions.” Further, Shapley (1953) demonstrates that is the unique efficient allocation characterized by the following properties (or axioms):
i. Symmetry Property: For players and such that for all subsets , , if , then .
ii. Null Player Property: For player such that for all , then .
iii. Additivity Property: The Shapley value, , of a cooperative game, , that is the sum of two cooperative games, and , equals the sum of the Shapley values of the two games, and , respectively.
Of these properties, we note that the symmetry property formalizes the idea that players which are “identical” in terms of their marginal contributions should receive an identical share of the value created by cooperation. This is, arguably, an innocent fairness criterion which, along with the marginal contribution interpretation discussed before, we shall return to later on in this work. The Shapley value is widely adopted as a costsharing or a profitsharing, as the case may be, allocation method in diverse contexts, including several mentioned in §2, such as inventory pooling (KemahlıoğluZiya and Bartholdi III 2011), capacity allocation and scheduling (Aydinliyim and Vairaktarakis 2010), group purchasing (Chen and Yin 2010), disaster preparedness (RodríguezPereira et al. 2021), emission responsibility allocation in supply chains (Gopalakrishnan et al. 2021b), and so forth.
This motivates our search for characterizing and computing the Shapley value of the game. However, for our game, the computation of the Shapley value can be shown to be linked with the classical subset sum problem in theoretical computer science. In fact, this connection allows to deduce a polynomial time reduction to the subset sum problem thereby demonstrating that computing the Shapley value of interdependent security games is a computationally hard problem.
Theorem 4.5
There is no polynomial time algorithm that computes the Shapley value for a given player in the interdependent security cost sharing game unless P = NP.
Further, from the proof of Theorem 4.5, we note that even for simple structures such as the assembly supply network, computing the Shapley value is hard. Beyond computational interest, the above result on the complexity of the Shapley value is of interest to us for reasons of implementation. In general, equilibrium concepts in noncooperative game theory or solution concepts in cooperative games that are computationally intractable raise the question of feasibility of whether selfinterested agents can identify and implement these mechanisms in practice.^{11}^{11}11Relatedly, Roughgarden (2010) observes, “(A) complexitytheoretic hardness result can diminish the predictive interpretation of an equilibrium concept and suggests more tractable alternatives […] In a practical design context, it is obvious that a mechanism that is actually implemented had better be computationally tractable to run, like the deferred acceptance algorithm, and also easy to play, in the sense that participants should not need to perform difficult computations.”
For a notable special case, however, the Shapley value can be computed easily. In fact, when the expected penalties, in case of a realized risk, are sufficiently large for all players, then the Shapley value has a straightforward closed form expression.
Theorem 4.6
If for all , i.e., if , then, the Shapley value based security cost allocation to player is given by,
(9) 
In this scenario, when the expected penalties are sufficiently large, it is individually rational for all players to secure themselves (i.e., under the independent security strategy). That is, since all players choose to secure themselves even without cooperation, the networkoptimal security strategy resolves only one kind of inefficiency, that arising from duplication of security efforts. Under the Shapley value based security cost sharing mechanism, in this scenario, the cost savings from avoiding duplication of security efforts across each link in the network are equally shared by both parties. This also carries implications for the implementation of the cost sharing mechanism which will be elaborated on in §5.
Extreme Core Allocations.
However, this still leaves open the question of whether, in general interfirm networks, there exist stable security costsharing arrangements sustaining networkwide cooperation that can also be computed easily. We provide an affirmative answer to this question. Consider a permutation of the players in . Then, we define a costsharing allocation, , corresponding to the permutation as follows,
Proposition 4.7
For every permutation of , the allocation is an extreme point of the core of the interdependent security cost sharing game and can be computed in polynomial time.
The proof of Proposition 4.7 relies on the convexity of the game and the characterization of the core of convex games as developed by Shapley (1971). Further, we demonstrate that the extreme core points of the interdependent security cost sharing game can be computed in polynomial time, thereby, allowing us to identify easily computable and stable security cost sharing arrangements. However, it can easily be seen that extreme core allocations as identified in Proposition 4.7 do not satisfy a basic notion of fairness as embodied in the symmetry property introduced earlier.
Proposition 4.8
The security costsharing allocation does not satisfy the symmetry property.
Our discussion, thus far, uncovers what appears to be an “impossible” trilemma: stability, fairness, and implementability. That is, when we simultaneously require a security costsharing arrangement to be stable (i.e., it must be individually and coalitionally rational), fair (in terms of a basic symmetry property), and implementable (in terms of ease of computability), it already proves to be too restrictive. Descriptively, this suggests why, although the welfare gains achieved by networkwide security cooperation can, in principle, be stably shared, we may still not observe such cooperation in practice. In the next section, we will delve deeper into implementability concerns. Further, and importantly, we will also attempt to find a satisfactory reconciliation of the divergence between stability, fairness, and implementability of security costsharing arrangements.
5 Bilateral Implementation
In §4, we considered a narrow version of implementability. Specifically, we presumed a security costsharing mechanism that is easily computable is implementable. However, implementing costsharing mechanisms via transfer payments across the network, even between firms that are not direct partners, is administratively challenging, perhaps even infeasible. Firms often have limited visibility let alone an ability to enter into costsharing arrangements with indirect network members. Therefore, in this section, we are prompted to study whether there exist stable and fair costsharing mechanisms that can be implemented via transfer payments only involving firms that are direct partners in the network. Indeed, since alliance networks are often comprised of a series of bilateral alliances in the first place, we develop a realistic bilateral implementation framework that can allow firms to sustain networkwide security cooperation against interdependent risks. ^{12}^{12}12Furthermore, a purely cooperativegame theoretic approach to costsharing problems on occasion faces some criticism, as for example, in Feng et al. (2021), of providing ”no implication for implementation in terms of how firms interact in the network and how financial payments are made among the firms.”
To this end, we define the bilateral implementability of a costsharing allocation as follows. A costsharing allocation is bilaterally implementable if and only if for a given network and associated cost parameter vectors , there exist differentiable functions for each player such that,
(10) 
for cost parameters belonging to an open ball centred at of radius for some . That is, qualitatively, the security cost apportioned to each player can be supported via verifiable and linear transfer payments between only direct partners in the network. As discussed before, bilateral implementability obviates the need for transfer payments between firms not direct partners in the network. And consequently, since typically alliance networks expand via bilateral alliances, it also allows for sustaining networkwide cooperative security as the network structure evolves.^{13}^{13}13In related work, we note that Ma et al. (2008) also employ a notion similar to bilateral implementability, as defined here, in a disparate context involving internet service providers cooperating to provide access to users and show that a Shapleyvalue based revenue sharing can be implemented via bilateral payments.
First, we examine the bilateral implementability of the Shapley value based security cost sharing allocation discussed in §4. We introduce some definitions. For a given player , a set of players is said to be a coalitionally rational security set for if is secured in the coalitional optimal security strategy for the coalition , i.e., . We denote the set of all minimal^{14}^{14}14 is said to be minimal if it is a coalitionally rational security set for but no subset of is. coalitionally rational security sets for player by and further, .
Theorem 5.1
Consider the Shapley value based security cost sharing allocation .
i) is bilaterally implementable if for all players , for all such that .
ii) is not bilaterally implementable if there exists a player such that for some such that .
Theorem 5.1 provides characterizing conditions for when the Shapley value based cost sharing arrangement is bilaterally implementable. Observe that minimal coalitionally rational security sets formalize the externalities that secured players induce on other players in the network. Therefore, roughly speaking, the above theorem demonstrates that as the extent of positive externalities of security in the network increases, the Shapley value based security cost sharing fails to be bilaterally implementable. As a corollary, we observe that for the special case discussed in Theorem 4.6, the Shapley value costsharing mechanism is bilaterally implementable.
Corollary 5.2
If for all , i.e., if , then, the Shapley value based security cost allocation is bilaterally implementable.
Theorem 5.1, in conjunction with Theorem 4.5, arguably also demonstrates the impracticality of adopting a Shapleyvalue based security cost sharing arrangement in all but a narrow class of networks. Specifically, since it is neither computable efficiently nor bilaterally implementable, in general, we argue that this renders it contextually untenable. Since extreme core allocations described in Proposition 4.7 are computable in polynomial time, we therefore now examine their bilateral implementability.
Extreme Core Allocations and the Agreeable Allocation.
In light of Lemma 4.4, we limit our attention to networks where all firms are secured in the grand coalition. We further recall the previously defined indicator function for player that indicates whether player is secured under the coalition optimal security strategy for . That is, , where and denote the optimal solutions to (4.2). We now recursively define a finite family of mutually exclusive sets of players in the network where . For , we define recursively as,
(11) 
where . In other words, contains the players that are secured even under the independent security strategy, i.e., it is optimal for these players to secure themselves even when operating independently. Further, contains players that will be secured conditional on being in a coalition with players in , and so forth. Also note that if is a null set, then, so is . Suppose there exists such that , then the recursive procedure generating the family of sets terminates. Denote for . Then, any permutation of the players in such that is a permutation of players in , is a permutation of players in , and so on up to, is a permutation of players in is defined as an agreeable permutation.
We note that it is possible in certain networks and associated cost parameter vectors for no to exist such that . In these cases, consequently, no agreeable permutation of the players in will exist either. Nevertheless, when the players in can be partitioned into the family of sets as described above, or equivalently, when an agreeable permutation of the players exists, we can demonstrate, as will be shown during the course of proving Theorem 5.3, that the extreme core allocation corresponding to each agreeable permutation of is bilaterally implementable.
Furthermore, recall that extreme core allocations are not symmetric therefore, arguably, violating a basic notion of fairness. To remedy this, we are now in a position to propose our novel security cost sharing mechanism, the agreeable allocation, that is defined as the average of those extreme core allocations induced by all agreeable permutations of .
Theorem 5.3
The agreeable allocation of networkwide security costs, when it exists, (i) belongs to the core, and is, (ii) polynomialtime computable, (iii) symmetric, and (iv) bilaterally implementable. Further, it also satisfies, (v) marginality, and the (vi) null player property. Moreover, the security cost allocated to player by the agreeable allocation is given by,
Observe that the networkwide security cost apportioned to each player by the agreeable allocation depends only on its own security cost parameters and that of its direct partners, and therefore, it is bilaterally implementable. Also, importantly, we note that the agreeable allocation attempts to resolve the tension between stability, fairness, and implementability. Since, it belongs to the core, when it exists, it is a stable allocation of security costs. Further, in contrast to extreme core allocations, since it satisfies symmetry and marginality, it is in accordance with basic axiomatic descriptions of fairness. Further, in contrast to the Shapley value based cost sharing arrangement, since the agreeable allocation is computable in polynomial time, and saliently, is bilaterally implementable, it also fares well with respect to implementability concerns. Finally, the closedform expression for the agreeable allocation provided above allows for transparency in the manner in which it allocates the networkwide security costs to each individual firm. In fact, the algorithm to compute the agreeable allocation and the closedform expression lend themselves naturally to a straightforward implementation mechanism.
We also remark that for the case considered in corollary 5.2, i.e., when , the agreeable allocation exists and coincides with the Shapley value.
However, we reiterate that the chief deficiency of the agreeable allocation is that, in general, depending on the structure of the interfirm network, or the associated security costs, it may not exist. This, to the extent that an agreeable allocation is viewed as desirable for its fairness, bilateral implementability, and other properties as documented in Theorem 5.3, offers a rationale for when interfirm networks will find it challenging to cooperatively secure themselves. We now, in order to examine the role of the network structure on the existence of the agreeable allocation, consider quasihomogeneous networks as networks wherein the costs of securing against intrinsic risks for firm , , are identical for all firms. Similarly, we also assume costs of securing against extrinsic risks, , are identical across all links in the network, and the expected penalties faced by players in the event of a realized risk are also equal. Formally, a network is said to be quasihomogeneous if and for all , and, for all . Analyzing quasihomogenous networks permits us to isolate the effects of the network structure on the existence of the agreeable allocation. A priori, it is qualitatively unclear what the role of network structure would be on the existence of the bilaterally implementable agreeable allocation. For instance, considering network density, while denser networks can render it easier for efficient and stable cost sharing arrangements to be bilaterally implementable since there are more bilateral links, however, denser networks may also result in larger positive externalities to securing oneself.
We now introduce some graphtheoretic definitions that aid us in identifying when quasihomogenous networks admit and do not admit an agreeable allocation of security costs. We define a kcore of network as an induced subgraph of such that the indegree of all nodes in is at least .^{15}^{15}15Conventionally, cores are defined on undirected graphs. Herein, we consider a natural analogue for directed graphs. Then, a core is a core of such that, if denotes the maximum outdegree of a node in to the nodes in , then . Therefore, while a core is an induced subgraph that is sufficiently dense, a core is an induced subgraph that is sufficiently dense internally and simultaneously sparse in its connections with other nodes in the graph.
Theorem 5.4
Consider a quasihomogeneous network with security cost parameters given by and .
i. admits an agreeable allocation if does not contain a kcore where .
ii. does not admit an agreeable allocation if contains a core where .
The two parts of Theorem 5.4 provide distinct sufficient and necessary conditions, respectively, for the existence of the agreeable allocation in quasihomogeneous networks. From a descriptive standpoint, it implies qualitatively that the agreeable allocation is guaranteed to exist in (quasihomogeneous) networks so long as they are not sufficiently locally dense. This refines our earlier intuition on the role of interfirm network structure on the existence of the agreeable allocation. Further, in graphs that contain sufficiently dense and sufficiently local clusters, the agreeable allocation is guaranteed to not exist.
5.1 Numerical Case Study
In this section, we present a case study analyzing the feasibility of cost sharing mechanisms to sustain networkwide cooperative security in realworld interfirm networks that can face interdependent risks. Specifically, we use the Refinitiv SDC Alliance database to extract all alliances in the food manufacturing sector formed between 2006 to 2020. We refer the interested reader to Schilling (2009) for a careful description of alliance databases and their limitations. The database contains 2339 alliances formed between 3073 unique firms in our industry of interest. Typically, these are bilateral alliances formed between two firms, while, on occasion, alliances are formed between more than two firms. For example, one of the alliances in the database is between Optibiotix Health Plc, a biotechnology company that manufactures SlimBiome, a weight management supplement, and John Morley (Importers) Ltd, which manufactures prepared perishable foods. Optibiotix Health would supply the weight management supplement to be included in prepared muesli packs manufactured by John Morley Ltd within the UK. In this example, the presence of an interdependent risk is evident.
Over time, larger alliance networks arise and we identify 792 distinct interfirm networks. Of these, the largest connected network of firms, i.e., the largest connected component contains 1092 firms. The other networks are smaller, and we remove all networks consisting of only two firms since these networks trivially permit bilaterally implementable cost sharing mechanisms. We in fact restrict our attention to alliance networks that are of size at least five and we obtain exactly 50 such alliance networks.^{16}^{16}16We also observe that 28 of these 50 alliance networks are trees. We depict two of these networks in Figure 2.
We leverage the algorithmic and implementation results obtained in the previous section to numerically test whether the agreeable allocation exists, and when it exists, compute the networkwide security cost apportioned by the allocation.^{17}^{17}17Code available upon request. These results are meant to be illustrative since the existence of the agreeable allocation naturally depends on the precise security cost parameter specifications. However, the security cost parameters and the penalties in are simulated in a systematic manner. Across all simulated networks, we set the parameter for all firms , and for all links between firms and , , . Further, for all , , where . That is, we assume that firms with more partners are larger firms and thus, also likely to incur higher reputation costs. Based on 1000 simulated runs for each of the 50 alliance networks, we make the following observations.
First, we observe that in 56.7% of the simulated networks, the agreeable allocation exists. In contrast, in only 0.79% of the simulated networks, the Shapley value based security cost sharing allocation is of the form given by Theorem 4.6 and hence, bilaterally implementable. This, in conjunction with the straightforward implementation mechanism described in §5, demonstrates the practical relevance of our proposed security cost sharing allocation. Second, we find, interestingly, that the alliance network permitting the agreeable allocation to exist with the highest likelihood of 74.3%, is a star network. Finally, we observe that the networks which rarely permit the existence of the agreeable allocation, in only 2.6% and 4% of the simulations, respectively, are both completely connected networks, i.e., cliques of size six. This lends further evidence in support of Theorem 5.4 that densely connected networks preclude the existence of the agreeable allocation.
6 Concluding Remarks
Networked firms are exposed to a variety of interdependent, or contagion, risks such as supply chain contamination, deliberate adulteration, or cybersecurity threats and data breaches. The fundamental distinction that sets apart these risks from other types of risks faced by firms is their transferable nature. An interdependent risk faced by a firm can then be decomposed into an intrinsic risk (from its own operations) and an extrinsic risk (transferred from its partners). Firms therefore, in response, have access to two broad security strategies: either they can independently eliminate both intrinsic and transfer risks by securing their links with partners, or alternatively, firms can cooperate with partners to eliminate all sources of risk in the network. In this paper, we develop a network model to study the cooperative management of interdependent, or contagion, risks by networked firms. Our key contributions in this paper can be summarized as follows:
(i) The networkwide cooperative security strategy in our interdependent risk model can be computed in polynomial time via a minimumweight cut network flow algorithm.
(ii) We define a cooperative game, the interdependent security cost sharing game, that permits the analysis of cost sharing mechanisms to apportion the total cost of cooperative network security among the firms in the network. We find that the interdependent security cost sharing game is convex, hence, the core is nonempty, and therefore there exist stable security costsharing mechanisms that can sustain networkwide cooperation. Further, a natural candidate, the Shapley value based costsharing mechanism belongs to the core. However, it is hard to compute even for very simple network structures.
(iii) Alongside computational concerns, introducing the notion of bilateral implementability, we also uncover a fundamental trilemma between stability, fairness, and implementability of network security costsharing mechanisms. We propose a novel cost sharing mechanism, the agreeable allocation, which attempts to find a balance between the three notions. Namely, the agreeable allocation, when it exists, belongs to the core, is formalizably fair, easily computable, and is also implementable via a series of bilateral cost sharing agreements. However, the agreeable allocation may not always exist. This, we argue, once again, demonstrates that, although costsharing mechanisms belonging to the core can be identified, sustaining networkwide security cooperation with suitable costsharing mechanisms is still challenging and therefore, may not always be possible in practice.
(iv) Moreover, to study the role of network structure on the existence of the agreeable allocation, we consider quasihomogenous networks (i.e., networks with homogeneous costs of security and expected penalties in case of realized risk), and find that networks without sufficiently dense clusters admit an agreeable allocation. Whereas, networks containing sufficiently dense and local clusters do not permit an agreeable allocation of networkwide security costs.
(v) Finally, using the SDC alliance database, we extract all alliances formed in the food manufacturing sector between 2006 to 2020. We recover 2339 alliances and 50 alliance networks for analysis. We demonstrate that our proposed security cost sharing mechanism exists in a majority of networks for a range of cost parameters demonstrating the practical feasibility of implementing bilateral security cost sharing arrangements in realworld alliances to sustain networkwide cooperative security against interdependent risks.
A majority of the interdependent security literature adopts a noncooperative gametheoretic perspective. This circumvents issues of cooperation in networks and the problem of when and how cooperation can be sustained. In contrast, this is the central focus of our paper. This work develops, to the best of our knowledge, for the first time, an economic theory of cooperative security against interdependent risks in networks. Certainly, there are several questions that remain to be answered, such as, for instance, the question of the general existence (or nonexistence) of a bilaterally implementable cost sharing mechanism that belongs to the core. We conjecture that, for a given network, if the agreeable allocation does not exist, then no bilaterally implementable core allocation of security costs exists.
Further, in this work, we assume that the considered networks are static whereas, in reality, networks tend to change dynamically, with new alliances being formed, and existing alliances being broken over time. Bilaterally implementable costsharing mechanisms, in particular, are wellsuited to sustain cooperation in dynamic alliances, as we have noted earlier. Consequently, a careful analysis of the dynamic setting is also suggested as a topic for further inquiry.
Acknowledgment.
We thank Amitabh Basu of Johns Hopkins University for helpful private communication pertaining to Theorem 5.4.
References
 Acemoglu et al. (2016) Daron Acemoglu, Azarakhsh Malekian, and Asu Ozdaglar. Network security and contagion. Journal of Economic Theory, 166:536–585, 2016.
 ASEM (2013) ASEM. The Vienna Declaration. 2013. URL https://cdn.aseminfoboard.org/documents/10th_ASEM_DGs__FINAL_VIENNA_DECLARATION_yQ7Aiyl.pdf.
 Aydinliyim and Vairaktarakis (2010) Tolga Aydinliyim and George L Vairaktarakis. Coordination of outsourced operations to minimize weighted flow time and capacity booking costs. Manufacturing & Service Operations Management, 12(2):236–255, 2010.
 Babich and Tang (2012) Volodymyr Babich and Christopher S Tang. Managing opportunistic supplier product adulteration: Deferred payments, inspection, and combined mechanisms. Manufacturing & Service Operations Management, 14(2):301–314, 2012.
 Bondy and Murty (2008) JA Bondy and USR Murty. Graph Theory. Graduate Texts in Mathematics, 2008.
 Cai and Vairaktarakis (2012) Xiaoqiang Cai and George L Vairaktarakis. Coordination of outsourced operations at a thirdparty facility subject to booking, overtime, and tardiness costs. Operations Research, 60(6):1436–1450, 2012.
 Caro et al. (2018) Felipe Caro, Prashant Chintapalli, Kumar Rajaram, and Chris S Tang. Improving supplier compliance through joint and shared audits with collective penalty. Manufacturing & Service Operations Management, 20(2):363–380, 2018.
 Caro et al. (2021) Felipe Caro, Leonard Lane, and Anna Saez de Tejada Cuenca. Can brands claim ignorance? unauthorized subcontracting in apparel supply chains. Management Science, 67(4):2010–2028, 2021.
 Chan and Ortiz (2014) Hau Chan and Luis E Ortiz. Computing nash equilibria in generalized interdependent security games. Advances in Neural Information Processing Systems, 27:2735–2743, 2014.
 Chan et al. (2012) Hau Chan, Michael Ceyko, and Luis E Ortiz. Interdependent defense games: Modeling interdependent security under deliberate attacks. arXiv preprint arXiv:1210.4838, 2012.
 Chen et al. (2020) Jiayu Chen, Anyan Qi, and Milind Dawande. Supplier centrality and auditing priority in socially responsible supply chains. Manufacturing & Service Operations Management, 22(6):1199–1214, 2020.
 Chen and Yin (2010) Rachel R Chen and Shuya Yin. The equivalence of uniform and shapley valuebased cost allocations in a specific game. Operations Research Letters, 38(6):539–544, 2010.
 Dawande and Qi (2021) Milind Dawande and Anyan Qi. Auditing, inspections, and testing for social responsibility in supply networks. In Responsible Business Operations, pages 243–259. Springer, 2021.
 Dhingra and Krishnan (2021) Vibhuti Dhingra and Harish Krishnan. Managing reputation risk in supply chains: The role of risk sharing under limited liability. Management Science, 67(8):4845–4862, 2021.
 Ergun et al. (2014) Özlem Ergun, Luyi Gui, Jessica L Heier Stamm, Pinar Keskinocak, and Julie Swann. Improving humanitarian operations through technologyenabled collaboration. Production and Operations Management, 23(6):1002–1014, 2014.
 Fang and Cho (2020) Xin Fang and SooHaeng Cho. Cooperative approaches to managing social responsibility in a market with externalities. Manufacturing & Service Operations Management, 22(6):1215–1233, 2020.
 Feng et al. (2021) Qi Feng, Chengzhang Li, Mengshi Lu, and J George Shanthikumar. Implementing environmental and social responsibility programs in supply networks through multiunit bilateral negotiation. Management Science, 2021.
 Goldberg and Tarjan (1988) Andrew V Goldberg and Robert E Tarjan. A new approach to the maximumflow problem. Journal of the ACM (JACM), 35(4):921–940, 1988.
 Gopalakrishnan et al. (2021a) Sanjith Gopalakrishnan, Daniel Granot, and Frieda Granot. Consistent allocation of emission responsibility in fossil fuel supply chains. Management Science, 2021a.
 Gopalakrishnan et al. (2021b) Sanjith Gopalakrishnan, Daniel Granot, Frieda Granot, Greys Sošić, and Hailong Cui. Incentives and emission responsibility allocation in supply chains. Management Science, 67(7):4172–4190, 2021b.
 Granot and Sošić (2003) Daniel Granot and Greys Sošić. A threestage model for a decentralized distribution system of retailers. Operations research, 51(5):771–784, 2003.
 Gui et al. (2018) Luyi Gui, Atalay Atasu, Özlem Ergun, and L Beril Toktay. Design incentives under collective extended producer responsibility: A network perspective. Management Science, 64(11):5083–5104, 2018.
 Heal and Kunreuther (2007) Geoffrey Heal and Howard Kunreuther. Modeling interdependent risks. Risk Analysis: An International Journal, 27(3):621–634, 2007.
 Huang et al. (2020) Lu Huang, JingSheng Jeannette Song, and Robert Swinney. Managing social responsibility in multitier supply chains. Available at SSRN 2837332, 2020.
 Huang et al. (2016) Xiao Huang, Tamer Boyacı, Mehmet Gümüş, Saibal Ray, and Dan Zhang. United we stand or divided we stand? strategic supplier alliances under order default risk. Management Science, 62(5):1297–1315, 2016.

Kearns and Ortiz (2003)
Michael J Kearns and Luis E Ortiz.
Algorithms for interdependent security games.
In NIPS
, pages 561–568. Citeseer, 2003.
 KemahlıoğluZiya and Bartholdi III (2011) Eda KemahlıoğluZiya and John J Bartholdi III. Centralizing inventory in supply chains by using shapley value to allocate the profits. Manufacturing & Service Operations Management, 13(2):146–162, 2011.
 Kleinberg and Weiss (1985) Norman L Kleinberg and Jeffrey H Weiss. A new formula for the shapley value. Economics Letters, 17(4):311–315, 1985.
 Kunreuther and Heal (2003) Howard Kunreuther and Geoffrey Heal. Interdependent security. Journal of risk and uncertainty, 26(2):231–249, 2003.
 Laszka et al. (2014) Aron Laszka, Mark Felegyhazi, and Levente Buttyan. A survey of interdependent information security games. ACM Computing Surveys (CSUR), 47(2):1–38, 2014.
 Lawrence (2013) Felicity Lawrence. Horsemeat scandal: the essential guide. The Guardian, February 15, 2013.
 Lee and Li (2018) HsiaoHui Lee and Cuihong Li. Supplier quality management: Investment, inspection, and incentives. Production and Operations Management, 27(2):304–322, 2018.
 Leng and Parlar (2009) Mingming Leng and Mahmut Parlar. Allocation of cost savings in a threelevel supply chain with demand information sharing: A cooperativegame approach. Operations Research, 57(1):200–213, 2009.
 Levi et al. (2020) Retsef Levi, Somya Singhvi, and Yanchong Zheng. Economically motivated adulteration in farming supply chains. Management Science, 66(1):209–226, 2020.
 Ma et al. (2008) Richard TB Ma, Dahming Chiu, John CS Lui, Vishal Misra, and Dan Rubenstein. Interconnecting eyeballs to content: A shapley value perspective on isp peering and settlement. In Proceedings of the 3rd international workshop on Economics of networked systems, pages 61–66, 2008.
 Maschler et al. (2013) Michael Maschler, Eilon Solan, and Shmuel Zamir. Game theory. Cambridge University Press, 2013.
 McAfee (2015) McAfee. Target breach reveals risk of business partners. April 28, 2015. URL https://www.mcafee.com/blogs/enterprise/cloudsecurity/targetbreachrevealsriskofbusinesspartners/.
 Mu et al. (2016) Liying Mu, Milind Dawande, Xianjun Geng, and Vijay Mookerjee. Milking the quality test: Improving the milk supply chain under competing collection intermediaries. Management Science, 62(5):1259–1277, 2016.
 Mu et al. (2019) Liying Mu, Milind Dawande, and Vijay Mookerjee. Shaping the values of a milk cooperative: theoretical and practical considerations. Production and Operations Management, 28(9):2259–2278, 2019.
 Nagarajan and Sošić (2008) Mahesh Nagarajan and Greys Sošić. Gametheoretic analysis of cooperation among supply chain agents: Review and extensions. European journal of operational research, 187(3):719–745, 2008.
 Neville (2013) Simon Neville. Sainsbury’s warns Tesco over ownbrand price promise. The Guardian, March 19, 2013.
 Plambeck and Taylor (2016) Erica L Plambeck and Terry A Taylor. Supplier evasion of a buyer’s audit: Implications for motivating supplier social and environmental responsibility. Manufacturing & Service Operations Management, 18(2):184–197, 2016.
 Pollach (2011) Irene Pollach. Online privacy as a corporate social responsibility: an empirical study. Business Ethics: A European Review, 20(1):88–102, 2011.
 RodríguezPereira et al. (2021) Jessica RodríguezPereira, Burcu Balcik, MarieÈve Rancourt, and Gilbert Laporte. A costsharing mechanism for multicountry partnerships in disaster preparedness. Production and Operations Management, 2021.
 Roughgarden (2010) Tim Roughgarden. Computing equilibria: a computational complexity perspective. Economic Theory, 42(1):193–236, 2010.
 Schilling (2009) Melissa A Schilling. Understanding the alliance data. Strategic Management Journal, 30(3):233–260, 2009.
 Seals (2014) Tara Seals. Home Depot: Massive data breach happened via third party vendor credentials. Infosecurity Magazine, November 7, 2014. URL https://www.infosecuritymagazine.com/news/homedepotbreachthirdparty/.
 Shapley (1953) Lloyd S Shapley. A value for nperson games. Annals of Mathematics Study, 28:307–317, 1953.
 Shapley (1971) Lloyd S Shapley. Cores of convex games. International journal of game theory, 1(1):11–26, 1971.
 Sošić (2006) Greys Sošić. Transshipment of inventories among retailers: Myopic vs. farsighted stability. Management science, 52(10):1493–1508, 2006.
 Tian et al. (2020) Fang Tian, Greys Sošić, and Laurens Debo. Stable recycling networks under the extended producer responsibility. European Journal of Operational Research, 287(3):989–1002, 2020.
 WesterinkDuijzer et al. (2020) Lotty E WesterinkDuijzer, Loe PJ Schlicher, and Marieke Musegaas. Core allocations for cooperation problems in vaccination. Production and Operations Management, 29(7):1720–1737, 2020.
 Zhang et al. (2021) Han Zhang, Goker Aydin, and Rodney P Parker. Social responsibility auditing in supply chain networks. Management Science, 2021.
Appendix I. Proofs and Technical Results
Proof of Proposition 3.1. Consider a player . First, note that under the independent security strategy, the worstcase security state of player as a function of its information set and security actions is given by,
Therefore, if and only if for all . Further, if , then is minimized when for all . We now analyze these two cases in succession. If , then the minimum worstcase expected cost . If , then . Therefore, player is independently secured, i.e., belongs to when is minimized at . That is, if and only if .
Proof of Proposition 3.2. Suppose that player is secured under the independent security strategy. We will now show that will remain secured under the networkoptimal security strategy. Consider and let , for denote the network optimal security actions by any player . Suppose, to the contrary, that is unsecured in the networkoptimal security strategy, that is, for . Consider an alternate security strategy such that and for all and , and for . Then, it is clear from (1) that the security state of every player remains the same except for who is now secured under the new security strategy. Therefore,
The inequality follows from Proposition 3.1 yielding a contradiction to the minimality of . Therefore, has to remain secured under the networkoptimal security strategy. Consequently, .
Proof of Proposition 4.1. Suppose and let , denote the set of secured players under the coalition optimal security strategies of coalitions and , respectively. Then, let denote , , and . Then, if is an empty set, then our proof is complete, since, then . Therefore, suppose is not an empty set. Then, consider the change in the coalition optimal security cost if the nodes in were also secured. The change in the coalition optimal security cost will be given by, . By the optimality of the coalition optimal security cost, . Now, consider the change in the coalition optimal security cost if the set of players in were to be unsecured. Then, the change in is given by, . Similarly, from the optimality of , . This implies, from the nonnegativity of the security cost parameters. This yields a contradiction, and therefore, has to be an empty set. Thus, and any player secured under the coalition optimal security strategy for , i.e., , is also secured under the coalition optimal security strategy for , i.e., . This completes the proof.
Proof of Proposition 4.2. Consider , as defined in (4.2), and let denote the coalition optimal security state of player in coalition . For all such that , . That is, denotes the set of players in that are secured under the coalition optimal security strategy. Further, let us denote by , and for , the coalition optimal security actions by player . We note that for all , from (1), and for all . Further, for all , since, if players and are both secured, it is not optimal (with respect to (4.2)) to secure the links between them. Moreover, similarly, for , that is when is unsecured under the coalition optimal security strategy, it is not optimal to partially secure from intrinsic or extrinsic risks. Therefore, for , and for all . Thus,
Now, consider the auxiliary network and the minimum weight directed cut separating the node and the node set in with and sink . This constrained minimum weight directed cut in this network identifies and such that the sum of weights on arcs directed from to is minimized. The sum of weights of these arcs is given by,
From comparing the expressions, and are simultaneously minimized when and . This completes the proof.
Proof of Theorem 4.3. Consider coalitions and such that