The Economic Incentives for Sharing Security Information

Authors:
Esther Gal-Or;Anindya Ghose
Affiliations:
-;-
Venue:
Information Systems Research
Year:
2005

Citing 0
Cited 23

Decision-Theoretic and Game-Theoretic Approaches to IT Security Investment

Journal of Management Information Systems
Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems

Information Systems Research
Information Security: Facilitating User Precautions Vis-à-Vis Enforcement Against Attackers

Journal of Management Information Systems
Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest

Information Technology and Management
Nudge: intermediaries' role in interdependent network security

Proceedings of the 2010 ACM Symposium on Applied Computing
Information security economics - and beyond

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
References

Dependability metrics
Nudge: intermediaries' role in interdependent network security

TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
Are security experts useful? Bayesian Nash equilibria for network security games with limited information

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Security metrics and security investment models

IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
Optimal information security investment with penetration testing

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
Uncertainty in interdependent security games

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
The impact of malicious agents on the enterprise software industry

MIS Quarterly
Knowledge sharing and investment decisions in information security

Decision Support Systems
Safe Contexts for Interorganizational Collaborations Among Homeland Security Professionals

Journal of Management Information Systems
Value Chain Linkages and the Spillover Effects of Strategic Information Technology Alignment: A Process-Level View

Journal of Management Information Systems
The phish-market protocol: securely sharing attack data between competitors

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Towards understanding recurring large scale power outages: an endogenous view of inter-organizational effects

CRITIS'10 Proceedings of the 5th international conference on Critical Information Infrastructures Security
Learning from your elders: a shortcut to information security management success

SAFECOMP'07 Proceedings of the 26th international conference on Computer Safety, Reliability, and Security
A move in the security measurement stalemate: elo-style ratings to quantify vulnerability

Proceedings of the 2012 workshop on New security paradigms
Cyber security exercises and competitions as a platform for cyber security experiments

NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
Value Chain Linkages and the Spillover Effects of Strategic Information Technology Alignment: A Process-Level View

Journal of Management Information Systems
Growth and sustainability of managed security services networks: an economic perspective

MIS Quarterly

Quantified Score

Hi-index	0.00

Visualization

Abstract

Given that information technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber security information among firms, the U.S. federal government has encouraged the establishment of many industry-based Information Sharing and Analysis Centers (ISACs) under Presidential Decision Directive (PDD) 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting, and correcting security breaches is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as "strategic complements" in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information-sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC, which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, Computer Emergency Response Team (CERT), or InfraGard by the federal government.