Using Incentives to Foster Security Information Sharing and Cooperation: A General Theory and Application to Critical Infrastructure Protection

  • Alain MermoudEmail author
  • Marcus Matthias Keupp
  • Solange Ghernaouti
  • Dimitri Percia David
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)


Various measures have been proposed to mitigate the underinvestment problem in cybersecurity. Investment models have theoretically demonstrated the potential application of security information sharing (SIS) to Critical Infrastructure Protection (CIP). However, the free rider problem remains a major pitfall, preventing the full potential benefits of SIS from being realised. This paper closes an important research gap by providing a theoretical framework linking incentives and voluntary SIS. This framework was applied to CIP through a case study of the Swiss Reporting and Analysis Centre for Information Security. The SIS model was used to analyse the incentive mechanisms that most effectively support SIS for CIP. Our work contribute to an understanding of the free rider problem that plagues the provision of the public good that is cybersecurity, and offer clues to its mitigation.


  1. 1.
    Alcaraz, C., Balastegui, A., Lopez, J.: Early warning system for cascading effect control in energy control systems. In: Xenakis, C., Wolthusen, S. (eds.) CRITIS 2010. LNCS, vol. 6712, pp. 55–66. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  2. 2.
    Anderson, R., Fuloria, S.: Security economics and critical national infrastructure. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 55–66. Springer, Boston (2010). CrossRefGoogle Scholar
  3. 3.
    Anderson, R., Moore, T.: Information security: where computer science, economics and psychology meet. Philos. Trans. A Math. Phys. Eng. Sci. 367(1898), 2717–2727 (2009)CrossRefGoogle Scholar
  4. 4.
    Anderson, R., Moore, T., Nagaraja, S., Ozment, A.: Incentives and information security. In: Algorithmic Game Theory, pp. 633–649. Cambridge University Press, New York (2007)Google Scholar
  5. 5.
    Aviram, A., Tor, A.: Overcoming impediments to information sharing. Alabama Law Rev. 55, 231 (2003–2004)Google Scholar
  6. 6.
    Bauer, J.M., Van Eeten, M.J.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecommun. Policy 33(10), 706–719 (2009)CrossRefGoogle Scholar
  7. 7.
    Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)CrossRefGoogle Scholar
  8. 8.
    De Bruijne, M., Van Eeten, M.: Systems that should have failed: critical infrastructure protection in an institutionally fragmented environment. J. Contingencies Crisis Manag. 15(1), 18–29 (2007)CrossRefGoogle Scholar
  9. 9.
    Dunn Cavelty, M.: Cybersecurity in Switzerland. SpringerBriefs in Cybersecurity. Springer, Cham (2014)CrossRefGoogle Scholar
  10. 10.
    Dunn-Cavelty, M., Suter, M.: Public-private partnerships are no silver bullet: an expanded governance model for critical infrastructure protection. Int. J. Crit. Infrastruct. Prot. 2(4), 179–187 (2009)CrossRefGoogle Scholar
  11. 11.
    ENISA: Good Practice Guide on Information Sharing. Report/study (2009)Google Scholar
  12. 12.
    ENISA: Incentives and Barriers to Information Sharing. Report/study (2010)Google Scholar
  13. 13.
    ENISA: Economic Efficiency of Security Breach Notification. Report/study (2011)Google Scholar
  14. 14.
    ENISA: Cyber Security Information Sharing: An Overview of Regulatory and Non-regulatory Approaches. Report/study (2015)Google Scholar
  15. 15.
    ENISA: Information sharing and common taxonomies between CSIRTs and Law Enforcement. Report/study (2016)Google Scholar
  16. 16.
    Vazquez, D.F., et al.: Conceptual framework for cyber defense information sharing within trust relationships, June 2012Google Scholar
  17. 17.
    Gal-Or, E., Ghose, A.: The economic incentives for sharing security information. Inf. Syst. Res. 16(2), 186–208 (2005)CrossRefGoogle Scholar
  18. 18.
    Ghernaouti, S.: Cyber Power: Crime, Conflict and Security in Cyberspace. EPFL Press, Burlington (2013)CrossRefGoogle Scholar
  19. 19.
    Gordon, L., Loeb, M., Sohail, T.: Market value of voluntary disclosures concerning information security. Manag. Inf. Syst. Q. 34(3), 567–594 (2010)CrossRefGoogle Scholar
  20. 20.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W.: Sharing information on computer systems security: an economic analysis. J. Account. Public Policy 22(6), 461–485 (2003)CrossRefGoogle Scholar
  21. 21.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W., Sohail, T.: The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities. J. Account. Public Policy 25(5), 503–530 (2006)CrossRefGoogle Scholar
  22. 22.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W., Zhou, L.: Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. J. Inf. Secur. 06(01), 24–30 (2015)Google Scholar
  23. 23.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W., Zhou, L.: Increasing cybersecurity investments in private sector firms. J. Cybersecur. 1(1), 3–17 (2015)Google Scholar
  24. 24.
    Grudzien, W., Hämmerli, B.: Voluntary information sharing. Technical report, Networking Information Security, Chapter 3 Voluntary Information Sharing (2014)Google Scholar
  25. 25.
    Haemmerli, B., Raaum, M., Franceschetti, G.: Trust networks among human beings. In: Multimedia Computing, Communication and Intelligence, May 2013Google Scholar
  26. 26.
    Harrison, K., White, G.: Information sharing requirements and framework needed for community cyber incident detection and response, November 2012Google Scholar
  27. 27.
    Hausken, K.: Information sharing among firms and cyber attacks. J. Account. Public Policy 26(6), 639–688 (2007)CrossRefGoogle Scholar
  28. 28.
    Laube, S., Böhme, R.: The economics of mandatory security breach reporting to authorities. In: Proceedings of the 14th Workshop on the Economics of Information Security (WEIS), Delft, Netherlands (2015)Google Scholar
  29. 29.
    Leu, P.O., Peter, D.: Case study: information flow resilience of a retail company with regard to the electricity scenarios of the Sicherheitsverbundsübung Schweiz (Swiss Security Network Exercise) SVU 2014. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 159–170. Springer, Cham (2016). Google Scholar
  30. 30.
    Liu, C., Zafar, H., Au, Y.: Rethinking FS-ISAC: an IT security information sharing network model for the financial services sector. Commun. Assoc. Inf. Syst. 34(1), 15–36 (2014)Google Scholar
  31. 31.
    Moran, T., Moore, T.: The phish-market protocol: securely sharing attack data between competitors. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 222–237. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  32. 32.
    PricewaterhouseCoopers: information sharing and analysis organizations: putting theory into practice. Technical report (2016)Google Scholar
  33. 33.
    Suter, M.: The Governance of Cybersecurity: An Analysis of Public-Private Partnerships in a New Field of Security Policy. ETH, Zürich (2012)Google Scholar
  34. 34.
    von Hippel, E., von Krogh, G.: Open source software and the “Private-Collective” innovation model. Organ. Sci. 14(2), 208–223 (2003)CrossRefGoogle Scholar
  35. 35.
    Weiss, E.: Legislation to Facilitate Cybersecurity Information Sharing: Economic AnalysisGoogle Scholar
  36. 36.
    Xiong, L., Liu, L.: PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities. IEEE Trans. Knowl. Data Eng. 16(7), 843–857 (2004)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Alain Mermoud
    • 1
    • 2
    Email author
  • Marcus Matthias Keupp
    • 2
    • 3
  • Solange Ghernaouti
    • 1
  • Dimitri Percia David
    • 1
    • 2
  1. 1.Swiss Cybersecurity Advisory and Research Group (SCARG)University of LausanneLausanneSwitzerland
  2. 2.Department of Defence ManagementMilitary Academy at ETH ZurichBirmensdorfSwitzerland
  3. 3.Institute of Technology ManagementUniversity of St. GallenSt. GallenSwitzerland

Personalised recommendations