Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Laube, S; Böhme, R

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Laube S, Böhme R

Abstract
New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare.

Publication type

Research article in proceedings (conference)

Peer reviewed

Yes

Publication status

Published

Year

2015

Conference

ACM Conference on Computer and Communication Security (ACM CCS), 2nd Workshop on Information Sharing and Collaborative Security

Venue

Denver, Colorado

Language

English

DOI

https://doi.org/10.1145/2808128.2808132

Full text

LB2015_SecurityInformationSharing_Controls-WISCS.pdf