Information sharing among firms and cyber attacks

Abstract

As the Sarbanes-Oxley Act strengthens internal controls, and the government encourages information sharing, accounting gains significance through secure representation, storage, and transfer of information, and by laying the foundation for assessing costs and benefits. Information sharing and security investment for two firms are inverse U shaped in the aggregate attack, and interlinked through the interdependence and the firm’s unit cost of security investment. Both increase in the interdependence (e.g. US telecommunications industry). With given security investment, social welfare is inverse U shaped in information sharing. Individual optimization implies free riding. A social planner is introduced controlling information sharing, security investment, or both, in simultaneous and two period games. Two period games where the social planner moves first are realistic when the social planner is highly respected. For the simultaneous game, a social planner controlling information sharing (security investment) imposes unreasonably high sharing (security investment). Firms free ride in the variable they control. The social planner imposes more moderate levels in the two period games. A social planner controlling both information sharing and security investment in a two period game where the social planner moves first is the most beneficial control scenario when the firms’ defense efficiencies are high. If these are sufficiently high, the attack is deterred altogether.