What enables threat intelligence sharing? How can this be governed in a community of peers? This master's thesis research was carried out at the National Cyber Security Center of the Netherlands, taking the National Detection Network as a case study.
Find the thesis document in the TU Delft repository.
Organizations benefit from improved cybersecurity threat detection capabilities if they share information in a community of their peers. However, organizations are unlikely to share the sensitive information that is most valuable, as doing so poses individual risks. Information sharing in cybersecurity communities therefore forms a collective action problem.
Currently, cybersecurity information sharing is being studied primarily as a technological challenge. Drawing on theory from economics and the social sciences, this study proposes governance requirements to overcome individual interests and improve information sharing. These are used to design a governance structure for the case of the National Detection Network, a cybersecurity community initiated by the government of the Netherlands.
The proposed governance meets the interests of the parties through a process of interactive decision-making in four phases, while incentivizing the sharing of cybersecurity information. Lessons are drawn from the case for cybersecurity communities in general.
Approach and conclusions
The research question of the thesis is: How can information sharing in the National Detection Network be incentivized?
Interviews were carried out with 8 participants in the National Detection Network, as well as stakeholders at the NCSC and AIVD. Furthermore, 8 domain experts were asked for an outside view on threat intelligence sharing in this community.
The NCSC can make the collective goals of the NDN community explicit by involving participants in a process of interactive decision-making, in which like peers are motivated to share information in decentralized trust circles through the institution of comparative reputational metrics.
A four-phase governance design is proposed through which the NCSC could transition the National Detection Network community to this state. It is described in Chapter 6. This governance design meets the six requirements that the study formulates for governance to improve cybersecurity information sharing:
- It must unite participants around a collective problem that is made explicit;
- It should have a clear legal framework for information sharing;
- Decisions should be reached collaboratively;
- It must decrease the costs of sharing information;
- It should increase the individual rewards of sharing information; and
- Large communities could be organized in nested enterprises.
Figure 4.2: Approximate volume of events shared in the NDN by the NCSC, by source
Figure 6.2: Actor analysis of CTI capability vs. engagement in NDN community