Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Laube S, Böhme R


Abstract
New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare.



Publication type
Conference Paper

Peer reviewed
Yes

Publication status
Published

Year
2015

Conference
ACM Conference on Computer and Communication Security (ACM CCS), 2nd Workshop on Information Sharing and Collaborative Security

Venue
Denver, Colorado

Language
English

DOI

Full text