{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,15]],"date-time":"2026-07-15T02:11:21Z","timestamp":1784081481703,"version":"3.55.0"},"reference-count":52,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2023,4,3]],"date-time":"2023-04-03T00:00:00Z","timestamp":1680480000000},"content-version":"vor","delay-in-days":92,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000005","name":"U.S. Department of Defense","doi-asserted-by":"publisher","award":["H98\u2009230-19-D-0003"],"award-info":[{"award-number":["H98\u2009230-19-D-0003"]}],"id":[{"id":"10.13039\/100000005","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,1,5]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The primary objective of the current study is to analytically examine the economic benefits an organization can obtain by receiving and processing cyber threat intelligence (CTI) shared by the US government. Our results show that the benefits from receiving CTI are closely associated with the difference between the threat level indicated by the CTI and the receiving organization\u2019s prior belief of the threat level. In addition, for the same difference between the threat levels indicated by the CTI and the organization\u2019s prior belief, our analyses show that the magnitude of adjustments to an organization\u2019s cybersecurity investments is inversely related to the organization\u2019s prior belief of the threat level. Thus, larger benefits can be obtained when the receiving organization\u2019s prior belief of a threat level is lower. Taken together, our results suggest that the common belief that it is optimal for a federal government agency or department to focus on sharing CTI related to vulnerabilities with the highest threat level is misguided. More generally, the benefits from CTI sharing can be improved if producers of CTI could develop a clearer understanding of the prior beliefs that organizations have concerning their threat level and focus on sharing CTI that is significantly different from those prior beliefs.<\/jats:p>","DOI":"10.1093\/cybsec\/tyad003","type":"journal-article","created":{"date-parts":[[2023,4,4]],"date-time":"2023-04-04T00:25:17Z","timestamp":1680567917000},"source":"Crossref","is-referenced-by-count":9,"title":["Maximizing the benefits from sharing cyber threat intelligence by government agencies and departments"],"prefix":"10.1093","volume":"9","author":[{"given":"Josiah","family":"Dykstra","sequence":"first","affiliation":[{"name":"Office of Innovation, National Security Agency, Ft. George G . Meade, MD 20755 , USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lawrence A","family":"Gordon","sequence":"additional","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland , College Park, MD 20742 , USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1175-6092","authenticated-orcid":false,"given":"Martin P","family":"Loeb","sequence":"additional","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland , College Park, MD 20742 , USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lei","family":"Zhou","sequence":"additional","affiliation":[{"name":"Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland , College Park, MD 20742 , USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2023,4,3]]},"reference":[{"key":"2023040400250957300_","article-title":"The state of threat feed effectiveness in the United States and United Kingdom","author":"Ponemon Institute","year":"2021"},{"key":"2023040400250957300_","article-title":"Presidential Decision Directive 63\/NSC, 22 May 1998","author":"Clinton"},{"key":"2023040400250957300_","article-title":"Executive Order 13691. Promoting private sector cybersecurity information sharing, 13 February 2015","author":"Obama"},{"key":"2023040400250957300_","article-title":"What is an ISAC or ISAO? How these cyber threat information sharing organizations improve security, 26 July 2022","author":"Vijayan"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"172","DOI":"10.1287\/deca.2018.0387","article-title":"Information sharing in cybersecurity: a review","volume":"16","author":"Pala","year":"2019","journal-title":"Decis Anal"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"tyz006","DOI":"10.1093\/cybsec\/tyz006","article-title":"To share or not to share: a behavioral perspective on human participation in security information sharing","volume":"5","author":"Mermoud","year":"2019","journal-title":"J Cybersecur"},{"key":"2023040400250957300_","article-title":"Executive perspectives on cyber threat intelligence: understanding the options, the value, and the market","author":"Gartner","year":"2019"},{"key":"2023040400250957300_","article-title":"Five criteria for purchasing from threat intelligence providers, 2017","author":"Tittel"},{"key":"2023040400250957300_","article-title":"Threat intelligence: top companies providing threat intelligence solutions","author":"Threat Technology"},{"key":"2023040400250957300_","volume-title":"Information sharing and awareness","author":"CISA"},{"key":"2023040400250957300_","article-title":"Department of Homeland Security. DHS made limited progress to improve information sharing under the Cybersecurity Act in calendar year 2017 and 2018, September 2020","author":"Office of Inspector General (OIG)"},{"key":"2023040400250957300_","volume-title":"Automated indicator sharing","author":"CISA"},{"key":"2023040400250957300_","article-title":"Lessons from using the I-Corps methodology to understand cyber threat intelligence sharing","volume-title":"12th {USENIX} Workshop on Cyber Security Experimentation and Test ({CSET} 19)","author":"Dykstra","year":"2019"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/cybsec\/tyac001","article-title":"Overcoming information challenges in cyber defense exercises","volume":"8","author":"Brilingaite","year":"2022","journal-title":"J Cybersecur"},{"key":"2023040400250957300_","article-title":"SANS cyber threat intelligence (CTI) survey","author":"Lee","year":"2020"},{"key":"2023040400250957300_","volume-title":"Success stories in cybersecurity information sharing","author":"Turetsky","year":"2020"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"180","DOI":"10.1177\/0165551508095781","article-title":"The dark side of information: overload, anxiety and other paradoxes and pathologies","volume":"35","author":"Bawden","year":"2009","journal-title":"J Inf Sci"},{"key":"2023040400250957300_","author":"CISA"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"383","DOI":"10.2307\/3003640","article-title":"Collusion and the incentives for information sharing","volume":"14","author":"Clarke","year":"1983","journal-title":"Bell J Econ"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"409","DOI":"10.2307\/2555617","article-title":"Trade association disclosure rules, incentives to share information, and welfare","volume":"21","author":"Vives","year":"1990","journal-title":"Rand J Econ"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"455","DOI":"10.2307\/2555968","article-title":"Information sharing in oligopoly: the truth-telling problem","volume":"24","author":"Ziv","year":"1993","journal-title":"Rand J Econ"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"33","DOI":"10.3233\/JCS-2009-0398","article-title":"The impact of information security breaches: has there been a downward shift in costs?","volume":"19","author":"Gordon","year":"2011","journal-title":"J Comput Secur"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"216","DOI":"10.1016\/j.cose.2015.12.006","article-title":"The impact of information security events to the stock market: a systematic literature review","volume":"58","author":"Spanos","year":"2016","journal-title":"Comput Secur"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"461","DOI":"10.1016\/j.jaccpubpol.2003.09.001","article-title":"Sharing information on computer systems security: an economic analysis","volume":"22","author":"Gordon","year":"2003","journal-title":"J Account Public Policy"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1287\/isre.1050.0053","article-title":"The economic incentives for sharing security information","volume":"16","author":"Gal-Or","year":"2005","journal-title":"Inf Syst Res"},{"key":"2023040400250957300_","first-page":"1219","article-title":"Cyber-investment and cyber-information exchange decision modeling","volume-title":"2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems 2015","author":"Tosh","year":"2015"},{"key":"2023040400250957300_","first-page":"1","article-title":"Inter-temporal incentives in security information sharing agreements","volume-title":"Workshops at the Thirtieth AAAI Conference on Artificial Intelligence","author":"Naghizadeh","year":"2016"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"327","DOI":"10.1016\/j.eswa.2017.06.042","article-title":"Information sharing vs. privacy: a game theoretic analysis","volume":"88","author":"Ezhei","year":"2017","journal-title":"Expert Syst Appl"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"361","DOI":"10.1007\/s10799-015-0253-1","article-title":"Economic incentives in security information sharing: the effects of market structures","volume":"17","author":"Gao","year":"2016","journal-title":"Inf Technol Manag"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"23","DOI":"10.3390\/g8020023","article-title":"Security investment, hacking, and information sharing between firms and between hackers","volume":"8","author":"Hausken","year":"2017","journal-title":"Games"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1007\/978-3-319-67540-4_14","article-title":"Risk management using cyber-threat information sharing and cyber-insurance","volume-title":"International Conference on Game Theory for Networks","author":"Tosh","year":"2017"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1016\/j.jaccpubpol.2015.05.001","article-title":"The impact of information sharing on cybersecurity underinvestment: a real options perspective","volume":"34","author":"Gordon","year":"2015","journal-title":"J Account Public Policy"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3124398","article-title":"Strategic aspects of cyber risk information sharing","volume":"50","author":"Laube","year":"2017","journal-title":"ACM Comput Surv (CSUR)"},{"key":"2023040400250957300_","first-page":"436","article-title":"Economic model for evaluating the value creation through information sharing within the cybersecurity information sharing ecosystem","volume-title":"Fut Gener Comput Sys","author":"Rashid","year":"2021"},{"key":"2023040400250957300_","article-title":"Executive Order 13356. Strengthening the sharing of terrorism information to protect Americans","author":"Bush","year":"2004"},{"key":"2023040400250957300_","article-title":"National strategy for information sharing and safeguarding","author":"The White House","year":"2012"},{"key":"2023040400250957300_","article-title":"Executive Order 13636","volume-title":"Improving Critical Infrastructure Cybersecurity","author":"Obama","year":"2013"},{"key":"2023040400250957300_"},{"key":"2023040400250957300_","author":"CISA"},{"key":"2023040400250957300_","volume-title":"Guide to Cyber Threat Information Sharing, NIST Special Publication 800-150","author":"National Institute of Standards and Technology (NIST)"},{"key":"2023040400250957300_"},{"key":"2023040400250957300_","first-page":"85","article-title":"The economics of sharing unclassified cyber threat intelligence by government agencies and departments","volume":"13","author":"Dykstra","year":"2022","journal-title":"J Inf Secur"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/j.cose.2019.03.010","article-title":"Threat modeling\u2014a systematic literature review","volume":"84","author":"Xiong","year":"2019","journal-title":"Comput Secur"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1093\/cybsec\/tyw002","article-title":"The economics of mandatory security breach reporting to authorities","volume":"2","author":"Laube","year":"2016","journal-title":"J Cybersecur"},{"key":"2023040400250957300_","article-title":"The value of threat intelligence: annual study of North American & United Kingdom companies","author":"Ponemon Institute","year":"2019"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1016\/0361-3682(90)90005-F","article-title":"Information overload: a temporal approach","volume":"15","author":"Schick","year":"1990","journal-title":"Account Organ Soc"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"688","DOI":"10.1111\/j.1756-2171.2009.00085.x","article-title":"Information congestion","volume":"40","author":"Anderson","year":"2009","journal-title":"Rand J Econ"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Trans Inf Syst Secur (TISSEC)"},{"key":"2023040400250957300_","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1007\/978-0-387-09762-6_5","article-title":"Productivity space of information security in an extension of the Gordon-Loeb\u2019s investment model","volume-title":"Managing Information Risk and the Economics of Security","author":"Matsuura","year":"2009"},{"key":"2023040400250957300_","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1214\/aoms\/1177729694","article-title":"On information and sufficiency","volume":"22","author":"Kullback","year":"1951","journal-title":"Ann Math Stat"},{"key":"2023040400250957300_"},{"key":"2023040400250957300_","article-title":"Commission Statement and guidance on public company cybersecurity disclosure","author":"Securities and Exchange Commission","year":"2018"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyad003\/49736345\/tyad003.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyad003\/49736345\/tyad003.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,12,10]],"date-time":"2023-12-10T04:59:10Z","timestamp":1702184350000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyad003\/7100879"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,1]]},"references-count":52,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,5]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyad003","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2023,1,1]]},"published":{"date-parts":[[2023,1,1]]},"article-number":"tyad003"}}