5 research outputs found

    On the Provision of Public Goods on Networks: Incentives, Exit Equilibrium, and Applications to Cyber.

    Attempts to improve the state of cyber-security have been on the rise over the past years. The importance of incentivizing better security decisions by users in the current landscape is two-fold: it not only helps users protect themselves against attacks, but also provides positive externalities to others interacting with them, as a protected user is less likely to become compromised and be used to propagate attacks against other entities. Therefore, security can be viewed as a public good. This thesis takes a game-theoretic approach to understanding the theoretical underpinnings of users' incentives in the provision of public goods, and in particular, cyber-security. We analyze the strategic interactions of users in the provision of security as a non-excludable public good. We propose the notion of exit equilibrium to describe users' outside options from mechanisms for incentivizing the adoption of better security decisions, and use it to highlight the crucial effect of outside options on the design of incentive mechanisms for improving the state of cyber-security. We further focus on the general problem of public good provision games on networks. We identify necessary and sufficient conditions on the structure of the network for the existence and uniqueness of the Nash equilibrium in these games. We show that previous results in the literature can be recovered as special cases of our result. We provide a graph-theoretical interpretation of users' efforts at the Nash equilibria, Pareto efficient outcomes, and semi-cooperative equilibria of these games, by linking users' effort decisions to their centralities in the interaction network. Using this characterization, we separate the effects of users' dependencies and influences (outgoing and incoming edges, respectively) on their effort levels, and uncover an alternating effect over walks of different length in the network. 
We also propose the design of inter-temporal incentives in a particular type of security game, namely, security information sharing agreements. We show that either public or private assessments can be used in designing incentives for participants to disclose their information in these agreements. Finally, we present a method for crowdsourcing reputation that can be useful in attaining assessments of users' efforts in security games.
PhD, Electrical Engineering: Systems, University of Michigan, Horace H. Rackham School of Graduate Studies. Full text: http://deepblue.lib.umich.edu/bitstream/2027.42/133328/1/naghizad_1.pd

    Incentives for Human Agents to Share Security Information: a Model and an Empirical Test

    In this paper, we investigate the role of incentives for Security Information Sharing (SIS) between human agents working in institutions. We present an incentive-based SIS system model that is empirically tested with an exclusive dataset. The data was collected with an online questionnaire addressed to all participants of a deployed Information Sharing and Analysis Center (ISAC) that operates in the context of critical infrastructure protection (N=262). SIS is measured with a multidimensional approach (intensity, frequency) and regressed on five specific predictors (reciprocity, value of information, institutional barriers, reputation, trust) that are measured with psychometric scales. We close an important research gap by providing, to the best of our knowledge, the first empirical analysis of previous theoretical work that assumes SIS to be beneficial. Our results show that institutional barriers have a strong influence on our population, i.e., SIS decision makers in Switzerland. This lends support to a better institutional design of ISACs and the formulation of incentive-based policies that can avoid non-cooperative and free-riding behaviours. Both frequency and intensity are influenced by the extent to which decision makers expect to receive valuable information in return for SIS, which supports the econometric structure of our multidimensional model. Finally, our policy recommendations support the view that the effectiveness of mandatory security-breach reporting to authorities is limited. Therefore, we suggest that a conducive and lightly regulated SIS environment, as in Switzerland, with positive reinforcement and indirect suggestions can "nudge" SIS decision makers to adopt a productive sharing behaviour.

    Exploring Incentives and Challenges for Cybersecurity Intelligence Sharing (CIS) across Organizations: A Systematic Review

    Cybersecurity intelligence sharing (CIS) has gained significance as an organizational function to protect critical information assets, manage cybersecurity risks, and improve cybersecurity operations. However, few studies have synthesized accumulated scholarly knowledge on CIS practices across disciplines. Synthesizing the pertinent literature through a structured literature review, we investigated the incentives and challenges that influence organizations in adopting CIS practices. We used the overarching TOE framework to categorize these factors and propose a theoretical framework to establish common ground for future studies. We also developed a holistic and inclusive definition of cybersecurity intelligence that we present in the paper. We found 46 papers on CIS in different disciplines and analyzed them to answer our research questions. We identified 35 factors that we classified according to the TOE framework. With this paper, we facilitate further theory development by overviewing theories that researchers can use as a basis for CIS studies, suggesting future directions, providing a reference source, and developing a reference CIS framework for IS scholars.

    Cyber threat intelligence sharing: Survey and research directions

    Cyber Threat Intelligence (CTI) sharing has become a novel weapon in the arsenal of cyber defenders to proactively mitigate increasing cyber attacks. Automating the process of CTI sharing, and even its basic consumption, has raised new challenges for researchers and practitioners. This extensive literature survey explores the current state of the art and approaches different problem areas of interest pertaining to the larger field of sharing cyber threat intelligence. The motivation for this research stems from the recent emergence of cyber threat intelligence sharing and the challenges involved in automating its processes. This work comprises a considerable number of articles from academic and gray literature, and focuses on technical and non-technical challenges. Moreover, the findings reveal which topics were widely discussed, and hence considered relevant by the authors and by cyber threat intelligence sharing communities.

    THREE ARTICLES ON THE BEHAVIORAL ECONOMICS OF SECURITY INFORMATION SHARING: A THEORETICAL FRAMEWORK, AN EMPIRICAL TEST, AND POLICY RECOMMENDATIONS

    This thesis presents a behavioral economics contribution to the security of information systems. It focuses on security information sharing (SIS) between operators of critical infrastructures, such as systemic banks, power grids, or telecommunications. SIS is an activity by which these operators exchange cybersecurity-relevant information, for instance on vulnerabilities, malware, data breaches, etc. Such information sharing is a low-cost and efficient way by which the defenders of such infrastructures can enhance cybersecurity. However, despite this advantage, economic (dis)incentives, such as the free-rider problem, often reduce the extent to which SIS is actually used in practice. This thesis responds to this problem with three published articles. The first article sets out a theoretical framework that proposes an association between human behavior and SIS outcomes. The second article further develops and empirically tests this proposed association, using data from a self-developed psychometric survey among all participants of the Swiss Reporting and Analysis Centre for Information Assurance (MELANI). SIS is measured by a dual approach (intensity and frequency), and hypotheses on five salient factors that are likely associated with SIS outcomes (attitude, reciprocity, executional cost, reputation, trust) are tested. In the third article, policy recommendations are presented in order to reduce executional costs, which are found to be significantly and negatively associated with SIS. In conclusion, this thesis proposes multiple scientific and practical contributions. It extends the scientific literature on the economics of cybersecurity with three contributions on the human factor in SIS. In addition, regulators will find many recommendations, particularly in the area of governance, to support SIS at the legislative level.
This thesis also offers many avenues for practitioners to improve the efficiency of SIS, particularly within Information Sharing and Analysis Centers (ISACs) in charge of producing Cyber Threat Intelligence in order to anticipate and prevent cyber risks.

This thesis presents a behavioral economics contribution to the security of information systems. It focuses on the incentive mechanism for promoting the sharing of information useful to cybersecurity (Security Information Sharing, SIS) between operators of critical infrastructures, such as systemic banks, power grids, or telecommunications networks. SIS is an activity by which these operators exchange information about cyber threats, for instance on vulnerabilities, malware, data breaches, etc. This information sharing is an inexpensive and effective way by which the defenders of these infrastructures can strengthen cybersecurity. However, despite these advantages, economic (dis)incentives, such as the free-rider problem, often reduce the practical usefulness of SIS. This thesis responds to this problem with three published articles. The first article presents a theoretical framework that proposes an association between human behavior and SIS outcomes. The second article develops and empirically tests this proposed association using data from a psychometric survey developed with the participants of the Centrale d'enregistrement et d'analyse pour la sûreté de l'information (MELANI). SIS is measured with a dual approach (intensity and frequency), and hypotheses on five important factors likely associated with SIS outcomes (attitude, reciprocity, executional cost, reputation, trust) are tested. In the third article, policy recommendations are presented in order to reduce executional costs, which prove to be significantly and negatively associated with SIS. In conclusion, this thesis proposes multiple scientific and practical contributions. Its results extend the scientific literature on the economics of cybersecurity with three contributions on the human factor in SIS. In addition, regulators will find many recommendations, particularly in the area of governance, to support SIS at the legislative level. This thesis also offers practitioners many ways to improve its effectiveness, particularly within the Information Sharing and Analysis Centers (ISACs) responsible for producing Cyber Threat Intelligence in order to anticipate and prevent cyber risks.