به اشتراک گذاری اطلاعات در سیستم های کامپیوتری امنیتی : تجزیه و تحلیل اقتصادی

The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. This paper presents a model to examine the welfare economic implications of this movement. In the absence of information sharing, each firm independently sets its information security expenditures at a level where the marginal benefits equal the marginal costs. It is shown that when information is shared, each firm reduces the amount spent on information security activities. Nevertheless, information sharing can lead to an increased level of information security. The paper provides necessary and sufficient conditions for information sharing to lead to an increased (decreased) level of information security. The level of information security that would be optimal for a firm in the absence of information sharing can be attained by the firm at a lesser cost when computer security information is shared. Hence, sharing provides benefits to each firm and total welfare also increases. However, in the absence of appropriate incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information). This latter situation results in the underinvestment of information security. Thus, appropriate incentive mechanisms are necessary for increases in both firm-level profits and social welfare to be realized from information sharing arrangements.

The Internet revolution has dramatically changed the way individuals, firms, and the government communicate and conduct business. For example, the telecommunications, banking and finance, energy, and transportation industries, as well as the military and other essential government services, all depend on the Internet and networked computer systems to conduct most of their day-to-day operations. However, this widespread interconnectivity has increased the vulnerability of computer systems––and more importantly, of the critical infrastructures they support––to information security breaches. According to the Report of the President’s Commission on Critical Infrastructure (1997, p. ix), “This interconnectivity has created a new dimension of vulnerability, which, when combined with an emerging constellation of threats, poses unprecedented national risk.” In response to this new vulnerability, organizations have created an arsenal of technical weapons to combat computer security breaches. This arsenal includes firewalls, encryption techniques, access control mechanisms, and intrusion detection systems. The federal government has responded with a major reorganization (forming the Department of Homeland Security, which is responsible for cyber security and infrastructure protection), and is developing a National Strategy to Secure Cyber Space. Unfortunately, to date these measures have met with only limited success. This limited success is highlighted by Richardson (2003, p. 21) in the Executive Overview of the 2003 survey conducted by the Computer Security Institute and Federal Bureau of Investigation, “the most important conclusion one must draw form the survey remains that the risk of cyber attacks continues to be high. Even organizations that have deployed a wide range of security technologies can fall victim to significant losses.” Campbell et al. (2003) found empirical evidence that some security breaches result in statistically significant decreases in the market value of firms. Further evidence of the continuing problems associated with computer security breaches is provided by the fact that Representative Stephen Horn, in his third annual report card on computer security, found little improvement within the federal government and gave the federal agencies an overall average grade of F (Matthews, 2002). The United States General Accounting Office (GAO) has also been critical of the computer security activities of federal agencies (GAO/AIMD-98-68; GAO/AIMD-00-33). It is generally presumed that one desirable way of supplementing the technical solutions to security problems is for organizations to share information related to computer security breaches, as well as to unsuccessful breach attempts. The sharing of information related to methods for preventing, detecting and correcting security breaches is also presumed desirable because it helps to prevent organizations from falling prey to security breaches experienced or stopped by other organizations. Additionally, such information helps organizations respond more quickly with focused remedies should an actual breach occur. As a consequence of the presumed benefits of information sharing, the federal government has been at the center of a movement toward developing security-based information sharing organizations (SB/ISOs) such as the CERT Coordination Center (CERT/CC), INFRAGARD, Information Sharing Analysis Centers (ISACs), Secret Service Electron Crimes Task Force, and Chief Security Officers Round Tables (CSORTs).1 By encouraging the sharing of information among organizations, the government could facilitate warnings of homeland security threats or attacks even before such threats or attacks are seen by a government agency. The Homeland Security Act of 2002 (which established the federal government’s new Department of Homeland Security) also highlights the importance of information sharing (Public Law 107-296, 2002). Unfortunately, this movement toward information sharing related to security breaches has ignored a large body of research that points out the need to create economic incentive mechanisms to facilitate the effective use of such sharing. Nowhere is the absence of these incentive mechanisms more apparent than in the federal government’s recent initiatives to help protect critical infrastructure assets owned and operated in the private sector (e.g., in the formation of ISACS). The purpose of this paper is to analyze economic incentives and economic welfare aspects of information sharing among SB/ISOs.2 Issues associated with information security are numerous and diverse. Many information security issues are directly related to both the fields of accounting and public policy, and to their intersection (as well as to a number of other disciplines, including computer science and engineering). Since the concepts of information or information systems is central to the very definition of accounting, a number of links between accounting and information security immediately come to mind. First, information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making. Second, since information, like other organizational assets, is valuable and should be protected, information security comes under the purview of the internal control system designed and monitored by accountants. Third, whether viewed as capital expenditures or current expenditures, managerial accountants have a role in planning and monitoring information security expenditures to help the firm gain a competitive advantage (i.e., spending too much or too little on information security puts the firm at a competitive disadvantage).3 Thus, this paper’s analysis has clear relevance to the above noted links between accounting and information security. Some links between public policy and information security are also clear. The security and reliability of the entire Internet is affected by the security measures taken by all users of the Internet (Anderson, 2001; Varian, 2002). Hence, externalities play an important role in the study of information security. This fact, together with the threat of cyber terrorism aimed at shutting down critical infrastructure industries, has brought information security to the forefront of the public policy agenda. In the United States, for example, there have been numerous legislative acts and executive directives/orders that are focused on providing an environment conducive to facilitating information security among public and private organizations (e.g., The Computer Security Act of 1987; Presidential Decision Directive 63, May 1998; Executive Order 13231, 2001; Homeland Security Act of 2002). By examining the costs and benefits of information sharing as a means of reducing information security breaches and increasing social welfare, this paper has important public policy implications. Using the modeling framework of Gordon and Loeb (2002), we examine the welfare economic implications of sharing information related to the incidence and prevention of information security breaches. In the absence of information sharing, each firm independently sets its information expenditures at a level where the marginal benefits equals the marginal costs. We show that when firms are mandated to share security information, each firm spends less on information security. Nevertheless, the level of information security may increase, decrease, or remain at the optimal no-sharing level, depending on the ease of substitution between the firm’s expenditures on information security and those of information sharing partner firms. Since sharing results in the cost of providing any given level of information security to decrease, sharing provides benefits to each firm, so total social welfare increases. However, due to free-riding on the security expenditures of other firms, decentralized information security decisions result in firms underinvesting in information security activities unless appropriate economic incentive mechanisms are put into place. In other words, while mandated information sharing offers the potential to increase each firm’s profits and total welfare, without additional incentive mechanisms this potential is unlikely to be realized. This is because each firm will be motivated to renege on any sharing agreement, provide less information to other firms, and reap individual benefits. The remainder of the paper is organized as follows. In Section 2, we review the economics-based literature on information sharing. Section 3 contains the presentation of our basic model. Section 4 examines how sharing affects levels of information security and levels of information security expenditures. Section 5 contains an analysis of the incentives to share information. Some implications of our model are discussed in Section 6. Concluding comments are offered in the paper’s final section.

Sharing of information about threats and breaches of computer security lowers the overall costs of achieving any particular level of information security, and thus has been promoted as an important tool in enhancing social welfare. As a result, the federal government has been at the center of a movement to develop SB/ISOs such as ISACs. However, while our analysis shows that information sharing does indeed offer the potential to reduce overall information security costs and raise social welfare, some pitfalls exist that may well prevent the realization of the full potential benefits. These pitfalls revolve around the need to create economic incentives to facilitate effective information sharing. The two pitfalls described in this paper are noted below. First, even if firms could be trusted to voluntarily share computer breach information, the firms would have an incentive to free-ride on the information security expenditures of the other members of an SB/ISO. Such free riding will lead to levels of information security expenditures below the level that maximizes social welfare. Second, and more importantly, without providing additional incentives for a firm to fully and truthfully reveal security breach information, firms will have an incentive not to share information, so that all benefits to information sharing disappear. Although only one incentive mechanism, a member-funded subsidy was examined in this paper, other potential incentive mechanisms that include variable SB/ISO fee structures, government subsidized insurance, and government regulation are possible. The design and analysis of such alternative incentive mechanisms awaits further research.