The Economic Consequences of Sharing Security Information

Information technology (IT) security has emerged as an important issue in the last decade. To promote the disclosure and sharing of cyber-security information amongst firms, the US federal government has encouraged the establishment of many industry based Information Sharing & Analysis Centers(ISACs) under Presidential Decision Directive-63. We develop an analytical framework to investigate the competitive implications of sharing information about security breaches and investments in technologies which promote security. Using a game-theoretic model, we point out how firm and industry characteristics affect the incentives for information sharing amongst competing firms and their impact on firms’ profits. We find that security technologies and information sharing act as “strategic complements in equilibrium”. Our paper points out that by joining such alliances, firms can benefit from a “direct effect” which increases demand and a “strategic effect ” which alleviates price competition. Our results suggest that information sharing is more valuable when product substitutability is higher, suggesting that information is of greater value in more competitive industries. We also highlight that sharing security information is more valuable for larger firms and in larger industries. Finally we show that “demand-side spillover” effects boosts sharing levels and lead to higher prices. Conversely, “cost-based spillovers” might lead to lower sharing and lower technology investments.

[1]  A. Jacquemin,et al.  Cooperative and Noncooperative R&D in Duopoly with Spillovers , 1988 .

[2]  E. Gal‐Or,et al.  Information Sharing in Oligopoly , 1985 .

[3]  Ross J. Anderson Why information security is hard - an economic perspective , 2001, Seventeenth Annual Computer Security Applications Conference.

[4]  J. Geanakoplos,et al.  Multimarket Oligopoly: Strategic Substitutes and Complements , 1985, Journal of Political Economy.

[5]  Lei Zhou,et al.  The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market , 2003, J. Comput. Secur..

[6]  C. Shapiro Exchange of Cost Information in Oligopoly , 1986 .

[7]  Dov Fried Incentives for Information Production and Disclosure in a Duopolistic Environment , 1984 .

[8]  Michael D. Smith,et al.  How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks , 2003, Financial Cryptography.

[9]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[10]  Lawrence A. Gordon,et al.  Sharing Information on Computer Systems Security: An Economic Analysis , 2003 .

[11]  E. Gal‐Or,et al.  First Mover and Second Mover Advantages , 1985 .

[12]  Hal R. Varian,et al.  System Reliability and Free Riding , 2004, Economics of Information Security.

[13]  Paul Milgrom,et al.  Comparing Optima: Do Simplifying Assumptions Affect Conclusions? , 1994, Journal of Political Economy.