The Economic Incentives for Sharing Security Information

Gal‐Or, Esther; Ghose, Anindya

doi:10.1287/isre.1050.0053

Cited by 308 publications

(144 citation statements)

References 22 publications

Supporting

Mentioning

143

Contrasting

Order By: Relevance

“…In their paper, they also provide an overview for developing economic models to study issues such as free-riding, which Varian (2002) has recognized as an important element in the information security space. Two other papers- Gordon et al (2003) and Gal-Or and Ghose (2003)-have followed up on this idea and developed game-theoretic models to study the economic consequences of sharing security information in ISACs. The focus of Gordon et al (2003) is on how information sharing affects the overall level of information security by examining the effect of security investment on expected security costs.…”

Section: Literature Reviewmentioning

confidence: 99%

“…The focus of Gordon et al (2003) is on how information sharing affects the overall level of information security by examining the effect of security investment on expected security costs. Gordon et al (2003) focus on the cost-side, and Gal-Or and Ghose (2003) focus on the demand side effects of security breaches and information sharing.…”

Section: Literature Reviewmentioning

confidence: 99%

See 1 more Smart Citation

Market for Software Vulnerabilities? Think Again

2005

View full text Add to dashboard Cite

S oftware vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The marketbased infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities.The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary's incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism-federally funded social planner-always performs better than a market-based mechanism.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Market for Software Vulnerabilities? Think Again

2005

View full text Add to dashboard Cite

show abstract

“…Previous relevant work includes in the literature on oligopolies, cooperative relationships, joint ventures, and trade associations (Gal-Or 1986, Kirby 1988, Novshek and Sonnenschein 1982, Shapiro 1986, Vives 1990). More recently, information sharing among firms to defend against cyber attacks has been analyzed by Gordon, Loeb and Lucyshyn (2003), Gal-Or and Ghose (2005), and Hausken (2007Hausken ( , 2009). The focus of is on how information sharing affects the overall level of information security.…”

Section: Introductionmentioning

confidence: 99%

“…They highlight the tradeoff that firms face between improved information security and the potential for free riding, which can lead to under-investment in security expenditures. While focus on the cost side effects of security breaches and information sharing, Gal-or and Ghose (2005) focus on the demand side effects and highlight the strategic implication of competition in the product market on information sharing and security technology investment levels. Hausken (2007) sharing and security investment for two firms are inverse U shaped in the aggregate attack, and interlinked through the interdependence between firms and the firm's unit cost of security investment.…”

Section: Introductionmentioning

confidence: 99%

A Strategic Analysis of Information Sharing Among Cyber Attackers

Hausken¹

2015

JISTEM

View full text Add to dashboard Cite

We build a game theory model where the market design is such that one firm invests in security to defend against cyber attacks by two hackers. The firm has an asset, which is allocated between the three market participants dependent on their contest success. Each hacker chooses an optimal attack, and they share information with each other about the firm's vulnerabilities. Each hacker prefers to receive information, but delivering information gives competitive advantage to the other hacker. We find that each hacker's attack and information sharing are strategic complements while one hacker's attack and the other hacker's information sharing are strategic substitutes. As the firm's unit defense cost increases, the attack is inverse U-shaped and reaches zero, while the firm's defense and profit decrease, and the hackers' information sharing and profit increase. The firm's profit increases in the hackers' unit cost of attack, while the hackers' information sharing and profit decrease. Our analysis also reveals the interesting result that the cumulative attack level of the hackers is not affected by the effectiveness of information sharing between them and, moreover, is also unaffected by the intensity of joint information sharing. We also find that as the effectiveness of information sharing between hackers increases relative to the investment in attack, the firm's investment in cyber security defense and profit are constant, the hackers' investments in attacks decrease, and information sharing levels and hacker profits increase. In contrast, as the intensity of joint information sharing increases, while the firm's investment in cyber security defense and profit remain constant, the hackers' investments in attacks increase, and the hackers' information sharing levels and profits decrease. Increasing the firm's asset causes all the variables to increase linearly, except information sharing which is constant. We extend our analysis to endogenize the firm's asset and this analysis largely confirms the preceding analysis with a fixed asset. We use the software Mathematica 10.1 (www.wolfram.com) to program the model mathematically with equilibrium constraints, and perform numerical analysis illustrated graphically.

show abstract

“…Past work has, for example, considered the role of intermediaries such as Information Sharing & Analysis Centers to create incentives for exchanging and disclosing data between companies. Researchers investigated under which conditions organizations are willing to contribute to an information pool about security breaches and investments when (negative) competitive effects may result from this cooperation [9,12]. In different contexts disclosure is not always voluntary and companies may question how much profit they squander when undesirable information is released.…”

Section: Introductionmentioning

confidence: 99%

The Price of Uncertainty in Security Games

Großklags

Johnson

Christin

2010

Economics of Information Security and Privacy

View full text Add to dashboard Cite

In the realm of information security, lack of information about other users' incentives in a network can lead to inefficient security choices and reductions in individuals' payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoffoptimal security outcomes under complete information. Per the analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty.We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest-link, and total effort). In these scenarios, we study how a fully rational expert agent could utilize the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naïve agents. We find substantial differences between the various metrics and evaluate the appropriateness for security choices in networked systems.

show abstract

The Economic Incentives for Sharing Security Information

Cited by 308 publications

References 22 publications

Market for Software Vulnerabilities? Think Again

Market for Software Vulnerabilities? Think Again

A Strategic Analysis of Information Sharing Among Cyber Attackers

The Price of Uncertainty in Security Games

Contact Info

Product

Resources

About