Information Security Decisions with Consideration of Hacker Intrusion Propagation

The spread of network attacks is extremely harmful, which poses a great threat to the assets and reputation of firms. Therefore, making a scientific information security strategy is an important task for the continued and stable development of the firms. This paper develops the SIR model of hacker intrusion propagation and then analyzes the evolution trend of hacker intrusion propagation and the conditions of strategy transfer. The research shows that when immune failure and strategy transfer are not considered, the threshold of hacker intrusion propagation is negatively correlated with the probability of invasion, whereas it is positively correlated with the probability of defense success and the externality during outsourcing. In the case of immune failure, there will always be infected firms in the network, where the threshold of hacker intrusion propagation is affected by the proportion of the infected state and the probability of immune failure. When immune failure and strategy transfer occur simultaneously if the externality is positive and high, information security outsourcing can improve firms’ security benefits; if the externality is negative, the firms should stop cooperating with the managed security service provider (MSSP).


Introduction
With the rapid development of economic globalization, collaboration between firms has become usual. However, cooperation improves the efficiency, it also brings potential risks to firms' information security. The interdependence among different information systems is exploited by hackers to attack affiliated firms. For example, software of the firms' information systems increasingly relies on the development tools or software modules of the third-party development platform. Once there are security vulnerabilities in these tools or modules (especially open-source software), hackers will successfully invade the third-party development platform and then attack the firms' information system. Positive Technologies reported that hackers penetrated one firm's network and used it as a gangplank that pointed to penetrate the other firms' information systems [1]. To address the complex network security problems, firms usually enhance their security through two measures, i.e., autonomous defense and outsourcing information security services [2].
Compared with autonomous defense, although outsourcing information security services have certain advantages in more professional technology and lower management cost, the firms' information systems security will rely on MSSP's security protection system. Once the information systems of MSSP or firms are invaded, hackers will attack the affiliated organizations based on this interdependence, which will lead to security externalities [3]. For example, if MSSP prevents hackers from invading one customer firm, it has the successful preventing experience for such attacks so as to better serve other firms that purchase its outsourced services, which is a positive security externality from outsourcing information security strategy. Therefore, some firms are more willing to shift from autonomous defense to outsourcing strategy. However, if hackers successfully invade the firms or MSSP, the interdependence among different information systems will increase the security risk of affiliated organizations, which is a negative security externality from outsourcing information security strategy; thus, some firms may give up the corporations with MSSP.
Nowadays, studies on hacker intrusion behavior and firms' information security strategies have recently become a research hotspot in complex network environments.
Hackers' intrusion behavior includes embedding computer viruses [4], disseminating malware distribution [5], and launching DDOS attacks [6]. The influences of hacker intrusion on firms' information sharing decision from the perspective of economics are studied recently. Gao and Zhong [7] explored the effect of attack level, firms' information sharing and security technology investment on profits, and customer needs under hackers' targeted attacks. Hausken [8] showed that the attack level is irrelevant with the efficiency of information sharing, but hackers' information sharing level decreases with the increase of firm's security investment [9]. On the basis, he also concluded that hackers improve their attack level by sharing vulnerability information of the firms' information systems. In addition, there are some studies concentrated on the hackers' intrusion behavior based on cellular automata. For example, Gagliardi and Alves [10] studied the influence of the small world on the effect of hacking behavior by structuring the CA model. The propagation behavior of network malware was studied based on the CA model as well [11,12]. However, the CA model cannot reflect the average trend of hacker intrusion propagation and cannot make general predictions [13]. To sum up, the current research mainly focuses on analyzing hacker intrusion behavior by game model and CA model but lacks the mechanism of hacker intrusion diffusion. SIR model is a classical model to describe the mechanism of information diffusion. It can not only study the dynamics diffusion process but also position the key nodes and analyze the threshold of virus propagation [14][15][16][17]. The diffusion characteristics of computer network viruses are similar to those of biological viruses, which are latent, infectious, and destructive; thus, the evolution of virus infection among network nodes can be considered, and the SIR model is used to analyze the computer virus diffusion [18][19][20][21][22]. SIR model is introduced to study the mechanism of hacker intrusion diffusion, which has certain innovative significance.
Prior research on the information security strategy largely focuses on information security investment behavior, technology configuration, and security service outsourcing. For example, Qian et al. [23] developed an information security investment game model of affiliated firms considering the different probabilities of hacker intrusion. He also examined the optimal information security investment strategy based on security insurance [24]. Research in many domains has addressed information security technology configuration, such as IDS, firewall, and honeypot. For example, in economics, Smirnova and Smirnova [25] proposed the optimal configuration of intrusion detection systems when firms chose the strategy of autonomous defense and showed that the impact of IDS quality, cost structure, and strategic behavior of hackers are the main factors in the defense effect. Since security outsourcing is an emerging strategy in the field of information security management, there are few researches on this topic at present. Wu et al. [26]. discussed the impact of positive and negative externalities on the information security effect and proposed an information security outsourcing contract. Some scholars concentrated on the incentive mechanism of security outsourcing and the risk of information disclosure, and discussed the security game between hackers, MSSP, and firms [27,28]. The existing research on information security decision-making mainly focuses on the decision-making of information security within the firm and rarely considers the evolution of information security strategy between affiliated organizations due to the externality of information security outsourcing caused by interdependence. In fact, with the dynamic changes of hacker intrusion diffusion and security externality, the evolution of firms' security status leads to adjust their security strategies. SIR model can effectively analyze the decision interaction of agents in network systems. Therefore, considering the conditions of hacker intrusion diffusion and security externalities, we develop an extended SIR model to analyze the evolution trend of hacker intrusion diffusion and the conditions of choosing strategy transfer, which is another innovation of this paper. Based on our results, it has theoretical supplementary value to the economics of information security.
This study is presented as follows. Section 2 explains the assumptions of the SIR model and introduces hacker intrusion propagation. Section 3 studies three information security strategies: without considering immune failure and strategy transfer, only considering immune failure, and considering both immune failure and strategy transfer. Section 4 presents numerical simulations to extend the conclusions. Managerial implications are discussed in Section 5.

Description of the Model.
Based on the SIR model, network security includes susceptible state (S), infected state (I), and recovered state (R), in which S indicates that firms have not been invaded but are at risk of being invaded, I indicates that firms have been invaded, and R indicates that firms have successfully defended against cyberattacks or recovered from attacks to a safe state. Firms choose one of two information security strategies, autonomous defense or outsourcing, to prevent the attacks. S 1 , I 1 , and R 1 denote the firms' susceptible state, infected state, and recovered state, respectively, when they implement autonomous defense; S 2 , I 2 , and R 2 denote the firms' susceptible state, infected state, and recovered state, respectively, when they choose information security outsourcing.
Suppose that there are N nodes in the network, and each node represents a firm. If firms choose the strategy of autonomous defense, the probability of invasion is λ 1 , where the firms' security state changes from S 1 to I 1 after successful invasion. In this case, the probability of resisting invasion is 1 − λ 1 , where the firms' security state changes from S 1 to R 1 after successful defense. After firms have been invaded, the probability of information systems recovery is β 1 , where the firms' security state changes from I 1 to R 1 . After firms successfully defend against intrusion or recover their information systems, hackers can still target them and continue to attack. In this situation, the probability of reinvasion is c 1 , where the firms' security state changes from R 1 to I 1 . We define "firms' immune failure" as the security state change from "immune" to "infection." Likewise, if firms choose the strategy of information security outsourcing, there are similar explanations for parameters such as λ 2 , β 2 , and c 2 and changes of security states. Furthermore, the security externality θ(− 1 ≤ θ ≤ 1) is a phenomenon coming from the interdependence between information systems. To be specific, positive externality θ > 0 or negative externality θ < 0, respectively, has a positive or negative effect on information security levels. When the strategy of information security outsourcing is implemented, the probability of invasion under the condition of externality is (1 − θ)λ 2 , where firms' security state changes from S 2 to I 2 .
Similarly, the probability of state transfer from S 2 to R 2 is (1 + θ)(1 − λ 2 ), the probability of state transfer from I 2 to R 2 is (1 + θ)β 2 , and the probability of state transfer from R 2 to I 2 is (1 − θ)c 2 . It is worth noting that the service ability of MSSP determines the quality of firms' security products which affect the probability of invasion λ 2 , the probability of information systems recovery β 2 , the probability of re-invasion c 2 , and the security externality θ. After firms are invaded, they are dissatisfied with the existing security strategy and may change their information security strategy. We call this process of strategy change "strategy transfer." φ 1 is the proportion of firms transferring from autonomous defense to outsourcing strategy after hackers invade; φ 2 is the proportion of firms transferring from the strategy of outsourcing to autonomous defense. Based on the above, Figure 1 shows the state evolution of process firms after hacker intrusion.

SIR Model of Hacker Intrusion Propagation.
According to the model assumptions and the rules of state transfer, invaded firms and their affiliated firms constitute a social network. The SIR model of intrusion propagation can be expressed as follows: (2) (3) where S 1 (t), I 1 (t), and R 1 (t), respectively, represents the proportion of susceptible state, infected state, or recovered state relative to the total firms in the network when they implement the strategy of autonomous defense at the time t; similarly, S 2 (t), I 2 (t), and R 2 (t), respectively, represent that of when they implement the strategy of information security outsourcing at the time t, where S 1 (t) + I 1 (t)+ R 1 (t) + S 2 (t) + I 2 (t) + R 2 (t) � 1.

Steady-State Analysis without considering Immune Failure and Strategy
Transfer. First, we assume that the strategy of autonomous defense can resist attacks successfully. In other words, the firms' security state does not change from R to I. Meanwhile, firms will not change their minds after adopting this strategy. In this case, there are c 1 � c 2 � 0 and φ 1 � φ 2 � 0, and substitute them into equations (1), (2), (4), and (5). We can yield where S 0 and I 0 , respectively, represent the proportion of initial susceptible state and infected state relative to total firms in the network when they are at the beginning of the invasion. Then, the variation trend of I 1 with S 1 , and I 2 with S 2 is studied, and the threshold of intrusion propagation is calculated subsequently. Next, it is necessary to analyze the monotonicity of f(S 1 ) and f(S 2 ). Let f ′ (S 1 ) > 0 and f ′ (S 2 ) > 0, and the monotonicity of Based on reality, the intrusion will propagate only when the proportion of infected firms increases. The threshold of intrusion propagation is β 1 /λ 1 when firms implement the strategy of autonomous defense; i.e., the intrusion will propagate only when S 0 > β 1 /λ 1 . Similarly, the threshold of intrusion propagation is (1 + θ)β 2 /(1 − θ)λ 2 when firms implement the strategy of outsourcing; i.e., the intrusion will propagate only when S 0 > (1 + θ)β 2 /(1 − θ)λ 2 . We can derive that f(S 1 ) and f(S 2 ) tend to be 0 with decreasing S 0 . Furthermore, the firms' ability to resist risk will increase with a higher threshold of intrusion propagation. Meanwhile, the threshold of intrusion propagation is positively correlated with both the probability of information systems recovery β 1 (or β 2 ) and the externality θ, and is negatively correlated with the probability of invasion λ 1 or λ 2 . This means that if the MSSP has a high level of service ability to provide the firms high quality of security products, it can effectively reduce the probability of successful intrusion by hackers, improve the probability of successful repair after intrusion, and increase the positive security externality, so as to increase the threshold of intrusion propagation and enhance the ability of firms to resist risks.
Hereafter, we compare the thresholds of intrusion propagation with the two different security strategies. Let We can obtain that 2θβ/(1 − θ)λ > 0 if θ > 0 and vice versa. In other words, when the externality is positive, the strategy of outsourcing will increase the threshold of intrusion propagation; otherwise, it will decrease the threshold of intrusion propagation.
To conclude this section, we came to the following conclusions without considering immune failure and strategy transfer. Conclusion 1. If firms implement the strategy of autonomous defense, the threshold of intrusion propagation is β 1 /λ 1 ; if firms implement the strategy of outsourcing, the threshold of intrusion propagation is Only when the propagation of the initial susceptible state is beyond the threshold, the intrusion will propagate. Furthermore, regardless of whether the intrusion propagates or not, the final proportion of firms in the infected state is 0. Conclusion 2. When the externality is positive, the strategy of outsourcing can better restrain hacker intrusion propagation. Compared with the strategy of autonomous defense, the threshold of intrusion propagation increases by 2θβ/(1 − θ)λ. On the other hand, when the externality is negative, the strategy of outsourcing hard attains to expect the result. Compared with the strategy of autonomous defense, the threshold of intrusion propagation decreases by 2θβ/(1 − θ)λ.

Steady-State Analysis considering Immune Failure.
Based on the SIR model in Section 3.1, we consider the situation of immune failure; that is, the security state can change from "immune state" to "infected state." However, it is still not considered of information security strategy transfer (φ 1 � φ 2 � 0).c 1 is the probability of immune failure, in which the security state may change from R 1 to I 1 , and c 2 is the probability of immune failure, in which the security state may change from R 2 to I 2 . Then, the SIR model is Similarly, to analyze the threshold of intrusion propagation when immune failure occurs, it is necessary to discuss the monotonicity of equation (7). According to d(I 1 )/d(S 1 ) > 0, we obtain that The threshold of intrusion propagation is changing with the variation of λ 1 I 1 − c 1 , c 1 , and (β 1 + c 1 )I 1 . Hence, we need to examine the following six situations, respectively. Situation 1. If λ 1 I 1 < (β 1 + c 1 )I 1 < c 1 , formula (13) can be simplified to (β 1 + c 1 )I 1 − c 1 /(λ 1 I 1 − c 1 ) < S 1 < 1, and we have the threshold of intrusion propagation η � (β 1 + c 1 )I 0 − c 1 /(λ 1 I 0 − c 1 ). When S 0 > η, the intrusion does not propagate. Situation 2. If λ 1 I 1 < c 1 < (β 1 + c 1 )I 1 , formula (13) can be simplified to (β 1 + c 1 )I 1 − c 1 /(λ 1 I 1 − c 1 ) < S 1 < 1. In this situation, no matter what the value S 0 is, the intrusion will never propagate. Situation 3. If c 1 < λ 1 I 1 < (β 1 + c 1 )I 1 , formula (13) can be simplified to S 1 < (β 1 + c 1 )I 1 − c 1 /(λ 1 I 1 − c 1 ), and we have the threshold of intrusion propagation η � (β 1 + c 1 )I 0 − c 1 /(λ 1 I 0 − c 1 ) > 1. In this situation, no matter what the value S 0 is, the intrusion will never propagate.
Similarly, when firms choose the strategy of outsourcing, we can discuss the similar six situations, respectively.
no matter what the value S 0 is, the intrusion will never propagate.
To conclude this section, we can drive the following conclusions when considering immune failure (c > 0). Conclusion 3. Infected firms always exist in the network when c > 0. Conclusion 4. When externality is positive, the overall trend of intrusion propagation is not changed, but if MSSP security ability prevents hackers from continuing attacks on affiliated organizations by the positive externality, it can reduce the proportion of infected firms and the scale of intrusion propagation. Conclusion 5. If the strategy of autonomous defense is implemented, the intrusion will propagate when (β 1 + c 1 )I 0 < c 1 < λ 1 I 0 or (β 1 + c 1 )I 0 < λ 1 I 0 < c 1 . On the contrary, the intrusion will not propagate when λ 1 I 1 < c 1 < (β 1 + c 1 )I 1 , or c 1 < (β 1 + c 1 )I 1 < λ 1 I 1 ,or λ 1 I 1 < (β 1 + c 1 )I 1 < c 1 and S 0 > η,or c 1 < (β 1 + c 1 ) I 1 < λ 1 I 1 and S 0 < η. Conclusion 6. If the strategy of outsourcing is implemented, the intrusion will propagate when On the contrary, the intrusion will not propagate when

Steady-State Analysis considering Immune Failure and Strategy Transfer.
Based on the SIR model in Section 3.2, we consider the situation of both immune failure and strategy transfer. In reality, firms compare the strategy advantages of autonomous defense and outsourcing combining the situation of intrusion propagation and then dynamically adjust the information security strategy to ensure information system security. For example, if intrusion propagation occurs, the externality is positive (θ > 0), and firms may change their strategy from autonomous defense to outsourcing, which achieves the positive effects of externality. Alternatively, the externality is negative (θ < 0), and firms may stop cooperating with MSSP to avoid the negative effects of externality.

Steady-State Analysis When the Externality Is Positive.
Let φ 2 � 0, θ > 0, the other parameters are unequal zero, and we can yield Let d(I 1 )/d(S 1 ) � 0, d(I 2 )/d(S 2 ) � 0, and when firms choose the strategy of autonomous defense, the threshold of intrusion propagation is

Mathematical Problems in Engineering
When firms choose the strategy of outsourcing, the threshold of intrusion propagation is Suppose that all parameters are equal except θ, the security level increases after the strategy transfer, and it should be satisfied η 2 > η 1 , that is, Then, the strategy transfer from autonomous defense to outsourcing will improve the security level of the firms.

Steady-State Analysis When the Externality Is Negative.
Let φ 1 � 0, θ < 0, the other parameters are unequal zero, and when firms choose the strategy of autonomous defense, the threshold of intrusion propagation is When firms choose the outsourcing strategy, the threshold of intrusion propagation is Suppose that all parameters are equal except θ, the security level increases after the strategy transfer, and it should be satisfied η 1 > η 2 . We can examine that η 1 > η 2 is always true, which shows that when the externality is negative, firms should stop information security outsourcing.
To conclude this section, we can derive the following conclusions when considering immune failure and strategy transfer simultaneously: Conclusion 7. When the externality is positive and θ > 2φ 1 (1 − c − β)/2β − 2φ 1 c + φ 1 , the invaded firms should choose the strategy of outsourcing to protect their information security. Conclusion 8. When the externality is negative, the decision factors of the information security strategy are not correlated with φ and θ. In other words, invaded firms should choose the strategy of outsourcing for better security level.
According to the above conclusions, we summarize the conditions of hacker intrusion propagation or nonpropagation under different information security strategies (Table 1), in which Case I indicates that immune failure and strategy transfer are not considered, Case II indicates that only immune failure is considered, and Case III indicates that immune failure and strategy transfer are considered at the same time. Firms and MSSP could adjust their own information security strategy or network security level due to the conditions of hacker intrusion propagation or nonpropagation in the case of autonomous defense or outsourcing information security.
For example, we discuss the situations when firms choose autonomous defense strategy. In Case I, hacker intrusion propagation is related to the probability that the firm is invaded and the probability that the systems are successfully repaired after being invaded, while in Case II, hacker intrusion propagation is also affected by the probability of immune failure and the proportion of infected states in network nodes. Besides in Case III, hacker intrusion propagation is restricted by the probability of immune failure, the proportion of infected states in network nodes together with the proportion of strategy transfer.
To sum up, firms will choose the security technology according to the above influencing factors and improve their security levels. In addition, the proportion of susceptible states should be controlled in the range of hacker intrusion nonpropagation. For instance, in Case I, compared with the firms choosing autonomous defense, if the information security outsourcing strategy is implemented, hacker intrusion propagation is affected by the security externalities. Similarly, MSSP should also adjust its own security service level according to the network environment to control the proportion of susceptible state in the range of hacker intrusion nonpropagation.

Numerical Analysis
To better understand the conclusions of steady-state analysis, numerical simulation is a valid means to clarify the analytical process of the overall and local details. We set simulation parameters which accord with the numerical range in Section 2.1.

Numerical Simulation without considering Immune
Failure and Strategy Transfer. Let λ 1 � λ 2 � 0.5, β 1 � β 2 � 0.2, S 0 � 0.6, and the externalities are θ � − 0.1 and θ � 0.1, the phase trajectory of I 2 with S 2 when firms choose the strategy of outsourcing, and the phase trajectory of I 1 with S 2 when firms choose the strategy of autonomous defense.
Firms in the susceptible state tend to turn into I or R, and the proportion of the susceptible state decreases. Figure 2 shows that with the decline of the proportion of susceptible firms, the proportion of infected firms first increases, then decreases, and eventually tends to be 0. Due to hackers having invaded certain firms and copied successful experiences to invade the affiliated firms, the proportion of infected firms is increased. However, firms will develop Table  1: Conditions of hacker intrusion propagation or nonpropagation.

Autonomous defense
Outsourcing information security

Conditions of hacker intrusion propagation
Conditions of hacker intrusion nonpropagation effective security defense strategies that increase the number of immunized firms in the network. In addition, the above discussion is an ideal case, in which the negative impact of the immune failure on the security level is not considered. Therefore, firms in the infected state will eventually change to the recovered state as long as the defense is successful. Figure 2 also shows that if the proportion of susceptible firms is less than the threshold, the proportion of infected firms will decrease, which is consistent with Conclusion 1.
Next, we study the impact of externality on the security state of firms. Let λ 1 � λ 2 � 0.5, β 1 � β 2 � 0.2, S 0 � 0.4, and I 1 � I 2 � 0.1. Figures 3 and 4 show the security transfer if firms choose different security strategies, when positive externality or negative externality occurs during outsourcing, in which S 1 , I 1 , R 1 is the security state when firms choose the strategy of autonomous defense; in this situation, the externality is 0. Figure 3 shows S 2 , I 2 , R 2 is the security state curve when firms choose the strategy of information outsourcing with the positive externality (θ � 0.3). Figure 4 shows S 2 , I 2 , R 2 is the security state curve when firms choose the strategy of outsourcing with negative externality (θ � − 0.3).
When θ � 0.3, we obtain that and satisfy the condition that the intrusion does not propagate in Conclusion 1, which is consistent with the declining trend of I 1 and I 2 in Figure 3. When θ � − 0.3, we obtain that (1 + θ)β 2 /(1 − θ)λ 2 � 0.21 < S 0 and satisfy the condition that the intrusion propagates in Conclusion 1, which is consistent with the trend of I 2 that first increases and then declines in Figure 4. In addition, Figure 3 shows that when the externality is positive, the declining trend of I 2 (t) is faster than that of I 1 (t). On the other hand, Figure 4 shows that when the externality is negative, the declining trend of I 1 (t) is faster than that of I 2 (t), which is consistent with Conclusion 2.  Figure 6 shows the variation curves of the proportion of infected firms with t when the firms choose the strategy of outsourcing if the externality is 0.2. Figures 5 and 6, respectively, show the variation curves of the proportion of infected firms when they choose the strategy of autonomous defense and outsourcing. When immune failure occurs, whichever security strategy firms choose, there are always invaded firms, and the variation trend of the proportion of infected firms is the same. Specifically, the proportion of infected firms in situation 1, situation 5, and situation 6 shows an increasing trend, while the proportion of infected firms in situation 2, situation 3, and situation 4 shows a declining trend. In addition, comparing Figures 5 and 6, we derive when firms choose the strategy of outsourcing and the externality is positive, the proportion of infected firms as well as the scale of intrusion propagation can be decreased in the network.

Numerical Simulation considering Immune Failure and
Strategy Transfer. In this section, regardless of whether externality is positive or negative, let λ 1 � λ 2 � 0.5, β 1 � β 2 � 0.3, c 1 � c 2 � 0.5, and φ 2 � 0.2. Figures 7 and 8(a) show that I 1 (t) is the variation curve of infected firms when the strategy of autonomous defense is chosen. The remaining four curves I 2 (t), respectively, correspond to the variation curves of infected firms when they transfer the strategy from autonomous defense to that of outsourcing with gradually increasing externality.
In addition, to clarify how the strategy transfer affects the information security strategy, we compare the trends of I 1 (t) and I 2 (t) under a certain negative externality in Figure 8(b) (i.e., let θ � − 0.4). Figure 7 shows that the strategy of outsourcing is inferior to that of autonomous defense when 2φ 1 (1 − c − β)/ 2β − 2φ 1 c + φ 1 ≈ 0.13, which implies that θ � 0.1 < 0.13. With the continuous increase of positive externality (i.e., θ � 0.2, θ � 0.3, θ � 0.4), the scale of invaded firms in the network decreases after implementing the strategy of outsourcing. And the greater impact of positive externality leads to a lower proportion of infected firms. This demonstrates that if the MSSP plays an active role through positive externality, strategy transfer can better ensure the firms' security. Therefore, firms have more motivation to transfer from the strategy of autonomous defense to that of outsourcing, which is consistent with Conclusion 7. show that in the case of negative externality, no matter how the externality influences and the proportion of strategy transfer varies, the proportion of infected firms when choosing the strategy of autonomous defense is always less than that of outsourcing. This demonstrates that the strategy of autonomous defense can better protect the firms' security.

Conclusion
In this paper, the SIR model of intrusion propagation in complex networks is established under different information security states. The threshold conditions of intrusion propagation are studied by steady-state analysis when firms choose different security strategies. The influences of externalities on the scale of intrusion propagation and strategy transfer are also discussed. We showed that (i) without considering immune failure and strategy transfer, the intrusion will propagate if the initial proportion of susceptible firms is greater than the threshold of intrusion propagation; firms can effectively resist the intrusion propagation only if the externality is positive. (ii) Considering immune failure, there are always infected firms in the network. When the externality is positive, it will not change the fact of intrusion propagation if firms choose the strategy of outsourcing; however, it can reduce the propagation speed. The probability of intrusion propagation is influenced by the proportion of the initial infected state, the probability of invasion, and the probability of immune failure. (iii) Considering both immune failure and strategy transfer, if the externality is positive and greater than a certain threshold, invaded firms can seek the help of outsourcing; otherwise, firms should stop outsourcing information security as soon as possible.
In addition, the conclusions of this paper also provide guidance when firms encounter hacker intrusion.
First, if the hacking damage is not serious or the firms' defense is successful and can resist the same type of attack again, the ratio between the effect of recovering information systems and the probability of invasion should be comprehensively considered. And the probability of intrusion propagation can be judged by the proportion of firms that have not been invaded relative to the total firms in the network. If firms choose the strategy of outsourcing, the MSSP must play an active role in ensuring information systems security by positive externality of intrusion event associative processing.
Secondly, if the hacking methods are upgraded, which probably leads to the immune failure, firms need to be prepared for a long battle with hackers. And the probability of intrusion propagation can be comprehensively judged by the proportion of infected firms in total and the probability of immune failure. If the quality of the MSSP's security service is relatively high, the strategy of outsourcing can slow down the speed of hacker intrusion propagation, which reduces the scale of invaded firms.
Finally, when the firms transfer their information security strategy after they are invaded, then collaborating with the MSSP is a better choice only if the MSSP may collect hackers' information by analysis tools to develop personalized defense measures, dynamically respond to security threats, and maximize security benefits. On the contrary, if the MSSP cannot effectively detect system vulnerabilities and ignore the potential risk of the threat to affiliated firms, which reduces the hackers' cost of copying intrusion experience, leading to a poor outsourcing service quality, firms should stop outsourcing security service as soon as possible.  Figure 8: (a) Curve of I 1 (t) and I 2 (t)(θ < 0). (b) Curve of I 1 (t) and I 2 (t)(θ < 0).

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.