The Economic Incentives for Sharing Security Information
39 Pages Posted: 10 Dec 2004
Date Written: August 2004
Abstract
Given that Information Technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber-security information among firms, the US federal government has encouraged the establishment of many industry based Information Sharing and Analysis Centers (ISACs). Sharing security vulnerabilities and technological solutions related to methods for preventing,detecting and correcting security breaches, is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory and IO, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as strategic complements in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information sharing alliances increase with the size of the firm. Importantly, we point out that the nature of the technology cost function plays a pivotal role in determining whether spillovers are beneficial or detrimental to firms' incentives to join an ISAC. Firms will benefit from joining an ISAC sequentially rather than simultaneously, since such sequentiality positively influences the levels of information sharing and technology investment. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing centrally monitored organizations such as ISACs by the federal government.
Keywords: Security Technology Investment, Information Sharing, Externality Benefit, Spillover Effect, Social Welfare
JEL Classification: L13, L86, D43, L98
Suggested Citation: Suggested Citation
Do you have a job opening that you would like to promote on SSRN?
Recommended Papers
-
Sharing Information on Computer Systems Security: An Economic Analysis
By Lawrence A. Gordon, Martin P. Loeb, ...
-
The Impact of the Sarbanes-Oxley Act on the Corporate Disclosures of Information Security Activities
By Lawrence A. Gordon, Martin P. Loeb, ...
-
Information Security Expenditures and Real Options: A Wait-and-See Approach
By Lawrence A. Gordon, Martin P. Loeb, ...
-
By Joseph Canada, J. Randel Kuhn, ...
-
SOX: Unintended Dilemmas for Auditing
By Jonathan E. Duchac, Edward B. Douthett, ...
-
Optimal Risk Sharing with Limited Liability
By Semyon Malamud, Huaxia Rui, ...
-
A Strategic Analysis of Information Sharing Among Cyber Attackers
By Anindya Ghose and Kjell Hausken
-
Assessing the Value of Network Security Technologies
By Huseyin Cavusoglu and Hasan Cavusoglu
-
Experiences and Challenges with Using CERT Data to Analyze International Cyber Security
By Stuart Madnick, Xitong Li, ...
-
Information Disclosure and Regulatory Compliance: Economic Issues and Research Directions