Cyberattacks, Operational Disruption and Investment in Resilience Measures

60 Pages Posted: 24 Mar 2022

Terrence August

University of California, San Diego (UCSD) - Rady School of Management

Daehoon Noh

University of California, San Diego (UCSD)

Noam Shamir

Tel-Aviv University

Hyoduk Shin

University of California, San Diego (UCSD)

Date Written: February 11, 2022

Abstract

With the increased frequency and magnitude of cyberattacks, policymakers and the private sector search for ways to counter this threat. One of the main initiatives suggested to achieve this goal is sharing cyber-related information. While the general belief is that information sharing can increase both industry profit and social welfare, it is unclear whether firms would voluntarily share such information. Some policymakers even advocate passing legislation that mandates firms do so. In this paper, we examine the incentives of firms to share cyber-related information, how information sharing impacts investments in cyber resilience, and the aggregate impact on welfare. We demonstrate that the incentives to voluntarily share information depend on two main factors: competitiveness in the market and the extent of operational disruption from cyberattacks. In less competitive markets, when the impact of the disruption is high, firms voluntarily choose to share information, which also increases welfare. Thus, there are cases in which information sharing can be achieved even without policy intervention. However, in all other cases, firms choose not to share information, although information can increase welfare. To facilitate information sharing, we investigate an exclusionary policy (i.e., sharing must be mutual) and demonstrate market conditions under which this policy incentivizes information sharing. Finally, we show that information-sharing mandates can serve a useful role when exclusionary policies are ineffective. However, in competitive markets with less impactful cyberattacks, policymakers should avoid mandates because they ultimately depress welfare.

Keywords: cybersecurity, information sharing, operational disruption, security investment, cybersecurity policy

Suggested Citation

August, Terrence and Noh, Daehoon and Shamir, Noam and Shin, Hyoduk, Cyberattacks, Operational Disruption and Investment in Resilience Measures (February 11, 2022). Available at SSRN: https://ssrn.com/abstract=4032257 or http://dx.doi.org/10.2139/ssrn.4032257

Terrence August (Contact Author)

University of California, San Diego (UCSD) - Rady School of Management

9500 Gilman Drive
Rady School of Management
La Jolla, CA 92093
United States

HOME PAGE: http://management.ucsd.edu/faculty/directory/august/

Daehoon Noh

University of California, San Diego (UCSD)

9500 Gilman Drive
Mail Code 0502
La Jolla, CA 92093-0112
United States

Noam Shamir

Tel-Aviv University

P.O. Box 39010
Ramat Aviv, Tel Aviv, 69978
Israel

Hyoduk Shin

University of California, San Diego (UCSD)

9500 Gilman Drive
Mail Code 0502
La Jolla, CA 92093-0112
United States