GT, CR | Apr 17, 2016

Using Private and Public Assessments in Security Information Sharing Agreements

arXiv:1604.04871v2 | 3 citations
AI Analysis

This work addresses cybersecurity information sharing among firms, offering a game-theoretic solution to a specific coordination problem, but it is incremental as it builds on existing incentive design approaches.

The paper tackles the problem of firms' reluctance to share cybersecurity information due to disclosure costs by proposing inter-temporal incentives based on private assessments or public ratings, showing that full cooperation can be achieved through these mechanisms.

Information sharing among organizations has been gaining attention as a method for improving cybersecurity. However, the associated disclosure costs act as deterrents for firms' voluntary cooperation. In this work, we take a game-theoretic approach to understanding firms' incentives in these agreements. We propose the design of inter-temporal incentives (i.e. conditioning future cooperation on past interactions). Specifically, we show that incentives for full cooperation can be designed if firms share their private assessments of other firms' disclosure decisions through a common communication platform. We further show that similar incentives can be designed based on outcomes of a public rating/assessment system.
