Back to the Roots

Abstract

In a world where cybersecurity can be reduced to a race for information, defenders with different information sets can benefit from sharing what they observe and know. However, defenders supposedly share less than what is socially desirable, thereby leaving parts of society insufficiently protected. The reason for this behavior is almost certainly not a lack of technology to facilitate information exchange. Even an occasional mismatch between information needs and information supply cannot fully explain why defenders share so little information. The key obstacle is economics: defenders often have few incentives to share security information. Back in the 1980s, economists have extensively studied general information sharing between firms, often with the involvement of intermediaries, such as trade associations. These models have been taken up in the 2000s when information security emerged as a new application domain for economic reasoning. The bottom line of most economic models is that information sharing is very fragile, which concurs with our perception of reality. As current policy initiatives seek to improve information sharing, and the topic has gained enough attention to merit a specialized workshop in its third year, I take the opportunity and revisit the old models, their assumptions and implications, in order to derive possible new directions for future research. After all, security information is a very special good, which might call for tailored models: maybe there are better ways to conceptualize Information Sharing Analysis Centers (ISACs) than reducing them to trade associations?