Analysis of Digital Security Governance under the Objectives of Digital Ecology: A Three-Party Evolutionary Game Approach

,


Introduction
Digital ecology has become an important means for social progress and economic prosperity and thus is an important pillar in the construction of Digital China [1].China's digital ecological construction is on the ascendant, as a large amount of data came into being, and the problem of data insecurity followed.For example, the employees of Ping An Life Insurance Company Limited illegally sold 40,000 pieces of customer information, and Super Star Learning Link software leaked over 170 million pieces of private data, damaging personal information.Unbridled data collection, excessive data mining and misuse, and cyberattacks have become increasingly commonplace [2].Platform enterprises characterized by digital drive and network collaboration have commonly deposited huge amounts of data during development, and problems such as data monopoly, data security, and personal information protection have emerged [3].If digital security governance (DSG) is not strengthened, data and information can be arbitrarily collected, tampered with, trafcked, and disseminated, severely undermining the national and public interests.DSG is the key to improving the security level of contemporary organizations [4,5] as it embeds security into the organizational structure and all relevant business dimensions and factors across the organization, helping to capture strategic objectives and appropriately manage security risks [5].Implementing DSG and establishing strong safeguards and dynamic and constant security protection mechanisms enable the proper protection and secure use of sensitive data.Tis strategy allows for continuous security and protection of organizational assets [6,7].
However, due to the late start of DSG in China [8], there are still issues concerning data security measures, interdepartmental collaboration, digital infrastructure development, industry regulation, and digital national sovereignty [8].Although a preliminary institutional framework for DSG has been formed, regulating behaviors directly on various platforms is still challenging, and the government mainly requires them to abide by their obligations rather than exercising its regulatory duties [9].Escalating user concerns about privacy and data security has posed new challenges to DSG, and therefore, continuously updated research is needed to adapt to these changes.Meanwhile, the DSG literature is primarily descriptive, focusing on normative standards, generic frameworks, and the individual level [10,11] while ignoring the complexity of the interactions between diferent subjects.It should be noted that DSG is not an endeavor that can be carried out by one party alone, and multiple governance roles, responsibilities, and strategies are key pillars in developing robust governance and security processes and procedures [12,13].However, current studies investigate the game between platforms and local governments [14,15].However, as the highest level of responsibility for data security, the central government has not been considered yet.It is important as the central government plays a key role in DSG, and its responsibilities include regulation-making, regulatory enforcement, and policy formulation.Introducing central government into the tripartite evolutionary game can strengthen the risk management capabilities of digital security governance systems.First and foremost, this expansion facilitates a more comprehensive consideration of interests.Local governments and central governments represent distinct sets of stakeholders with diverse priorities and concerns.Local governments emphasize regional development, while central governments focus on national security, strategic imperatives, and citizen welfare.By incorporating these various perspectives, the dynamics of the game become enriched, allowing for a more nuanced understanding of the competing interests at play.Moreover, this expansion clarifes the delineation of responsibilities and promotes orderly coordination among stakeholders.By defning the roles and responsibilities of platforms, local governments, and central governments in digital security governance, stakeholders can minimize confusion, duplication of eforts, and jurisdictional conficts.Clear lines of accountability facilitate efective decision making, streamline operational processes, and enhance the overall efciency and efectiveness of governance mechanisms.Terefore, it is necessary to conduct an in-depth study of DSG while considering digital ecology and from the perspective of game theory and centered on data security, with the participation of third-party platforms, local governments, and the central government.
Tis paper constructs a cross-industry and cross-domain DSG model and a more comprehensive, integrated, and fexible conceptual framework that reveals the DSG mechanism in digital ecology.Tis study contributes to the construction of a theoretical system of DSG and provides an in-depth understanding of the roles, relationships, and responsibilities of governments, enterprises, and individuals in data security.In addition, this study helps to predict future development trends, formulate corresponding governance strategies in advance, and assist decision makers in better understanding the problems, predicting risks, and formulating specifc and efective policies, regulations, and data security strategies.Nevertheless, a continuous feedback mechanism between theory and application is required to better respond to the ever-changing data security challenges.

Literature Review
2.1.DSG Study."DSG" was frst proposed by Gartner, who claimed that DSG is a complete chain from the decisionmaking level to the technical level, from the management system to the tool support, and runs through the whole organizational structure from top to bottom [16].Some scholars have expanded on this connotation, arguing that strategic security considerations in the digital environment are called DSG [5,10,11,17].Furthermore, they aimed to maintain the confdentiality, integrity, and availability of data assets [16], achieving the goals and the proper management of security risks [5,18] in response to the increasing number of cyberattacks [6].Although diferent scholars have diferent defnitions of "DSG," the core is to coordinate the rights and interests of the various stakeholders and protect the entire data life security cycle.Troughout the data security legislation and governance practices of countries worldwide, the DSG model has roughly passed through three stages, from responsive governance focusing on guidance and regulation to centralized governance with institutional and mandatory, and then to agile governance with the participation of multiple governance subjects and the fexible use of a variety of governance tools [12].In the current stage of multiple governance, the three-party evolution game is an efective model for studying game relationships between various subjects.
Previous works have always paid attention to DSG.On the one hand, the widespread use of digital technologies has provided new opportunities and challenges for various industries.Indeed, some researchers have explored the transformative impact of DSG on various aspects of public health [19], higher education [20], government information assets [21], and supply chain fnance [22,23], which can enhance their risk management capabilities, protect privacy, and promote open information sharing and service improvement.On the other hand, some works have conducted theoretical or empirical studies from the subdivisions of DSG regarding cross-border data fow supervision [24], 2 Complexity personal privacy protection [25], and data opening and sharing.For example, Li et al. [26] built a binary network model and an associated network to identify the risk of the cross-border fow of important data and provided a quantitative method for early warning management for crossborder data.However, the DSG literature is primarily descriptive, focusing mostly on prescriptive standards and generic frameworks [10,11] or analyzing problems using the DSG process, such as inadequate data privacy protection and legal security systems [27].Specifcally, current works lack a holistic, top-down analysis of the DSG system.Although there are strong interconnections between these areas, both cross-border and open sharing of data involve privacy protection issues, and a healthy and efective DSG framework needs to balance these aspects to ensure the secure data fow and protection of individual privacy while simultaneously facilitating the openness and data sharing to promote innovation and sustainable development in society.

Platform DSG Research.
Tird-party platforms often collect and process large amounts of personal data as a constituent feature of their business model [28].Tere are many studies on data security in platform companies, mainly based on the proft-seeking nature of the platforms.Data misuse and public opinion dissemination can be divided into two main categories.Te former manifests itself in the excessive collection of user data by platforms [29,30], the implementation of big data price discrimination [31], and the unauthorized use of information [32].Te latter manifests in disseminating false information by platforms [33,34] and manipulating public opinion [7,35].For example, Hou et al. [14] argued that there is an information inequality between platforms and individuals, and Yao [3] analyzed the "big data-based price discrimination" by constructing a game model among consumers, platform enterprises, and the government.Tey started with the misuse of data by platforms and examined the regulatory mechanisms among users, platforms, and governments.However, third-party platforms allow any account to register and log freely and express their views, which has resulted in a large and generally low-quality data of the online information ecosystem.At the same time, users can infuence the dissemination and use of information through retweeting, liking, and commenting.Tus, third-party platforms act as a medium or tool carrier in their own right rather than subjective actors.For example, some users send spam through Weibo [36], and in Brazil, WhatsApp has been used for virtual kidnapping and fraudulent extortion [37].
2.3.Summary.Te literature presented above highlights that current research on DSG mainly focuses on the theoretical level.Specifcally, these studies focus on a specifc area of the DSG challenges, exploring its current situation, problems, and optimization paths.In addition, most scholars have focused on the active behavior of third-party platforms when studying the formation of data hazards, while relatively little consideration has been given to the factor of their passively becoming a channel of abuse.Similarly, the central government's role in the DSG process has been somewhat neglected.Given this situation, this paper explores DSG from the perspectives of various stakeholders, such as policy promulgation, call for response, and implementation, to build an evolutionary game model of the central government, local governments, and thirdparty platforms, analyze their possible behavioral strategies, and make the corresponding suggestions.

Construction of the Evolutionary
Game Model Te central government is the leader and policy maker of the DSG process.It is responsible for coordinating major national data security matters and important work, establishing a national data security coordination mechanism, supervising and managing the data security policies and regulations of various departments, institutions, and organizations, and protecting the basic rights and interests of individuals and organizations in terms of data security.Various localities and enterprises may have diferent interests and governance standards, requiring the central government to act as a coordinator and establish nationwide consistent standards and norms to ensure consistent and controllable data security.DSG by all parties cannot spontaneously reach a state of equilibrium, and the involvement of the central government in supervision and management is an important factor in promoting active action by platforms and local governments.Furthermore, the central government possesses broader resources and power, allowing for the swift allocation of necessary technological, fnancial, and human resources when data security incidents occur.Particularly in responding to large-scale or severe data security events, a signifcant amount of resources and cross-departmental coordination are required, which local governments may struggle to handle independently.For example, the central government can rely on nationallevel security agencies and expert teams to quickly diagnose issues, assess risks, and formulate efective response measures.Terefore, within the overall national context, the central government assumes the ultimate role in emergency response.
Local governments are facilitators and important participants in the DSG process and belong to "dispatched agencies" of the central government.Local governments have the responsibility to assume the responsibility of DSG within their duties and formulate data security behavior norms and group standards according to the law.Tey should conduct self-examination and cooperate with third-party platforms to ensure the development and utilization of data and industrial development in the region with data security.Te central government supervises local governments and undertakes the obligation to reduce illegal data acquisition and utilization.
Tird-party platforms are the executors and policy implementers of the DSG process, with data analysis as the main business or data as a production factor [15], providing fast information aggregation and circulation channels.As an important carrier of data fow, the platforms must handle a large amount of data, including user-generated data, server logs, and application data.Tese data are the basis for the platforms' operation and the key to its services and functions.Platforms can analyze data to discover user behavior patterns, understand user needs, optimize services, and attract more users to gain revenue.Tis requires the platforms to take appropriate technical and management measures to ensure the security of the data in the process of use and to avoid eavesdropping, tampering, and interception.

Analysis of the Subject Benefts.
As a data aggregation and difusion center, the platforms can set up access control mechanisms [25] using keywords [38] to block, delete [39], or restrict the fow of sensitive or ofending content.Local governments give platforms the responsibility as market regulators to monitor the quality, combat infringement, and control prices [9].Note that local governments can become platforms' users to discover, search, and review illegal information on the platforms.Besides, the central government provides policy support and guidance to local governments or platforms and can issue bans or penalties to local governments or platforms based on data breaches.In regulating the implementation of a data security regime, the central government represents the public's interests, emphasizing how to maximize society's overall interest and general welfare.In contrast, local governments mainly consider the interests of local authorities, and platforms are essentially proft-making organizations, which may deviate from the central government's interests and form a bargaining game.Hence, promoting the cooperation between local governments and third-party platforms, where the two jointly review the content of Internet information from diferent aspects, can compensate for the defciencies in government regulation, improve the efciency of the government, and force the platforms to carefully review the various information data fowing in the platforms to avoid penalties for distorted information.Tus, it is a collaborative gaming process between the two sides.
Unlike traditional game theory, evolutionary game theory assumes humans are fnitely rational and usually reach game equilibrium through trial and error.Due to the asymmetry or incompleteness of information, the subject will waver in diferent strategies to obtain the maximum beneft, and the surrounding subjects or game parties very easily infuence its strategy choice.Tus, there is a dynamic adjustment and imitation of the process of others.Interests drive these three parties and eventually make a scientifc evolutionary game strategy ft for purpose and operable [40].Combined with practical research, the evolution process of DSG requires the participation of the central government, local governments, and platforms, the impossibility of complete rationality of each subject of interest, and the mutual infuence of their strategic choices, which is a dynamic evolution of the behavior of all parties adjusting each other under certain rules [41].Terefore, this paper adopts evolutionary game theory and numerical simulation to analyze the dynamic game process of DSG.Constructing a three-party evolutionary game model of the central government, local governments, and platforms determines the evolutionary and stabilization strategies of the three parties to reach the ideal state in diferent situations.It provides decision-making references for creating a good digital ecology.

3.2.1.
Participants.Tis study assumes that the game involves three players, i.e., the central government, the local governments, and the third-party platforms, and that all three parties are fnite and rational participants who continuously adjust their strategic choices over time to maximize their benefts.

Behavioral Strategies.
From the platforms' perspective, there are two primary strategies for implementing cybersecurity measures: "active governance" and "negative governance."Active governance means they may implement cyberspace security strategies, strengthen the process of collecting, transmitting, storing, using, sharing, and destroying relevant data in the platforms' daily operation, actively manage hidden dangers in data, and eliminate environmental externalities generated by themselves.On the other hand, negative governance means they may neglect the efective protection and reasonable use of the organization's data to save governance costs.
From the local governments' perspective, adopting a "participation" strategy involves monitoring and auditing the implementation of data security regulations, policies, and norms on platforms, intervening when necessary to address issues like data theft and illegal transactions.Tis approach aims to reduce the frequency of data security incidents and minimize the impact of negative public opinion, thereby enhancing government credibility.However, if regulatory intervention is not timely due to technological immaturity or high costs, a "non-participation" strategy may be chosen.
From the central government's perspective, the "emergency response" strategy serves as the last line of defense for digital security governance.Tis involves implementing emergency measures to counter data security threats and attacks promptly.While this strategy aims to minimize the negative impact of data security incidents, it may face limitations due to the complexity and ambiguity of data issues.In such cases, a "non-emergency response" strategy might be adopted after weighing factors like government With greater resources and authority, the central government can swiftly address cross-platform and cross-regional issues, safeguarding public interests and national security.
Te stability of this framework depends on efective implementation, communication, and coordination among the involved parties.While inherently stable in theory, its practical stability hinges on factors such as adaptability to evolving challenges and the establishment of robust communication channels and coordination mechanisms.Continuous monitoring, evaluation, and strategy refnement are essential for maintaining stability within the digital ecosystem.Te DSG tripartite game strategy constructed in this paper is shown in Figure 1.

Model Hypothesis
H1.All interested parties are fnitely rational.Tirdparty platforms have two strategies: "active governance" and "negative governance," with the probabilities being x and 1 − x, respectively.Te local governments and the central government also have two strategies: the former is "participation" and "nonparticipation," with a probability of y and 1 − y, while the latter is "emergency response" and "nonemergency response," with probabilities of z and 1 − z, where 0 ≤ x, y, z ≤ 1.
H2. Te probability of a data security incident is p, which will lead to platforms' loss q (including direct income loss and compensation payable) and local governments' fne f.At the same time, the central government will also collect a fne e from local governments due to poor management.H3.When platforms neglect the importance of data security by adopting a passive governance strategy, it incurs its usual revenue and cost, denoted as R0 and C0, respectively.However, if the platforms actively engage in digital security governance, it incurs additional costs in technology, management, operations, and maintenance, denoted as C1.Alongside this, there are implicit benefts such as enhanced security, reputation, and access to political resources, denoted as R, resulting in positive externalities that boost the credibility of local governments (w) and overall societal benefts (A).During collaborative eforts between local governments and platforms to review data information, there are costs involved in terms of manpower, resources, and fnances (C2), partly ofset by subsidies provided by the central government (n).In the event of a data security incident with relatively moderate impact and importance, or if the central government deems it unnecessary for urgent intervention after considering factors like governmental image, economic interests, and social stability, it may opt for a "non-emergency response" strategy and handle the situation according to routine plans.However, if the central government chooses not to respond urgently from a broader perspective, it may lead to misunderstandings and dissent among other stakeholders, resulting in disharmony, destabilization of society, and reputational damage, denoted as environmental negative externalities (T).On the other hand, if there is damage to critical data compromising public or national interests, the central government would need to implement an emergency response strategy.In addition to the usual "nonemergency response," this might require additional funding for specialized data recovery and repair work, including costs for data recovery software, services, hiring external consultants, and experts for technical support and consultancy, denoted as C3.However, this would also help mitigate losses for the platforms and local and central governments, denoted as u1, u2, and u3, respectively.Table 1 reports the parameters of the above assumptions, and Table 2 presents the game beneft matrix for the DSG process of the platforms, local governments, and central government.

Analysis of the Evolutionary Stability Strategy
Te expected benefts of the platforms select "negative governance" strategies are U12.
Te average expected benefts of the platforms are U1.
Terefore, according to Taylor's model [42], the replicator dynamic equation is as follows: Based on the stability theorem of the diferential equation, the conditions that make the probability of the platforms choosing active governance in a steady state are F(x) � 0 and (dF(x)/dx) < 0. Terefore, solving for the frst-order derivative of F(x) reveals that when C1 < R,

Local Governments.
Te expected earnings when local governments choose "participation" strategies are U21.
Te expected earnings when local governments choose "non-participation" strategies are U22.
Te average earnings for local governments are U2.
Te replicator dynamic equation is as follows:

U31 � xy(
Te average expected benefts of the platforms are U3.

Stability Analysis of the System.
Te research object of the replication dynamic equations in an evolutionary game is a certain group, and thus, a single group's evolutionary stability strategy (ESS) cannot represent the whole system.Hence, the Jacobian matrix is constructed.Specifcally, we fnd the partial derivatives of F(x), F(y), and F(z) about x, y, and z, respectively, and then the construct the Jacobian matrix of the tripartite game, as presented below: J � j 11 j 12 j 13 j 21 j 22 j 23 j 31 j 32 j 33
(1) When R − C1 ∈ − ∞, 0, for third-party platforms, the additional benefts of choosing active governance are less than the technical, management, operational, and other costs invested in this area in the early stage.At this point, negative governance will become the platforms' priority choice.When R − C1 ∈ 0, +∞, the hidden benefts of active governance are higher than the costs involved, and the platforms are more inclined to active governance.
Terefore, safeguarding the governance benefts of third-party platforms can efectively prevent platforms from treating data security issues negatively and instead take preventive measures to strengthen the management and governance of data security, making the stable decision-making level of platforms from x � 0 to x � 1. Te government can increase the net income of platforms governance by giving subsidies or awarding them through ofcial websites or media reports to expand the reputation of the platforms, increase their willingness to actively govern, efectively prevent improper data processing practices, better protect the security of national digital assets, further improve the quality and efciency of digital services, and promote the construction of digital ecological security.(2) When C2 − n − fp ∈ − ∞, 0, the subsidies received and the fnes collected by local governments for participating in the DSG process are higher than the costs they pay.Tus, participation in governance is the best strategy for local governments.When C2 − n − fp ∈ − ∞, 0 ∪ 0, ep, the expected penalty imposed on the local governments by the central government in response to a data breach is higher than the cost paid by the local governments for participating in governance.Tus, participation in governance will be the optimal choice to avoid punishment at a higher level.When C2 − n − fp ∈ ep, +∞, the participation cost is higher than the potential penalties, and the local governments' stabilization strategy becomes "nonparticipation," which is not conducive to the stable development of the digital ecology.
When the benefts of the local governments' refusal to participate in governance are greater, the central government should strengthen the penalties for the local government's negligence.Higher administrative penalties can encourage them to strictly fulfll their data governance responsibilities and improve local governments' governance.In addition, through the appropriate use of fnancial subsidy policies, it can alleviate local conficts caused by interest relations, improve the motivation of local governments, increase their intention to participate, and make local governments' stable decisions from y � 0 to y � 1 evolution, thus efectively ensuring the availability and security of local data resources, thereby maintaining the stable operation of the digital ecology and public security.(3) When Tp − C3 + pu3 ∈ − ∞, 0, if the cost for the central government to take emergency measures against an occurring data security problem is much higher than its negative externality loss, then the central government will tend to adopt a nonemergency strategy.When Tp − C3 + pu3 ∈ 0, +∞, the severity of the set of consequences caused by a data security problem far outweighs the cost to the central government of activating an emergency response.Te central government will pay more attention to the emergency response process of a data security incident to achieve prevention and control of cyberattacks, disinformation, and other digital risks and reduce the damage caused to the digital ecology.
To sum up, there are six possible stability points in the DSG game system, of which E(1, 1, 1) is the ideal stability point, corresponding to the ideal strategy combination of "active governance, participation, and emergency response."Diferent conditions correspond to diferent combinations Complexity of strategies.Obviously, in order for E(1, 1, 1) to be ESS, it must satisfy three conditions simultaneously: C1 − R < 0, C2 − n − fp − ep < 0, and C3 − pu3 − Tp < 0, i.e., the cost of maintaining data security for the platforms is less than the hidden benefts they receive, the cost of participating in governance for the local governments is less than the subsidies and fnes, and the cost of emergency responding to a data security incident for the central government is less than the negative externalities caused by the continued fermentation of the incident.

Numerical Simulation and Discussion
In order to discuss the sensitivity of the parameters and verify the model's accuracy, we used MATLAB 2022b to simulate the dynamic evolutionary trajectory of the evolving system.Considering the research hypothesis of this paper, by drawing on [40,[43][44][45] and based on the evolutionary stability strategies (active governance, participation, and emergency response), the parameters of the diverse cases are set as follows: R � 9, C1 � 8, p � 0.4, C2 � 5, n � 4, f � 2, T � 20, C3 � 8, u3 � 4, e � 6.In the previous discussion, we have analyzed how the decision making of third-party platforms, local governments, and the central government is determined by factors such as R − C1, n + fp − C2, and Tp − C3 + pu3.It is evident that R and C1, as well as n and f, represent conficting interests.For instance, an increase in R implies a decrease in C1, both indicating an increase in benefts.Tese factors are essentially of the same nature, with their evolutionary states in the simulation graph being inversely related.Terefore, focusing on factors of different nature, let us now primarily examine how R, n, p, T, and C3 infuence the evolutionary trajectory of the digital security governance system.When analyzing the sensitivity of a certain parameter, the values of other parameters remain the same.

Implicit Benefts.
Let R be 1, 9, and 15, respectively, and we observe the simulation results of its evolution from the initial time 0 to 50.According to Figure 2, when R < 9, x converges from 0.2 to 0, and the DSG system degrades to E(0, 1, 1), which means a poor state.As R increases, the willingness x of the platforms to govern grows gradually.In other words, x converges from 0.2 to 1 after a long period of evolution.Finally, the system evolves to E(1, 1, 1).Tis is because when the platforms are actively governed, they efectively safeguard the security of commercial secrets, personal privacy, and other information, reducing legal risks and increasing user trust and stickiness, improving the platforms' reputation, infuence, and market competitiveness.Terefore, the benefts of governance positively afect the behavioral choices of the platforms, and the more cost-efective the platforms' governance investment is, the greater the probability of active governance is. 3 highlights that the probability of the local governments choosing the participation strategy converges to 0 when n < 5 and converges to 1 when n > 5. Te simulation results indicate that increasing the number of local government subsidies signifcantly improves their willingness to participate in governance and positively afects the development of data ecology.Terefore, as rational economic agents, local governments may take advantage of the governance benefts if the governance costs are too high and share the economic benefts of governance brought by other parties without actively taking precautionary measures.Meanwhile, the system degenerates to the unstable state of E(1, 0, 1).When the central government, whose subsidies are in the medium to high range, supports local governments in maintaining data information security, local governments will actively participate in the DSG process.

Contingency Costs and Negative Externality Losses.
Let C3 be 3, 8, and 20 while T be 5, 20, and 35.Tese values represent the observed efects of three diferent strategies on three participants, as illustrated in Figures 4(a) and 4(b).Figure 4 reveals that when C3 ≤ 8 or T > 20, y rapidly converges from 0.2 to 1 after evolution, and the convergence rate increases signifcantly.Undoubtedly, the central government tends to adopt the emergency response strategy, which means the system has evolved to an ideal stable state E(1, 1, 1) that continuously promotes the healthy development of digital ecology.When C3 increases or T decreases, the probability of adopting an emergency response strategy decreases, but z does not reduce below its initial willingness 10 Complexity probability.Unless the cost of response is much higher than the negative externality loss and the amount tends to infnity, the system will degrade to the poor stability E(1, 1, 0).Te central government has sufcient fnancial capacity to bear the lower costs.Moreover, based on the overall welfare of society, the central government will not let data problems exist due to the loss of its interests.Even if coping costs are increasing, it will respond in time.However, when the emergency cost increases excessively, far below the negative externalities caused by the risk of data leakage, which seriously afects the allocation of national fnancial resources, the central government will tend to be an emergency response.

Probability of Data Security Events.
Let p be 0.1, 0.2, 0.4, and 0.6, and we observe its infuence on the strategy choice of the three subjects, and the relevant situation can be (middle to high range), the three entities have reached the positive stable state, suggesting that a higher data crisis will prompt all parties to interrupt threatening events actively.Besides, as p increases, the strategy evolution of the platforms remains unchanged, and z rapidly converges from 0.2 to 1 after evolution, while y frst rises and then decreases and then gradually converges from 0 to 1. Tis highlights that after the platforms enable satisfactory returns through active governance, regardless of the crisis probability, they will take the initiative to assume the main responsibility of DSG and build a solid foundation for a good data ecological environment.Although the local governments will obtain more self-interest benefts by choosing non-participation, as the probability of data security problems increases, platforms alone may not provide security for data assets in the domain.Terefore, local governments tend to participate in governance.Given that the time to reach the steady state will gradually shorten, at low crisis probabilities, the central government can involve local governments in the governance process through standard controls, ofcial media coverage, punitive interventions [46], or coercive measures to reduce the phenomenon of "free-riding."5.5.Chapter Summary.Trough an extensive review of literature, research reports, and numerical simulation, this study has summarized the theoretical outcomes of digital security governance.Previous studies on data security mainly focused on stakeholders such as government regulators and data attackers like hackers or internal employees.In contrast, this study primarily analyzes the governance entities.Key factors that infuence behavior strategies were also considered, including the cost of investment and the severity of penalties, which are common to previous research.However, due to the diferent stakeholders considered, the key factors infuencing behavior strategies also difer.Te innovations in this study are as follows: (   12 Complexity efectiveness of governance mechanisms.Moreover, this study not only explores the interaction between the government and other stakeholders but also considers the game relationship within the government.By incorporating internal dynamics of the government, this analysis method increases the complexity of the game, enabling a more nuanced analysis of factors that infuence internal decisionmaking processes and policy formulation.Research indicates that key parameters such as implicit benefts, government subsidies, and negative externalities play a signifcantly positive role in the development of digital ecosystems within the framework of digital security governance.Tese parameters, within certain ranges, can positively support the ideal behavior strategies of various stakeholders, evolving to a stable state: (i) Increasing implicit benefts can promote third-party platforms to actively govern data security.Terefore, enhancing the benefts of platforms digital security governance and reducing governance costs is an efective way to prevent platforms from relaxing governance eforts.(ii) Financial subsidies from the central government to local governments can efectively enhance the latter's participation in governance, which is crucial for its stability.However, for subsidies to be effective, the subsidy amount must exceed the sum of the costs incurred by local governments in governing data security and the fnes they receive, ensuring the safeguarding of data security in an evolving and stable market environment.(iii) Low negative externalities and high emergency costs reduce the probability of the central government opting for an emergency response to data security threats.However, as the central government is responsible for protecting public interests and national security, as long as emergency costs are within its capacity, the central government will tend to adopt an "emergency response" strategy.
Additionally, the probability of data security incidents also afects digital ecosystems, leading to two main scenarios: (i) When the probability is low, indicating a stable market environment with a low likelihood of data security incidents, platform strategies lean towards active governance, while local governments adopt a passive governance approach, and the central government's strategy remains undecided.(ii) When the probability is moderate to high, indicating a volatile market environment with a higher likelihood of data security incidents, all three parties adopt positive behavioral strategies, namely, active governance, participation in management, and emergency response.
Based on the two scenarios described, two diferent approaches to governance can be discerned.Specifcally, (1) Local governments should be regulated more in a stable market environment with a low risk of data crises.Te central government's response costs to diferent data crisis events are diferent.Te higher the emergency response cost, the lower the chance of adopting an emergency response strategy, but the central government is always willing to bear the cost within a certain range due to the consideration of the overall welfare of the society.A secure data environment creates a positive externality whereby local governments will use the resources of others or other organizations for free to achieve their benefts, i.e., the phenomenon of "free-riding."Te central government can involve local governments in governance through standard control, ofcial media reports, and punitive interventions or coercive measures.(2) Te willingness of platforms and local governments to govern should be increased in a data crisis.Te implicit benefts of platforms should be increased, and the amount of subsidies established should exceed the cost of governance for local governments.Te platforms' governance strategy choice is positively related to the hidden benefts of security, word-ofmouth reputation, and political resources brought by governance, and its role is signifcantly more dynamic.In a changing data environment, the higher the invisible gains, the stronger the willingness to govern.Moreover, it is signifcant for the central government to adopt certain subsidy incentives to increase local willingness to participate in governance and maintain data security.Te central government's reward and punishment policies will afect local governments' strategic choices.If the policy subsidies can balance the benefts and costs of governance, the chance of local government's participation in governance is greater, and the more favorable it is to the healthy development of the digital ecology.
Tere are areas for improvement in this study.Firstly, the game mechanism is relatively simple, without including netizens and other participating subjects; the strategy space 14 Complexity is also simplifed to a certain extent, and the local government's regulatory obligation is set as the degree of participation in governance without more detailed and in-depth construction, and the complex interaction mechanism behind it is not studied in depth.Moreover, the game participants' behavior analysis validity may be biased since the simulation values are conducted under simulation conditions.
6.2.Implications 6.2.1.Managerial Implication.Tis paper innovatively substitutes the negative externality loss and the probability of data security events into the cost-beneft matrix and introduces the central government as an important role in improving the governance organizational structure.Te evolutionary game of DSG under digital ecological objectives is explored in depth, and by analyzing the interactions and infuences between third-party platforms, local governments, and only the central government, it can reveal the key issues and challenges of DSG in the digital era and provide corresponding solutions.Specifcally, this study promotes in-depth thinking on important topics such as information sharing, privacy protection, and cybersecurity among different subjects in the digital ecosystem.In addition, exploring the evolutionary game model can help understand and predict the evolutionary trend of DSG mechanisms and provide decision makers with a scientifc basis for formulating relevant policies and norms.Besides, it can deepen our understanding of DSG under the goal of digital ecology, promote the development of related felds, and provide useful references for social governance and sustainable development in the digital era.

Practical/Social Implications
(1) Te role of invisible benefts such as reputation should be emphasized, and a credit assessment system for data security should be established [47].
For instance, Deephouse [48] used theoretical and empirical analyses to show that reputation is a resource that leads to competitive advantage.Trust and reputation systems are important in providing decision support for Internet intermediary services [49], as DSG eforts can be recorded and fed back in real time and deter ethical risks [50].Credit information can be disclosed to the public by setting tasks and goals related to DSG and evaluating them based on security reports, virus scans, vulnerability discoveries, and other information released by governors.Te platforms will be prompted to pay more attention to DSG, thereby promoting the sustained and healthy development of the digital ecology.(2) Strengthen the research and development of cuttingedge data security technologies to reduce the probability of data security incidents.Digital technology is an indispensable part of DSG, which can improve the efciency of the supply chain, reduce operating costs, and provide a more optimal decision-making basis for the digital ecological development strategy [51].It can also design a more intelligent protection system to achieve full-platform data monitoring, such as content validation, tracing, copyright tracking, and desensitization [52].It helps enterprises better manage data and protect its security, integrity, and privacy.Tis can narrow the existence time of security vulnerabilities, reduce the system risk level, optimize the efciency of data governance and management, and improve data security and protection.

Figure 1 :
Figure 1: Structure of the tripartite game of DSG.

Figure 4 :
Figure 4: Sensitivity analysis of contingency costs and negative externality losses.(a) Sensitivity of contingency costs and (b) sensitivity of negative externality losses.

4
Complexityimage, economic interests, and social stability, opting for a more moderate approach instead of immediate emergency action.Te relationship among the digital ecosystem and platforms adopting proactive governance strategies, local governments implementing participatory management strategies, and the central government employing emergency response strategies for data crises is one of interdependence and collaboration.Each entity plays a distinct yet complementary role in fostering an open, healthy, and secure digital environment.Local governments engage in participatory management to provide tailored, region-specifc governance within the digital ecosystem.Strategies may include promoting digital literacy, strengthening local regulatory capacities, and assisting platforms in enforcing national policies.Tis collaborative approach complements eforts by central authorities and platforms.

Table 1 :
Parameter setting of the tripartite game model.

Table 2 :
Beneft matrix for the three-party game.

Table 3 :
Equilibrium point and eigenvalue of the system.
Data security is the foundation of the digital ecology, without which the digital ecology will not function properly.Indeed, DSG can efectively protect the country's digital assets, prevent risks such as data leakage, tampering, and damage, improve the ability of each subject to respond to information security risks, and reduce the occurrence of security incidents to guarantee the stable development of each subject.Tis paper carefully examines the heterogeneous impact of diferent factors on DSG in China based on the current context of creating a digital ecology.Furthermore, this study helps to promote the benign construction of digital ecology and reform the DSG mechanism in China.In addition, it has important practical signifcance and application value for protecting the interests of individuals and organizations, preventing data leakage and abuse, and maintaining social order and stability.