Tuesday, 3 January 2012

Knowledge sharing and investment decisions in information security Knowledge sharing and investment decisions in information security

an article by Dengpan Liu (University of Alabama in Huntsville, USA), Yonghua Ji (University of Alberta, Canada) and Vijay Mookerjee (University of Texas at Dallas, USA) published in Decision Support Systems Volume 52 Issue 1 (December 2011)

Abstract

We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary or substitutable, plays a crucial role in influencing these decisions. In the complementary case, we show that the firms have a natural incentive to share security knowledge and no external influence to induce sharing is needed. However, the investment levels chosen in equilibrium are lower than optimal, an aberration that can be corrected using coordination mechanisms that reward the firms for increasing their investment levels. In the substitutable case, the firms fall into a Prisoners’ Dilemma trap where they do not share security knowledge in equilibrium, despite the fact that it is beneficial for both of them to do so. Here, the beneficial role of a social planner to encourage the firms to share is indicated. However, even when the firms share in accordance to the recommendations of a social planner, the level of investment chosen by the firms is sub-optimal. The firms either enter into an “arms race” where they over-invest or re-enact the under-investment behaviour found in the complementary case. Once again, this sub-optimal behaviour can be corrected using incentive mechanisms that penalise for over-investment and reward for increasing the investment level in regions of under-investment. The proposed coordination schemes, with some modifications, achieve the socially optimal outcome even when the firms are risk-averse. Implications for information security vendors, firms, and social planner are discussed.


No comments: