Abstract
Empirical studies have analyzed the incentive mechanisms for sharing security information between human agents, a key activity for critical infrastructure protection. However, recent research shows that most Information Sharing and Analysis Centers do not perform optimally, even when properly regulated. Using a meso-level of analysis, we close an important research gap by presenting a theoretical framework that links institutional economics and security information sharing. We illustrate this framework with a dataset collected through an online questionnaire addressed to all critical infrastructures (N = 262) operating at the Swiss Reporting and Analysis Centre for Information Security (MELANI). Using descriptive statistics, we investigate how institutional rules offer human agents the institutional freedom to self-design an efficient security information sharing artifact. Our results show that a properly designed artifact can positively reinforce human agents to share security information and find the right balance between three governance models: (A) public-private partnership, (B) private, and (C) government-based. Overall, our work lends support to a better institutional design of security information sharing and the formulation of policies that can avoid the non-cooperative and free-riding behaviors that plague cybersecurity.
Full paper submitted for double-blind peer-review to the 13th International Conference on Critical Information Infrastructure Security (CRITIS 2018) under topic 2: Advances in C(I)IP organization: Policies, good practices and lessons learned. Economics, investments and incentives for C(I)IP.
Notes
1. SIS is an activity consisting of human agents exchanging cybersecurity-relevant information on vulnerabilities, malware, data breaches, as well as threat intelligence analysis, best practices, early warnings, expert advice and general insights.
2. ISACs are non-profit organizations that provide a central resource for gathering information on cyber threats by providing a two-way sharing process, often involving both the private and the public sector.
3. Pareto efficiency describes a state of allocation of resources from which it is impossible to reallocate so as to make any human agent better off without making at least one human agent worse off.
4. Some EU legislation nourishes the existing ISACs and the creation of new ones. For example, in December 2015, the European Parliament and Council agreed on the first EU-wide legislation on cybersecurity, adopting the EU Network and Information Security (NIS) Directive. The EU General Data Protection Regulation (GDPR) aims to harmonize and unify existing EU privacy-breach reporting obligations. On the other hand, some regulations, such as the US Freedom of Information Act, might represent a barrier to SIS.
5. A PPP is a cooperation between two or more private and public sector actors. In this study, we do not differentiate whether the public or the private sector owns and/or manages the PPP.
6. The full questionnaire with items and scales is available from the corresponding author or can be downloaded at the following address: https://drive.switch.ch/index.php/s/DgYt2lWZcgVSyMP.
7. A t-test and analysis of variance (ANOVA) were performed in order to analyze the differences and statistical significance among group means. The details of those analyses and of the proxy selection are available upon request from the corresponding author.
© 2019 Springer Nature Switzerland AG
Cite this paper
Mermoud, A., Keupp, M.M., Percia David, D. (2019). Governance Models Preferences for Security Information Sharing: An Institutional Economics Perspective for Critical Infrastructure Protection. In: Luiijf, E., Žutautaitė, I., Hämmerli, B. (eds) Critical Information Infrastructures Security. CRITIS 2018. Lecture Notes in Computer Science(), vol 11260. Springer, Cham. https://doi.org/10.1007/978-3-030-05849-4_14
DOI: https://doi.org/10.1007/978-3-030-05849-4_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05848-7
Online ISBN: 978-3-030-05849-4
eBook Packages: Computer Science (R0)