Cyberattacks, Operational Disruption and Investment in Resilience Measures
60 Pages Posted: 24 Mar 2022
Date Written: February 11, 2022
With the increased frequency and magnitude of cyberattacks, policymakers and the private sector search for ways to counter this threat. One of the main initiatives suggested to achieve this goal is sharing cyber-related information. While the general belief is that information sharing can increase both industry prot and social welfare, it is unclear whether firms would voluntarily share such information. Some policymakers even advocate passing legislation that mandates firms do so. In this paper, we examine the incentives of firms to share cyber-related information, how information sharing impacts investments in cyber resilience, and the aggregate impact on welfare. We demonstrate that the incentives to voluntarily share information depend on two main factors: competitiveness in the market and the extent of operational disruption from cyberattacks. In less competitive markets, when the impact of the disruption is high, firms voluntarily choose to share information, which also increases welfare. Thus, there are cases in which information sharing can be achieved even without policy intervention. However, in all other cases, firms choose not to share information, although information can increase welfare. To facilitate information sharing, we investigate an exclusionary policy (i.e., sharing must be mutual) and demonstrate market conditions under which this policy incentivizes information sharing. Finally, we show that information-sharing mandates can serve a useful role when exclusionary policies are ineffective. However, in competitive markets with less impactful cyberattacks, policymakers should avoid mandates because they ultimately depress welfare.
Keywords: cybersecurity, information sharing, operational disruption, security investment, cybersecurity policy
Suggested Citation: Suggested Citation