Abstract

A game model for deciding on the level of information sharing when privacy is a concern. Finding the threshold at which the gain of information sharing outweighs the privacy risk. Two mechanisms for encouraging firms to reach a socially optimal outcome.

Sharing cyber security information helps firms to decrease cyber security risks, prevent attacks, and increase their overall resilience, and hence contributes to reducing the social security cost. Although cyber security information sharing was previously performed in an informal and ad hoc manner, the development of information sharing and analysis centers (ISACs) has made it more structured, regular, and frequent. However, privacy risk and information disclosure concerns remain major challenges for ISACs and act as barriers to realizing their potential impact. This paper provides insights on decisions about security investments and information sharing in consideration of privacy risk and security knowledge growth. By the latter concept, security knowledge growth, we mean fusing the collected security information, adding prior knowledge, and performing extra analyses to enrich the shared information. The impact of this concept on increasing the motivation of firms to voluntarily share their sensitive information with authorities such as ISACs is analytically studied for the first time in this paper. We propose a differential game model that employs a linear fusion model to characterize the process of knowledge growth via the ISAC. The Nash equilibrium of the proposed game, including the optimized values of security investment and the thresholds of data sharing with the price of privacy, is highlighted. We analytically find the threshold at which the gain achieved by sharing sensitive information outweighs the privacy risks, so that the firms have a natural incentive to share their security information.
Moreover, since in this case the threshold of data sharing and the security investment levels chosen in the Nash equilibrium may be lower than the social optimum, we design mechanisms that encourage the firms and lead to a socially optimal outcome. The direct impact of the achieved results is on analyzing how ISACs can convince firms to share their security information with them.
