In this paper, we investigate the role of incentives for Security Information Sharing (SIS)
between human agents working in institutions. We present an incentive-based SIS system model
that is empirically tested with an exclusive dataset. The data was collected with an online
questionnaire addressed to all participants of a deployed Information Sharing and Analysis
Center (ISAC) that operates in the context of critical infrastructure protection (N=262). SIS is
measured with a multidimensional approach (intensity, frequency) and regressed on five
specific predicators (reciprocity, value of information, institutional barriers, reputation, trust)
that are measured with psychometric scales. We close an important research gap by providing,
to the best of our knowledge, the first empirical analysis on previous theoretical work that
assumes SIS to be beneficial. Our results show that institutional barriers have a strong
influence on our population, i.e., SIS decision makers in Switzerland. This lends support to a
better institutional design of ISACs and the formulation of incentive-based policies that can
avoid non-cooperative and free-riding behaviours. Both frequency and intensity are influenced
by the extent to which decision makers expect to receive valuable information in return for SIS,
which supports the econometric structure of our multidimensional model. Finally, our policy
recommendations support the view that the effectiveness of mandatory security-breach
reporting to authorities is limited. Therefore, we suggest that a conducive and lightly regulated
SIS environment – as in Switzerland – with positive reinforcement and indirect suggestions can
“nudge” SIS decision makers to adopt a productive sharing behaviour
