Governance Models Preferences for Security Information Sharing: An Institutional Economics Perspective for Critical Infrastructure Protection

  • Alain MermoudEmail author
  • Marcus Matthias Keupp
  • Dimitri Percia David
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11260)


Empirical studies have analyzed the incentive mechanisms for sharing security information between human agents, a key activity for critical infrastructure protection. However, recent research shows that most Information Sharing and Analysis Centers do not perform optimally, even when properly regulated. Using a meso-level of analysis, we close an important research gap by presenting a theoretical framework that links institutional economics and security information sharing. We illustrate this framework with a dataset collected through an online questionnaire addressed to all critical infrastructures (N = 262) operating at the Swiss Reporting and Analysis Centre for Information Security (MELANI). Using descriptive statistics, we investigate how institutional rules offer human agents an institutional freedom to self-design an efficient security information sharing artifact. Our results show that a properly designed artifact can positively reinforces human agents to share security information and find the right balance between three governance models: (A) public-private partnership, (B) private, and (C) government-based. Overall, our work lends support to a better institutional design of security information sharing and the formulation of policies that can avoid non-cooperative and free-riding behaviors that plague cybersecurity.


Economics of information security Security information sharing New Institutional Economics Information Sharing and Analysis Center Critical infrastructure protection Information assurance 


  1. 1.
    Bauer, J., van Eeten, M.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecommun. Policy 33(10–11), 706–719 (2009)CrossRefGoogle Scholar
  2. 2.
    Boettke, P., Coyne, C., Leeson, P.: Comparative historical political economy. J. Inst. Econ. 9(3), 285–301 (2013)Google Scholar
  3. 3.
    Eden, P., et al.: A cyber forensic taxonomy for SCADA systems in critical infrastructure. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 27–39. Springer, Cham (2016). Scholar
  4. 4.
    European Union Agency for Network and Information Security (ENISA): Cyber Security Information Sharing: An Overview of Regulatory and Non-regulatory Approaches. Report/Study, Heraklion (2015)Google Scholar
  5. 5.
    European Union Agency for Network and Information Security (ENISA): Information Sharing and Common Taxonomies Between CSIRTs and Law Enforcement. Report/Study, Heraklion (2016)Google Scholar
  6. 6.
    European Union Agency for Network and Information Security (ENISA): Information Sharing and Analysis Center (ISACs) - Cooperative Models. Technical report, Heraklion (2018)Google Scholar
  7. 7.
    European Union Agency for Network and Information Security (ENISA): Public Private Partnerships (PPP) - Cooperative models. Report/Study, Heraklion (2018)Google Scholar
  8. 8.
    Furubotn, E., Richter, R.: Institutions and Economic Theory: The Contribution of the New Institutional Economics. University of Michigan Press, Ann Arbor (2005)CrossRefGoogle Scholar
  9. 9.
    Gordon, L., Loeb, M., Lucyshyn, W., Zhou, L.: Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. J. Inf. Secur. 06(01), 24–30 (2015)Google Scholar
  10. 10.
    Gregor, S., Hevner, A.: Positioning and presenting design science research for maximum impact. MIS Q. 37(2), 337–356 (2013). Scholar
  11. 11.
    Hayek, F.: The Road to Serfdom. Institute of Economic Affairs, London (2005)Google Scholar
  12. 12.
    Laube, S., Böhme, R.: The economics of mandatory security breach reporting to authorities. J. Cybersecur. 2(1), 29–41 (2016)CrossRefGoogle Scholar
  13. 13.
    Laube, S., Böhme, R.: Strategic aspects of cyber risk information sharing. ACM Comput. Surv. 50(5), 77:1–77:36 (2017)CrossRefGoogle Scholar
  14. 14.
    Luiijf, E., Kernkamp, A.: Sharing cyber security information: good practice stemming from the Dutch public-private-participation approach (2015)Google Scholar
  15. 15.
    Luiijf, E., Klaver, M.: On the sharing of cyber security information. In: Rice, M., Shenoi, S. (eds.) ICCIP 2015. IAICT, vol. 466, pp. 29–46. Springer, Cham (2015). Scholar
  16. 16.
    Luiijf, E., Nieuwenhuijs, A., Klaver, M., van Eeten, M., Cruz, E.: Empirical findings on critical infrastructure dependencies in Europe. In: Setola, R., Geretshuber, S. (eds.) CRITIS 2008. LNCS, vol. 5508, pp. 302–310. Springer, Heidelberg (2009). Scholar
  17. 17.
    Mermoud, A., Keupp, M.M., Ghernaouti, S., Percia David, D.: Using incentives to foster security information sharing and cooperation: a general theory and application to critical infrastructure protection. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds.) CRITIS 2016. LNCS, vol. 10242, pp. 150–162. Springer, Cham (2017). Scholar
  18. 18.
    Mermoud, A., Keupp, M.M., Huguenin, K., Palmié, M., Percia David, D.: Incentives for human agents to share security information: a model and an empirical test. In: 17th Workshop on the Economics of Information Security (WEIS), Innsbruck, Austria, pp. 1–22, June 2018Google Scholar
  19. 19.
    Percia David, D., Keupp, M.M., Ghernaouti, S., Mermoud, A.: Cyber security investment in the context of disruptive technologies: extension of the Gordon-Loeb model and application to critical infrastructure protection. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds.) CRITIS 2016. LNCS, vol. 10242, pp. 296–301. Springer, Cham (2017). Scholar
  20. 20.
    PricewaterhouseCoopers (PwC): study and considerations on information sharing and analysis organizations. Technical report (2015)Google Scholar
  21. 21.
    PricewaterhouseCoopers (PwC): Information sharing and analysis organizations: putting theory into practice. Technical report (2016)Google Scholar
  22. 22.
    Prieto, D.: Information sharing with the private sector: history, challenges, innovation, and prospects. In: Seeds of Disaster, Roots of Response: How Private Action Can Reduce Public Vulnerability (2006)Google Scholar
  23. 23.
    Richter, R.: Essays on New Institutional Economics. Springer, Cham (2015). Scholar
  24. 24.
    van Eeten, M., Nieuwenhuijs, A., Luiijf, E., Klaver, M., Cruz, E.: The state and the threat of cascading failure across critical infrastructures: the implications of empirical evidence from media incident reports. Publ. Adm. 89(2), 381–400 (2011)CrossRefGoogle Scholar
  25. 25.
    Weiss, E.: Legislation to facilitate cybersecurity information sharing: economic analysis. Technical report, Congressional Research Service, June 2015Google Scholar
  26. 26.
    Zenger, T., Lazzarini, S.G., Poppo, L.: Informal and formal organization in new institutional economics. Technical report, Social Science Research Network, September 2002Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Information Systems, Faculty of Business and Economics (HEC Lausanne)University of Lausanne (UNIL)LausanneSwitzerland
  2. 2.Department of Defense ManagementMilitary Academy at ETH ZurichBirmensdorfSwitzerland
  3. 3.Institute of Technology ManagementUniversity of St. Gallen (HSG)St. GallenSwitzerland

Personalised recommendations