To share or not to share: a behavioral perspective on human participation in security information sharing

Security information sharing (SIS) is an activity whereby individuals exchange information that is relevant to analyze or prevent cybersecurity incidents. However, despite technological advances and increased regulatory pressure, individuals still seem reluctant to share security information. Few contributions have addressed this conundrum to date. Adopting an interdisciplinary approach, our study proposes a behavioral framework that theorizes how and why human behavior and SIS may be associated. We use psychometric methods to test these associations, analyzing a unique sample of human Information Sharing and Analysis Center members who share real security information. We also provide a dual empirical operationalization of SIS by introducing the measures of SIS frequency and intensity. We find significant associations between human behavior and SIS. Thus, the study contributes to clarifying why SIS, while beneficial, is underutilized by pointing to the pivotal role of human behavior for economic outcomes. It therefore extends the growing field of the economics of information security. By the same token, it informs managers and regulators about the significance of human behavior as they propagate goal alignment and shape institutions. Finally, the study defines a broad agenda for future research on SIS.
