Factors Amplifying or Inhibiting Cyber Threat Intelligence Sharing

Abstract

The increasing frequency of cyberattacks by criminal and state-sponsored actors, has elevated the importance of cyber threat intelligence for organisations. We are interested to understand why practitioner share cyber threat intelligence and the impediments that prevent sharing. This paper addresses practitioners' perceptions of factors that influence cyber threat intelligence sharing. To find out the factors that influence why cyber security practitioners share or don't share. We conducted research interviews with nine cyber security practitioners using a semi-structured, open-ended interview guide which were recorded and transcribed. We also analysed the data using an approach informed by grounded theory. We coded the data, organised the data into themes, and used constant comparison to check our code's consistency and accuracy. Furthermore, we developed memos, from which our theory emerged. Ultimately, our analysis revealed a new phenomenon, which we call Cir-cumstantial Sharing. In circumstantial sharing, practitioners may rigorously discover and mitigate cyber threats and inform top management. However, practitioners my experience pressure from management not to share cyber threat intelligence with external organisations. This is significant because cyber threat intelligence sharing is an important weapon to resist future malicious cyber-attacks. We observed three main impediments to cyber threat intelligence sharing: fear of potential penalties imposed by regulatory authorities, concerns about sharing cyber threat findings with competitors or adversaries and the financial cost of sharing cyber threat intelligence. It is our hypothesis that overcoming the impediments we have observed will facilitate increased cyber threat intelligence sharing and hence help resistance to future cyber-attack.