This study examines a critical incentive alignment issue facing FS-ISAC (the information sharing alliance in the financial services industry). Failure to encourage members to share their IT security-related information has seriously undermined the founding rationale of FS-ISAC. Our analysis shows that many information sharing alliances’ membership policies are plagued by incentive misalignment and may result in a “free-riding” or “no information sharing” equilibrium. To address this issue, we propose a new information sharing membership policy that incorporates an insurance option and show that the proposed policy can align members’ incentives and lead to a socially optimal outcome. Moreover, when a transfer payment mechanism is implemented, all member firms will be better off joining the insurance network. These results are demonstrated in a simulation in which IT security breach losses are compared with and without participation in the proposed information sharing insurance plan.
Communications of the Association for Information Systems
Liu, Charles Zhechao; Zafar, Humayun; and Au, Yoris A., "Rethinking FS-ISAC: An IT Security Information Sharing Network Model for the Financial Services Sector" (2014). Faculty Publications. 3697.