Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Laube S, Böhme R


Zusammenfassung
New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare.



Publikationstyp
Forschungsartikel in Sammelband (Konferenz)

Begutachtet
Ja

Publikationsstatus
Veröffentlicht

Jahr
2015

Konferenz
ACM Conference on Computer and Communication Security (ACM CCS), 2nd Workshop on Information Sharing and Collaborative Security

Konferenzort
Denver, Colorado

Sprache
Englisch

DOI

Gesamter Text