
Using Incentives to Foster Security Information Sharing and Cooperation: A General Theory and Application to Critical Infrastructure Protection

Conference paper, published in Critical Information Infrastructures Security (CRITIS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10242)

Abstract

Various measures have been proposed to mitigate the underinvestment problem in cybersecurity. Investment models have theoretically demonstrated the potential application of security information sharing (SIS) to Critical Infrastructure Protection (CIP). However, the free rider problem remains a major pitfall, preventing the full potential benefits of SIS from being realised. This paper closes an important research gap by providing a theoretical framework linking incentives and voluntary SIS. This framework was applied to CIP through a case study of the Swiss Reporting and Analysis Centre for Information Security. The SIS model was used to analyse the incentive mechanisms that most effectively support SIS for CIP. Our work contributes to an understanding of the free rider problem that plagues the provision of the public good that is cybersecurity, and offers clues to its mitigation.


Notes

  1. In our study we use the term “cybersecurity” as a synonym for “information security,” referring to the protection of information that is transmitted over the Internet or any other computer network.

  2. Security information sharing (SIS) can be defined as the mutual exchange of cybersecurity-relevant information on vulnerabilities, phishing, malware, and data breaches, as well as threat intelligence, best practices, early warnings, and expert advice and insights.

  3. In particular the 2002 Sarbanes-Oxley Act (SOX) and the 2015 Cybersecurity Information Sharing Act (CISA).

  4. In December 2015, the European Parliament and Council agreed on the first EU-wide legislation on cybersecurity, adopting the EU Network and Information Security (NIS) Directive.

  5. An ISAC is generally a nonprofit organisation that provides a platform for SIS between the government and CIs.

  6. Unlike ISACs, ISAOs are not directly tied to CIs and offer a flexible and voluntary approach to SIS.

  7. A fusion center is an information sharing center designed to promote information sharing between different agencies.

  8. The TPI technology helps organisations to analyse and aggregate real-time threat data in order to support defensive actions.

  9. The interconnected 2008 global financial crisis bears several resemblances to what could happen in a major cyber “risk nexus” scenario.

  10. The goal of this platform is to bring together CI stakeholders to improve SIS at the international level.


Author information

Corresponding author: Alain Mermoud.


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Mermoud, A., Keupp, M.M., Ghernaouti, S., Percia David, D. (2017). Using Incentives to Foster Security Information Sharing and Cooperation: A General Theory and Application to Critical Infrastructure Protection. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science, vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_13


  • DOI: https://doi.org/10.1007/978-3-319-71368-7_13
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-71367-0
  • Online ISBN: 978-3-319-71368-7
