1
Maryam Amaador (11766247) – Maryam_a@live.nl Supervisor/Examiner: Prof. dr. T.M. van Engers
Second examiner: Drs. A.W. Abcouwer
MSc Information Studies - Business Information Systems Faculty of Science - University of Amsterdam (UvA)
The collaborative sharing of
cyber threat information
Submission date: 16-07-2018 Abstract
Isolated cyber defenses are no longer effective to deal with the rapidly evolving cyber threats. Therefore, several researchers and governmental institutions have emphasized the need for collaboration, in which the sharing of Cyber Threat Information (CTI) is central. Through the sharing of CTI, organizations are enabled
to take proactive countermeasures against cyber threats. Furthermore, sharing CTI provide more insights in the dynamic threat landscape in which organizations operate. However, in order to achieve CTI-sharing collaborations, insights are needed into the factors that could influence the willingness of organizations, to
participate in such collaborations. As current theories lack explanation of the latter, this research have contributed to the theory by examining the factors that influence the collaborative sharing of CTI. First, a literature study has been performed on the conditions that are required for the establishment of information
sharing collaborations and on the factors that could influence the willingness of organizations, to share information. These theories served as a basis for the empirical part of this research, which examined whether
these factors apply in practice and whether new factors could be identified. Cybersecurity professionals, of which some participate in CTI sharing collaborations, and CTI-experts have been interviewed in this regard.
From the results it has been shown that trust seems to be the most influencing factor, which could either positively or negatively influence the collaborative sharing of CTI. Furthermore, other types of factors have
been indicated which have not been mentioned in theory, such as ‘information overload’, ‘difference in maturity level’ and ‘the presence of bad guys’.
Keywords: Cyber Threat Information – Collaborative sharing of CTI – Willingness to share information – Cyber threats – Cybersecurity
2
IntroductionIn the past few years several organizations have become the target of different types of cyber-attacks. Financial institutions had to deal with DDoS-attacks, which disrupted their services for a certain amount of time (van Harten, 2018). Furthermore, new types of ransomware (e.g. Petya and WannaCry) have occurred, which have affected several organizations across the globe (Bogaard, 2018). Recent cyber-attacks have also lead to many data breaches. The Dutch authority of personal data has received more than 5700 reports of data breaches in the first quarter of 2017, from which 12% are caused by cybersecurity incidents (NCSC, 2017). According to several authors, cyber threats are becoming even more sophisticated, targeted and coordinated (Tankard, 2011; Choo, 2011; Fransen et al., 2015; Skopik et al., 2016).
Through the increased interconnectedness and complexity of IT-infrastructures, ensuring cybersecurity has become a more challenging task for organizations (Kumar, Srivastava, Lazarevic, 2006; Hauskens; 2007; Huang et al., 2011; Skopik et al., 2016; Tounsi & Rais, 2017). Dealing as single defenders with the rapidly evolving cyber-threats, has become almost impossible for organizations (Johnson et al., 2016; Mohaisen et al., 2017). This has also been emphasized by Hernandez-Ardieta et al. (2013), which have stated that ‘’it is virtually impossible for any organization to prepare for and respond to cyber incidents without leveraging various collaboration instruments with other partners and allies’’. Furthermore, isolated cybersecurity mechanisms seems to be ineffective against the constantly changing methods of cyber attackers (Tosh et al., 2015).
To stay ahead of the evolving cyber threats, several governmental authorities and researchers have emphasized the need for collaboration, in which the sharing of cyber threat information (CTI) is central (Vázquez et al., 2012; Andrian et al., 2013; Luiijf & Kernkamp, 2015; Hathaway & Spidalieri, 2017; Mohaisen et al., 2017; NCSC, 2017; Al-Ibrahim et al. 2017; Johnson, 2017). Sharing CTI is seen as a plausible technique for defending, in an effective and efficient manner, against the evolving threat level (Andrian et al., 2013; Skopik et al., 2016). It is also seen as a crucial step towards the creation of a better understanding of large scale cyber-attacks (Skopik et al., 2016).
Although many organizations agree on the importance of sharing CTI (Haass et al., 2015), it is still limited done in practice (Sengupta et al., 2014; Tosh et al., 2015; Skopik et al., 2016; Mutemwa et al., 2017). The Dutch Cyber Security Assessment has shown that although investments have been made to become cyber ready, sharing cybersecurity related information is still a point of improvement (NCSC, 2017; Hathaway & Spidalieri, 2017). According to Hausken (2007) & Fawcett et al. (2007), incentives for information sharing seems to be harder to achieve than those for investing in security technology. Furthermore, most of the studies are focused on the technological aspect of information sharing instead on the factors that influence the willingness of organizations, to actually share information (Cachon and Fisher, 2000; Lee et al., 2000; Frohlich, 2002; Fiala, 2005; Fawcett et al., 2009). The latter seems to be overlooked in theory (Gorden, Loeb & Lucyshyn, 2003; Loeb & Lucyshyn, 2003; Fawcett et al., 2007; Vázquez et al., 2012). However, neglecting the willingness to share information, has a major impact on the success of information sharing practices (Fawcett et al., 2007; Tamjidyamcholo et al. 2014). Therefore, researchers and practitioners have a common interest in achieving a better understanding of the drivers
3
that underlie the choice of organizations, to share CTI (Hausken, 2007; Chen and Hung, 2010; Reinholt et al., 2011). This research will contribute to this by identifying the factors that influence the willingness of organizations, to share CTI. This will be done by examining the following research question:
‘’What factors influence the collaborative sharing of cyber threat information?’’ The research question is divided into two sub-question, of which the first focuses on the stimulating factors and the second on the barriers:
1. What factors stimulate the collaborative sharing of CTI? 2. What factors form a barrier to the collaborative sharing of CTI?
This research is carried out on behalf of the University of Amsterdam and KPMG IT Assurance and Advisory. Besides that this research will contribute to the literature on CTI sharing, it is also of practical relevance. Cyber security has taken an
increasingly important role in the work of IT-auditors. To assess the risks in this area, IT-auditors have to identify the efforts that organizations have made in this regard. This research provides insight into the challenges that organizations face in investing in cybersecurity. With a better understanding of these challenges, opportunities can be created that are needed to improve the cybersecurity practices of organizations.
This report consists of a number of chapters. The first chapter presents several theories, which will serve as a basis for the research. The second chapter will explain the applied research methodology. After that, the results and findings will be presented, followed by the discussion and conclusion. Finally, the advice, the limitations and suggestions for future research will be presented.
1. Literature review
This chapter is dedicated to scientific theories. First, the empirical state of knowledge will be presented, followed by the theoretical framework. The conclusion of the theoretical framework will be presented in paragraph 1.3. After that, the conceptual framework will be presented, which shows the relationship between the described theories. Finally, paragraph 1.4 will discuss the application of the theory.
1.1. Empirical state of knowledge
For an efficient and effective defence against cyber threats, several authors have emphasized the need for the collaborative sharing of CTI (Vázquez et al., 2012; Andrian et al., 2013; Hathaway & Spidalieri, 2017; NCSC, 2017; Johnson, 2017; Mohaisen et al., 2017; Al-Ibrahim et al. 2017). CTI, as an academic subject, is still in its infancy (Tounsi & Rais, 2017). Most of the existing theories on CTI are
approaching this concept from a technical point of view, in which the focus lies on the development of standard formats and protocols for the facilitation of the information sharing process (Fawcett et al., 2007; Vázquez et al., 2012). However, less attention has been paid on the social aspect of CTI, which includes the willingness of organizations to share this kind of information (Fawcett et al, 2007; Popovič et al., 2014). Neglecting the willingness to share information is seen as something
4
problematic, since it determines the extent and quality of information sharing (Fawcett et al., 2007). According to Gorden et al. (2003), theories lack appropriate incentive mechanisms for the sharing of information. The information sharing incentives that have been identified so far in theory, are not adequate to achieve the benefits at an organizational level (Gordon, Loeb & Lucyshyn, 2003). Furthermore, research on incentive networks, and especially in information sharing collaborations, seems to be quite new (Vázquez et al., 2012). Safa & Von Solms (2015) have even mentioned that there is a scant research on information security collaborations.
Since the importance of the collaborative sharing of threat information is increasing, understanding the factors that could influence the willingness of
organizations to participate in such collaborations, is critical. As current theories lack a proper understanding of the underlying drivers to share CTI, there is a need to apply interdisciplinary theories to explore the influencing factors. By taking the combination of the concepts ‘CTI’, ‘Information Sharing Collaborations’ and
‘Information/Knowledge sharing’ into consideration, a better understanding can be created of CTI sharing collaborations and the factors that could influence the willingness of organizations to participate in such collaborations.
1.2. Theoretical framework
This chapter exist of an overview of scientific theories, which form the basis for this research. First, a description will be given of CTI at a tactical/technical level. As information sharing requires collaboration, paragraph 2.2.2 will present the conditions for the establishment of information sharing collaborations. An important requirement for these collaborations, is the willingness of organizations to share information. Therefore, the last paragraph (2.2.3) will give an overview of the factors that could influence the willingness.
1.2.1. Cyber threat information
CTI can be defined as ‘information that has been aggregated, transformed, analyzed, interpreted or enriched to provide the necessary context for decision-making processes’ (Johnson et al., 2017). CTI is used by organizations for the identification, assessment, monitoring and response of cyber threats (Johnson et al., 2016). It is seen as a crucial method for the analysis of risks within networks and for the enhancement of cyber security (Qamar et al., 2017). Furthermore, one of the promises of CTI is that it could turns unknown threats, into known threats (Chismon & Ruks, 2015).
Several authors have indicated the following as the major types of threat information (Johnson et al., 2016; Qamar, 2017; Tounsi & Rais, 2017):
Indicators: Technical artefacts or events that provide information about the development of cyber-attacks. Indicators can be used for the detection and defence of potential cyber threats. Examples of indicators are Internet Protocol (IP) addresses of suspected commands and control servers and subject line texts of malicious e-mail messages.
5
Tactics, techniques, and procedures (TTPs) – TTPs provide information about the behaviour of an actor on different levels, varying from high-level descriptions to highly detailed descriptions.
Security alerts – Involves technical alerts about current vulnerabilities, exploits and other security related issues.
Threat intelligence reports – Reports including information about TTPs, actors and other threat-related information. These reports include, among others, information about malware variants, network traffics and suspicion URL’s (Shackleford, 2016)
Tool configurations – Recommendations for the use and development of tools that assist the (automated) collection, exchange, processing, analysis and use of threat information.
The gathering and understanding of threat information is seen as a quite challenging task (Andrian et al., 2017; Mohaisen et al., 2017). Andrian et al. (2017) have stated the following in this regard: ‘Due to the size and complexity of the task, no single network defender unit, because of resource constraints, can afford to go alone and therefore must rely on the collaboration with other groups to achieve a more complete understanding of the threat landscape’’. However, in order to establish an information sharing collaboration, a number of conditions must be met which will be discussed in the next paragraph.
1.2.2. Information sharing collaborations
Collaboration occurs when information is exchanged between two or more dependent parties, with the aim to solve problems that cannot be solved individually (Gray, 1985; Simatupang & Sridharan, 2002; Greer, 2017). Several authors have identified the conditions that contribute to the success of information sharing collaborations (Mattessich, Murray-Close & Monsey, 2001; Huxham & Vangen, 2005; Li & Lin, 2006; Du et al. 2012). The first condition has to do with partnership coordination. According to Narus and Anderson (1987) ‘’successful working partnerships are marked by coordinated actions, directed at mutual objectives that are consistent across
organizations’’. Several coordination mechanisms could be applied for this purpose (Evans & Dion, 1991; Way, Jones & Busing, 2000), which are among others, focused on the specification of the information sharing process (Gualati & Zhelyazkov, 2012). Commitment has also been identified as one of the conditions and is achieved when efforts are made on behalf of the collaboration (Porter et al., 1974; Monczka et al., 1998; Kotlarsky & Oshri, 2005; Yang et al., 2008). Through join efforts, the continuity of the collaboration is ensured and the relationship between the collaborating parties is strengthen (Angle and Perry, 1981; Cheng-Min et al., 2013).
Another condition, which seems to be the most important one for the establishment and maintenance of collaborations, is trust (Wilson & Vlosky, 1998; Hardy, Phillips, Lawrence, 1998; Li & Lin, 2006). Trust is achieved when parties are able to rely on the efforts of one another (Monczka & al., 1998; Spekman, Kamauff & Myrh, 1998) and when expectations formed, also become fulfilled (Barber, 1983; Sitkin & Roth, 1993; Luo, 2012; Greer; 2017). Regular contact/interaction with the collaborative parties seems also to contribute to the building of trust (ENISA, 2010; Greer, 2017). In addition to
6
trust, participation does also belong to the conditions of information sharing collaborations. Participation is about the extent to which the collaborative parties engage in the planning and goal setting (Mohr and Spekman, 1994; Johnson et al., 2017). Joint planning enables the establishment of the expectations between the collaborative parties and specifies the cooperative efforts (Mohr and Spekman, 1994). Finally, joint problem solving has also indicated as one of the conditions. The first step for this condition, is to agree on the existence of a problem (Bunniss, Gray & Kelly, 2011; Greer, 2017). After identifying the problem, the collaborative parties should have a common goal towards the solution (Senge et al., 1994), which should have the support and commitment of all the collaborative parties (Ales et al., 2011).
All of above-mentioned conditions, contribute to the success of information sharing collaborations. However, in order to establish information sharing collaborations, willingness to share information is required (Du et al., 2012; Fawcett et al., 2007). Several factors have been identified, which could influence the latter. These factors will be discussed in the next paragraph.
1.2.3. Factors that influence the willingness to share information/knowledge Willingness can be defined as the openness of organizations to share relevant information to other parties, at an honest and frequent base (Fawcett et al., 2007; Mentzer et al, 2001). One the most important factors that influence the willingness to share information, has to do with reputation (Choo, 2011; Chismon & Ruks, 2015; Skopik et al., 2016; Mohaisen et al. 2017). Reputation can be related to the quality of the provided services, the level of customer service or to the possession of personal data by organizations (ENISA, 2010). Organizations are fearing to share CTI, since there is a chance that it could lead to negative publicity, which could impact their competitive position (Choo, 2011). On the other hand, information sharing could also have a positive influence on reputation, as it could enhance the status of organizations (Wasko & Faraj, 2005). Legislation and privacy matters do also influence the sharing of information. Organizations are cautious about reporting incidents, as they are not sure about the information that they are allowed to share (Johnson, 2017; ENISA, 2010). Legislations could also differ from organization to organization (Tounsi & Rais, 2017), which could make the sharing of threat information a more complex task. Besides legislations, the information should also meet certain quality requirements. According to Dalziel (2004) and Choo (2011), CTI should be relevant (related to an organizations and/or its objectives), actionable (specified in such a way that it makes it possible to take action, to provide response or to make decisions) and valuable (contributes to useful business outcomes). The relevancy could also be determined by the type of information that is shared, the way the information is shared and the collaborative parties with whom the information is shared (Johnson et al., 2016; Henderson, 2002; Mentzer et al., 2001).
Motivation does also influence the willingness of organizations to share knowledge/information (Ipe, 2003; Zboralski et al., 2006). Motivation is determined by several factors, which are divided into internal and external factors. The internal factors are related to power and reciprocity. Power around knowledge is created through the importance that organizations assign to it and by the value that has been assigned to the individuals owning the right kind of knowledge (Ipe, 2003). According to Davenport (1997), Fawcett et al., (2007) & Ardichvili (2008), individuals who have perceived power originated from knowledge, are more likely to hoard the knowledge, instead of sharing it. This has to do with the perception that sharing information, could place an organizations at a competitive disadvantage (Fawcett et al., 2007). Furthermore, sharing
7
knowledge/information it is also seen as a loss of power (Gill-Garcia et al., 2007; Hendarty et al., 2014). Reciprocity is also an influencing factor. Sharing information with the expectation to receive something in return, stimulates the willingness of organizations to share information (Ipe, 2003; Schultz, 2001; Homans, 1984; Emerson, 1976). A downside of reciprocity is the anxiety that organizations experience when they are requested to share valuable knowledge, when there is a chance that they will receive little or even nothing beneficial in return. Unequal contributions can lead to free rider behavior, which can have a negative impact on the sharing of information. (Al Ibrahim et al., 2017; Vakilinia & Sengupta, 2017; ENISA, 2010).
The external factors that influence motivation, are related to the relationship with the recipient and the rewards for sharing. The relationship with the recipient determines the degree of sharing (Du et al., 2012). According to Ipe (2003), this relationship is influenced by two critical elements. The first element, trust, is seen as the most important factor that could influence the willingness to share information/knowledge (Bock et al., 2005; Ardichvill et al., 2003; Ipe, 2003). Barriers for trust emerge, among others, by the perception that not everyone will contribute the same amount of knowledge to other cooperating organizations. ‘’Trust exist when a party believes that its partner is reliable and benevolent’’ (Chae et al., 2005). Organizations are not willing to share sensitive (threat) information with other organizations of whom the trustworthiness is not clear (Hernandez-Ardieta et al., 2013). In addition to trust, the power and status of the recipient also influences the motivation to share knowledge. According to Huber (1982), sharing information with others that have more power and status is more common, than passing the information downwards, to those with less power and status (Huber, 1982
).
Furthermore, rewards for sharing has also been mentioned as an influencing factor. The probability of information sharing is positively related to the reward and negatively related to the penalties that organizations expect to receive by sharing knowledge/information (O’Reilly & Pondy, 1980; Hovindarajan, 2000). Finally, the existing opportunities to share knowledge (Hammer, 2004; Johnson, 2017) has also indicated as an influencing factor. The opportunities for knowledge sharing can be both formal and informal in nature. Technology-based systems and training programs belong to the formal opportunities of knowledge sharing, while personal relationships and social networks belong to the informal opportunities (Ipe, 2003). The formal opportunities are providing structured environments for knowledge sharing. In addition, through these opportunities, a lot of parties could be connected to one another. However, informal settings allow the sharing of a greater amount of knowledge (Truran, 1998). This is because face-to-face communication contribute to the building of trust, which could have a huge influence on the choice to share knowledge.
1.3 Conclusion literature review
As can be concluded from the above, the gathering and understanding of CTI could be a quite challenging task. One of the methods to gather CTI, is by collaboration. Through information sharing collaborations, a better understanding can be gained of cyber threats. However, in order to establish an information sharing collaboration, the willingness of organizations is required. From the theory it has been shown that several factors could influence the willingness of organizations to share information and thus affect the actual establishment of information sharing collaborations.
8
1.4 Conceptual frameworkFrom the theory, it has been shown that through the sharing of CTI, organizations are enabled to create a better understanding of their threat landscape. This contributes to the development of effective and efficient defenses against cyber threats. However, sharing CTI requires both information sharing collaborations and the willingness to share information within these collaborations. The success of information sharing collaborations is determined by several conditions, which after all require the willingness of organizations to share information. The latter is also influenced by a number of factors. As both ‘information sharing collaborations’ and ‘willingness to share
information’ are related to one another, they could either positively or negatively influence each other. The relationship between the concepts and
corresponding variables is presented in figure 1.
Figure 1: Conceptual model – CTI sharing * +/- either positively or negatively influenced
1.5 Application theory
In order to identify the factors that influence the collaborative sharing of CTI, theory on ‘information sharing collaborations’ and ‘willingness to share information’ will serve as a basis. The conditions and factors that are associated with these theories, have been operationalized in appendix 1. Based on the operationalization, interview questions have been developed. With the use of these theories, it will be examined whether the theory apply in practice and whether new factors exist in the CTI-sharing context.
2 Methodology
This chapter describes the applied research methodology and the context in which the research has been carried out.
2.1 Context of the research
This research is carried out in behalf of the University of Amsterdam and KPMG IT Assurance & Advisory. The research is conducted within a period of four months (April till July 2018). Most of the research has been conducted from the UvA-library and the office of KPMG.
2.2 Research strategy
This research has been conducted with the use of a qualitative approach. To gain a better understanding of the research topic, a literature study has been performed. Relevant theories have been collected through the online library of the UvA and Google Scholar. To ensure a targeted search process, the following search queries have
9
been used: ‘’Cyber Threat Intelligence’’, ‘’Threat Information Sharing’’, ‘’Knowledge sharing’’ and ‘’Information Sharing Collaborations’’. In addition to the literature study, an empirical research has been conducted. Data has been collected in order to examine whether the factors mentioned in theory, apply in practice. Therefore it can be stated that a deductive approach has been applied (Bryman, 2008).
2.3 Data Collection & Analysis
For the collection of the empirical data, semi-structured interviews have been
conducted. Semi-structured interviews seem to be helpful in the generation of detailed information about a particular case (Bryman, 2008). Furthermore, these kinds of interviews provided the opportunity to gather more in-depth information, as there was the possibility to respond on the answers of the interviewees.
The interview data has been analyzed with a mix of open and selective coding. The selective coding has been done with the use of pre-defined coding labels, which originated from theory (see Appendix 1 & 2). Open coding has been performed to categorize all other factors that relate to the research question and which have not been identified in the conceptual framework.
2.4 Sampling design
For the selection of the interviewees, a purposive sampling approach has been applied. This approach allow to select interviewees that have a direct reference to the research question (Bryman, 2008). To determine the factors that influence the collaborative sharing of CTI, cybersecurity professionals and specialists (Certified Information Systems Security Professionals) within several organizations have been approached, of which some operate within CTI-sharing collaborations and of which some have a representative role in these collaborations. In addition, two experts within the CTI-field have been interviewed. These persons provided insight into the challenges of CTI and how these challenges manifest themselves in the sharing of CTI. These insights are based on the experiences with their clients and collaborative partners.
The interviewees have been reached through a snowball sampling approach, whereby colleagues within KPMG and the thesis supervisor served as the first point of contact. The sample size depended on the achievement of theoretical saturation, which has been achieved by the conduction of 8 interviews. The interviewees and the organizations/collaborations they represent, have been anonymized due to the request and privacy of these parties.
2.5 Trustworthiness and Authenticity
According to Bryman (2008), qualitative studies should be evaluated according to their trustworthiness and authenticity. The trustworthiness of this research is determined by its credibility, dependability, confirmability and transferability. For the credibility of this research, all the interviewees have been asked to validate the transcription/coding-tables of their interviews. This is also called responded validation. In addition, the comparison of interview results and theory has helped in drawing the right conclusions. The dependability of this research have been ensured by describing the whole research process within the methodology and by attaching the interview guides and coding tables in the appendices. Furthermore, theory is used as a basis for the formulation of the interview questions. All of the sources that has been used for the theory, are
10
included in the reference list. Whether this method will produce the same results, is a matter of time. For a collaboration that has existed for years, trust can play a different role than when it has just been set up. In behalf of the confirmability of the research, the interview questions have been formulated as neutral as possible. Also the invitations for the interviews, has been formulated as neutral as possible to prevent prejudice from both sides As qualitative research is more oriented to the contextual uniqueness and significance of the studied phenomena (Bryman, 2008), transferability could be an empirical issue (Lincoln & Guba, 1985). However, based on a thick description of the research context, the transferability could be judged (Lincoln & Guba, 1985; Bryman, 2008).
For the authenticity of this research, different viewpoints have been gathered in regard to the research questions. This has been done by approaching cybersecurity professionals which operate within different sectors and by gathering insights from CTI-experts, which also share CTI beyond the boundaries of their organizations. Furthermore, this research will provide a better understanding of the circumstances in which the sharing of CTI is stimulated and in which it is not. Therefore ‘catalytic authenticity’ applies, which engage members to take action based on the circumstances (Lincoln & Guba, 1985).
3. Results
This chapter presents the results that have been collected through interviews. The results have been analyzed with the use of coding tables (see Appendix 2). For privacy reasons, the respondents are referred as interviewee 1# till 8#.
3.1 What factors stimulate the collaborative sharing of threat information? According to the interviewees, there are several factors that stimulate the
collaborative sharing of CTI. One of the most important factor, has to do with trust. All of the interviewees that participate within information sharing collaborations, make use of confidentially agreements to ensure trust. Examples of these agreements are the Traffic Light Protocol (TLP), the Gentlemen’s Agreement and the Non-Disclosure Agreement (NDA). These agreements make it possible to share sensitive information within a trusted environment. In addition to these agreements, trust is also build by having regular contact with the collaborative partners. According to 4 of the 8 interviewees, seeing the same person over and over again has a positive influence on trust.
Having a common goal is also seen as a stimulating factor. As indicated by 5 of the 8 interviewees, having a common goal ensures the involvement of all participating organizations. In these kinds of cases, discussions about an equal input of CTI, plays a less important role. However, this is more common in cases in which there is a collaborations between governmental institutions or public-private organizations (3#, 4#, 7#). Commitment does also stimulate the sharing of CTI as it provides the ability to rely on the efforts and expertise of the collaborative partners. This is especially the case for organizations for whom it is impossible to tackle cyber threats individually.3 of the 8 interviewees have mentioned that receiving information has contributed to their own
11
knowledge base and saved time, as certain matters have already been investigated by their collaborative partners.
Standardized techniques for the sharing of CTI, such as STIX, do also stimulate the information sharing process (1#, 2#, 6#). Through this opportunity, it became easier to transfer information to other organizations. Furthermore, three interviewees have indicated that having a party that facilitates the collaboration (e.g. by providing administrative support), stimulates the sharing of CTI. Interviewee 8# have stated that, through a lack of partnership coordination, finding cybersecurity specialist of chain partners, became a quite challenging task. Currently, account managers have the lead in coordinating the communication with chain partners. Since the participating
organizations do not have the time themselves, having the collaboration facilitated by others is highly appreciated (#4, #7, 8#).
Finally, the collaborative sharing of CTI is also stimulated by rewards. Only one of the interviewees have indicated that they make use of a specific reward mechanism, to stimulate the sharing of CTI. Through this mechanism, organizations could receive points based on the information that they deliver. This mechanism excludes freeride behavior and ensures trust (1#).
3.2 What factors form a barrier to the collaborative sharing of CTI?
From the interviews, several factors have been mentioned which could more or less form a barrier for collaborative sharing of CTI. The most mentioned factor, has to do with trust. When there is a lack of trust, no cooperation can be established (all interviewees). Also, extending a partnership has a negative impact on trust. Information that is shared within a larger group is more difficult to manage (2#, 4#, 7#). Trust does also have a role in the selection of potential partners (1#, 7#). As stated by one of the interviewees ‘’It should not be the case that someone at the back, shares the
information with the bad guys''.
Information overload can also influence the willingness to share CTI. 5 of the 8 interviewees have mentioned that dealing with CTI is seen as a quite challenging task. This is because it is often delivered in large quantities (e.g. in threat feeds), which makes it a difficult task for organizations to extract the relevant information from it (3#, 4#). One of the interviewees indicated that they find it quite challenging to determine the information that they could share, as they assume that the CTI that they own, is only relevant to their own business (8#). Also, the way to share this
information, is seen as a quite challenging task for interviewee 8. Furthermore, CTI received from threat feeds, is not always valuable (1#, 4#). In the time that the feed is passed to others, IP addresses within the feeds can be registered as a legitimate, what makes them no longer a cyber threat (#2, 6#). This cause false-positives within the feeds, which requires a lot of efforts from organizations to recognize or distinguish from the rest of the information (2#).
The type of relationship could also form a barrier (4#, 5#, 7#). When there is no business relationship, cooperation occurs more easily than in the case in which there is a customer-supplier relationship or economic dependencies (4#, 5#). Discussing sensitive information with competitors, remains a difficult task for most of the
12
which participate in CTI-sharing collaborations, mention that the parties with whom they share CTI, are more or less from the same maturity level. This is also one of the issues that organizations consider when expanding a partnership. Organizations prefer to work with others that use, among others, the same type of systems (4#, 7#). When there is a difference in systems, there may also be a difference in the cyber threats that they face (7#).
3 of the 8 interviewees indicated that the information that other parties offer, influences their willingness to cooperate. It does not always make sense to continue a relationship with a party, which has little value in terms of input. The latter is not the case for less contributing chain partners or smaller organizations (1#, 4#, 5#, 7#). According to interviewee 4#, it does not solely depend on the type of organization but also on the person who represents the organization. Cybersecurity representatives that do not have something beneficial to offer could influence their willingness to cooperate with. This is because the cybersecurity representative are mostly responsible for the quality and relevancy of the shared information (4#).
Perceiving knowledge as power, also forms a barrier for the collaborative sharing of CTI. According to interviewee 1#, 2# and #5, organizations with a commercial interest are more likely to hoard information, as they perceive the information as a competitive advantage. Analyzing threat information is also seen as a time-consuming process which requires a lot of efforts (4#, 6#, 7#). Therefore, organizations are more cautious about sharing information, as they want to prevent others to benefit from their efforts (1#, 2#). 3 of the 8 interviewees have stated that, successes achieved by the use of CTI, could not be proved. According to interviewee 2#, CTI is still based on human insights and knowledge and does not yet have an academic base, therefore ‘’you do not know, what you know’’. This may prevent others from working with it.
The Wet Openbaarheid van Bestuur (WOB, informally translated in Law for Open Public Administration), which gives the right to request information from
governmental institutions, does also influence the willingness of organizations to share CTI. With this regulation, organizations are more cautious about sharing information, as there is a chance that it will be accessible for parties outside the collaboration (4#, 5#, 7#). Furthermore, with the arrival of the GDPR, the discussion has also arisen around IP addresses. 3 of the 8 interviewees indicate that it is not clear whether this belongs to personal data.
Differences in culture has also been mentioned as an impeding factor. One of the interviewees, who operates within two different CTI-collaborations, has noticed a difference in terms of openness and communication style in the different sectors (2#). One-sided communication is more common in collaborations in which a closed culture prevails and in which there is a strict confidentiality agreement. Furthermore,
organizations in which safety is not a point of consideration, could have more difficulty with creating awareness for cybersecurity (4#). Commitment is also required in this regard (2#, 7#). One of the interviewees have mentioned that collaborating with cybersecurity representatives who are assessed on the number of tickets they handle, do not have the incentive to actually deploy CTI (2#). A lack of resources and capabilities forms also a barrier (4#, 8#). One of the interviewees have mentioned that not all of their chain partners have the required human and technical capacities to participate in
13
CTI-collaborations (4#). Due to a lack of time and resources, it is not possible (yet) for one of the interviewees, to participate within an information sharing collaboration (8#). Reputation have also been mentioned as a barrier. As indicated by interviewee 4#, the sharing of information may allow another image to be created about how
organizations deal with personal data. When negatively, this could harm the reputation of the organization of whom the information originates. Furthermore, leakage of information could not only cause damage but also influence the continuity of the collaboration (5#). Finally, the presence of bad guys keeps the sharing of CTI limited. Organizations are cautious about sharing CTI, since there is a chance that it will reach the bad guys, which could make bad use of it (#1, #2).
4. Discussion
As has been shown from the theory, the sharing of CTI requires both ‘information sharing collaborations’ and ‘the willingness to share information’. The empirical part of this research has shown that the factors that have been mentioned by the
interviewees, are related to both of these concepts. However, not all of the factors that have been indicated in theory, apply in practice. Reciprocity is not always considered as an influencing factor. From the interviews it has been shown that participating in a collaboration, means also sharing information. Therefore, sharing and receiving information is considered self-evident, especially if there is a common goal. The factor ‘rewards’ seems also to be different in practice. Only one of the interviewees could respond to the question whether there are rewards for the sharing of CTI. According to theory, rewards do either stimulate or impede the sharing of information. From the interviews it has been shown that sharing CTI, is mostly stimulated by ensuring trust. There are no specific reward-mechanisms. Furthermore, privacy seems also to be an influencing factor according to theory. However, most of the interviewees have mentioned that privacy does not have an important role in the sharing of CTI, as most of the information does not contain personal data at all. Organizations must adhere to privacy regulations, but it does not form a barrier to the sharing of CTI. Finally, other factors have been mentioned by the interviewees, which have not been indicated in theory. These factors involve ‘Information overload’, ‘Maturity level’, ‘A lack of resources and capabilities’, ‘Not provable successes with the use of CTI’, ‘Differences in culture’ and the ‘Presence of bad guys’. However, interdisciplinary theories have been used to study the research question, as there was a lack of theories on the sharing of CTI. This explains the difference between the factors identified in theory and the once identified in practice. Moreover, the factors that have been identified in this research may differ in a couple of years. The building of trust requires time. For a collaboration that has just started, trust could have a more important role than in collaborations in which people have been exchanging information for years. Also, increased awareness around cybersecurity could make many of the factors of less importance.
14
5. ConclusionThis research has been carried out in order to answer the following research question: ‘’What factors influence the collaborative sharing of CTI?’’. It can be concluded that trust is the most influencing factor, which could either stimulate or impede the collaborative sharing of CTI. Trust in the CTI sharing context is currently under the attention of scientists. Research projects are carried out to investigate the role of trust in the establishment of cyber alliances (Gommans, 2014; Gommans et al., 2015). In addition to trust, collaborating with partners that have a common goal, does also stimulate the sharing of CTI. With a common goal, efforts are made in behalf of the collaboration, which increases the commitment of the participating parties. The use of standardized techniques (e.g. STIX and TAXII) also act as a stimulus, since it became easier to pass information to others. Furthermore, partnership coordination seems to be highly appreciated, as organizations lack time to coordinate the collaboration
themselves. A less mentioned factor is ‘rewards for sharing’ and is used to ensure trust and to exclude free rider behavior. In addition to the stimulating factors, the sharing of CTI could also be influenced by a number of barriers. Information overload makes the sharing of CTI quite challenging, as it requires a lot of effort to deal with. Furthermore, the type of relationship has also been mentioned as a barrier. Sharing sensitive CTI with parties where economic dependencies exist, seems to be difficult task for organizations. Differences in maturity level could also form a barrier as most of the interviewees have the preference to collaborate with partners of more or less the same maturity level. This makes the communication more effective, as the collaborative partners have things in common, such as the systems they use. The quality of CTI could also form a barrier. If the information is irrelevant, there is not always the need to continue the relationship. Moreover, perceiving knowledge as power does also
influence the collaborative sharing of CTI. Organizations with a commercial interest are more likely to hoard information, as it is seen as a competitive advantage. Also, when a lot of efforts have been made to analyze CTI, organizations are more likely to hoard the information. The WOB-legislation does also limit the collaborative sharing of CTI. With this legislation, organizations deal more consciously with the information they share. Finally, the less mentioned barriers have to do with ‘’differences in culture’, ‘a lack of resources and capabilities’, ‘reputation’ and the ‘presence of bad guys’ (See overview factors in table 1).
Factors that stimulate the collaborative sharing of CTI
Factors that form a barrier to the collaborative sharing of CTI
Trust (8) Common goal (5) Shared efforts (3)
Opportunities to share – standardized techniques (3)
Partnership coordination (3) Rewards for sharing (1)
Lack of trust (8) Information overload (5) Type of relationship (3) Maturity level (3)
Relevancy of the information offered by others (3) Perceiving knowledge as power (3)
Not provable successes with the use of CTI (3) Legislation – WOB (3)
Differences in culture (2)
A lack of resources and capabilities (2) Reputation (2)
Presence of bad guys (2)
15
6. AdviceIn order to encourage the collaborative sharing of CTI, the barriers that have been identified within this research, have to be bridged. First of all, awareness around cybersecurity should be created, as this may underlie many barriers. By being aware of the importance of cybersecurity, commitment of the business could be achieved, which will make the organizations more inclined to make investments in this regard.
Investments in time and the cybersecurity capabilities of employees, will eventually increase the incentives to actually deploy CTI. This will also improve the practices within CTI collaborations. In addition, from the results it has been shown that having the collaboration facilitated by others, is highly appreciated. More initiatives have to be created to facilitate collaboration in the field of CTI. These facilitating parties should also pay attention on the linkage of chain partners, as sharing CTI in this context will provide a better understanding of the threat landscape of the organization in question. Finally, organizations seem to be confronted with an overload of CTI. The possession of threat feeds are not enough to take advantage of the benefits of threat information. Investments are needed in techniques that enables the refinement of information, based on the threat-landscape of organizations. This will make the information sharing process more valuable, which will stimulates others to participate.
7. Limitations
This research has been carried out with a number of limitations. First, little research has been found on CTI, as it seems to be a quite recent concept in academic literature. The articles that have been published so far, do not always have a high scientific rate. Therefore, the scientific rate of the publishers had to be critically assessed. In addition, is it still not known what kind of CTI the interviewees actually share. CTI seems to be a quite sensitive topic for a couple of interviewees. Because of this, no detailed information could be requested. Furthermore, one of the interviews could not be completed due to privacy reasons. Finally, a number of findings require further explanation. Due to a limited time span and the permitted number of words for this report, it was not possible to provide a thorough description of it.
8. Further research
The aim of this study is to identify the factors that influence the collaborative sharing of CTI. Theory on ‘information sharing collaborations’ and ‘the willingness to share information’ served as a basis to identify whether the associated factors, apply in practice and whether new factors could be identified. Further research is needed to examine the relationship between the identified factors, as this may provide an explanation of their occurrence in certain circumstances. In addition, trust has been mentioned multiple times as an influencing factor. As trust is a concept on its own, research should be performed on the role of trust within the CTI-sharing context. Finally, it has been shown that the interviewees could not provide clear examples of the results that have been achieved by the use of CTI. Further research is needed in order to
16
examine the effectiveness of threat information, as this could be a reason for organizations to refrain from exploiting CTI.
References
Al-Ibrahim, O., Mohaisen, A., Kamhoua, C., Kwiat, K., & Njilla, L. (2017). Beyond Free Riding: Quality of Indicators for Assessing Participation in Information Sharing for Threat Intelligence. arXiv
preprint
Ales, M. W., Rodrigues, S. B., Snyder, R., & Conklin, M. (2011). Developing and implementing an effective framework for collaboration: The experience of the CS2day collaboration. Journal of Continuing Education in the Health Professions, 31(S1), S13–S20. https://doi.org/10.1002/chp.20144 Andrian, J., Kamhoua, C., Kiat, K., & Njilla, L. (2017, February). Cyber Threat Information sharing: A
category-theoretic approach. In Mobile and Secure Services (MobiSecServ), 2017 Third
International Conference on (pp. 1-5). IEEE.
Angle, H. and J. Perry (March 1981). 'An empirical assessment of organizational commitment and organizational effectiveness', Administrative Science Quarterly, 26, pp. 1-14.
Ardichvill, A., Page, V., & Wentling, T. (2003). Motivation and barriers to participation in virtual knowledge sharing communities or practice. Journal of Knowledge Management, 7(1), 64−77.
Ardichvili, A. (2008). Learning and knowledge sharing in virtual communities of practice: Motivators, barriers, and enablers. Advances in developing human resources, 10(4), 541-554
Bock, G.W., Zmud, R.W., Kim, Y.G. and Lee, J.N. (2005), “Behavioral intention formation in Knowledge sharing: examining the roles of extrinsic motivators, social-psychological forces, and organizational climate”, MIS Quarterly, Vol. 29 No. 1, pp. 87-111. Bogaard, L. (2018, April 5). Delta Air Lines slachtoffer cyberaanval. ANP. Retrieved from
http://academic.lexisnexis.eu.proxy.uba.uva.nl:2048/?lni=5S1W-1KJ1-JCV2-F37B&csi=263237&oc=00240&perma=true
Brown, S., Gommers, J., & Serrano, O. (2015, October). From cyber security information sharing to threat management. In Proceedings of the 2nd ACM workshop on information sharing and collaborative
security (pp. 43-49). ACM.
Buldyrev, S. V., Parshani, R., Paul, G., Stanley, H. E., & Havlin, S. (2010). Catastrophic cascade of failures in interdependent networks. Nature, 464(7291), 1025.
Chae, S., Gray, F., & Kelly, D. (2011). Collective learning, change and improvement in health care: Trialling a facilitated learning initiative with general practice teams. Journal of Evaluation in Clinical Practice, 18, 630–636. https://doi.org/10.1111/j.1365- 2753.2011.01641.x Cachon, G.P. and Fisher, M. (2000), “Supply chain inventory management and value of shared
information”, Management Science, Vol. 46 No. 8, pp. 1032-48
Chae, B., Yen, H. R., & Sheu, C. (2005). Information technology and supply chain collaboration: Moderating effects of existing relationships between partners. IEEE transactions on engineering management,
52(4), 440-448.
Chen, C.J. and Hung, S.W. (2010), “To give or to receive? Factors influencing members’ knowledge sharing and community promotion in professional virtual communities”, Information and Management, Vol. 47 No. 4, pp. 226-236
Chismon, D., & Ruks, M. (2015). Threat intelligence: Collecting, analysing, evaluating. MWR InfoSecurity
Ltd.
Choo, K. K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers &
Security, 30(8), 719-731.
Cyber Security Council. (2017). Towards a nationwide system of information exchanges. Advice on information sharing in the field of cyber security and cybercrime. (CSR advisory document 2017, No. 2). Retrieved from https://www.cybersecurityraad.nl/binaries/CSR_Advies
_Informatieuitwisseling_ENG_tcm107314534.pdf
Dalziel, H. (2015). How to Define and Build an Effective Cyber Threat Intelligence Capability. Retrieved From
https://universalflowuniversity.com/Books/Computer%20Programming/Security%20and%20Cyb er%20Warfare/How%20to%20Define%20and%20Build%20an%20Effective%20Cyber%20Threa t%20Intelligence%20Capability.pdf
Davenport, T. H., & Prusak, L. (1998). Working knowledge: How organizations manage what they know. Boston: Harvard Business School Press.
Du, T.C., Lai, V.S., Cheung, W. and Cui, X. (2012), “Willingness to share information in a supply chain: a partnership-data-process perspective”, Information & Management, Vol. 49 No. 2, pp. 89-98.
17
Emerson, R.M. (1976), “Social exchange theory”, Annual Review of Sociology, Vol. 2 No. 1, pp. 335 362.
ENISA. (2013). Detect, SHARE, Protect. Solutions for Improving Threat Data Exchange among CERTs. Retrieved from www.enisa.europa.eu.
ENISA. (2010). Incentives and Challenges for Information Sharing in the Context of
Network and Information Security. Retrieved from https://www.enisa.europa.eu/publications/ incentives-and-barriers-to-information-sharing
Evans, C. R., & Dion, K. L. (1991). Group cohesion and Performance. A meta-analysis. Small Group Research, 22, 175 – 186
Fawcett, S.E. and Magnan, G.N. (2001), Achieving World-class Supply Chain Alignment: Benefits, Barriers, and Bridges, Institute for Supply Management, Tempe, AZ.
Fawcett, S.E., Osterhaus, P., Magnan, G.M., Brau, J.C. and McCarter, M.W. (2007), “Information sharing and supply chain performance: the role of connectivity and willingness”, Supply Chain Management: An International Journal, Vol. 12 No. 1, pp. 358-368.
Fawcett, S. E., Wallin, C., Allred, C., & Magnan, G. (2009). Supply chain information-sharing: benchmarking a proven path. Benchmarking: An International Journal, 16(2), 222-246. Fiala, P. (2005), “Information sharing in supply chains”, Omega: The International Journal of
Management Science, Vol. 33 No. 5, pp. 419-23.
Fransen, F., Smulders, A., & Kerkdijk, R. (2015). Cyber security information exchange to gain insight into the effects of cyber threats and incidents. e & i Elektrotechnik und Informationstechnik, 132(2), 106-112.
Frohlich, M.T. (2002), “E-integration ration in the supply chain: barriers and performance”, Decision Sciences, Vol. 33 No. 4, pp. 537-5
Gil-Garcia, J.R., Chengalur-Smith, I.S. and Duchessi, P. (2007), “Collaborative e-Government: impediments and benefits of information-sharing projects in the public sector”, European Journal of Information Systems, Vol. 16 No. 2, pp. 121-133.
Gommans, L. H. M. (2014). Multi-domain authorization for e-Infrastructures.
Gommans, L., Vollbrecht, J., Gommans-de Bruijn, B., & de Laat, C. (2015). The service provider group framework: A framework for arranging trust and power to facilitate authorization of network services. Future Generation Computer Systems, 45, 176-192.
Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22(6), 461-485.
Greer, P. A. (2017). Elements of effective interorganizational collaboration: A mixed methods
study (Doctoral dissertation, Antioch University).
Haass, J. C., Ahn, G. J., & Grimmelmann, F. (2015, October). ACTRA: A case study for threat information sharing. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative
Security (pp. 23-26). ACM.
Hammer, M. (2004), “Deep change: How operational innovation can transform your company?”, Harvard
Business Review, Vol. 82 No. 4, pp. 84-96
Hardy, C., Phillips, N. and Lawrence, T.B. (2003), “Resources, knowledge and influence: the organizational effects of interorganizational collaboration”, Journal of Management Studies, Vol. 40 No. 2, pp. 321-47.
Hardy, C., Lawrence, T. B., & Grant, D. (2005). Discourse and collaboration: The role of conversations and collective identity. Academy of management review, 30(1), 58-77.
Hathaway, M., & Spidalieri, F. (2017). CYBER READINESS AT A GLANCE.
Hathaway, O. A., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., & Spiegel, J. (2012). The law of cyber-attack. California Law Review, 817-885.
Hausken, K. (2007). Information sharing among firms and cyber attacks. Journal of Accounting and Public
Policy, 26(6), 639-688.
Hendarty, H., Bard, G., Foretay, O. and Jie, F. (2014), “Information sharing and information quality at a chocolate firm”, International Journal of Information, Business and Management, Vol. 6 No. 4, pp. 73-86.
Hernandez-Ardieta, J. L., Tapiador, J. E., & Suarez-Tangil, G. (2013, June). Information sharing models for cooperative cyber defence. In Cyber Conflict (CyCon), 2013 5th International Conference on (pp. 1-28). IEEE.
Homans, G.C. (1984), Coming to My Senses: the Autobiography of a Sociologist, Transaction Publishers, New Brunswick and London.
Huang, X., Gao, J., Buldyrev, S. V., Havlin, S., & Stanley, H. E. (2011). Robustness of interdependent networks under targeted attack. Physical Review E, 83(6), 065101.
18
Huber, G. (1982). Organizational information systems: Determinants of their performance and behavior. Management Science, 28(2), 138-155.
Huxham, C., & Vangen, S. (2005). Managing to collaborate. New York, NY: Routledge.
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Guide to cyber threat information sharing. NIST special publication, 800, 150.
Kotlarsky, J., & Oshri, I. (2005). Social ties, knowledge sharing and successful collaboration in globally distributed system development projects. European Journal of Information Systems, 14(1), 37-48. Kumar, K., & Van Dissel, H. G. (1996). Sustainable collaboration: managing conflict and cooperation in
interorganizational systems. Mis Quarterly, 279-300.
Kumar, V., Srivastava, J., & Lazarevic, A. (Eds.). (2006). Managing cyber threats: issues, approaches, and
challenges (Vol. 5). Springer Science & Business Media
Lee, H.L., Padmanabhan, V. and Whang, S. (1997), “The bullwhip effect in supply chains”, Sloan Management Review, Vol. 38 No. 3, pp. 93-102
Li, S., & Lin, B. (2006). Accessing information sharing and information quality in supply chain management. Decision support systems, 42(3), 1641-1656.
Jones, C., Hesterly, W. S., & Borgatti, S. P. (1997). A general theory of network governance: Exchange conditions and social mechanisms. Academy of management review, 22(4), 911-945. Luiijf, E., & Kernkamp, A. (2015). Sharing Cyber Security Information. Retrieved from
https://www.thehaguesecuritydelta.com/media/com_hsd/report/40/document/Sharing-Cyber-Security-Information-GCCS-2015.pdf
Luo, X. (2002), “Trust production and privacy concerns on the internet: a framework based on relationship marketing and social exchange theory”, Industrial Marketing Management, Vol. 31 No. 2, pp. 111-118.
Mattessich, P., Murray-Close, M., & Monsey, B. (2001). Collaboration: What makes it work (2nd ed.). Nashville, TN: Fieldstone Alliance.
Mentzer, J.T., Dewitt, W., Keebler, J.S., Min, S., Nix, N.W., Smith, C.D. and Zacharia, Z.G. (2001), “Defining supply chain management”, Journal of Business Logistics, Vol. 22 No. 2, pp. 125.
Mohaisen, A., Al-Ibrahim, O., Kamhoua, C., Kwiat, K., & Njilla, L. (2017). Rethinking information sharing for actionable threat intelligence. arXiv preprint arXiv:1702.00548.
Mohr, J., & Spekman, R. (1994). Characteristics of partnership success: partnership attributes, communication behavior, and conflict resolution techniques. Strategic management
journal, 15(2), 135-152.
Monczka, R. M., Petersen, K. J., Handfield, R. B., & Ragatz, G. L. (1998). Success factors in strategic supplier alliances: the buying company perspective. Decision sciences, 29(3), 553-577 Mutemwa, M., Mtsweni, J., & Mkhonto, N. (2017, March). Developing a cyber threat intelligence sharing
platform for South African organisations. In Information Communication Technology and Society
(ICTAS), Conference on (pp. 1-6). IEEE.
Narus, J. A., & Anderson, J. C. (1987). Distributor contributions to partnerships with manufacturers. Business horizons, 30(5), 34-42.
O’Reilly, C., & Pondy, L. (1980). Organizational communication. In S. Kerr (Ed.), Organizational behavior. Popovič, A., Hackney, R., Coelho, P.S. and Jaklič, J. (2014), “How information-sharing values
influence the use of information systems: an investigation in the business intelligence systems context”, The Journal of Strategic Information Systems, Vol. 23 No. 4, pp. 270-283.
Porter, L., R. Steers, R. Mowday, and P. Boulian (1974). 'Organizational commitment, job satisfaction, and turnover among psychiatric technicians', Journal of Applied Psychology, 59, pp. 603-609.
Qamar, S., Anwar, Z., Rahman, M. A., Al-Shaer, E., & Chu, B. T. (2017). Data-driven analytics for cyber threat intelligence and information sharing. Computers & Security, 67, 35-58.
Safa, N. S., & Von Solms, R. (2016). An information security knowledge sharing model in organizations.
Computers in Human Behavior, 57, 442-451.
Senge, P. (1994). Building learning organizations. The training and development sourcebook, 379.
Simatupang, T.M. and Sridharan, R. (2002), “The collaborative supply chain”, The International Journal of Logistics Management, Vol. 13 No. 1, pp. 15-30.
Sitkin, S. B., & Roth, N. L. (1993). Explaining the limited effectiveness of legalistic “remedies” for trust/distrust. Organization science, 4(3), 367-392.
Skopik, F., & Li, Q. (2013, July). Trustworthy incident information sharing in social cyber defense alliances. In Computers and Communications (ISCC), 2013 IEEE Symposium on (pp. 000233-000239). IEEE.
19
www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767. Schultz, M. (2001). The uncertain relevance of newness: Organizational learning and knowledge
flows. Academy of Management Journal, 44(4), 661-681.
Tamjidyamcholo, A., Baba, M. S. B., Shuib, N. L. M., & Rohani, V. A. (2014). Evaluation model for knowledge sharing in information security professional virtual community. Computers &
Security, 43, 19-34.
Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network security,
2011(8), 16-19.
Tosh, D., Sengupta, S., Kamhoua, C., Kwiat, K., & Martin, A. (2015, June). An evolutionary game-theoretic framework for cyber-threat information sharing. In Communications (ICC), 2015 IEEE
International Conference on (pp. 7341-7346). IEEE
Tounsi, W., & Rais, H. (2017). A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security.
Truran,W. R. (1998). Pathways for knowledge: How companies learn through people. Engineering
Management Journal, 10(4), 15-20.
Van Harten, D. (2018, March 10). Urenlange storing ABN Amro na DDoS-aanval. ANP. Retrieved from
http://academic.lexisnexis.eu.proxy.uba.uva.nl:2048/?lni=5RV3-YJT1-F094-555R&csi=280434&oc=00240&perma=true
Vakilinia, I., & Sengupta, S. (2017, October). A coalitional game theory approach for cybersecurity information sharing. In Military Communications Conference,(MILCOM). IEEE.
Vázquez, D. F., Acosta, O. P., Spirito, C., Brown, S., & Reid, E. (2012, June). Conceptual framework for cyber defense information sharing within trust relationships. In Cyber conflict (CYCON), 2012 4th
international conference on (pp. 1-17). IEEE.
Wasko, M. M., & Faraj, S. (2005). Why should I share? Examining social capital and knowledge contribution in electronic networks of practice. MIS quarterly, 35-57.
Way, D. O., Jones, L., & Busing, N. (2000). Implementation strategies: Collaboration in primary care-family doctors & nurse practitioners delivering shared care. The Ontario College of Family Physicians. Yang, J. (2008), “The determinants of supply chain alliance performance: an empirical study”,
International Journal of Production Research, Vol. 47 No. 4, pp. 1055-1069.
Zboralski, K., Salomo, S. and Gemuenden, H.G. (2006), ‘‘Organizational benefits of communities of practice: a two-stage information processing model’’, Cybernetics and Systems: An International Journal, Vol. 37 No. 6, pp. 533-552.
Appendices
Appendix 1: Theory operationalization table
Concept: Information Sharing Collaborations
Conditions Description Indicators Interview question References Partnershi p coordinati on Partnership coordination involves the coordination of actions based on the mutual objectives of the participating organizations
Mutual objectives have been defined and agreed. It is clear who is
responsible for coordination in the partnership.
There is a clear view of the rationale for participation for each participant. It is clear who is in
charge of partnership activity on behalf of the participating
organizations.
Hoe wordt de samenwerking gecoördineerd? (zijn er regels met betrekking tot de deling van informatie etc.)? Narus and Anderson, 1987; Gualati and Zhelyazkov, 2012 Welke personen zijn er aangesteld voor het coördineren van de samenwerking? Hoe wordt het contact met de partners onderhouden? Op welke wijze worden afspraken met betrekking tot de deling van
20
gemaakt en vastgelegd? Commitme nt Commitment is achieved when partners make efforts on behalf of the collaboration Actions are taken that represent the interests of all participating organizations.
Wat is jullie belang bij het delen van informatie en welke acties ondernemen jullie om deze belangen te behartigen? (achterhalen of dit eigenbelang of groepsbelang betreft) Yang et al., 2008; Monczka et al.,1998; Porter et al., 1974 Trust Trust in collaborations is achieved when parties are able to rely on the efforts of one another and through interaction. The expectations of each other are also fulfilled. The participating
organizations have regular contact with each other.
In hoeverre kunnen jullie vertrouwen op de inbreng van andere partijen en visa versa? / Wat zijn de verwachtingen ten aanzien van het delen van bedreigingsinformatie? Monczka & al., 1998; Spekman, Kamauff & Myrh, 1998; Greer, 2017. Welke maatregelen worden er genomen om in vertrouwen bedreigingsinformatie te kunnen delen? Hoe verloopt het communicatieproces? (welke communicatiemiddele n worden er ingezet en hoe frequent?) Participati on Participation is about the extent to which the collaborative parties engage in the planning and goal setting. All participating organizations are engaged in the planning activities.
All the participating organizations are engage in the goal-setting.
In welke mate zijn jullie betrokken bij het opstellen van een planning die ten behoeve van het samenwerkingsverban d wordt opgesteld? / Wat is jullie rol daarin? Johson et al., 2017; Mohr and Spekman, 1994 Werken jullie gezamenlijk naar de oplossing toe of is dit voor ieder een individuele aanpak? Johson et al., 2017; Mohr and Spekman, 1994 Joint problem solving The agreement on the existence of a problem and a shared goal.
Every participant has an understanding of the shared problem. Every participant works
towards the goal.
Welk probleem of vraagstuk staat centraal binnen jullie samenwerkingsverban d en is dit voor iedereen duidelijk? Bunniss, Gray & Kelly, 2011; Greer, 2017; Johnson et al., 2017; Senge et al, 1994 Werken jullie gezamenlijk aan de oplossing van het probleem/de vraagstuk of pakt ieder van jullie dit individueel op?
21
Concept: Willingness to share (threat) information
Factors Description Indicators Interview questions References
Perceiving knowledge / informatio n as power Power around knowledge is created through the importance that organizations assign to it and by the value that has been assigned to the individuals owning the right kind of knowledge The possession of threat information is considered a competitive advantage. Sharing threat information is considered as a loss of power.
Wat voor rol speelt cyber bedreigings-informatie binnen jullie organisatie? Ipe, 2003; Davenport, 1997; Ardichvili, 2008; Hendarty et al., 2014; Gill-Garcia et al., 2007 Wat voor risico’s zie
jullie in het delen van informatie en hoe gaan jullie hiermee om?
Reciprocit y Sharing information with the expectation to receive ssomething in return
The sharing of threat information is seen as mutual process for all the participating organizations.
Wat zijn jullie verwachtingen van andere deelnemende partijen qua de deling van informatie? Ipe, 2003 and Homans, 1984 Relationsh ip with recipient The relationship with the recipient influences the sharing of information. The participating organizations trust each other.
Power and status of others influence the choice of organizations to share threat information.
Hoe waarborgen jullie het wederzijde vertrouwen binnen het samenwerkingsverban d? Du et al., 2012; Ipe, 2003; Chae et al., 2005; Gommans et al., 2015 Welke criteria nemen
jullie in afweging in de selectie van
organisaties met wie jullie informatie zouden willen delen?
Ipe, 2003; Hernandez-Ardieta et al., 2013; Huber, 1982 Rewards for sharing The probability of information sharing is positively related to the reward and negatively related to the penalties that organizations expect to receive by sharing knowledge/in formation The participating organizations make use of a reward
mechanisms for the sharing of information. There are no penalties
for the sharing of information.
Hoe wordt de deling van informatie gestimuleerd? O’Reilly & Pondy, 1980; Gupta & Hovindarajan, 2000 In hoeverre wordt jullie de ruimte geboden om actief informatie te delen met andere partijen?
Opportuni ties to share Involves all the formal and informal opportunities that enables the sharing of information The participating organizations have the opportunity to share information. Welke mogelijkheden hebben jullie om informatie te delen en volstaan deze? Ipe, 2003;
