University of Münster
CRIS@UM
DE | EN

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

Laube S, Böhme R

Research article in edited proceedings (conference) | Peer reviewed

Abstract

New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare.

Details about the publication

StatusPublished
Release year2015
Language in which the publication is writtenEnglish
ConferenceACM Conference on Computer and Communication Security (ACM CCS), 2nd Workshop on Information Sharing and Collaborative Security, Denver, Colorado, undefined
DOI10.1145/2808128.2808132
Link to the full texthttp://informationsecurity.uibk.ac.at/pdfs/LB2015_SecurityInformationSharing_Controls-WISCS.pdf

Authors from the University of Münster

Böhme, Rainer
IT Security Research Group (SECURITY)
Laube, Stefan
IT Security Research Group (SECURITY)