Incentives for Human Agents to Share Security Information: a Model and an Empirical Test

Alain Mermoud (alain.mermoud@unil.ch), Marcus Keupp (marcus.keupp@milak.ethz.ch), Kévin Huguenin (kevin.huguenin@eleve.bretagne.ens-cachan.fr), Maximilian Palmié (maximilian.palmie@unisg.ch) and Dimitri Percia David (dimitri.perciadavid@unil.ch)
Additional contact information
Alain Mermoud: ETH Zürich - Eidgenössische Technische Hochschule - Swiss Federal Institute of Technology [Zürich], HEC Lausanne - Faculté des Hautes Etudes Commerciales (HEC Lausanne)
Marcus Keupp: ETH Zürich - Eidgenössische Technische Hochschule - Swiss Federal Institute of Technology [Zürich], ITEM - Institute of Technology Management [St. Gallen] - HSG - University of St.Gallen
Kévin Huguenin: HEC Lausanne - Faculté des Hautes Etudes Commerciales (HEC Lausanne)
Maximilian Palmié: ITEM - Institute of Technology Management [St. Gallen] - HSG - University of St.Gallen
Dimitri Percia David: ETH Zürich - Eidgenössische Technische Hochschule - Swiss Federal Institute of Technology [Zürich], HEC Lausanne - Faculté des Hautes Etudes Commerciales (HEC Lausanne)

Post-Print from HAL

Abstract: In this paper, we investigate the role of incentives for Security Information Sharing (SIS) between human agents working in institutions. We present an incentive-based SIS system model that is empirically tested with an exclusive dataset. The data was collected with an online questionnaire addressed to all participants of a deployed Information Sharing and Analysis Center (ISAC) that operates in the context of critical infrastructure protection (N=262). SIS is measured with a multidimensional approach (intensity, frequency) and regressed on five specific predicators (reciprocity, value of information, institutional barriers, reputation, trust) that are measured with psychometric scales. We close an important research gap by providing, to the best of our knowledge, the first empirical analysis on previous theoretical work that assumes SIS to be beneficial. Our results show that institutional barriers have a strong influence on our population, i.e., SIS decision makers in Switzerland. This lends support to a better institutional design of ISACs and the formulation of incentive-based policies that can avoid non-cooperative and free-riding behaviours. Both frequency and intensity are influenced by the extent to which decision makers expect to receive valuable information in return for SIS, which supports the econometric structure of our multidimensional model. Finally, our policy recommendations support the view that the effectiveness of mandatory security-breach reporting to authorities is limited. Therefore, we suggest that a conducive and lightly regulated SIS environment – as in Switzerland – with positive reinforcement and indirect suggestions can "nudge" SIS decision makers to adopt a productive sharing behaviour.

Keywords: security information sharing; incentives; psychometrics; economics of information security; behavioural economics (search for similar items in EconPapers)
Date: 2018-06
Note: View the original document on HAL open archive server: https://hal.science/hal-01753984
References: View references in EconPapers View complete reference list from CitEc
Citations:

Published in 17th Workshop on the Economics of Information Security (WEIS), Jun 2018, Innsbruck, Austria. pp.22

Downloads: (external link)
https://hal.science/hal-01753984/document (application/pdf)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:hal:journl:hal-01753984

Access Statistics for this paper

More papers in Post-Print from HAL
Bibliographic data for series maintained by CCSD (hal@ccsd.cnrs.fr).