Abstract
We investigate the incentives behind investments by competing companies in the discovery of their security vulnerabilities and the sharing of their findings. Specifically, we consider a game between competing firms that utilise a common platform in their systems. The game consists of two stages: firms must decide how much to invest in researching vulnerabilities, and thereafter, how much of their findings to share with their competitors. We fully characterise the Perfect Bayesian Equilibria (PBE) of this game, and translate them into realistic insights about firms’ strategies. Further, we develop a monetary-free sharing mechanism that encourages both investment and sharing, a missing feature when sharing is arbitrary or opportunistic. This is achieved via a light-handed mediator: it receives a set of discovered bugs from each firm and moderates the sharing in a way that eliminates firms’ concerns about losing competitive advantage. This research provides an understanding of the origins of inefficiency and paves the path towards more efficient sharing of cyber-intelligence among competing entities.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Khouzani, M.H.R., Pham, V., Cid, C. (2014). Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments. In: Poovendran, R., Saad, W. (eds) Decision and Game Theory for Security. GameSec 2014. Lecture Notes in Computer Science, vol 8840. Springer, Cham. https://doi.org/10.1007/978-3-319-12601-2_4
DOI: https://doi.org/10.1007/978-3-319-12601-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12600-5
Online ISBN: 978-3-319-12601-2
eBook Packages: Computer Science (R0)