Evaluating the Impact of Cybersecurity Information Sharing on Cyber Incidents and Their Consequences
36 Pages Posted: 2 Apr 2014
Date Written: March 31, 2014
Abstract
The Department of Homeland Security (DHS) facilitates cybersecurity information sharing among federal government departments and agencies and critical infrastructure owners and operators to promote their security. Information sharing is deemed of critical importance to accomplish the department’s cybersecurity mission; indeed, information sharing is one of the central planks of Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which calls for greater cybersecurity information sharing between the government — not least DHS — and the private sector. But while the importance of information sharing in cybersecurity is intuitive — information that is relevant, timely, and accurate should help cyber defenders reduce vulnerabilities and mitigate threats — the impact of information sharing has not been empirically assessed. The lack of empirical support for information sharing raises two notable issues. First, information-sharing partners, particularly those in the private sector, are sometimes reluctant to participate in government-sponsored initiatives because of concerns about liability, resource costs, and return on investment. Absent empirical demonstration of the value of cybersecurity information-sharing efforts, DHS may be unable to better incentivize participation. Second, information-sharing efforts may, for a variety of reasons, be ineffective (not least due to a lack of participation or the dissemination of irrelevant information). Without assessing the relationship between information sharing and the number and severity (i.e., consequences) of cyber incidents, DHS may be unable to identify and improve poorly performing information sharing efforts. A previous Homeland Security Studies and Analysis Institute (HSSAI) study recommended a suite of metrics to measure various relevant inputs, processes, outputs, and outcomes for cyber information-sharing efforts (Fleming and Goldstein 2012). It did not, however, seek to suggest ways to empirically test the hypothesis that information sharing reduces the number or severity of cyber incidents (it was assumed to do so, per DHS guidance). Accordingly, building on the previous HSSAI research, the present paper sets forth views on use of the dependent variable (some measure of cyber incidents), primary independent variable (some measure of information sharing), control variables, and model specifications.
Keywords: information sharing, cybersecurity, homeland security, DHS
Suggested Citation: Suggested Citation