Abstract
Effective cyber defense requires stakeholders to collaborate with each other and share cyber threat intelligence. Sharing such intelligence can improve the community’s cybersecurity posture, preventing others from being hacked or compromised. However, intelligence sharing is still relatively uncommon due in part to the associated costs as well as other legitimate concerns. In this paper, we ask how a central authority could employ monetary incentives to promote intelligence sharing among competitive firms. We propose a novel game-theoretic model of intelligence sharing and derive the minimal incentive payments which ensure that firms profitably share with their competitors. We investigate the value of being able to differentiate incentives among firms (i.e., paying a different amount to each firm), and show formally that the ability to differentiate is the most valuable when the network among firms is highly heterogeneous. Finally, we show that our results are sharp in an important sense: if the authority offers less than the minimal incentive to every firm, this can render no-sharing as the unique Nash equilibrium.
This work was supported in part by NSF Grants #2122631, #2115134 and #ECCS-2013779, ARO Grant #W911NF-17-1-0566, and Colorado State Bill 18-086.
Acknowledgement
We thank the reviewers for their useful comments.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Collins, B., Xu, S., Brown, P.N. (2021). Paying Firms to Share Cyber Threat Intelligence. In: Bošanský, B., Gonzalez, C., Rass, S., Sinha, A. (eds) Decision and Game Theory for Security. GameSec 2021. Lecture Notes in Computer Science, vol 13061. Springer, Cham. https://doi.org/10.1007/978-3-030-90370-1_20
DOI: https://doi.org/10.1007/978-3-030-90370-1_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90369-5
Online ISBN: 978-3-030-90370-1
eBook Packages: Computer Science (R0)