Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments

  • Conference paper
Decision and Game Theory for Security (GameSec 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8840)

Abstract

We investigate the incentives behind investments by competing companies in discovery of their security vulnerabilities and sharing of their findings. Specifically, we consider a game between competing firms that utilise a common platform in their systems. The game consists of two stages: firms must decide how much to invest in researching vulnerabilities, and thereafter, how much of their findings to share with their competitors. We fully characterise the Perfect Bayesian Equilibria (PBE) of this game, and translate them into realistic insights about firms’ strategies. Further, we develop a monetary-free sharing mechanism that encourages both investment and sharing, a missing feature when sharing is arbitrary or opportunistic. This is achieved via a light-handed mediator: it receives a set of discovered bugs from each firm and moderates the sharing in a way that eliminates firms’ concerns about losing competitive advantage. This research provides an understanding of the origins of inefficiency and paves the path towards more efficient sharing of cyber-intelligence among competing entities.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Khouzani, M.H.R., Pham, V., Cid, C. (2014). Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments. In: Poovendran, R., Saad, W. (eds) Decision and Game Theory for Security. GameSec 2014. Lecture Notes in Computer Science, vol 8840. Springer, Cham. https://doi.org/10.1007/978-3-319-12601-2_4

  • DOI: https://doi.org/10.1007/978-3-319-12601-2_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12600-5

  • Online ISBN: 978-3-319-12601-2

  • eBook Packages: Computer Science (R0)
