Exploring the management of multi-sectoral cybersecurity information-sharing networks

Abstract

This research explores why and how members of the Information Sharing and Analysis Center (ISAC) share cybersecurity information to prevent cyber threats in Taiwan, and factors that encourage or discourage this behavior. The literature on information sharing has traditionally emphasized the motives for doing so and/or the structure of the sharing platform/network, leaving a gap in our understanding on how its formal and informal network rules shape, influence, and collide. By applying Ostrom's (2007) institutional analysis and development framework to Taiwanese Regional- and Sectoral-ISACs to qualitative data from 40 in-depth interviews across central/local governments, private companies, state-owned enterprises, and non-governmental organizations, this paper analyzes the institutional rules-in-use at the operational, collective, and constitutional levels. Our qualitative empirical study aims to induct the various institutional rules-in-use embedded in the ISAC networks, and its findings regarding inter-organizational crisis-management information sharing may have implications for cross-boundary participation in other nations.