M. H. R. Khouzani, Viet Pham, Carlos Cid


We investigate the incentives behind investments by competing companies in discovery of their security vulnerabilities and sharing of their findings. Specifically, we consider a game between competing firms that utilise a common platform in their systems. The game consists of two stages: firms must decide how much to invest in researching vulnerabilities, and thereafter, how much of their findings to share with their competitors. We fully characterise the Perfect Bayesian Equilibria (PBE) of this game, and translate them into realistic insights about firms’ strategies. Further, we develop a monetary-free sharing mechanism that encourages both investment and sharing, a missing feature when sharing is arbitrary or opportunistic. This is achieved via a light-handed mediator: it receives a set of discovered bugs from each firm and moderates the sharing in a way that eliminates firms’ concerns about losing competitive advantages. This research provides an understanding of the origins of inefficiency and paves the path towards more efficient sharing of cyber-intelligence among competing entities.

Date: November 6-7, 2014
Presented: Decision and Game Theory for Security: 5th International Conference, GameSec 2014, Los Angeles, CA, USA, November 6-7, 2014
Published: Lecture Notes in Computer Science Volume 8840, 2014, pp. 59-78
Publisher: Springer
Full Text: http://link.springer.com/chapter/10.1007%2F978-3-319-12601-2_4