Sharing Information on Computer Systems Security: An Economic Analysis

39 Pages Posted: 16 Jul 2007

See all articles by Lawrence A. Gordon

Lawrence A. Gordon

University of Maryland - Department of Accounting & Information Assurance

Martin P. Loeb

University of Maryland - Robert H. Smith School of Business

William Lucyshyn

University of Maryland - Center for Public Policy and Private Enterprise

Abstract

The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. This paper presents a model to examine the welfare economic implications of this movement. In the absence of information sharing, each firm independently sets its information security expenditures at a level where the marginal benefits equal the marginal costs. It is shown that when information is shared, each firm reduces the amount spent on information security activities. Nevertheless, information sharing can lead to an increased level of information security. The paper provides necessary and sufficient conditions for information sharing to lead to an increased (decreased) level of information security. The level of information security that would be optimal for a firm in the absence of information sharing can be attained by the firm at a lesser cost when computer security information is shared. Hence, sharing provides benefits to each firm and total welfare also increases. However, in the absence of appropriate incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information). This latter situation results in the underinvestment of information security. Thus, appropriate incentive mechanisms are necessary for increases in both firm-level profits and social welfare to be realized from information sharing arrangements.

Keywords: Information sharing, Cyber security, Information security economics, Homeland security

Suggested Citation

Gordon, Lawrence A. and Loeb, Martin P. and Lucyshyn, William, Sharing Information on Computer Systems Security: An Economic Analysis. Journal of Accounting and Public Policy, Vol. 22, No. 6, 2003, Available at SSRN: https://ssrn.com/abstract=1000369

Lawrence A. Gordon (Contact Author)

University of Maryland - Department of Accounting & Information Assurance ( email )

Robert H. Smith School of Business
College Park, MD 20742-9157
United States

Martin P. Loeb

University of Maryland - Robert H. Smith School of Business ( email )

Robert H. Smith School of Business
College Park, MD 20742-1815
United States
301-405-2209 (Phone)
301-314-9157 (Fax)

William Lucyshyn

University of Maryland - Center for Public Policy and Private Enterprise ( email )

College Park, MD 20742-1815
United States
301 405-8257 (Phone)

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
650
Abstract Views
4,242
Rank
84,447
PlumX Metrics