Evaluating the Impact of Cybersecurity Information Sharing on Cyber Incidents and Their Consequences

The Department of Homeland Security (DHS) facilitates cybersecurity information sharing among federal government departments and agencies and critical infrastructure owners and operators to promote their security. Information sharing is deemed of critical importance to accomplish the department’s cybersecurity mission; indeed, information sharing is one of the central planks of Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which calls for greater cybersecurity information sharing between the government — not least DHS — and the private sector. But while the importance of information sharing in cybersecurity is intuitive — information that is relevant, timely, and accurate should help cyber defenders reduce vulnerabilities and mitigate threats — the impact of information sharing has not been empirically assessed. The lack of empirical support for information sharing raises two notable issues. First, information-sharing partners, particularly those in the private sector, are sometimes reluctant to participate in government-sponsored initiatives because of concerns about liability, resource costs, and return on investment. Absent empirical demonstration of the value of cybersecurity information-sharing efforts, DHS may be unable to better incentivize participation. Second, information-sharing efforts may, for a variety of reasons, be ineffective (not least due to a lack of participation or the dissemination of irrelevant information). Without assessing the relationship between information sharing and the number and severity (i.e., consequences) of cyber incidents, DHS may be unable to identify and improve poorly performing information-sharing efforts. A previous Homeland Security Studies and Analysis Institute (HSSAI) study recommended a suite of metrics to measure various relevant inputs, processes, outputs, and outcomes for cyber information-sharing efforts (Fleming and Goldstein 2012).
It did not, however, seek to suggest ways to empirically test the hypothesis that information sharing reduces the number or severity of cyber incidents (it was assumed to do so, per DHS guidance). Accordingly, building on the previous HSSAI research, the present paper sets forth views on the use of the dependent variable (some measure of cyber incidents), primary independent variable (some measure of information sharing), control variables, and model specifications.

[1] Barack Obama, et al. Executive Order 13636: Improving Critical Infrastructure Cybersecurity, 2013.

[2] Peter Reuter, et al. Preventing Crime: What Works, What Doesn't, What's Promising. Research in Brief. National Institute of Justice, 1998.

[3] Eric Goldstein, et al. Metrics for Measuring the Efficacy of Critical-Infrastructure-Centric Cybersecurity Information Sharing Efforts, 2012.

[4] Steven D. Levitt, et al. Using Electoral Cycles in Police Hiring to Estimate the Effect of Police on Crime: Comment, 2002.

[5] Andrew Jaquith. Security Metrics: Replacing Fear, Uncertainty, and Doubt, 2007.

[6] Jeffrey M. Wooldridge, et al. Introductory Econometrics: A Modern Approach, 1999.

[7] Max Henrion, et al. Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis, 1990.

[8] Jeffrey M. Wooldridge, et al. Solutions Manual and Supplementary Materials for Econometric Analysis of Cross Section and Panel Data, 2003.

[9] D. Campbell, et al. Experimental and Quasi-Experimental Designs for Research, 2012.

[10] Peter E. Kennedy. A Guide to Econometrics, 1979.

[11] Mark W. Lipsey, et al. Evaluation: A Systematic Approach, 1979.

[12] Lawrence B. Mohr. Impact analysis for program evaluation, 1988.

[13] Joshua D. Angrist, et al. Mostly Harmless Econometrics: An Empiricist's Companion, 2008.

[14] P. Gove. Webster's Third New International Dictionary, 1986.

[15] T. Cook, et al. Quasi-experimentation: Design & analysis issues for field settings, 1979.

[16] Jan Kmenta, et al. Elements of econometrics, 1988.