Using Private and Public Assessments in Security Information Sharing Agreements
Parinaz Naghizadeh, Mingyan Liu

TL;DR
This paper explores how private and public assessments can be used to create incentives for firms to cooperate in cybersecurity information sharing, using game theory to analyze the effectiveness of these mechanisms.
Contribution
It introduces a game-theoretic framework for designing inter-temporal incentives based on private and public assessments to promote cooperation in security information sharing agreements.
Findings
Private assessments enable sustained cooperation through inter-temporal incentives.
Public rating systems can similarly foster cooperation among firms.
Designing incentives based on assessments reduces disclosure costs and encourages information sharing.
Abstract
Information sharing among organizations has been gaining attention as a method for improving cybersecurity. However, the associated disclosure costs act as deterrents for firms' voluntary cooperation. In this work, we take a game-theoretic approach to understanding firms' incentives in these agreements. We propose the design of inter-temporal incentives (i.e. conditioning future cooperation on past interactions). Specifically, we show that incentives for full cooperation can be designed if firms share their private assessments of other firms' disclosure decisions through a common communication platform. We further show that similar incentives can be designed based on outcomes of a public rating/assessment system.
Taxonomy
Topics: Information and Cyber Security · Cybercrime and Law Enforcement Studies · Network Security and Intrusion Detection
