Driving factors of organizations’ cyber-threat intelligence sharing behavior within a Cyber Threat Alliance


Academic year: 2021

Redouan Belhaj

Student number: 11418613

University of Amsterdam

Faculty of Science

Thesis Master Information Studies: Business Information Systems

Final version: 09-07-2018

Supervisor: Prof. dr. Tom van Engers

Examiner: Toon Abcouwer

Abstract. The researcher in this paper examines the environment pertaining to the fast-growing phenomenon of cyber-threat alliances. The sophisticated and personalized character of the growing number of cyber-attacks has forced organizations to search for new, innovative measures that protect them from disruption. The emerging nature of cyber-threat alliances and their potential to optimize organizations’ awareness, detection and response capabilities have received little scientific attention and need further research. In this explorative research, a theory is developed that illustrates important factors influencing an organization’s intelligence sharing behavior. The Theory of Planned Behavior and the Motivation Theory were the fundamental theories applied to examine the participating organizations. The results showed that there is a clear difference between organizations’ motivations for joining an alliance and the constraints influencing their sharing behavior. Trust and safety, the latter consisting of two dimensions, anonymity and indemnification, significantly influence the organizations’ sharing behavior.

Keywords. ‘Motivation Theory’, ‘Theory of Planned Behavior’, ‘Security Operation Center’, ‘Cyber Intelligence’, ‘Information Exchange’, ‘Cyber Security Information Sharing’, ‘Knowledge Sharing’, ‘Knowledge Management’, ‘Organizational Behavior’, ‘Intention’

1. Introduction

During the last decade, the internet landscape has fundamentally changed from hobby hacking towards well-organized cyber-crime. These cyber-attacks are carried out specifically for commercial reasons and in a coordinated and sophisticated manner to avoid security measures. Organizations have to deal with different forms of cyber-attacks that disrupt their services, which leads to enormous losses of time and money [ANP18]. The sophistication of cyber-attacks was clearly demonstrated by the Petya and WannaCry viruses, which caused a lot of damage across the globe [Tec18].

New approaches are required to tackle the fast-changing character of sophisticated cyber-attacks. One promising but new phenomenon is the exchange of critical cyber-threat intelligence across organizational boundaries with strategic partners and national authorities [GHe15]. With the exchange of cyber security intelligence, a comprehensive threat landscape could be shaped, one that creates the extensive situational awareness necessary to create effective security measures [Cha11]. Collaboration based on threat intelligence sharing is believed to be effective in a multitude of cyber security scenarios including financially driven cyber crimes, cyber war, hacktivism, and terrorism [Den15].

This research argues that since cyber-attacks are becoming more sophisticated and coordinated, organizations need sophisticated and coordinated countermeasures. According to [Tan11], typical virus scanners and firewall systems are incapable of sufficiently protecting against those cyber-threats. The rapidly growing complexity of today’s networks, the emergence of zero-day exploit markets [GHe15] and often underestimated vulnerabilities, e.g., due to outdated software or policies, lead to novel forms of attacks appearing daily. Another underestimated vulnerability is the interoperation of organizations, which could cause negative effects on business operations [Cha11]. Cyber-attacks aimed at one organization could easily end up disrupting other organizations. This development emphasizes even more the urgency of sharing cyber-threat intelligence across organizational borders. It is almost impossible for organizations to act as single defenders because of their interdependent character [Che14]. Several studies have emphasized the need for a collaborative approach to the management and sharing of threats [Fel13] [Cho11] [Jeo11]. Threat intelligence sharing is seen as a crucial step to gain a thorough understanding of large-scale cyber-attacks [Cab06]. However, collaboration between cyber security centers is hard to establish, and often neither governmental bodies nor organizations are well prepared for the exchange of valuable cyber security information [Cha11]. The challenges are grounded in the fact that cyber-threat intelligence sharing requires a great deal of multidisciplinary research. Most researchers focus on addressing the technical aspects of sharing cyber-threat information, but not many scientists look into the legal, economic and social challenges.

This research contributes to the identification of sociological factors that need to be established within an alliance between different Security Operations Centers whose goal is to share cyber-threat intelligence to optimize the awareness, detection, and response of potential cyber-threats. The optimization of both detection and response will contribute to assessing the safety of the organization’s cyber security landscape and result in the optimization of business continuity. These insights are needed in order to answer the following research question:

What is/are the decisive factor(s) that influence Cyber Security Experts in sharing cyber-threat intelligence in a cyber-threat alliance?

The rest of the paper is organized as follows. In section 2, the theoretical backbone of the research is described. In section 3 the existing literature is examined in detail and in section 4 the methodology of the theory development is described. Section 5 deals with the analysis of the results. Section 6 concludes the research and section 7 describes the limitations and proposes further research.

2. Theoretical framework

The theoretical work on cyber-threat intelligence sharing described in this thesis is based upon two fundamental theories: the Theory of Planned Behavior and the Theory of Motivation. The Theory of Planned Behavior explains how attitude, subjective norms, and perceived behavioral control affect the intentions of individuals towards behavior. The Motivation Theory explains what encourages individuals to develop a specific behavior and to act in a certain way. Chang and Chuang argue in their research that knowledge sharing is more likely to occur when individuals are motivated [Ajz91] [Cha11].

Theory of Planned Behavior

The feelings, thoughts, actions, and behavior of individuals influence their interaction with each other [Saf15]. The Theory of Reasoned Action (TRA) formed the underlying theory for the creation of the Theory of Planned Behavior, and it describes the changes in human behavior based on social influence. If individuals evaluate a behavior positively (an indication of attitude), or think that others they regard as important want them to perform that behavior, this should influence their intention and, in turn, their behavior [Ajz91]. Researchers found that arguments could be made against the direct relationship between intention and actual behavior. Some studies showed that intention cannot be the exclusive determinant of behavior where an individual’s control over their behavior is incomplete. The added value of the Theory of Planned Behavior over the Theory of Reasoned Action is that Ajzen [Ajz91] added perceived behavioral control to the theory. With this addition, the Theory of Planned Behavior can cover non-volitional behavior for predicting behavioral intention and actual behavior.

The Theory of Planned Behavior has been widely applied in the information security domain [Saf15]. In several studies, the Theory of Planned Behavior is used to explain how attitude, perceived behavioral control and subjective norms contribute to knowledge sharing behavior. In this research, the Theory of Planned Behavior has been used to describe how participants in a cyber-threat alliance, from the organization’s perspective, engage in sharing cyber-threat intelligence in order to optimize the detection of and response to cyber security breaches in organizations.

The Motivation Theory

Motivation represents the different reasons for people's needs, desires, and actions. Previous studies have revealed that the motivations associated with the needs and expectations of individuals can encourage people to engage in a specific behavior [Rya10]. Motivation defines the potential direction of and the reasons for a particular pattern in behavior. According to the research of Hung and Durcikova conducted in 2011, the lack of motivation is identified as one of the most important obstacles to knowledge sharing behavior, regardless of the type of knowledge to be shared [Hun11]. Intrinsic and extrinsic motivations play important roles in the domain of knowledge sharing in and between organizations [Cab13].

In this research, intrinsic and extrinsic motivations have been considered as important factors that affect cyber-threat intelligence sharing because of their influence on the organization's attitude towards the new phenomenon. Both motivational factors should be taken into account during the examination of the organization’s motivation for sharing cyber-threat intelligence. The reflection on the motivational factors should lead to a higher level of knowledge, which could be used in creating a proactive attitude amongst the participants.

3. Literature Review

This research investigates which factors should be established within a cyber-threat alliance and how those factors relate to each other. The Motivation Theory is used to deepen the understanding of intrinsic and extrinsic motivations and their relation with behavior. The Theory of Planned Behavior is used to deepen the understanding of how cyber-threat intelligence sharing attitudes, subjective norms, and perceived behavioral control relate to cyber-threat intelligence sharing intention.

Firstly, the Motivation Theory is examined through a literature review, which led to the development of interview questions based on the findings. To identify the relationships between the different factors, interview questions were created that relate to the motivational variables influencing an organization’s attitude. Secondly, the Theory of Planned Behavior is examined with interview questions, which indicated the effect of attitude, subjective norms and perceived behavioral control on cyber-threat intelligence sharing intention. Thirdly, the last interview questions represent the effects of cyber-threat intelligence sharing intention on actual cyber-threat sharing behavior.

Examining the two fundamental theories should result in the identification of (a) potential decisive factor(s) that influence(s) the organizations’ sharing behavior.

Intrinsic Motivation

Intrinsic motivation is the self-desire to seek out new things and new challenges, to analyze one's capacity, to observe and to gain knowledge [Bet10]. It is driven by an interest or enjoyment in the task itself, and exists within the individual rather than relying on external pressures or a desire for consideration [Ajz91]. Intrinsic motivation is a natural motivational tendency and is a critical element in cognitive, social, and physical development [Cha11]. The two necessary elements for intrinsic motivation are self-determination and an increase in perceived competence. In short, the cause of the behavior must be internal, and the individual who engages in the behavior must perceive that the task increases their competence [LDe13]. Intrinsic motivation can be self-sustaining and long-lasting, due to its satisfaction. One intrinsic motivation is altruism. Altruism is derived from the intrinsic enjoyment of helping others (Kankanhalli et al. 2005). In this research, satisfaction refers to an organization's desire to know more about cyber-threats. Cyber security experts will form a sense of self-esteem when they realize that their contributions positively influence the cyber-threat alliance and the resilience of their organization.

Extrinsic motivations:

An organization's motivation can, besides intrinsically, be determined by extrinsic motivation. Extrinsic motivation refers to behavior that is driven by external rewards such as fame, grades, money, and praise [Hun11]. Competition can be such a type of motivation because it encourages the performer to win and to beat others. This type of motivation arises from the outside, as opposed to intrinsic motivation, which originates from the inside. Furthermore, extrinsic motivation can occur when an organization wants to avoid punishment for showing misbehavior [LDe13]. Most people assume that intrinsic motivation is best, but this is not always the case. In some situations, organizations simply have no internal desire to engage in a particular activity [Che14]. For example, organizations, in general, are not intrinsically motivated to share their cyber-threat intelligence because it is part of their distinctiveness with respect to their competitors.

Extrinsic motivations come from the benefits organizations derive from knowledge sharing. These benefits could take the shape of reputation and responsibilities [Cha11]. Within a cyber-threat alliance, this kind of motivation could be a stimulus for the intelligence provider. The reputation of an organization depends on the opinion of others, typically as a result of social evaluation on a set of criteria [LDe13]. In this research, those sets of criteria could be based on the quality and quantity of the cyber-threat intelligence shared by an organization, as ascribed to the organization by the other participants (reputation). Organizations can build on their reputation, and we assume that the better their reputation, the more the protected organizations will depend on the knowledge and skills of the protecting organization. Frederick Herzberg argues in his two-factor theory that gaining more responsibilities is part of the motivational factors that result in higher satisfaction [Fre]. The question in this research is whether the same mechanism holds for organizations within a cyber-threat alliance. With this in mind, the researcher supposes that earning reputation and gaining responsibilities as external motivators will have a remarkable effect on the organization’s cyber-threat intelligence sharing.

Perceived behavioral control, Subjective norms and Attitude

Perceived behavioral control relates to the entity’s capability to perform a defined behavior [Ajz91]. It reflects the perceived ease or difficulty of performing that particular behavior. An organization may or may not have the ability to perform the intended behavior, and this will directly impact the organization’s intentions and actions. Cox and Konana each argued in separate research that the ability and willingness to share are the two most important factors that affect knowledge sharing behavior [Cox12] [Par14]. Identifying the opposing and stimulating factors for organizations’ intelligence sharing behavior is important to find which of them is the decisive factor.

Subjective norms refer to the opinions of individuals towards particular behavior. The essence of subjective norms is the way individuals who are classified as important (e.g. parents, manager, teacher etc.) think about a given behavioral pattern [Zha10]. Performing or not performing a particular behavior is related to the social pressure an entity experiences. For an organization, laws and regulations designed by the authorities or the cyber-threat alliance could be a form of social pressure that should result in particular behavior, while for employees it could be the principles and procedures of their manager. If participants in a cyber-threat alliance perceive the shared cyber-threat intelligence as effective and helpful in optimizing their cyber security awareness, this could indicate their positive evaluation of the sharing behavior. In other words, do the opinions of partner organizations or internal colleagues influence the sharing behavior, and what are those opinions based on?

A person's past and present experience is the basis of their attitude towards an object. This attitude could be in favor or disfavor of that object. The object can be anything in our environment, such as a person, an idea, a place or an event [Shr15]. The person's evaluation of an object could range from extremely positive to extremely negative. The same applies to the evaluation of particular behavior. In line with the latter, an organization's culture and policies, as well as personal factors, can influence the attitudes of cyber experts towards sharing cyber-threat intelligence. The paper by David examined attitudes about intelligence sharing in a technical context [Wha]. Its purpose was to better understand the attitudes and norms that will support or constrain intelligence sharing in technologically advanced organizations. It found that some organizations discourage information sharing because of the fear of industrial espionage, of diverting people’s attention from their own work, or of causing role conflicts. Other organizations encourage information sharing by promoting a culture of good citizenship and voluntary help. This encouragement takes the form of universalistic norms of support rather than particularistic rules about information sharing, because particularistic rules are too hard to specify and to enforce [Hei]. Contracts may specify that information gathered or generated at work is intellectual property and thereby belongs to the organization. Organizations cannot realistically check and sanction universalistic norms and general intelligence sharing policies. That is the reason why employees must internalize them as attitudes, according to David [Wha].

In this research, and based on the latter reasoning, the organization’s attitude towards cyber-threat intelligence sharing should be positive to ensure that cyber-threat experts’ intentions towards sharing their intelligence will be positively influenced.

Intention

Intention is a mental state that represents a commitment to carrying out an action or actions in the future. Intention involves mental activities such as planning and forethought. Mental mechanisms, including intention, explain behavior in that individuals are seen as actors who have desires and who attempt to achieve goals that are directed by beliefs [Bet10]. The intention behind the organizations’ sharing behavior is measured by examining their future plans.

Trust

Trust is a belief that something or someone is honest, good, reliable and effective [Yin14]. Safa and Ismail argue in their research that trust is also defined as a perception of the desire to depend on something or someone for security [Saf13]. Trust is one of the important factors within social groups and can be attributed to the relationship between the members of that social group. Chen, Lin & Yen argue that trust is the determinant that plays a critical role in the development of relationships between individuals that facilitate knowledge sharing [Yin14].

A review of the literature indicated that although there is no scarcity of studies on trust and its relationship to many aspects of human behavior in organizations [Nur12], the literature on trust and information sharing during major cyber security incidents is particularly limited. Organizations’ trust has been found to be associated with information sharing or knowledge sharing [Nur12]. A common view in offshore oil and gas and other high hazard industries is that trust is “associated with open communication characterized by knowledge sharing between organizational members”, citing Bonacich and Schneider and Dirks and Ferrin [Fli04].

Inter-organizational trust is one of the foundations of partnerships, and feeds the intention of intelligence gathering and sharing outside organizational boundaries [Che14]. Inter-organizational trust rests on the subjective belief and prediction that collaborative partners intend to meet obligations; it is the basis upon which organizations maintain strategic alliances and facilitate inter-organizational communication and interactions [Lee10]. Based on trust, business partners determine the extent and nature of knowledge sharing [LLI05]. In the context of a cyber-threat alliance, trust is critical to promoting strong partnerships and facilitating collaboration and knowledge sharing within the alliance. Inter-organizational trust not only influences the nature of a business relationship but, more importantly, impacts strategic alliance outcomes in terms of intelligence sharing.

4. Methodology

This research was conducted between April 1st, 2018 and July 1st, 2018. The aim of this research is to understand the relationship between cyber-threat intelligence and knowledge sharing because of its potential mitigating character. Preparing for this study, I found very limited literature and research on sharing cyber-threat intelligence. Consequently, I chose to base my theoretical foundation on two well-known theories, the Theory of Planned Behavior and the Motivation Theory. I examined these two theories and based my initial conceptualization of the behavior of inter-organizational sharing of cyber-threat intelligence on them. The same theories have been thoroughly examined and researched in the areas of ‘Knowledge Sharing’ and ‘Knowledge Management’. The main difference is that this research is conducted in the context of organizations participating in a cyber-threat alliance and the sharing of cyber-threat intelligence, instead of random knowledge sharing in and across organizational borders. This resulted in answers that represent reality more accurately.

The research started with a literature study on relevant themes such as security operations center, cyber-threat intelligence, and information sharing. The main driver for studying the combined topics was to reach theoretical saturation and to determine whether the decentralization of cyber security intelligence is the bottleneck in defending an organization’s business continuity.

For the literature review, different sources were obtained from scientific literature indexes such as Catalogue Plus, Science Direct, and Google Scholar. Searches were initially conducted by using the different terms such as ‘Security Operation Center’, ‘Cyber Intelligence’, ‘Information Exchange’, ‘Cyber Security Information Sharing’.

The new concept of sharing threat intelligence amongst different organizations is underdeveloped, which is confirmed by all the high-level scientific literature. Sources that were used by the different papers were categorized and judged on their usefulness. If a source was rated as important, it was included in this research [Coo88]. Furthermore, different books, articles, and reports were consulted to understand the different concepts thoroughly.

Next, several semi-structured interviews were completed, with the goal of validating and examining the findings from the literature review. The literature review, theoretical sampling and observations resulted in the developed grounded theory. The predefined semi-structured interview was strengthened with vignette questions during the interviews, which partially resulted in iteration. The non-probability approach of this research resulted in in-depth qualitative research, which helped to understand the complex phenomenon of cyber-threat intelligence sharing. The research sampling method was purposive sampling because of the selection criteria of units within the interviewed organizations and the in-depth nature of the acquired knowledge. The study consisted of a total of n=5 organizations, with a mean interview time of 28 minutes. Open coding was used to identify and determine the value of factors.

The respondents of this research were partially identified through a snowball sampling method. Organizations and cyber security experts were selected based on their intelligence sharing experience and understanding. The identification of (an) organization(s) participating in a cyber-threat alliance would help to uncover the underlying mechanisms, namely the identification of (a) potential decisive factor(s).

5. Analysis and Results

Safety

Perceived safety is the most remarkable finding derived from the collected data amongst cyber-threat experts and is not yet thoroughly conceptualized. The perceived safety of cyber-threat alliance participants concerns two dimensions of safety: their anonymity and their indemnification. Both observations and semi-structured interviews revealed a general consensus amongst cyber-threat alliance participants that there should be a guaranteed level of safety. However, the perceived safety did vary among organizations, which is examined in the following paragraph.

The observations revealed a consensus of doubt about the overall perceived feeling of safety with respect to sharing new high-quality cyber-threat intelligence. The interviewed organizations confirmed that situations will inevitably occur in which they are willing to share cyber-threat intelligence but do not wish to be known for their reported intelligence. Different reasons were given, but all of them relate either to commercial interests or to organizations’ unwillingness to share intelligence within the alliance with competitors that could link the shared intelligence to the sharing organization. For instance, respondent #1 stated: “You have to understand that the right to exist as a security operations center has everything to do with our detection capabilities. Once we share detailed information about an incident from whom we suffered a lot, we allow our competitors to take advantage […]”. This could result in a competitive disadvantage for organizations and have a negative effect on their reputation. However, the respondents felt the urgency of sharing detailed cyber-threat intelligence within the cyber-threat alliance, as respondent #3 stated: “We feel the urgency of sharing detailed information with the community because the effectiveness of the cyber-threat alliance depends heavily on the quality of shared information […]”.

Organizations also mentioned the technical aspect of safety in relation to anonymity. The researcher found it worth mentioning because of the potential effect of incorporating anonymity during the design phase of a cyber-threat alliance platform. Respondent #4 mentioned: “[…] One of the most significant outcomes of a technical change was the implementation of a new sharing-technique, which took into account the anonymity of participants […].” In addition, respondent #3 underlined the same principle by mentioning the following: “[…] The shared information should not contain any clues or additional data that might identify us. This feeling of trust will influence our sharing behavior”.

Besides the emerged factor of anonymity, the second important aspect is indemnification. First, authorities hold organizations responsible for sharing privacy-sensitive information; second, organizations are afraid of being blamed for dysfunction, which again results in financial and reputational damage. As of May 25th, 2018 the new GDPR legislation is enforced, which means that all of the participants in cyber-threat alliances will have to become accustomed to new and different ways of working in order to ensure the continued existence of cyber-threat intelligence sharing.

A lot of research has been conducted to identify which information should be shared to give a comprehensive, detailed overview that improves the situational awareness of organizations, keeping them ahead of bad actors. However, in an environment in which a combination of cyber-threat intelligence and intelligence sharing exists, the impact of the new GDPR legislation has not yet been clearly examined. This worrying development is mentioned and acknowledged by the interviewed organizations. Respondent #5 stated: “The introduction of GDPR-legislation forced us to rethink our sharing behavior. Good cyber-threat intelligence consists of detailed information, which could lead to the identification of an individual […]”.

Organizations are afraid of being blamed for dysfunction. All of the respondents recognized the risk of sharing intelligence based on incidents their organization experienced, which could indirectly uncover their unawareness. Respondent #2 stated: “[…] One of our concurrent discovered a potential threat in the domain that we had to manage. Their intelligence originated from their participation in a cyber-threat alliance. The question of our customer raised and we had to report whether we recognized the threat. Our SOC-analysts did not recognize the threat because we did not have an active ‘use-case’. The result: the municipality had an intruder for a certain amount of time but fortunately, the intruder caused minimal damage.” This risk is recognized by almost all the respondents: either they experienced a similar case or they are aware of its potential. It must be captured in some sort of code of conduct, which in essence states that organizations should not be victimized by the findings of other alliance members. One of the respondents said: “either you have been data breached or you just do not know that you have been data breached”, which is an indication that the risk could apply to every organization. The question an organization should keep in mind is whether a security operations center is incompetent if it does not know that its customer(s) could potentially suffer a breach, or whether the same security operations center is competent because of its participation in a cyber-threat alliance, which results in intelligence that helps it to discover the potential breach.

These two dimensions encompass the importance of the perceived feeling of safety amongst the participants. The perceived level of safety determines the quality and quantity of shared cyber-threat intelligence and is thereby one of the important influencing factors for organizations to share cyber-threat intelligence.


Intrinsic motivation

The majority of respondents confirm the notion from the literature that altruism is an important intrinsic motivation for organizations to share cyber-threat intelligence. Besides economically driven necessity, the literature and interviews did not reveal any other aspect that influences the intrinsic motivation of organizations (Hau, 2013). Respondent #2 stated: “We are one of the leading cyber security centers which indirectly means that we have some sort of social obligations […].” Respondent #5 stated: “We deeply believe that sharing cyber-threat intelligence is one of the critical activities we have to undertake if we want to be relatively secure […]”

The second important part of the organizations’ intrinsic motivations concerns the budget organizations need to defend against cyber-threats. Respondent #4 stated: “[…] We have been successfully defending our organization against cyber-threats but the changing nature and sophistication of cyber-threats become bigger than the amount of money we can spend. […]” To emphasize the importance of budget and the sophistication of cyber-threats, respondent #1 stated: “We can’t continue spending money on technology and finding its value is limited”

The respondents and observations showed that, while altruism is generally thought to be the driving factor for organizations to share cyber-threat intelligence, this only holds for organizations whose budget is sufficient. The vast majority of organizations are forced to reshape their cyber defense strategy and are convinced that participation in a cyber-threat alliance would lead to the optimization of their cyber security landscape.

Extrinsic Motivation

Besides intrinsic motivation, the literature provided us with ‘Reputation’ and ‘Responsibilities’ as important extrinsic motivational factors. From the perspective of the respondents, responsibility was an important factor for organizations to be part of a cyber-threat alliance but not necessarily important enough to make them participate in sharing cyber-threat intelligence. Responsibility should be interpreted as the feeling of being responsible for the organization’s clientage. Respondent #1 stated: “I do agree that the amount of responsibilities resting on our shoulders forces us to continuously optimize our services. We see the cyber-threat alliance potential as an efficient and effective measure to gain intelligence that provides us with valuable insights. Insights that help us defending potential cyber-threat of our customers. But it is one of the many measures we have defined in our security strategy.” In this case the organizations focus on gathering cyber-threat intelligence through their participation in the alliance, rather than the feeling of responsibility influencing their sharing behavior.

Reputation, in contrast to responsibility, is much more decisive in nature, and all of the respondents agreed on the importance of this factor. What is remarkable is that, in contrast to the factor safety, there is no consensus between the organizations about the influence of reputation on cyber-threat intelligence sharing behavior. The fairly ‘new’ market players attach much more value to reputation and they argue that the cyber-threat alliance is a unique platform for them to promote and show their specialism. Respondent #5 stated: “Our people are very good with forensics, not many other security companies possess our forensic-capabilities. The cyber-threat alliance is a perfect platform for sharing cyber-threat intelligence that, without the right skills, are hard to acquire […]” These security companies do suffer from their desire to have a good reputation. Respondent #5 stated: “[…] Organizations within the alliance recognize the skills of our employees. The security world is a small world and finding good skilled people is very hard. This simply means that bigger organizations with more money try to buy our employees […]” A potential solution to this problem is anonymizing the shared intelligence from its supplier.

The mature organizations focus more on preventing negative publicity because they have relatively more to lose than a smaller security company does. Respondent #3 stated: “We do fear negative publicity and it is thereby one of the major reasons for not sharing all of our cyber-threat intelligence because it could lead up to financial damages and competitive disadvantage. […]”. We can conclude that this reasoning directly influences the sharing behavior of large companies. The real bottleneck is the ability to connect the shared cyber-threat intelligence with the sharing organization, which again leads us to the organization’s desire to share intelligence anonymously.

Perceived Behavioral control

Being motivated as an organization is, as we already noticed, important to join and participate in a cyber-threat alliance. Cyber-threat alliances are designed not only to be joined but also to be participated in, for the higher purpose of optimizing awareness, detection and response capabilities. There are a lot of cyber-threat alliances and all of them have their own rules, principles, and procedures. Legal rules and privacy issues concern organizations and result in intelligence not being shared. Organizations may be reluctant to report an incident because they are often unsure about what sort of intelligence can be exchanged without raising legal questions regarding data and privacy protection. Organizations from different sectors could be subject to different rules while they are part of the same threat alliance, which influences the quality of shared cyber-threat intelligence and could influence the alliance negatively. Organizations can experience the sharing behavior of other participants negatively, while those participants operate in a different domain and are simply not allowed to share particular cyber-threat intelligence.

Respondents all agree on the importance of aligning the latter and the organizations’ capabilities in performing in line with the defined behavior. Respondent #5 stated: “We do struggle with the problem of sharing sensitive intelligence because we are not always aware of potential side effects. […]. We need for example more lawyers that are cyber-smart which can value the intelligence we want to share”. This reasoning is shared amongst other respondents that represent a relatively small organization. The bigger players did suffer from this problem but their in-house compliance officers already developed their skills to be able to judge the intelligence.

Another aspect of performing in line with the defined behavior has everything to do with the quantity of shared cyber intelligence. Some of the alliances require organizations to share a minimum quantity of intelligence in case they want to be allowed on the platform. This makes it not very convenient for organizations to join those platforms. Respondent #1 stated: “[…] The one alliance we identified as trustworthy because of its reputation asked a minimum amount of shared intelligence, which we were not yet able to comply with. […] It was quite disappointing but it was the trigger for us to develop our skills.”


Budgeting issues also appear to be a concern that limits organizations in building a valuable level of cooperation. Respondent #2 stated: “To be able to have valuable real-time threat intelligence is very expensive for both obtaining and sharing”. While the respondents already committed themselves to participate in a cyber-threat alliance, they still recognize the issue of resources, although it is not valued as a decisive factor for sharing intelligence. The respondents reason that the more resources they have to develop their skills, the more sensitive intelligence they would be able to share. This leads us to the already described dimensions of safety, namely reputation and indemnification.

Subjective Norms

According to the literature, the perception of subjective norms deals with the way individuals who are classified as important think about sharing cyber-threat intelligence. According to the respondents, most of the time the CIO’s opinion with respect to the organization’s sharing behavior determines its participation in a cyber-threat alliance. J.Q. Barden and W. Mitchell researched the influence of leaders within an inter-organizational exchange of experiences and found that their influence is significant. Important leaders within an organization not only determine the sharing behavior of organizations but are able to influence the sharing behavior during the exchange of their experiences (Mitchell, 2007). The respondents confirmed this and they also described the importance of their organizational culture for the idea of sharing cyber-threat intelligence. Respondent #4 stated: “Within our organization, we had to deal with the traditional thought about cyber security as being a technical […] but the truth is that cyber security is really not just a technical problem. It is also an economic problem and human psychology problem […]. We need to have a different mindset for how we treat cyber security […]” The way an organization thinks about cyber security and cyber-threat intelligence sharing definitely influences the choice of joining and participating in an alliance. The research conducted by Antonio and Miguel confirms the significant influence of organizational culture on the commitment of employees to behave within the pre-defined behavior (Miguel, 2013).

This is confirmed by all the respondents and formulated quite simply and clearly by respondent #5: “Participating in a cyber-threat alliance asks more from the organization than you could think of. Having CEO level attention on the issue is critically important”.

Some respondents do admit that it is hard to keep believing in the success of cyber-threat alliances if the challenge of quality is not solved. According to the respondents, data quality has everything to do with accuracy, comparability, clarity, relevance, and timeliness. Respondent #5 stated: “A lot of the shared intelligence is most of the time a bit old and does not add much value.” Respondent #2 stated: “To make decisions based on intelligence it is important that the intelligence is detailed enough”. Cyber-attacks become more and more sophisticated because of their increasingly personalized character. Thus, even if organizations participate in a cyber-threat alliance and share data about an attack, the personalized nature of attacks means that this data does not help to defend other organizations. This requires the sharing of other types of intelligence: intelligence that helps organizations in the decision-making process (Allen, 2011). In the end, at this time the quantity aspect clearly dominates the quality aspect, which is not desirable when the organization’s benefit derived from the participation is reviewed.


Attitude

In the previous section, the importance of the factor subjective norms and its influence on joining and participating in a cyber-threat alliance is described. In other words, the way organizations value a cyber-threat alliance is a very important first step to be able to join an alliance. Participating within an alliance is the next step and will periodically be evaluated. The results of the evaluation will depend on the organizations’ experiences and are of utmost importance to maintain an organization’s willingness to share cyber-threat intelligence. In general, the respondents have a positive opinion about intelligence sharing but “there is still a lot of work to do” according to respondent #2. The organizations do believe that the cyber-threat alliance could become a very effective measure against cyber-threats, although all of the respondents agree that the type of shared information should change. Respondent #2 stated: “Receiving and sharing evidence-based knowledge with context is very valuable. In the beginning, we experienced a lot of negative thoughts about the alliance within the organization. […] because the gathered information was more raw data than real intelligence. […] After a while the alliance became more mature and information turned into real intelligence because different factors were combined and created more context. […]” The quality of the shared intelligence turns out to be very important in protecting a positive attitude. Turning into a negative attitude would result in organizations withdrawing their participation. The same holds for the negative experience of organizations with time-consuming activities. Respondent #4 stated: “If we did not have a manager that believed in this concept and had some real mandate at senior-level management, we would have withdrawn our participation back in those days. […] It costs us more than it yielded.” According to the respondents, the turning point from a negative to a positive attitude came when the shared intelligence was received with information about resources, motivations and tactics. The combination of more specific pre-defined information turned out to be actionable hands-on intelligence. Although organizations already face the next challenge of personalized cyber-attacks, they still believe in finding a solution. Attitude is thereby an important factor, which determines the organizations’ willingness to find a solution and their feeling about sharing cyber intelligence. Their attitude depends, generally speaking, on how much they value the process of receiving intelligence and its added value to their organization, rather than on sharing the intelligence. The respondents already mentioned what holds them back from sharing the truly sensitive, value-adding intelligence, and that is the reason for not labelling attitude as the decisive factor.

Intention

Describing an organization’s future plans and commitment towards sharing cyber-threat intelligence is very important for understanding its intention. Interesting findings were uncovered when the organizations were challenged about their strategy building. The results were very diverse. Respondent #5 stated: “Our maturity is a reflection of our defined plans regarding our participation in the cyber-threat alliance. Our vision is to have a measurable impact on the alliance. We have developed this vision into a more year’s plan, which is divided into detailed actions […]” The maturity of this organization, in contrast to that of respondent #3, is very high. Respondent #3 stated: “We are part of the alliance for almost a year. Within a couple of months we will evaluate our participation and from that point, it could either mean we stop, or we professionalize our participation and grow in our role as an alliance-member.” There is a clear difference in priority for the cyber-threat alliance amongst the respondents. It is important to have the intention of a long-term participation and to create a clear vision and mission. This will be the driver to generate a roadmap, which gives the organization a comprehensive view of the growth potential of its participation and the effectiveness of its membership. Thus, the intention contributes to the larger concept of participation and thereby influences the sharing behavior indirectly.

Trust:

Trust is one of the most valuable factors in collaborative settings, and it has already been researched and examined by science. While the literature did not provide thorough research examining trust in a cyber-threat alliance, it was obviously an important factor that needed more understanding. All the respondents were very clear about the factor of trust and the necessity of its presence. Respondent #2 stated: “Without trust, there will be no meaningful collaboration”. They specifically referred to the presence of distrust in ‘partners’ and the ‘shared intelligence’. Untrusted participants could be a really disturbing factor in effective collaboration and in organizations’ sharing behavior.

Some of the respondents stated that trust is undermined when only a few participants actively share intelligence without getting much in return. Increasing the feeling of trust within a cyber-threat alliance depends heavily on the implementation of an effective governance structure. The respondents share a feeling of failure in case there is no clear governance with which the organizations have to comply. Respondent #1 stated: “Without formalizing and implementing governance within the alliance which is aligned with all the participating organizations, a security program could end up as a bottleneck.” According to the literature, the establishment of a shared vision creates an effective organizational structure that supports any initiative that seeks to solve issues, such as the one already mentioned of only a few participants actively sharing intelligence while others do not. The cyber-threat alliance governance should be the combination of a set of tools, processes, and principles that enforces formalized threat-intelligence sharing. Respondent #5 stated: “A good governance structure consists of the division of roles and responsibilities, clear processes and policies, standardized metrics and effective supervision.” Governance, according to the respondents, is a set of documents, specifically standard guidelines, policies, and procedures, but the most important aspect to make governance succeed is the allocation of resources as defined in the cyber-threat alliance governance and agreed upon by the participants. The establishment of a good governance structure will facilitate the collaboration towards an acceptable level of intelligence sharing.

Trust-building policies are another aspect mentioned by the respondents that could influence trust in the alliance. Respondents explained that on the one hand, their trust depends on the feeling that the shared intelligence is protected and on the other hand, the platform should provide them with valuable intelligence. They also affirm the importance of face-to-face meetings throughout the year. Respondent #2 stated: “Sharing the intelligence on a platform whilst not knowing with who it is shared is very difficult. […] One of the most effective measures which tackled this problem was simply meeting the people we collaborated with.” The meetings positively influenced their relationships because one of the activities during those meetings is highlighting the shared goals and defining what added value the alliance had until that moment. Respondent #4 stated: “It is because of the shared intelligence from a participant that looked very innocent but resulted in the identification of a major vulnerability. We shared our findings and our solution and three other organizations benefited from it.” Another inspiring event that increased the level of trust was, according to respondent #5: “During one of the meetings an organization suffered from a vulnerability they could not solve. They asked the members if they experienced such a vulnerability and if they had a solution. The results were 14 members looking into the problem for it to be solved at the end of the session.”

The presence of trust in an alliance is very important and contributes to the actual behavior of sharing intelligence. According to the respondents, there is no tangible level of trust because of the diversity of all the different members and their interpretation of trust. What the members do know is that there is an indispensable connection between the level of trust and the quality and quantity of shared intelligence, which leads us again to the safety factor and its decisive nature.

6. Conclusion:

During the research, a plethora of interesting findings regarding the motives of cyber-threat experts for sharing cyber-threat intelligence within the cyber-threat alliance were identified. Some relevant factors were found and therewith an answer to the research question: “What is/are the decisive factor(s) that influence Cyber Security Experts in sharing cyber-threat intelligence in a cyber-threat alliance?” Analyzing the existing literature, interviews and observations resulted in theoretical saturation. The triangulation of data sources has formed the basis for the creation of the different factors and confirmed their importance. The literature provides us with the insight that knowledge sharing in organizations can work as an effective and efficient measure to mitigate risks of cyber-threats. Incorporating knowledge sharing in the organization’s culture is of value and confirmed by the respondents. In order to deepen our understanding of the importance of sharing cyber-threat intelligence amongst organizations, and to identify the decisive factor(s), I focused in my research on examining two fundamental theories: the Motivation Theory and the Theory of Planned Behavior.

The analysis of the Motivation Theory revealed a strong potential pattern amongst the respondents that questions the overall role of intrinsic and extrinsic motivations and their influence on the organization’s willingness to participate in a cyber-threat alliance. It is the predominant role of altruism among the more mature organizations and the predominant role of financial factors within the less mature organizations which leads them to participate in an alliance. While both internal and external motivational factors are captivating for organizations to participate in an alliance, they are not the decisive factor to share valuable sensitive intelligence.

The extraction of the Theory of Planned Behavior into the factors perceived behavioral control, attitude and subjective norms, and their relation to the intention of an organization, resulted in uncovering the cyber-threat alliance boundaries in which the organization’s room for maneuver influences its cyber-threat intelligence sharing. Recognizing those boundaries of the cyber-threat alliance resulted in a comprehensive in-depth understanding of the organization’s behavior. There is a clear relationship between the psychological and sociological factors and the organizations’ sharing behavior.

Regarding perceived behavioral control, respondents clearly suffer from interpretation-sensitive regulations. Not knowing which intelligence could result in serious organizational damage obstructs them from sharing. The analysis of subjective norms shows that the respondents do confirm the importance of having a supportive organization and that this is a key driver for them to prove that the cyber-threat alliance is an effective measure. Although it is the key driver, it is not directly linked to their sharing behavior. The influence of the organization’s attitude on sharing intelligence is important but not the decisive factor. The results show that the cyber-threat experts acknowledge the alliance potential but the attitude is more important to stay involved rather than to share cyber-threat intelligence. The organization’s intention is an important long-term factor whose establishment is clearly an indication of the organization’s sharing behavior. Amongst the respondents, those who had long-term plans were clearly more involved in sharing cyber-threat intelligence than those who did not have long-term plans. The intention of the respondents made the difference between proactive and reactive participation.

Nevertheless, all the respondents experienced the importance of the two factors ‘trust’ and ‘safety’, of which the latter is the most important. Sharing cyber-threat intelligence is as much of an ideological problem as it is a physical problem. Organizations carry a dogmatic perception of being unsafe when sharing cyber-threat intelligence, which could result in economic damage. However, they acknowledge their future reliance on the potential authentic cutting-edge threat intelligence being shared in an alliance. Implementing measures which take into account the organizations’ trust, anonymity and indemnification will, according to the respondents, boost the cyber-threat alliance potential. The lack of trust amongst the participants and the potential side effects with governmental agencies are the fundamental basis for the organizations’ cry for anonymity and indemnification.

7. Discussion Further Research

This study examined the organization’s intelligence sharing behavior in a cyber-threat alliance to uncover the most decisive factor(s). The goal of sharing the cyber-threat intelligence is to optimize the awareness of organizations and their detection and response capabilities. According to this goal, potential new measures should be developed or existing measures could be examined whether they are more effective than the cyber-threat alliance. The use of artificial intelligence and machine learning can both be interesting developments to research within the security domain. The contribution of artificial intelligence and machine learning could be in automating the sharing process and interpreting large amounts of data.

The respondents mentioned several times that the success of sharing cyber-threat intelligence depends heavily on the quality and quantity aspect. Further research should examine how the identified factors of ‘perceived trust’ and ‘perceived safety’ influence the quantity and quality of the shared intelligence. This is because of the organizations’ pronounced fear of the potential conflict between the need for sharers to remain anonymous and the need to ensure that recipients still trust the acquired intelligence.

According to Dejoo et al. trust is the fundamental element in any social network. They proposed a technique to evaluate the competence of the trustee in specific situations and infer the benevolence of the trustee towards the trustor when the trust evaluation is made. The technique takes into consideration the relationship between the trustor and the trustee, which is of utmost importance in the context of cyber-threat alliances. Identifying the different stages of trust in the relationship between intelligence-sharer and intelligence-receiver could potentially optimize the sharing behavior in the alliance [CITATION Ame18 \l 1033 ].

The respondents also shared the same thought about the content of shared intelligence. As cyber-threats become more sophisticated and personalized, the need for the necessary intelligence becomes even more important. Future research should identify whether there are characteristics that could be shared regardless of the type of attack.

Limitations

Starting with the research methodology, it is worth mentioning that the number of selected organizations could be improved. It was hard to find organizations participating in an alliance that were willing to be interviewed and to answer the questions without any constraints. Their awareness of the sensitivity of the subject and the information they would share sometimes resulted in question-evasive behavior or superficial answers. Another limitation is the point of view from which this research gained its information. Only cyber security experts were interviewed while, for example, the factor of subjective norms is questioned as well. The cyber security experts answered the questions based on what they thought that important people thought about sharing cyber-threat intelligence. The interviewed organizations were of different proportions and different backgrounds, which could end up in results not being representative. Furthermore, this research is limited by the fact that the interviewed organizations were participants of a cyber-threat alliance. Including a representative from a cyber-threat alliance would provide more insights. This qualitative research has given a first indication of which factors influence the sharing behavior of organizations, but executing the same research quantitatively would probably result in more generalizable data because of its large-scale potential.

References 1. Bibliography

Ajzen, I. (1991). The Theory of Planned Behavior. Organizational behavior and human decision.

Allen, D. (2011). Information behavior and decision making in time-constrained practice: A dual-processing perspective. Journal of the American Society for Information Science and Technology.

Allen, N. H. (2012). Information sharing and trust during major incidents: Findings from the oil industry.

ANP. (2018). Retrieved from https://www.perssupport.nl/persbericht/170418106/botnets-remain-a-persistent-cyberthreat

Betram F. Malle, J. K. (2010). The Folk Concept of Intentionality.

Cabrera, A. C. (2006). Determinants of individual engagement in knowledge sharing. The international journal of Human Resources.

Cabrera, C. &., & Hau, K. L. (2013). Determinants of individual engagement in

Chang, C. &. (2011). Social capital and individual motivations on knowledge sharing: Participant involvement as a moderator. Information & Management.

Chen, Y.-H. L.-P. (2014). How to facilitate inter-organizational knowledge sharing: The impact of trust. Information & Management.

Choo, K.-K. R. (2011). The cyber threat landscape: challenges and future research.

Cooper. (1988). Organizing knowledge syntheses: A taxonomy of literature reviews.

Cox, J. (2012). Information systems user security: a structured model of the knowing-doing gap.

Dacey, D. &. (2015). Retrieved from <http://www.dhs.gov/sites/default/files/publications/ecs_final_factsheet_08182014.pdf>; 2013

David Constant, S. K. (1994). What's Mine Is Ours, or Is It? A Study of Attitudes about Information Sharing.

Feledi, D. F. (2013). Toward web-based information security.

Flin, R. &. (2004). The role of trust in safety management. Human Factors and Aerospace Safety.

Hau, Y. S.-G. (2013). The effects of individual motivations and social capital on employees' tacit and explicit knowledge sharing intentions.

Heimer, C. A. (1992). Doing Your Job and Helping Your Friends: Universalistic Norms about Obligations to Particular Others in Networks. In Nitin Nohria and R. G. Eccles (Eds.), Networks and Organizations: Structure, Form and Action.

Herzberg, F. I. (1968). One More Time, How Do You Motivate Employees?

Hung, S.-Y. D.-M.-M. (2011). The influence of intrinsic and extrinsic motivation on individuals' knowledge sharing behavior. International Journal of Human-Computer Studies 69(9), 415-427.

Ismael, S. &. (2013). A customer loyalty formation model in electronic commerce.

Jeon, S.-H. K.-G. (2011). Individual, social, and organizational contexts for active knowledge sharing in communities of practice.

Konana, P. &. (2014). An investigation of information sharing and seeking behaviors in online investment communities. Computers in Human Behavior.

L. Deci & Edward & Ryan, R. M. (2013). Intrinsic motivation and self-determination in human behavior.

Lee, P. G. (2010). Leadership and trust: Their effect on knowledge sharing and team performance.

LI, L. (2005). The effects of trust and shared vision on inward knowledge transfer in subsidiaries. intra- and inter-organizational relationships.

Miguel, O.-P. A. (2013). Impact of perceived corporate culture on organizational commitment.

Mitchell, J. B. (2007). Disentangling the influences of leaders’ relational embeddedness on inter-organizational exchange.

Ryan, L. V. (2010). Motivation and autonomy in counseling, psychotherapy, and behavior change: a look at theory and practice.

Sarathy, Z. &. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems.

Shropshire, J. W. (2015). Personality, attitudes, and intentions: predicting initial adoption of information security behavior.

Tangil, H.-A. J. (2015). Information sharing models for cooperative cyber defence.

Tankard. (2011). Advanced persistent threat and how to monitor and detect them. The

TechRepublic. (2018). Retrieved from https://www.techrepublic.com/article/2017-was-worst-year-ever-in-data-breaches-and-cyberattacks-thanks-to-ransomware/

Yen, Y.-H. C.-P. (2014). How to facilitate inter-organizational knowledge sharing:
