Abstract
Various measures have been proposed to mitigate the underinvestment problem in cybersecurity. Investment models have theoretically demonstrated the potential application of security information sharing (SIS) to Critical Infrastructure Protection (CIP). However, the free rider problem remains a major pitfall, preventing the full potential benefits of SIS from being realised. This paper closes an important research gap by providing a theoretical framework linking incentives and voluntary SIS. This framework was applied to CIP through a case study of the Swiss Reporting and Analysis Centre for Information Security. The SIS model was used to analyse the incentive mechanisms that most effectively support SIS for CIP. Our work contribute to an understanding of the free rider problem that plagues the provision of the public good that is cybersecurity, and offer clues to its mitigation.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In our study we use the term “cybersecurity” as a synonym for “information security,” referring to the protection of information that is transmitted over the Internet or any other computer network.
- 2.
“security information sharing” SIS can be defined as the mutual exchange of cybersecurity-relevant information on vulnerabilities, phishing, malware, and data breaches, as well as threat intelligence, best practices, early warnings, and expert advices and insights.
- 3.
In particular the 2002 Sarbanes-Oxley Act (SOX) and the 2015 Cybersecurity Information Sharing Act (CISA).
- 4.
In December 2015, the European Parliament and Council agreed on the first EU-wide legislation on cybersecurity, adopting the EU Network and Information Security (NIS) Directive.
- 5.
An ISAC is a generally a nonprofit organisation that provides a platform for SIS between the government and CIs.
- 6.
Unlike ISACs, ISAOs are not directly tied to CIs and offer a flexible and voluntary approach for SIS.
- 7.
A fusion center is an information sharing center designed to promote information sharing between different agencies.
- 8.
The TPI technology helps organizations to analyze and aggregate real-time threat data in order to support defensive actions.
- 9.
The interconnected 2008 global financial crisis bears several resemblances to what could happen in a major cyber “risk nexus” scenario.
- 10.
The goal of this platform is to bring together CI stakeholders to improve SIS at the international level.
References
Alcaraz, C., Balastegui, A., Lopez, J.: Early warning system for cascading effect control in energy control systems. In: Xenakis, C., Wolthusen, S. (eds.) CRITIS 2010. LNCS, vol. 6712, pp. 55–66. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21694-7_5
Anderson, R., Fuloria, S.: Security economics and critical national infrastructure. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 55–66. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-6967-5_4
Anderson, R., Moore, T.: Information security: where computer science, economics and psychology meet. Philos. Trans. A Math. Phys. Eng. Sci. 367(1898), 2717–2727 (2009)
Anderson, R., Moore, T., Nagaraja, S., Ozment, A.: Incentives and information security. In: Algorithmic Game Theory, pp. 633–649. Cambridge University Press, New York (2007)
Aviram, A., Tor, A.: Overcoming impediments to information sharing. Alabama Law Rev. 55, 231 (2003–2004)
Bauer, J.M., Van Eeten, M.J.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecommun. Policy 33(10), 706–719 (2009)
Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)
De Bruijne, M., Van Eeten, M.: Systems that should have failed: critical infrastructure protection in an institutionally fragmented environment. J. Contingencies Crisis Manag. 15(1), 18–29 (2007)
Dunn Cavelty, M.: Cybersecurity in Switzerland. SpringerBriefs in Cybersecurity. Springer, Cham (2014)
Dunn-Cavelty, M., Suter, M.: Public-private partnerships are no silver bullet: an expanded governance model for critical infrastructure protection. Int. J. Crit. Infrastruct. Prot. 2(4), 179–187 (2009)
ENISA: Good Practice Guide on Information Sharing. Report/study (2009)
ENISA: Incentives and Barriers to Information Sharing. Report/study (2010)
ENISA: Economic Efficiency of Security Breach Notification. Report/study (2011)
ENISA: Cyber Security Information Sharing: An Overview of Regulatory and Non-regulatory Approaches. Report/study (2015)
ENISA: Information sharing and common taxonomies between CSIRTs and Law Enforcement. Report/study (2016)
Vazquez, D.F., et al.: Conceptual framework for cyber defense information sharing within trust relationships, June 2012
Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Inf. Syst. Res. 16(2), 186–208 (2005)
Ghernaouti, S.: Cyber Power: Crime, Conflict and Security in Cyberspace. EPFL Press, Burlington (2013)
Gordon, L., Loeb, M., Sohail, T.: Market value of voluntary disclosures concerning information security. Manag. Inf. Syst. Q. 34(3), 567–594 (2010)
Gordon, L.A., Loeb, M.P., Lucyshyn, W.: Sharing information on computer systems security: an economic analysis. J. Account. Public Policy 22(6), 461–485 (2003)
Gordon, L.A., Loeb, M.P., Lucyshyn, W., Sohail, T.: The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. J. Account. Public Policy 25(5), 503–530 (2006)
Gordon, L.A., Loeb, M.P., Lucyshyn, W., Zhou, L.: Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. J. Inf. Secur. 06(01), 24–30 (2015)
Gordon, L.A., Loeb, M.P., Lucyshyn, W., Zhou, L.: Increasing cybersecurity investments in private sector firms. J. Cybersecur. 1(1), 3–17 (2015)
Grudzien, W., Hämmerli, B.: Voluntary information sharing. Technical report, Networking Information Security, Chapter 3 Voluntary Information Sharing (2014)
Haemmerli, B., Raaum, M., Franceschetti, G.: Trust networks among human beings. In: Multimedia Computing, Communication and Intelligence, May 2013
Harrison, K., White, G.: Information sharing requirements and framework needed for community cyber incident detection and response, November 2012
Hausken, K.: Information sharing among firms and cyber attacks. J. Account. Public Policy 26(6), 639–688 (2007)
Laube, S., Böhme, R.: The economics of mandatory security breach reporting to authorities. In: Proceedings of the 14th Workshop on the Economics of Information Security (WEIS), Delft, Netherlands (2015)
Leu, P.O., Peter, D.: Case study: information flow resilience of a retail company with regard to the electricity scenarios of the Sicherheitsverbundsübung Schweiz (Swiss Security Network Exercise) SVU 2014. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 159–170. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33331-1_13
Liu, C., Zafar, H., Au, Y.: Rethinking FS-ISAC: an IT security information sharing network model for the financial services sector. Commun. Assoc. Inf. Syst. 34(1), 15–36 (2014)
Moran, T., Moore, T.: The phish-market protocol: securely sharing attack data between competitors. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 222–237. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_18
PricewaterhouseCoopers: information sharing and analysis organizations: putting theory into practice. Technical report (2016)
Suter, M.: The Governance of Cybersecurity: An Analysis of Public-Private Partnerships in a New Field of Security Policy. ETH, Zürich (2012)
von Hippel, E., von Krogh, G.: Open source software and the “Private-Collective” innovation model. Organ. Sci. 14(2), 208–223 (2003)
Weiss, E.: Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis
Xiong, L., Liu, L.: PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities. IEEE Trans. Knowl. Data Eng. 16(7), 843–857 (2004)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Mermoud, A., Keupp, M.M., Ghernaouti, S., Percia David, D. (2017). Using Incentives to Foster Security Information Sharing and Cooperation: A General Theory and Application to Critical Infrastructure Protection. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science(), vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-71368-7_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71367-0
Online ISBN: 978-3-319-71368-7
eBook Packages: Computer ScienceComputer Science (R0)