IDEAS home Printed from https://ideas.repec.org/p/wpa/wuwpio/0503004.html
   My bibliography  Save this paper

The Economic Incentives for Sharing Security Information

Author

Listed:
  • Esther Gal-Or

    (Katz School, University of Pittsburgh)

  • Anindya Ghose

    (Stern School, New York University)

Abstract

Given that Information Technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber-security information among firms, the US federal government has encouraged the establishment of many industry based Information Sharing & Analysis Centers (ISACs) under Presidential Decision Directive 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting and correcting security breaches, is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as ``strategic complements'' in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, CERT or InfraGard by the federal government.

Suggested Citation

  • Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Industrial Organization 0503004, EconWPA.
    • Handle: RePEc:wpa:wuwpio:0503004
    Note: Type of Document - pdf; pages: 41
    as

    Download full text from publisher

    File URL: https://econwpa.ub.uni-muenchen.de/econ-wp/io/papers/0503/0503004.pdf
    Download Restriction: no

    Other versions of this item:

    References listed on IDEAS

    as
    1. d'Aspremont, Claude & Jacquemin, Alexis, 1988. "Cooperative and Noncooperative R&D in Duopoly with Spillovers," American Economic Review, American Economic Association, vol. 78(5), pages 1133-1137, December.
    2. Roger B. Myerson, 1978. "Optimal Auction Design," Discussion Papers 362, Northwestern University, Center for Mathematical Studies in Economics and Management Science.
    3. Milgrom, Paul, 1994. "Comparing Optima: Do Simplifying Assumptions Affect Conclusions?," Journal of Political Economy, University of Chicago Press, vol. 102(3), pages 607-615, June.
    4. Gal-Or, Esther, 1985. "Information Sharing in Oligopoly," Econometrica, Econometric Society, vol. 53(2), pages 329-343, March.
    5. Timothy W. McGuire & Richard Staelin, 1983. "An Industry Equilibrium Analysis of Downstream Vertical Integration," Marketing Science, INFORMS, vol. 2(2), pages 161-191.
    6. Myerson, Roger B, 1979. "Incentive Compatibility and the Bargaining Problem," Econometrica, Econometric Society, vol. 47(1), pages 61-73, January.
    7. Myerson, Roger B. & Satterthwaite, Mark A., 1983. "Efficient mechanisms for bilateral trading," Journal of Economic Theory, Elsevier, vol. 29(2), pages 265-281, April.
    8. Bulow, Jeremy I & Geanakoplos, John D & Klemperer, Paul D, 1985. "Multimarket Oligopoly: Strategic Substitutes and Complements," Journal of Political Economy, University of Chicago Press, vol. 93(3), pages 488-511, June.
    9. Narasimhan, Chakravarthi, 1988. "Competitive Promotional Strategies," The Journal of Business, University of Chicago Press, vol. 61(4), pages 427-449, October.
    10. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    11. Groves, Theodore & Loeb, Martin, 1975. "Incentives and public inputs," Journal of Public Economics, Elsevier, vol. 4(3), pages 211-226, August.
    12. Carl Shapiro, 1986. "Exchange of Cost Information in Oligopoly," Review of Economic Studies, Oxford University Press, vol. 53(3), pages 433-446.
    13. Groves, Theodore, 1973. "Incentives in Teams," Econometrica, Econometric Society, vol. 41(4), pages 617-631, July.
    Full references (including those not matched with items on IDEAS)

    Citations

    Blog mentions

    As found by EconAcademics.org, the blog aggregator for Economics research:
    1. How can we co-operate to tackle phishing?
      by Tyler Moore in Light Blue Touchpaper on 2008-10-27 17:47:06

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. repec:wsi:igtrxx:v:19:y:2017:i:02:n:s0219198917500104 is not listed on IDEAS
    2. Schilling, Andreas & Werners, Brigitte, 2016. "Optimal selection of IT security safeguards from an existing knowledge base," European Journal of Operational Research, Elsevier, vol. 248(1), pages 318-327.
    3. Xing Gao & Weijun Zhong & Shue Mei, 2013. "Information Security Investment When Hackers Disseminate Knowledge," Decision Analysis, INFORMS, vol. 10(4), pages 352-368, December.
    4. Huseyin Cavusoglu & Hasan Cavusoglu, 2007. "Assessing the Value of Network Security Technologies: The Impact of Configuration and Interaction on Value," Working Papers 07-19, NET Institute, revised Aug 2007.
    5. repec:spr:infosf:v:9:y:2007:i:5:d:10.1007_s10796-007-9052-5 is not listed on IDEAS
    6. repec:eee:reensy:v:100:y:2012:i:c:p:19-27 is not listed on IDEAS
    7. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    8. Alfredo Garcia & Barry Horowitz, 2007. "The potential for underinvestment in internet security: implications for regulatory policy," Journal of Regulatory Economics, Springer, vol. 31(1), pages 37-55, February.
    9. repec:spr:infosf:v:17:y:2015:i:2:d:10.1007_s10796-013-9411-3 is not listed on IDEAS
    10. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    11. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    12. Hausken, Kjell, 2008. "Strategic defense and attack for series and parallel reliability systems," European Journal of Operational Research, Elsevier, vol. 186(2), pages 856-881, April.
    13. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    14. repec:spr:jglopt:v:70:y:2018:i:2:d:10.1007_s10898-017-0585-y is not listed on IDEAS
    15. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    16. Fabio BISOGNI & Simona CAVALLINI & Sara DI TROCCHIO, 2011. "Cybersecurity at European Level: The Role of Information Availability," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 105-124, 1st quart.
    17. Azimian, Alireza & Kilgour, D. Marc & Noori, Hamid, 2016. "Mitigating contagion risk by investing in the safety of rivals," European Journal of Operational Research, Elsevier, vol. 254(3), pages 935-945.
    18. repec:gam:jgames:v:8:y:2017:i:2:p:23-:d:99623 is not listed on IDEAS
    19. Charles Z. Liu & Humayun Zafar & Yoris A. Au, 2013. "Rethinking Fs-Isac: An It Security Information Sharing Model For The Financial Services Sector," Working Papers 0209is, College of Business, University of Texas at San Antonio.

    More about this item

    Keywords

    Technology Investment; Information Sharing; Security Breaches; Externality Benefit; Spillover Effect; Social Welfare;

    JEL classification:

    • L - Industrial Organization

    NEP fields

    This paper has been announced in the following NEP Reports:

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:wpa:wuwpio:0503004. See general information about how to correct material in RePEc.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: (EconWPA). General contact details of provider: http://econwpa.repec.org .

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service hosted by the Research Division of the Federal Reserve Bank of St. Louis . RePEc uses bibliographic data supplied by the respective publishers.