Sharing Information on Computer Systems Security: An Economic Analysis
39 Pages Posted: 16 Jul 2007
Abstract
The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. This paper presents a model to examine the welfare economic implications of this movement. In the absence of information sharing, each firm independently sets its information security expenditures at a level where the marginal benefits equal the marginal costs. It is shown that when information is shared, each firm reduces the amount spent on information security activities. Nevertheless, information sharing can lead to an increased level of information security. The paper provides necessary and sufficient conditions for information sharing to lead to an increased (decreased) level of information security. The level of information security that would be optimal for a firm in the absence of information sharing can be attained by the firm at a lesser cost when computer security information is shared. Hence, sharing provides benefits to each firm and total welfare also increases. However, in the absence of appropriate incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information). This latter situation results in the underinvestment of information security. Thus, appropriate incentive mechanisms are necessary for increases in both firm-level profits and social welfare to be realized from information sharing arrangements.
Keywords: Information sharing, Cyber security, Information security economics, Homeland security
Suggested Citation: Suggested Citation
Do you have a job opening that you would like to promote on SSRN?
Recommended Papers
-
The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities
By Lawrence A. Gordon, Martin P. Loeb, ...
-
Information Security Expenditures and Real Options: A Wait-and-See Approach
By Lawrence A. Gordon, Martin P. Loeb, ...
-
The Economic Incentives for Sharing Security Information
By Anindya Ghose and Esther Gal-or
-
By Joseph Canada, J. Randel Kuhn, ...
-
SOX: Unintended Dilemmas for Auditing
By Jonathan E. Duchac, Edward B. Douthett, ...
-
Optimal Risk Sharing with Limited Liability
By Semyon Malamud, Huaxia Rui, ...
-
A Strategic Analysis of Information Sharing Among Cyber Attackers
By Anindya Ghose and Kjell Hausken
-
Assessing the Value of Network Security Technologies
By Huseyin Cavusoglu and Hasan Cavusoglu
-
Experiences and Challenges with Using CERT Data to Analyze International Cyber Security
By Stuart Madnick, Xitong Li, ...
-
Information Disclosure and Regulatory Compliance: Economic Issues and Research Directions