Inter-temporal incentives in security information sharing agreements

Abstract

Sharing of security information among organizations has often been proposed as a method for improving the state of cyber-security for all. However, such disclosure entails costs for the reporting entity, including a drop in market value, loss of customer confidence, and bureaucratic burdens. By adopting a game-theoretic approach for understanding firms' incentives, we first show that in one shot interactions, disclosure costs act as disincentives for sharing, leading to no information sharing at equilibrium. We then consider a repeated game formulation that enables the use of inter-temporal incentives (i.e., the conditioning of future decisions on the history of past interactions) to support firms' cooperation on information sharing. We show that the nature of the monitoring available to firms greatly affects the possibility of sustaining nearly efficient outcomes through repeated interactions. Specifically, we first illustrate the limitations arising when firms' have independent and imperfect private monitoring technologies. We then consider the role of a public monitoring/assessment system, and show that despite using the same imperfect technology as the individual firms, the monitor can facilitate cooperation among participants. Our results therefore illustrate the impact of a public rating/reputation system on the viability of security information sharing agreements.