
Strategic Aspects of Cyber Risk Information Sharing

Published: 13 November 2017

Abstract

Cyber risk management largely reduces to a race for information between defenders of ICT systems and attackers. Defenders can gain advantage in this race by sharing cyber risk information with each other. Yet, they often exchange less information than is socially desirable, because sharing decisions are guided by selfish rather than altruistic reasons. A growing line of research studies these strategic aspects that drive defenders’ sharing decisions. The present survey systematizes these works in a novel framework. It provides a consolidated understanding of defenders’ strategies to privately or publicly share information and enables us to distill trends in the literature and identify future research directions. We reveal that many theoretical works assume cyber risk information sharing to be beneficial, while empirical validations are often missing.


Published In

ACM Computing Surveys, Volume 50, Issue 5
September 2018
573 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3145473
Editor: Sartaj Sahni
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2017
Accepted: 01 July 2017
Revised: 01 June 2017
Received: 01 March 2017
Published in CSUR Volume 50, Issue 5


Author Tags

  1. Security information sharing
  2. cyber risk management

Qualifiers

  • Survey
  • Research
  • Refereed


Cited By

  • (2023) Lessons lost. Proceedings of the 32nd USENIX Conference on Security Symposium. 10.5555/3620237.3620364 (2259-2273). Online publication date: 9-Aug-2023
  • (2023) Efficient collective action for tackling time-critical cybersecurity threats. Journal of Cybersecurity. 10.1093/cybsec/tyad021, 9:1. Online publication date: 7-Nov-2023
  • (2023) Maximizing the benefits from sharing cyber threat intelligence by government agencies and departments. Journal of Cybersecurity. 10.1093/cybsec/tyad003, 9:1. Online publication date: 3-Apr-2023
  • (2023) Development of Large-Scale Farming Based on Explainable Machine Learning for a Sustainable Rural Economy: The Case of Cyber Risk Analysis to Prevent Costly Data Breaches. Applied Artificial Intelligence. 10.1080/08839514.2023.2223862, 37:1. Online publication date: 15-Jun-2023
  • (2023) Measuring security development in information technologies: A scientometric framework using arXiv e-prints. Technological Forecasting and Social Change. 10.1016/j.techfore.2023.122316, 188 (122316). Online publication date: Mar-2023
  • (2023) Duopoly insurers’ incentives for data quality under a mandatory cyber data sharing regime. Computers and Security. 10.1016/j.cose.2023.103292, 131:C. Online publication date: 1-Aug-2023
  • (2023) Building Collaborative Cybersecurity for Critical Infrastructure Protection: Empirical Evidence of Collective Intelligence Information Sharing Dynamics on ThreatFox. Critical Information Infrastructures Security. 10.1007/978-3-031-35190-7_10 (140-157). Online publication date: 8-Jun-2023
  • (2023) Next Generation ISACs: Simulating Crowdsourced Intelligence for Faster Incident Response. Cyberdefense. 10.1007/978-3-031-30191-9_4 (49-66). Online publication date: 20-Sep-2023
  • (2023) Reducing Time to Response in Cyber Defense: An Agent-based Model. Cyberdefense. 10.1007/978-3-031-30191-9_2 (11-25). Online publication date: 20-Sep-2023
  • (2022) Detection and Blockchain-Based Collaborative Mitigation of Internet of Things Botnets. Wireless Communications & Mobile Computing. 10.1155/2022/1194899, 2022. Online publication date: 1-Jan-2022
