research-article

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Authors:

Rainer BöhmeAuthors Info & Claims

WISCS '15: Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security

Pages 31 - 42

https://doi.org/10.1145/2808128.2808132

Published: 12 October 2015 Publication History

Abstract

New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare.

References

[1]

R. Abrams. Target puts data breach costs at $148 million, and forecasts profit drop, 2014. Access: http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html. Last accessed: 27.07.2015.

[2]

R. Anderson, R. Böhme, R. Clayton, and T. Moore. Security economics and the internal market. Technical report, European Union Agency for Network and Information Security (ENISA), 2008.

[3]

J. M. Bauer and M. van Eeten. Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy, 33(10):706--719, 2009.

Digital Library

[4]

R. Böhme. Security audits revisited. In A. Keromytis, editor, Proceedings of Financial Cryptography and Data Security, volume 7397 of Lecture Notes in Computer Science, pages 129--147, Berlin, Heidelberg, 2012. Springer.

[5]

H. Cavusoglu, B. Mishra, and S. Raghunathan. A model for evaluating IT security investments. Communications of the ACM, 47(7):87--92, 2004.

Digital Library

[6]

H. Cavusoglu, B. Mishra, and S. Raghunathan. The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1):70--104, 2004.

Digital Library

[7]

H. Cavusoglu, B. Mishra, and S. Raghunathan. The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16(1):28--46, 2005.

Digital Library

[8]

D. M. Dekker, C. Karsberg, and B. Daskala. Cyber incident reporting in the EU -- An overview of security articles in EU legislation. Technical report, European Union Agency for Network and Information Security (ENISA), 2012.

[9]

Deutscher Bundestag. Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz). Bundesgesetzblatt, I(31):1324--1331, 2015.

[10]

European Commission. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union. COM (2013) 48 final, 2013.

[11]

E. Gal-Or and A. Ghose. The economic incentives for sharing security information. Information Systems Research, 16(2):186--208, 2005.

Digital Library

[12]

L. A. Gordon and M. P. Loeb. The economics of information security investment. ACM Transactions on Information and System Security, 5(4):438--457, 2002.

Digital Library

[13]

L. A. Gordon, M. P. Loeb, and W. Lucyshyn. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22(6):461--485, 2003.

[14]

K. Hausken. Information sharing among firms and cyber attacks. Journal of Accounting and Public Policy, 26(6):639--688, 2007.

[15]

M. Khouzani, V. Pham, and C. Cid. Strategic discovery and sharing of vulnerabilities in competitive environments. In R. Poovendran and W. Saad, editors, Decision and Game Theory for Security, volume 8840 of Lecture Notes in Computer Science, pages 59--78, Berlin, Heidelberg, 2014. Springer.

[16]

H. Kunreuther and G. Heal. Interdependent security. Journal of Risk and Uncertainty, 26(2/3):231--249, 2003.

[17]

S. Laube and R. Böhme. The economics of mandatory security breach reporting to authorities. In Workshop on the Economics of Information Security (WEIS), Delft, 2015.

[18]

National Conference of State Legislatures. State security breach notification laws, 2014. Access: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Last accessed: 27.07.2015.

[19]

H. Ögüt, N. Memon, and S. Raghunathan. Cyber insurance and IT security investment: Impact of interdependent risk. In Workshop on the Economics of Information Security (WEIS), Harvard, 2005.

[20]

PricewaterhouseCoopers. Managing Cyber risks in an interconnected world: Key findings from the global state of information security survey 2014. Technical report, PricewaterhouseCoopers, 2014.

[21]

S. Romanosky, R. Sharp, and A. Acquisti. Data breaches and identity theft: When is mandatory disclosure optimal? In Workshop on Economics of Information Security (WEIS), Harvard, 2010.

Cited By

Feng NZhang YRen BDou RLi M(2023)How Industrial Internet Platforms guide high-quality information sharing for semiconductor manufacturing? An evolutionary game modelComputers & Industrial Engineering10.1016/j.cie.2023.109449183(109449)Online publication date: Sep-2023
https://doi.org/10.1016/j.cie.2023.109449
Menges FPutz BPernul G(2020)DEALER: decentralized incentives for threat intelligence reporting and exchangeInternational Journal of Information Security10.1007/s10207-020-00528-1Online publication date: 9-Dec-2020
https://doi.org/10.1007/s10207-020-00528-1
Pala AZhuang J(2019)Information Sharing in Cybersecurity: A ReviewDecision Analysis10.1287/deca.2018.0387Online publication date: 6-Aug-2019
https://doi.org/10.1287/deca.2018.0387
Show More Cited By

Index Terms

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls
1. Social and professional topics
  1. Computing / technology policy
    1. Government technology policy

Recommendations

Economic incentives in security information sharing: the effects of market structures

The past few years have witnessed numerous information security incidents throughout the world, which unfortunately become increasingly tough to be completely addressed just by technology solutions such as advanced firewalls and intrusion detection ...
Knowledge sharing and investment decisions in information security

We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or ...
Information security breaches and IT security investments: Impacts on competitors
Abstract
In current business climate, a firm’s information systems security is no longer independent from the industry’s broader security environment. A question arises, then, whether stock market values reflect the interdependence of security ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WISCS '15: Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security

October 2015

84 pages

ISBN:9781450338226

DOI:10.1145/2808128

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Tomas Sander
HP, USA
,
Moti Yung
Columbia University and Google, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12, 2015

Colorado, Denver, USA

Acceptance Rates

WISCS '15 Paper Acceptance Rate 6 of 16 submissions, 38%;

Overall Acceptance Rate 23 of 58 submissions, 40%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
252
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)5

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Feng NZhang YRen BDou RLi M(2023)How Industrial Internet Platforms guide high-quality information sharing for semiconductor manufacturing? An evolutionary game modelComputers & Industrial Engineering10.1016/j.cie.2023.109449183(109449)Online publication date: Sep-2023
https://doi.org/10.1016/j.cie.2023.109449
Menges FPutz BPernul G(2020)DEALER: decentralized incentives for threat intelligence reporting and exchangeInternational Journal of Information Security10.1007/s10207-020-00528-1Online publication date: 9-Dec-2020
https://doi.org/10.1007/s10207-020-00528-1
Pala AZhuang J(2019)Information Sharing in Cybersecurity: A ReviewDecision Analysis10.1287/deca.2018.0387Online publication date: 6-Aug-2019
https://doi.org/10.1287/deca.2018.0387
Laube SBöhme R(2017)Strategic Aspects of Cyber Risk Information SharingACM Computing Surveys10.1145/312439850:5(1-36)Online publication date: 13-Nov-2017
https://dl.acm.org/doi/10.1145/3124398
Bisogni F(2016)Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?Journal of Information Policy10.5325/jinfopoli.6.2016.1546:1(154-205)Online publication date: 1-Jun-2016
https://doi.org/10.5325/jinfopoli.6.2016.154
Bisogni F(2016)Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?Journal of Information Policy10.5325/jinfopoli.6.2016.01546(154-205)Online publication date: 1-Jun-2016
https://doi.org/10.5325/jinfopoli.6.2016.0154
Böhme RMoore T(2016)The “Iterated Weakest Link” Model of Adaptive Security InvestmentJournal of Information Security10.4236/jis.2016.7200607:02(81-102)Online publication date: 2016
https://doi.org/10.4236/jis.2016.72006
Davidson AFenn GCid CKatzenbeisser SWeippl EBlass EKerschbaum F(2016)A Model for Secure and Mutually Beneficial Software Vulnerability SharingProceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security10.1145/2994539.2994547(3-14)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2994539.2994547
Garrido-Pelaz RGonzález-Manzano LPastrana SKatzenbeisser SWeippl EBlass EKerschbaum F(2016)Shall We Collaborate?Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security10.1145/2994539.2994543(15-24)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2994539.2994543
Böhme RKatzenbeisser SWeippl EBlass EKerschbaum F(2016)Back to the RootsProceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security10.1145/2994539.2994540(1-2)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2994539.2994540
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents