Sciweavers

CCS
2015
ACM

Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls

8 years 7 months ago
Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls
New regulations mandating firms to share information on security breaches and security practices with authorities are high on the policy agenda around the globe. These initiatives are based on the hope that authorities can effectively advise and warn other firms, thereby strengthening overall defense and response to cyberthreats in an economy. If this mechanism works (as assumed in this paper with varying effectiveness), it has consequences on security investments of rational firms. We devise an economic model that distinguishes between investments in detective and preventive controls, and analyze its Nash equilibria. The model suggests that firms subject to mandatory security information sharing 1) over-invest in security breach detection as well as under-invest in breach prevention, and 2), depending on the enforcement practices, may shift investment priorities from detective to preventive controls. We also identify conditions where the regulation increases welfare. Categories...
Stefan Laube, Rainer Böhme
Added 17 Apr 2016
Updated 17 Apr 2016
Type Journal
Year 2015
Where CCS
Authors Stefan Laube, Rainer Böhme
Comments (0)