Sharing information on computer systems security: An economic analysis
The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the...
Published in: | Journal of accounting and public policy 2003-11, Vol.22 (6), p.461-485 |
---|---|
Main authors: | Gordon, Lawrence A.; Loeb, Martin P.; Lucyshyn, William |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
container_end_page | 485 |
---|---|
container_issue | 6 |
container_start_page | 461 |
container_title | Journal of accounting and public policy |
container_volume | 22 |
creator | Gordon, Lawrence A.; Loeb, Martin P.; Lucyshyn, William |
description | The US federal government has fostered a movement toward sharing information concerning computer security, with particular emphasis on protecting critical infrastructure assets that are largely owned by the private sector. As information security is paramount to accurate financial reporting and the provision of timely and relevant managerial accounting reports for decision-making, the issue of sharing information on computer systems security has direct relevance to accounting, as well as to public policy. This paper presents a model to examine the welfare economic implications of this movement. In the absence of information sharing, each firm independently sets its information security expenditures at a level where the marginal benefits equal the marginal costs. It is shown that when information is shared, each firm reduces the amount spent on information security activities. Nevertheless, information sharing can lead to an increased level of information security. The paper provides necessary and sufficient conditions for information sharing to lead to an increased (decreased) level of information security. The level of information security that would be optimal for a firm in the absence of information sharing can be attained by the firm at a lesser cost when computer security information is shared. Hence, sharing provides benefits to each firm and total welfare also increases. However, in the absence of appropriate incentive mechanisms, each firm will attempt to free ride on the security expenditures of other firms (i.e., renege from the sharing agreement and refuse to share information). This latter situation results in the underinvestment of information security. Thus, appropriate incentive mechanisms are necessary for increases in both firm-level profits and social welfare to be realized from information sharing arrangements. |
doi_str_mv | 10.1016/j.jaccpubpol.2003.09.001 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0278-4254 |
ispartof | Journal of accounting and public policy, 2003-11, Vol.22 (6), p.461-485 |
issn | 0278-4254; 1873-2070 |
language | eng |
recordid | cdi_proquest_miscellaneous_37851256 |
source | RePEc; PAIS Index; Elsevier ScienceDirect Journals |
subjects | Accounting; Business accounting; Communications technology; Computers; Cyber security; Cybersecurity; Economic analysis; Economic models; Economic security; Economic theory; Expenditures; Financial reporting; Homeland security; Information; Information security economics; Information sharing; Information systems; Information technology; National security; Policy studies; Public policy; Security management; Studies; U.S.A |
title | Sharing information on computer systems security: An economic analysis |