With the rapid development of the digital economy, there has been an explosion in the amount of data generated. Data have become a vital resource for nations, just as tangible assets and human capital are crucial factors of production. Consequently, protecting digital security has become paramount. However, the increasing frequency of various data security incidents in recent years has exposed issues such as inadequate platform governance, lack of government regulation, and incomplete digital security governance (DSG) mechanisms. This study aims to create a healthy and open digital ecosystem and proposes a new digital security governance framework. It subdivides traditional government departments into local governments and the central government. Together with third-party platforms, they are analyzed as participants in an evolutionary game. The study examines the evolutionary stability of strategy choices made by each party and explores the relationship between key factors such as negative externalities, data security incident probabilities, and their impacts on strategy selection using numerical simulations. The research findings indicate the following. (1) Key parameters such as implicit benefits, government subsidies, and negative externalities play a significantly positive role in the development of the digital ecosystem. (2) The central government consistently tends towards emergency response, considering the overall societal perspective, as long as it is capable of bearing the costs. (3) Local governments may exhibit free-riding behavior during the governance process. To address this, it is important to increase the willingness of third-party platforms to govern and oversee the participation of local governments, which is an effective way to prevent data crises. The study also identifies different governance models in various environments: (1) a digital security governance model in a stable market environment, involving increased central government intervention and supervision of local governments’ participation; and (2) a digital security governance model in the event of a data crisis, where the central government establishes subsidies that exceed the governance costs of local governments to enhance the willingness of third-party platforms to govern. Finally, recommendations and strategies are presented to enhance the level of digital security governance.

1. Introduction

Digital ecology has become an important means for social progress and economic prosperity and thus is an important pillar in the construction of Digital China [1]. China’s digital ecological construction is on the ascendant, as a large amount of data came into being, and the problem of data insecurity followed. For example, the employees of Ping An Life Insurance Company Limited illegally sold 40,000 pieces of customer information, and Super Star Learning Link software leaked over 170 million pieces of private data, damaging personal information. Unbridled data collection, excessive data mining and misuse, and cyberattacks have become increasingly commonplace [2]. Platform enterprises characterized by digital drive and network collaboration have commonly deposited huge amounts of data during development, and problems such as data monopoly, data security, and personal information protection have emerged [3]. If digital security governance (DSG) is not strengthened, data and information can be arbitrarily collected, tampered with, trafficked, and disseminated, severely undermining the national and public interests. DSG is the key to improving the security level of contemporary organizations [4, 5] as it embeds security into the organizational structure and all relevant business dimensions and factors across the organization, helping to capture strategic objectives and appropriately manage security risks [5]. Implementing DSG and establishing strong safeguards and dynamic and constant security protection mechanisms enable the proper protection and secure use of sensitive data. This strategy allows for continuous security and protection of organizational assets [6, 7].

However, due to the late start of DSG in China [8], there are still issues concerning data security measures, interdepartmental collaboration, digital infrastructure development, industry regulation, and digital national sovereignty [8]. Although a preliminary institutional framework for DSG has been formed, regulating behaviors directly on various platforms is still challenging, and the government mainly requires them to abide by their obligations rather than exercising its regulatory duties [9]. Escalating user concerns about privacy and data security has posed new challenges to DSG, and therefore, continuously updated research is needed to adapt to these changes. Meanwhile, the DSG literature is primarily descriptive, focusing on normative standards, generic frameworks, and the individual level [10, 11] while ignoring the complexity of the interactions between different subjects. It should be noted that DSG is not an endeavor that can be carried out by one party alone, and multiple governance roles, responsibilities, and strategies are key pillars in developing robust governance and security processes and procedures [12, 13]. However, current studies investigate the game between platforms and local governments [14, 15]. However, as the highest level of responsibility for data security, the central government has not been considered yet. It is important as the central government plays a key role in DSG, and its responsibilities include regulation-making, regulatory enforcement, and policy formulation. Introducing central government into the tripartite evolutionary game can strengthen the risk management capabilities of digital security governance systems. First and foremost, this expansion facilitates a more comprehensive consideration of interests. Local governments and central governments represent distinct sets of stakeholders with diverse priorities and concerns. Local governments emphasize regional development, while central governments focus on national security, strategic imperatives, and citizen welfare. By incorporating these various perspectives, the dynamics of the game become enriched, allowing for a more nuanced understanding of the competing interests at play. Moreover, this expansion clarifies the delineation of responsibilities and promotes orderly coordination among stakeholders. By defining the roles and responsibilities of platforms, local governments, and central governments in digital security governance, stakeholders can minimize confusion, duplication of efforts, and jurisdictional conflicts. Clear lines of accountability facilitate effective decision making, streamline operational processes, and enhance the overall efficiency and effectiveness of governance mechanisms. Therefore, it is necessary to conduct an in-depth study of DSG while considering digital ecology and from the perspective of game theory and centered on data security, with the participation of third-party platforms, local governments, and the central government.

This paper constructs a cross-industry and cross-domain DSG model and a more comprehensive, integrated, and flexible conceptual framework that reveals the DSG mechanism in digital ecology. This study contributes to the construction of a theoretical system of DSG and provides an in-depth understanding of the roles, relationships, and responsibilities of governments, enterprises, and individuals in data security. In addition, this study helps to predict future development trends, formulate corresponding governance strategies in advance, and assist decision makers in better understanding the problems, predicting risks, and formulating specific and effective policies, regulations, and data security strategies. Nevertheless, a continuous feedback mechanism between theory and application is required to better respond to the ever-changing data security challenges.

2. Literature Review

2.1. DSG Study

“DSG” was first proposed by Gartner, who claimed that DSG is a complete chain from the decision-making level to the technical level, from the management system to the tool support, and runs through the whole organizational structure from top to bottom [16]. Some scholars have expanded on this connotation, arguing that strategic security considerations in the digital environment are called DSG [5, 10, 11, 17]. Furthermore, they aimed to maintain the confidentiality, integrity, and availability of data assets [16], achieving the goals and the proper management of security risks [5, 18] in response to the increasing number of cyberattacks [6]. Although different scholars have different definitions of “DSG,” the core is to coordinate the rights and interests of the various stakeholders and protect the entire data life security cycle. Throughout the data security legislation and governance practices of countries worldwide, the DSG model has roughly passed through three stages, from responsive governance focusing on guidance and regulation to centralized governance with institutional and mandatory, and then to agile governance with the participation of multiple governance subjects and the flexible use of a variety of governance tools [12]. In the current stage of multiple governance, the three-party evolution game is an effective model for studying game relationships between various subjects.

Previous works have always paid attention to DSG. On the one hand, the widespread use of digital technologies has provided new opportunities and challenges for various industries. Indeed, some researchers have explored the transformative impact of DSG on various aspects of public health [19], higher education [20], government information assets [21], and supply chain finance [22, 23], which can enhance their risk management capabilities, protect privacy, and promote open information sharing and service improvement. On the other hand, some works have conducted theoretical or empirical studies from the subdivisions of DSG regarding cross-border data flow supervision [24], personal privacy protection [25], and data opening and sharing. For example, Li et al. [26] built a binary network model and an associated network to identify the risk of the cross-border flow of important data and provided a quantitative method for early warning management for cross-border data. However, the DSG literature is primarily descriptive, focusing mostly on prescriptive standards and generic frameworks [10, 11] or analyzing problems using the DSG process, such as inadequate data privacy protection and legal security systems [27]. Specifically, current works lack a holistic, top-down analysis of the DSG system. Although there are strong interconnections between these areas, both cross-border and open sharing of data involve privacy protection issues, and a healthy and effective DSG framework needs to balance these aspects to ensure the secure data flow and protection of individual privacy while simultaneously facilitating the openness and data sharing to promote innovation and sustainable development in society.

2.2. Platform DSG Research

Third-party platforms often collect and process large amounts of personal data as a constituent feature of their business model [28]. There are many studies on data security in platform companies, mainly based on the profit-seeking nature of the platforms. Data misuse and public opinion dissemination can be divided into two main categories. The former manifests itself in the excessive collection of user data by platforms [29, 30], the implementation of big data price discrimination [31], and the unauthorized use of information [32]. The latter manifests in disseminating false information by platforms [33, 34] and manipulating public opinion [7, 35]. For example, Hou et al. [14] argued that there is an information inequality between platforms and individuals, and Yao [3] analyzed the “big data-based price discrimination” by constructing a game model among consumers, platform enterprises, and the government. They started with the misuse of data by platforms and examined the regulatory mechanisms among users, platforms, and governments.

However, third-party platforms allow any account to register and log freely and express their views, which has resulted in a large and generally low-quality data of the online information ecosystem. At the same time, users can influence the dissemination and use of information through retweeting, liking, and commenting. Thus, third-party platforms act as a medium or tool carrier in their own right rather than subjective actors. For example, some users send spam through Weibo [36], and in Brazil, WhatsApp has been used for virtual kidnapping and fraudulent extortion [37].

2.3. Summary

The literature presented above highlights that current research on DSG mainly focuses on the theoretical level. Specifically, these studies focus on a specific area of the DSG challenges, exploring its current situation, problems, and optimization paths. In addition, most scholars have focused on the active behavior of third-party platforms when studying the formation of data hazards, while relatively little consideration has been given to the factor of their passively becoming a channel of abuse. Similarly, the central government’s role in the DSG process has been somewhat neglected. Given this situation, this paper explores DSG from the perspectives of various stakeholders, such as policy promulgation, call for response, and implementation, to build an evolutionary game model of the central government, local governments, and third-party platforms, analyze their possible behavioral strategies, and make the corresponding suggestions.

3. Construction of the Evolutionary Game Model

3.1. Theoretical Framework
3.1.1. The Subject of DSG

The proposed DSG is a comprehensive management strategy involving multiple actors that protects and maintains data confidentiality, integrity, and availability. In DSG, the central government has the overall coordination and regulatory responsibilities at the national level, and local governments and third-party platforms take measures to fulfill their governance obligations jointly.

The central government is the leader and policy maker of the DSG process. It is responsible for coordinating major national data security matters and important work, establishing a national data security coordination mechanism, supervising and managing the data security policies and regulations of various departments, institutions, and organizations, and protecting the basic rights and interests of individuals and organizations in terms of data security. Various localities and enterprises may have different interests and governance standards, requiring the central government to act as a coordinator and establish nationwide consistent standards and norms to ensure consistent and controllable data security. DSG by all parties cannot spontaneously reach a state of equilibrium, and the involvement of the central government in supervision and management is an important factor in promoting active action by platforms and local governments. Furthermore, the central government possesses broader resources and power, allowing for the swift allocation of necessary technological, financial, and human resources when data security incidents occur. Particularly in responding to large-scale or severe data security events, a significant amount of resources and cross-departmental coordination are required, which local governments may struggle to handle independently. For example, the central government can rely on national-level security agencies and expert teams to quickly diagnose issues, assess risks, and formulate effective response measures. Therefore, within the overall national context, the central government assumes the ultimate role in emergency response.

Local governments are facilitators and important participants in the DSG process and belong to “dispatched agencies” of the central government. Local governments have the responsibility to assume the responsibility of DSG within their duties and formulate data security behavior norms and group standards according to the law. They should conduct self-examination and cooperate with third-party platforms to ensure the development and utilization of data and industrial development in the region with data security. The central government supervises local governments and undertakes the obligation to reduce illegal data acquisition and utilization.

Third-party platforms are the executors and policy implementers of the DSG process, with data analysis as the main business or data as a production factor [15], providing fast information aggregation and circulation channels. As an important carrier of data flow, the platforms must handle a large amount of data, including user-generated data, server logs, and application data. These data are the basis for the platforms’ operation and the key to its services and functions. Platforms can analyze data to discover user behavior patterns, understand user needs, optimize services, and attract more users to gain revenue. This requires the platforms to take appropriate technical and management measures to ensure the security of the data in the process of use and to avoid eavesdropping, tampering, and interception.

3.1.2. Analysis of the Subject Benefits

As a data aggregation and diffusion center, the platforms can set up access control mechanisms [25] using keywords [38] to block, delete [39], or restrict the flow of sensitive or offending content. Local governments give platforms the responsibility as market regulators to monitor the quality, combat infringement, and control prices [9]. Note that local governments can become platforms’ users to discover, search, and review illegal information on the platforms. Besides, the central government provides policy support and guidance to local governments or platforms and can issue bans or penalties to local governments or platforms based on data breaches. In regulating the implementation of a data security regime, the central government represents the public’s interests, emphasizing how to maximize society’s overall interest and general welfare. In contrast, local governments mainly consider the interests of local authorities, and platforms are essentially profit-making organizations, which may deviate from the central government’s interests and form a bargaining game. Hence, promoting the cooperation between local governments and third-party platforms, where the two jointly review the content of Internet information from different aspects, can compensate for the deficiencies in government regulation, improve the efficiency of the government, and force the platforms to carefully review the various information data flowing in the platforms to avoid penalties for distorted information. Thus, it is a collaborative gaming process between the two sides.

Unlike traditional game theory, evolutionary game theory assumes humans are finitely rational and usually reach game equilibrium through trial and error. Due to the asymmetry or incompleteness of information, the subject will waver in different strategies to obtain the maximum benefit, and the surrounding subjects or game parties very easily influence its strategy choice. Thus, there is a dynamic adjustment and imitation of the process of others. Interests drive these three parties and eventually make a scientific evolutionary game strategy fit for purpose and operable [40]. Combined with practical research, the evolution process of DSG requires the participation of the central government, local governments, and platforms, the impossibility of complete rationality of each subject of interest, and the mutual influence of their strategic choices, which is a dynamic evolution of the behavior of all parties adjusting each other under certain rules [41]. Therefore, this paper adopts evolutionary game theory and numerical simulation to analyze the dynamic game process of DSG. Constructing a three-party evolutionary game model of the central government, local governments, and platforms determines the evolutionary and stabilization strategies of the three parties to reach the ideal state in different situations. It provides decision-making references for creating a good digital ecology.

3.2. Model Construction
3.2.1. Participants

This study assumes that the game involves three players, i.e., the central government, the local governments, and the third-party platforms, and that all three parties are finite and rational participants who continuously adjust their strategic choices over time to maximize their benefits.

3.2.2. Behavioral Strategies

From the platforms’ perspective, there are two primary strategies for implementing cybersecurity measures: “active governance” and “negative governance.” Active governance means they may implement cyberspace security strategies, strengthen the process of collecting, transmitting, storing, using, sharing, and destroying relevant data in the platforms’ daily operation, actively manage hidden dangers in data, and eliminate environmental externalities generated by themselves. On the other hand, negative governance means they may neglect the effective protection and reasonable use of the organization’s data to save governance costs.

From the local governments’ perspective, adopting a “participation” strategy involves monitoring and auditing the implementation of data security regulations, policies, and norms on platforms, intervening when necessary to address issues like data theft and illegal transactions. This approach aims to reduce the frequency of data security incidents and minimize the impact of negative public opinion, thereby enhancing government credibility. However, if regulatory intervention is not timely due to technological immaturity or high costs, a “non-participation” strategy may be chosen.

From the central government’s perspective, the “emergency response” strategy serves as the last line of defense for digital security governance. This involves implementing emergency measures to counter data security threats and attacks promptly. While this strategy aims to minimize the negative impact of data security incidents, it may face limitations due to the complexity and ambiguity of data issues. In such cases, a “non-emergency response” strategy might be adopted after weighing factors like government image, economic interests, and social stability, opting for a more moderate approach instead of immediate emergency action.

The relationship among the digital ecosystem and platforms adopting proactive governance strategies, local governments implementing participatory management strategies, and the central government employing emergency response strategies for data crises is one of interdependence and collaboration. Each entity plays a distinct yet complementary role in fostering an open, healthy, and secure digital environment.

Platforms’ Governance Strategies. Platforms’ proactive governance strategies contribute to maintaining a healthy digital ecosystem by implementing measures such as self-regulation, enhancing data protection, and optimizing algorithms and content moderation. These efforts aim to prevent issues before they escalate, reducing the need for intervention by local or central governments.

Local Governments’ Participatory Management Strategies. Local governments engage in participatory management to provide tailored, region-specific governance within the digital ecosystem. Strategies may include promoting digital literacy, strengthening local regulatory capacities, and assisting platforms in enforcing national policies. This collaborative approach complements efforts by central authorities and platforms.

Central Government’s Emergency Response to Data Crises. In the event of data breaches, cyberattacks, or other emergencies, the central government’s role becomes pivotal. With greater resources and authority, the central government can swiftly address cross-platform and cross-regional issues, safeguarding public interests and national security.

The stability of this framework depends on effective implementation, communication, and coordination among the involved parties. While inherently stable in theory, its practical stability hinges on factors such as adaptability to evolving challenges and the establishment of robust communication channels and coordination mechanisms. Continuous monitoring, evaluation, and strategy refinement are essential for maintaining stability within the digital ecosystem. The DSG tripartite game strategy constructed in this paper is shown in Figure 1.

3.2.3. Model Hypothesis
H1. All interested parties are finitely rational. Third-party platforms have two strategies: “active governance” and “negative governance,” with the probabilities being and , respectively. The local governments and the central government also have two strategies: the former is “participation” and “non-participation,” with a probability of and , while the latter is “emergency response” and “non-emergency response,” with probabilities of and , where .H2. The probability of a data security incident is , which will lead to platforms’ loss (including direct income loss and compensation payable) and local governments’ fine . At the same time, the central government will also collect a fine from local governments due to poor management.H3. When platforms neglect the importance of data security by adopting a passive governance strategy, it incurs its usual revenue and cost, denoted as and , respectively. However, if the platforms actively engage in digital security governance, it incurs additional costs in technology, management, operations, and maintenance, denoted as . Alongside this, there are implicit benefits such as enhanced security, reputation, and access to political resources, denoted as , resulting in positive externalities that boost the credibility of local governments () and overall societal benefits (). During collaborative efforts between local governments and platforms to review data information, there are costs involved in terms of manpower, resources, and finances (), partly offset by subsidies provided by the central government (). In the event of a data security incident with relatively moderate impact and importance, or if the central government deems it unnecessary for urgent intervention after considering factors like governmental image, economic interests, and social stability, it may opt for a “non-emergency response” strategy and handle the situation according to routine plans. However, if the central government chooses not to respond urgently from a broader perspective, it may lead to misunderstandings and dissent among other stakeholders, resulting in disharmony, destabilization of society, and reputational damage, denoted as environmental negative externalities (). On the other hand, if there is damage to critical data compromising public or national interests, the central government would need to implement an emergency response strategy. In addition to the usual “non-emergency response,” this might require additional funding for specialized data recovery and repair work, including costs for data recovery software, services, hiring external consultants, and experts for technical support and consultancy, denoted as . However, this would also help mitigate losses for the platforms and local and central governments, denoted as and , respectively.

Table 1 reports the parameters of the above assumptions, and Table 2 presents the game benefit matrix for the DSG process of the platforms, local governments, and central government.

4. Analysis of the Evolutionary Stability Strategy

4.1. Stability Analysis of Subjects
4.1.1. Third-Party Platforms

The expected benefits of the platforms preferring to select “active governance” strategies are .

The expected benefits of the platforms select “negative governance” strategies are .

The average expected benefits of the platforms are .

Therefore, according to Taylor’s model [42], the replicator dynamic equation is as follows:

Based on the stability theorem of the differential equation, the conditions that make the probability of the platforms choosing active governance in a steady state are and . Therefore, solving for the first-order derivative of reveals that when , , , and , so is the stable point. When , , , and , so is the only ESS.

4.1.2. Local Governments

The expected earnings when local governments choose “participation” strategies are .

The expected earnings when local governments choose “non-participation” strategies are .

The average earnings for local governments are .

The replicator dynamic equation is as follows:

If , then for any , , and thus axis is in a stable state, and any governance strategy of local governments is a stable strategy. If , then we solve for and the derivative of , for two solutions and of equation (8), .When , , , is the only ESS, and the stability strategy of the local governments is not to participate in the DSG process of the third-party platforms. When , , , is the only ESS, and the local governments choose to participate in the DSG process.

4.1.3. Central Government

Let and , respectively, denote the expected benefits of the central government’s choice of “emergency” and “non-emergency” strategies.

The average expected benefits of the platforms are .

The replicator dynamic equation is as follows:

If , then for an arbitrary , , and then axis is in a stable state, and any response strategy of the central government is a stable strategy. If , then we solve for and the derivative of , for two solutions and of equation (12), . When , , , is the only ESS, and the stability strategy of the central government is to respond to possible data security issues promptly. When , , , is the only ESS, and the central government does not respond in time.

4.2. Stability Analysis of the System

The research object of the replication dynamic equations in an evolutionary game is a certain group, and thus, a single group’s evolutionary stability strategy (ESS) cannot represent the whole system. Hence, the Jacobian matrix is constructed. Specifically, we find the partial derivatives of , , and about , , and , respectively, and then the construct the Jacobian matrix of the tripartite game, as presented below:

Let , , and , which can provide eight pure strategy equilibria as well as two mixed strategy equilibria: , , , , , , , , , and . According to the Lyapunov stability condition, the equilibrium point is asymptotically stable when the real parts of the eigenvalues of the Jacobi matrix are less than zero [37]. Calculating the Jacobi matrix’s eigenvalues for each equilibrium point separately provides the condition that each equilibrium point is an evolutionary game ESS, as reported in Table 3.

Because and , , , , and do not satisfy the conditions of ESS. To sum up, in the tripartite evolutionary game model, only , , , , , and can be transformed into a stabilization strategy under certain conditions, while the decision-making behavior of third-party platforms, local governments, and central government is determined by and . Besides, denotes the excess profit between the hidden benefits derived from active governance by the third-party platforms and the costs paid, is the excess profit between the subsidies received by the local governments for participating in governance, the fines collected, and the cost of its inputs, and represents the difference between the losses recovered and the costs incurred by the central government in responding to the data crisis in time. Table 3 highlights that the values of may fall within the three intervals: , , and , while the interval ranges of and are both .(1)When , for third-party platforms, the additional benefits of choosing active governance are less than the technical, management, operational, and other costs invested in this area in the early stage. At this point, negative governance will become the platforms’ priority choice. When , the hidden benefits of active governance are higher than the costs involved, and the platforms are more inclined to active governance.Therefore, safeguarding the governance benefits of third-party platforms can effectively prevent platforms from treating data security issues negatively and instead take preventive measures to strengthen the management and governance of data security, making the stable decision-making level of platforms from to . The government can increase the net income of platforms governance by giving subsidies or awarding them through official websites or media reports to expand the reputation of the platforms, increase their willingness to actively govern, effectively prevent improper data processing practices, better protect the security of national digital assets, further improve the quality and efficiency of digital services, and promote the construction of digital ecological security.(2)When , the subsidies received and the fines collected by local governments for participating in the DSG process are higher than the costs they pay. Thus, participation in governance is the best strategy for local governments. When , the expected penalty imposed on the local governments by the central government in response to a data breach is higher than the cost paid by the local governments for participating in governance. Thus, participation in governance will be the optimal choice to avoid punishment at a higher level. When , the participation cost is higher than the potential penalties, and the local governments’ stabilization strategy becomes “non-participation,” which is not conducive to the stable development of the digital ecology.When the benefits of the local governments’ refusal to participate in governance are greater, the central government should strengthen the penalties for the local government’s negligence. Higher administrative penalties can encourage them to strictly fulfill their data governance responsibilities and improve local governments’ governance. In addition, through the appropriate use of financial subsidy policies, it can alleviate local conflicts caused by interest relations, improve the motivation of local governments, increase their intention to participate, and make local governments’ stable decisions from to evolution, thus effectively ensuring the availability and security of local data resources, thereby maintaining the stable operation of the digital ecology and public security.(3)When , if the cost for the central government to take emergency measures against an occurring data security problem is much higher than its negative externality loss, then the central government will tend to adopt a non-emergency strategy. When , the severity of the set of consequences caused by a data security problem far outweighs the cost to the central government of activating an emergency response. The central government will pay more attention to the emergency response process of a data security incident to achieve prevention and control of cyberattacks, disinformation, and other digital risks and reduce the damage caused to the digital ecology.

To sum up, there are six possible stability points in the DSG game system, of which is the ideal stability point, corresponding to the ideal strategy combination of “active governance, participation, and emergency response.” Different conditions correspond to different combinations of strategies. Obviously, in order for to be ESS, it must satisfy three conditions simultaneously: , , and , i.e., the cost of maintaining data security for the platforms is less than the hidden benefits they receive, the cost of participating in governance for the local governments is less than the subsidies and fines, and the cost of emergency responding to a data security incident for the central government is less than the negative externalities caused by the continued fermentation of the incident.

5. Numerical Simulation and Discussion

In order to discuss the sensitivity of the parameters and verify the model’s accuracy, we used MATLAB 2022b to simulate the dynamic evolutionary trajectory of the evolving system. Considering the research hypothesis of this paper, by drawing on [40, 4345] and based on the evolutionary stability strategies (active governance, participation, and emergency response), the parameters of the diverse cases are set as follows: . In the previous discussion, we have analyzed how the decision making of third-party platforms, local governments, and the central government is determined by factors such as . It is evident that and , as well as and , represent conflicting interests. For instance, an increase in implies a decrease in , both indicating an increase in benefits. These factors are essentially of the same nature, with their evolutionary states in the simulation graph being inversely related. Therefore, focusing on factors of different nature, let us now primarily examine how , and influence the evolutionary trajectory of the digital security governance system. When analyzing the sensitivity of a certain parameter, the values of other parameters remain the same.

5.1. Implicit Benefits

Let be 1, 9, and 15, respectively, and we observe the simulation results of its evolution from the initial time 0 to 50. According to Figure 2, when , converges from 0.2 to 0, and the DSG system degrades to , which means a poor state. As increases, the willingness of the platforms to govern grows gradually. In other words, converges from 0.2 to 1 after a long period of evolution. Finally, the system evolves to This is because when the platforms are actively governed, they effectively safeguard the security of commercial secrets, personal privacy, and other information, reducing legal risks and increasing user trust and stickiness, improving the platforms’ reputation, influence, and market competitiveness. Therefore, the benefits of governance positively affect the behavioral choices of the platforms, and the more cost-effective the platforms’ governance investment is, the greater the probability of active governance is.

5.2. Government Subsidies

Figure 3 highlights that the probability of the local governments choosing the participation strategy converges to 0 when and converges to 1 when . The simulation results indicate that increasing the number of local government subsidies significantly improves their willingness to participate in governance and positively affects the development of data ecology. Therefore, as rational economic agents, local governments may take advantage of the governance benefits if the governance costs are too high and share the economic benefits of governance brought by other parties without actively taking precautionary measures. Meanwhile, the system degenerates to the unstable state of . When the central government, whose subsidies are in the medium to high range, supports local governments in maintaining data information security, local governments will actively participate in the DSG process.

5.3. Contingency Costs and Negative Externality Losses

Let C3 be 3, 8, and 20 while T be 5, 20, and 35. These values represent the observed effects of three different strategies on three participants, as illustrated in Figures 4(a) and 4(b). Figure 4 reveals that when or , rapidly converges from 0.2 to 1 after evolution, and the convergence rate increases significantly. Undoubtedly, the central government tends to adopt the emergency response strategy, which means the system has evolved to an ideal stable state that continuously promotes the healthy development of digital ecology. When increases or decreases, the probability of adopting an emergency response strategy decreases, but does not reduce below its initial willingness probability. Unless the cost of response is much higher than the negative externality loss and the amount tends to infinity, the system will degrade to the poor stability . The central government has sufficient financial capacity to bear the lower costs. Moreover, based on the overall welfare of society, the central government will not let data problems exist due to the loss of its interests. Even if coping costs are increasing, it will respond in time. However, when the emergency cost increases excessively, far below the negative externalities caused by the risk of data leakage, which seriously affects the allocation of national financial resources, the central government will tend to be an emergency response.

5.4. Probability of Data Security Events

Let be 0.1, 0.2, 0.4, and 0.6, and we observe its influence on the strategy choice of the three subjects, and the relevant situation can be obtained in Figure 5, in which the horizontal axis indicates the growth of time, and the vertical axis indicates the probability that the platforms, local governments, and the central government choose to adopt the corresponding strategy. Figure 5 reveals that has significantly different degrees of impact on platforms, local governments, and central government. Overall, when or (low range), the probability of data security incidents positively affects the platforms and central government behavior and negatively affects the governance behavior of local governments, whose states are unstable. When or (middle to high range), the three entities have reached the positive stable state, suggesting that a higher data crisis will prompt all parties to interrupt threatening events actively. Besides, as increases, the strategy evolution of the platforms remains unchanged, and rapidly converges from 0.2 to 1 after evolution, while first rises and then decreases and then gradually converges from 0 to 1.

This highlights that after the platforms enable satisfactory returns through active governance, regardless of the crisis probability, they will take the initiative to assume the main responsibility of DSG and build a solid foundation for a good data ecological environment. Although the local governments will obtain more self-interest benefits by choosing non-participation, as the probability of data security problems increases, platforms alone may not provide security for data assets in the domain. Therefore, local governments tend to participate in governance. Given that the time to reach the steady state will gradually shorten, at low crisis probabilities, the central government can involve local governments in the governance process through standard controls, official media coverage, punitive interventions [46], or coercive measures to reduce the phenomenon of “free-riding.”

5.5. Chapter Summary

Through an extensive review of literature, research reports, and numerical simulation, this study has summarized the theoretical outcomes of digital security governance. Previous studies on data security mainly focused on stakeholders such as government regulators and data attackers like hackers or internal employees. In contrast, this study primarily analyzes the governance entities. Key factors that influence behavior strategies were also considered, including the cost of investment and the severity of penalties, which are common to previous research. However, due to the different stakeholders considered, the key factors influencing behavior strategies also differ. The innovations in this study are as follows:(1)Innovative Research Focus. Traditional studies often viewed the government as a single entity, while this study introduces the concepts of central and local governments. It builds a novel tripartite evolutionary game model consisting of “third-party platforms, local governments, and the central government,” aiming to better consider the unique responsibilities and roles of different levels of government in digital security governance. By defining the roles and responsibilities of local and central governments in digital security governance, stakeholders can minimize confusion, duplication of effort, and jurisdictional conflicts. This approach aids in effective decision making, streamlining operational processes, and enhancing the overall efficiency and effectiveness of governance mechanisms. Moreover, this study not only explores the interaction between the government and other stakeholders but also considers the game relationship within the government. By incorporating internal dynamics of the government, this analysis method increases the complexity of the game, enabling a more nuanced analysis of factors that influence internal decision-making processes and policy formulation. By considering the roles and interactions among these government entities, this study provides a new perspective on the dynamics of digital security governance.(2)Innovative Factors of Influence. This study specifically focuses on key factors influencing the behavior strategies of the central government, aiming to accurately assess its decision-making process and understand its actions in the context of digital security governance. Firstly, it considers the environmental negative externalities associated with adopting “non-emergency responses.” In the process of digital security governance, the central government may need to weigh the potential negative impacts of security incidents or threats against the benefits of implementing emergency response measures. Secondly, it considers the additional technological and manpower costs associated with adopting “emergency response” strategies. After a sudden data security incident, the central government may need to allocate significant resources for developing technical tools, training personnel, and engaging in activities related to incident response. Lastly, this study also focuses on the losses that can be recovered by adopting “emergency response” strategies. When the central government takes swift action to respond to data security incidents, it may mitigate or even prevent economic, reputational, and trust losses for stakeholders. This study innovatively analyzes the impacts of these sensitive factors on the central government’s decision-making process from the perspectives of environmental negative externalities, emergency response costs, and recoverable losses. These research innovations aim to provide government decision makers with comprehensive and accurate information to formulate targeted and feasible digital security governance strategies, promoting sustainable development in data security.

6. Conclusions and Implications

6.1. Conclusions

Data security is the foundation of the digital ecology, without which the digital ecology will not function properly. Indeed, DSG can effectively protect the country’s digital assets, prevent risks such as data leakage, tampering, and damage, improve the ability of each subject to respond to information security risks, and reduce the occurrence of security incidents to guarantee the stable development of each subject. This paper carefully examines the heterogeneous impact of different factors on DSG in China based on the current context of creating a digital ecology. Furthermore, this study helps to promote the benign construction of digital ecology and reform the DSG mechanism in China. In addition, it has important practical significance and application value for protecting the interests of individuals and organizations, preventing data leakage and abuse, and maintaining social order and stability.

Research indicates that key parameters such as implicit benefits, government subsidies, and negative externalities play a significantly positive role in the development of digital ecosystems within the framework of digital security governance. These parameters, within certain ranges, can positively support the ideal behavior strategies of various stakeholders, evolving to a stable state:(i)Increasing implicit benefits can promote third-party platforms to actively govern data security. Therefore, enhancing the benefits of platforms digital security governance and reducing governance costs is an effective way to prevent platforms from relaxing governance efforts.(ii)Financial subsidies from the central government to local governments can effectively enhance the latter’s participation in governance, which is crucial for its stability. However, for subsidies to be effective, the subsidy amount must exceed the sum of the costs incurred by local governments in governing data security and the fines they receive, ensuring the safeguarding of data security in an evolving and stable market environment.(iii)Low negative externalities and high emergency costs reduce the probability of the central government opting for an emergency response to data security threats. However, as the central government is responsible for protecting public interests and national security, as long as emergency costs are within its capacity, the central government will tend to adopt an “emergency response” strategy.

Additionally, the probability of data security incidents also affects digital ecosystems, leading to two main scenarios:(i)When the probability is low, indicating a stable market environment with a low likelihood of data security incidents, platform strategies lean towards active governance, while local governments adopt a passive governance approach, and the central government’s strategy remains undecided.(ii)When the probability is moderate to high, indicating a volatile market environment with a higher likelihood of data security incidents, all three parties adopt positive behavioral strategies, namely, active governance, participation in management, and emergency response.

Based on the two scenarios described, two different approaches to governance can be discerned. Specifically, (1) Local governments should be regulated more in a stable market environment with a low risk of data crises. The central government’s response costs to different data crisis events are different. The higher the emergency response cost, the lower the chance of adopting an emergency response strategy, but the central government is always willing to bear the cost within a certain range due to the consideration of the overall welfare of the society. A secure data environment creates a positive externality whereby local governments will use the resources of others or other organizations for free to achieve their benefits, i.e., the phenomenon of “free-riding.” The central government can involve local governments in governance through standard control, official media reports, and punitive interventions or coercive measures. (2) The willingness of platforms and local governments to govern should be increased in a data crisis. The implicit benefits of platforms should be increased, and the amount of subsidies established should exceed the cost of governance for local governments. The platforms’ governance strategy choice is positively related to the hidden benefits of security, word-of-mouth reputation, and political resources brought by governance, and its role is significantly more dynamic. In a changing data environment, the higher the invisible gains, the stronger the willingness to govern. Moreover, it is significant for the central government to adopt certain subsidy incentives to increase local willingness to participate in governance and maintain data security. The central government’s reward and punishment policies will affect local governments’ strategic choices. If the policy subsidies can balance the benefits and costs of governance, the chance of local government’s participation in governance is greater, and the more favorable it is to the healthy development of the digital ecology.

There are areas for improvement in this study. Firstly, the game mechanism is relatively simple, without including netizens and other participating subjects; the strategy space is also simplified to a certain extent, and the local government’s regulatory obligation is set as the degree of participation in governance without more detailed and in-depth construction, and the complex interaction mechanism behind it is not studied in depth. Moreover, the game participants’ behavior analysis validity may be biased since the simulation values are conducted under simulation conditions.

6.2. Implications
6.2.1. Managerial Implication

This paper innovatively substitutes the negative externality loss and the probability of data security events into the cost-benefit matrix and introduces the central government as an important role in improving the governance organizational structure. The evolutionary game of DSG under digital ecological objectives is explored in depth, and by analyzing the interactions and influences between third-party platforms, local governments, and only the central government, it can reveal the key issues and challenges of DSG in the digital era and provide corresponding solutions. Specifically, this study promotes in-depth thinking on important topics such as information sharing, privacy protection, and cybersecurity among different subjects in the digital ecosystem. In addition, exploring the evolutionary game model can help understand and predict the evolutionary trend of DSG mechanisms and provide decision makers with a scientific basis for formulating relevant policies and norms. Besides, it can deepen our understanding of DSG under the goal of digital ecology, promote the development of related fields, and provide useful references for social governance and sustainable development in the digital era.

6.2.2. Practical/Social Implications
(1)The role of invisible benefits such as reputation should be emphasized, and a credit assessment system for data security should be established [47]. For instance, Deephouse [48] used theoretical and empirical analyses to show that reputation is a resource that leads to competitive advantage. Trust and reputation systems are important in providing decision support for Internet intermediary services [49], as DSG efforts can be recorded and fed back in real time and deter ethical risks [50].Credit information can be disclosed to the public by setting tasks and goals related to DSG and evaluating them based on security reports, virus scans, vulnerability discoveries, and other information released by governors. The platforms will be prompted to pay more attention to DSG, thereby promoting the sustained and healthy development of the digital ecology.(2)Strengthen the research and development of cutting-edge data security technologies to reduce the probability of data security incidents. Digital technology is an indispensable part of DSG, which can improve the efficiency of the supply chain, reduce operating costs, and provide a more optimal decision-making basis for the digital ecological development strategy [51]. It can also design a more intelligent protection system to achieve full-platform data monitoring, such as content validation, tracing, copyright tracking, and desensitization [52]. It helps enterprises better manage data and protect its security, integrity, and privacy. This can narrow the existence time of security vulnerabilities, reduce the system risk level, optimize the efficiency of data governance and management, and improve data security and protection.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.


We would like to acknowledge the support and assistance received during the course of this research. We are grateful for the resources provided by the National Social Science Foundation of China that facilitated our work. Additionally, we appreciate the collaboration and contributions of colleagues and partners who helped make this study possible. This research was funded by the National Social Science Foundation of China (21BGJ037).