221,583 research outputs found

    The Economic Incentives for Sharing Security Information

    Given that Information Technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber-security information among firms, the US federal government has encouraged the establishment of many industry based Information Sharing & Analysis Centers (ISACs) under Presidential Decision Directive 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting and correcting security breaches, is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as "strategic complements" in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, CERT or InfraGard by the federal government.
    Keywords: Technology Investment, Information Sharing, Security Breaches, Externality Benefit, Spillover Effect, Social Welfare

    The Economic Incentives for Sharing Security Information

    Given that information technology (IT) security has emerged as an important issue in the last few years, the subject of security information sharing among firms, as a tool to minimize security breaches, has gained the interest of practitioners and academics. To promote the disclosure and sharing of cyber security information among firms, the U.S. federal government has encouraged the establishment of many industry-based Information Sharing and Analysis Centers (ISACs) under Presidential Decision Directive (PDD) 63. Sharing security vulnerabilities and technological solutions related to methods for preventing, detecting, and correcting security breaches is the fundamental goal of the ISACs. However, there are a number of interesting economic issues that will affect the achievement of this goal. Using game theory, we develop an analytical framework to investigate the competitive implications of sharing security information and investments in security technologies. We find that security technology investments and security information sharing act as “strategic complements” in equilibrium. Our results suggest that information sharing is more valuable when product substitutability is higher, implying that such sharing alliances yield greater benefits in more competitive industries. We also highlight that the benefits from such information-sharing alliances increase with the size of the firm. We compare the levels of information sharing and technology investments obtained when firms behave independently (Bertrand-Nash) to those selected by an ISAC, which maximizes social welfare or joint industry profits. Our results help us predict the consequences of establishing organizations such as ISACs, Computer Emergency Response Team (CERT), or InfraGard by the federal government.
    NYU, Stern School of Business, IOMS Department, Center for Digital Economy Researc

    TRIDEnT: Building Decentralized Incentives for Collaborative Security

    Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship, to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.
    Comment: 28 page

    Back to the Future: A Century of Compensation

    What were the hot compensation issues and practices over the past century? Does history offer any lessons that may inform our compensation decisions in the future? To answer these questions, we reviewed newspapers and business publications from the past 100 years. To highlight changes in compensation systems during that time, we selected four topics to examine in detail in this paper: compensation's role in the changing nature of the deal; the evolution of pay-for-performance; the emergence of benefits; and the bellwethers of compensation systems. Four lessons for the future are drawn. These include: End the search for the one right compensation strategy; Understand what in the context matters; Continue pragmatic experimentation, and Support continuous learning about compensation. Readers are invited to delve into the history of compensation to discover what they take away for the future

    Confronting objections to performance pay: A study of the impact of individual and gain-sharing incentives on the job satisfaction of British employees

    The increasing interest in incentive pay schemes in recent years has raised concerns regarding their potential damaging effect on intrinsic job satisfaction, or the security of employment. This study explores the impact of both individual and gain-sharing incentives on the overall job satisfaction of workers in the UK, as well as their satisfaction with various facets of jobs, namely total pay, job security, and the actual work itself. Using data from six waves (1998-2003) of the British Household Panel Survey (BHPS), and after correcting for the sorting problem that arises, no significant difference in overall job utility is found between those receiving performance-related pay (PRP) and those on other methods of compensation. In addition, non-economic arguments that PRP crowds-out the intrinsic satisfaction of jobs are also not supported, as are popular concerns regarding the adverse impact of PRP schemes on job security. An important asymmetry in the manner in which individual and gain-sharing incentives affect the utility of employees is nonetheless unearthed, as the latter are consistently found to have a positive effect on employee well-being