The Economic Incentives for Sharing Security Information

Given that information technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber security information among firms, the U.S. federal government has encouraged the establishment of many industry-based Information Sharing and Analysis Centers (ISACs) under Presidential Decision Directive (PDD) 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting, and correcting security breaches is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as "strategic complements" in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information-sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC, which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, Computer Emergency Response Team (CERT), or InfraGard by the federal government.
