Cyberattacks, Operational Disruption, and Investment in Resilience Measures

Article

August, Terrence; Noh, Daehoon; Shamir, Noam; Shin, Hyoduk

University of California System; University of California San Diego; University of San Diego; Tel Aviv University

MANAGEMENT SCIENCE

0025-1909

10.1287/mnsc.2022.00430

2025

With the increased frequency and magnitude of cyberattacks, policymakers and the private sector search for ways to counter this threat. One of the main initiatives suggested to achieve this goal is sharing cybersecurity-related information. Although the general belief is that information sharing can increase both industry profit and social welfare, it is unclear whether firms would voluntarily share such information. In this paper, we examine the incentives of firms to share cybersecurity-related information, how information sharing impacts investments in cyber resilience, and the aggregate impact on welfare. We find that firms only voluntarily share information in less competitive markets when the impact of the disruption is high. In all other cases, firms elect not to share information, despite potential welfare benefits. To facilitate information sharing, we investigate an exclusionary policy (i.e., sharing must be mutual) and demonstrate market conditions under which this policy incentivizes information sharing. However, when competition is intense, even the exclusionary policy is ineffective because it reduces industry profit. To inform stronger interventions, we examine firms being mandated to disclose their private cyberthreat information. We demonstrate that an opportunity does exist for such disclosure, particularly when the cost of investing in cyber resilience is high. However, policymakers must use caution with such a policy because applying this intervention when investment costs are not high leads to a steep reduction in welfare.