ACE Seminar: A Model for Secure and Mutually Beneficial Software Vulnerability Sharing in Competitive Environments

Speaker: Prof Carlos Cid

Date/Time: 02-Feb-2017, 16:00 UTC




In this talk we consider the incentives behind investments by companies in the discovery of cyber-security intelligence and the sharing of their findings with competitors. Specifically, we propose a game-theoretic model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing on software vulnerability sharing. We initially describe a two-stage game in which firms must decide how much to invest in researching vulnerabilities and, thereafter, how much of their findings to share with competitors. We fully characterise the Perfect Bayesian Equilibria of this game and translate them into realistic insights about the firms' strategies. We then consider a natural extension, allowing security information to be associated with different categories and severities while relaxing some of the earlier player-homogeneity assumptions. Further, we develop a monetary-free sharing mechanism that encourages both investment in and sharing of information. This can be achieved either by a lightweight mediator or via a novel private set operation (PSO) protocol that allows bilateral trading between the two entities up to a mutually agreed threshold on the value of the information shared, keeping all other input information secret. Our research helps to explain the origins of some observable inefficiencies in cyber-intelligence information sharing, with the resulting model and protocol providing a framework for practical and secure cyber-security information sharing between competing entities.
The talk is based on joint work with A. Davidson, G. Fenn, A. Khouzani and V. Pham, which appeared at GameSec 2014 and WISCS 2016.
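The mediator-based variant of the sharing mechanism described above, as an added illustration that is not the speaker's or the papers' own protocol: two firms hand their private, severity-scored findings to a lightweight mediator, which releases to each side only a value-balanced bundle of the counterparty's findings, capped by the agreed threshold, and keeps everything else hidden. The data classes, the greedy selection rule, the constructed inventories and the identifiers are all assumptions made for this example; the PSO protocol that removes the mediator is not modelled here.

```python
"""Illustrative mediated, threshold-bounded vulnerability exchange.

Added example, not the paper's protocol. A trusted lightweight mediator sees
both inventories, works out which findings each side lacks, and returns to
each party a bundle of the other's findings whose total severity value is
(a) no more than the agreed threshold and (b) equal on both sides, so that
neither firm gives away more value than it receives. Unselected findings are
never revealed to the counterparty. All names and the greedy rule are
assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str     # internal tracking id (constructed for this example)
    category: str    # e.g. "web", "kernel"
    severity: int    # value of the information to the recipient


def unknown_to(holder: dict, other: dict) -> list:
    """Findings the holder has that the other party lacks, most valuable first."""
    return sorted((f for vid, f in holder.items() if vid not in other),
                  key=lambda f: (-f.severity, f.vuln_id))


def select_bundle(candidates: list, budget: int):
    """Greedy: take findings in severity order while the cumulative value fits."""
    chosen, total = [], 0
    for f in candidates:
        if total + f.severity <= budget:
            chosen.append(f)
            total += f.severity
    return chosen, total


def mediate(a: dict, b: dict, threshold: int) -> dict:
    """Compute a balanced exchange capped at `threshold` per side.

    The cap shrinks to the smaller side's value until both bundles carry the
    same value; each iteration strictly lowers the cap, so the loop terminates
    (in the worst case with an empty, zero-value exchange).
    """
    a_offers = unknown_to(a, b)   # what A could give B
    b_offers = unknown_to(b, a)   # what B could give A
    cap = threshold
    while True:
        a_bundle, a_val = select_bundle(a_offers, cap)
        b_bundle, b_val = select_bundle(b_offers, cap)
        if a_val == b_val:
            break
        cap = min(a_val, b_val)   # strictly smaller than the current cap
    # A receives B's bundle and vice versa; nothing else leaves the mediator.
    return {"to_a": b_bundle, "to_b": a_bundle, "value_each": a_val}


# Constructed sample inventories; "SHARED-1" is already known to both sides.
FIRM_A = {
    "A-1": Finding("A-1", "web", 5),
    "A-2": Finding("A-2", "kernel", 3),
    "SHARED-1": Finding("SHARED-1", "web", 2),
}
FIRM_B = {
    "B-1": Finding("B-1", "kernel", 4),
    "B-2": Finding("B-2", "web", 4),
    "B-3": Finding("B-3", "web", 1),
    "SHARED-1": Finding("SHARED-1", "web", 2),
}
THRESHOLD = 6   # mutually agreed cap on the value exchanged per side


def run_example() -> dict:
    """Run the mediated exchange on the constructed inventories."""
    return mediate(FIRM_A, FIRM_B, THRESHOLD)


if __name__ == "__main__":
    result = run_example()
    print("A receives:", [f.vuln_id for f in result["to_a"]])
    print("B receives:", [f.vuln_id for f in result["to_b"]])
    print("value exchanged per side:", result["value_each"])
```

With these inputs A offers A-1 (5) and A-2 (3), B offers B-1, B-2 (4 each) and B-3 (1); under a cap of 6 the greedy rule gives B the single finding A-1 and gives A the pair B-1 and B-3, five units of value each way, while A-2, B-2 and the already-common SHARED-1 stay private. The greedy rule is a stand-in for whatever valuation the two firms actually agree on; the point the example makes is that the mediator's output, not its inputs, is all that crosses the boundary between competitors.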


Carlos Cid is a professor in the Information Security Group (ISG) at Royal Holloway, University of London. His main research interests are cryptology and cyber economics. Carlos has a PhD in Pure Mathematics (Brasilia, Brazil). In the early 2000s he worked as a post-doctoral researcher at RWTH Aachen and as a software engineer in a network security start-up in Ireland. Carlos joined the ISG in 2003 and is currently the Director of Royal Holloway's Centre for Doctoral Training in Cyber Security.

