Sharing Security Information and the Prisoner's Dilemma

New paper: Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), "Knowledge Sharing and Investment Decisions in Information Security," Decision Support Systems, in press.

Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners' Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an "arms race" where they over-invest or reenact the under-investment behavior found in the complementary case. Once again, this sub-optimal behavior can be corrected using incentive mechanisms that penalize for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.

Posted on September 15, 2011 at 12:45 PM • 4 Comments

Comments

Somebody AnonSeptember 15, 2011 2:56 PM

Hi,

Hypothetical cases are being discussed ... are such cases remotely like anything real ? Do such case studies pan out in the real world ?

Sometimes, I guess, the academic world and the real world exist on different planes.

BrianSeptember 15, 2011 4:13 PM

You realize that thought experiments are often used to help design subsequent studies or experiments.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..