On the Role of Public and Private Assessments in Security Information Sharing Agreements
In recent years, sharing of security information among organizations, particularly information on both successful and failed security breaches, has been proposed as a method for improving the state of cybersecurity. However, there is a conflict between individual and social goals in these agreements: despite the benefits of making such information available, the associated disclosure costs (e.g., drop in market value and loss of reputation) act as a disincentive for firms' full disclosure. In this work, we take a game theoretic approach to understanding firms' incentives for disclosing their security information given such costs. We propose a repeated game formulation of these interactions, allowing for the design of inter-temporal incentives (i.e., conditioning future cooperation on the history of past interactions). Specifically, we show that a rating/assessment system can play a key role in enabling the design of appropriate incentives for supporting cooperation among firms. We further show that in the absence of a monitor, similar incentives can be designed if participating firms are provided with a communication platform, through which they can share their beliefs about others' adherence to the agreement.