Threat intelligence sharing between cybersecurity vendors: Network, dyadic, and agent views


The world is facing the continuous challenge of fighting cyber threats from offenders motivated by cybercrime, cyberwarfare, and cyberterrorism. When engaging a target, attackers have many asymmetric characteristics that work to their benefit. A notable example is the use of knowledge sharing between attackers to establish technological and time-to-market advantages, while in many cases the defenders operate in silos.


Technology and culture allow sharing between people and organizations, from social networks, through collaborative code writing, to crowdsourcing in the cybersecurity space. One of the emerging implementations of this trend is the sharing of real-time actionable information referred to as Cyber Threat Intelligence (CTI).


Although there are many deployments of threat intelligence sharing across different sectors, the relationships formed between cybersecurity vendors have an interesting attribute. Since the shared information is closely related to the core business of the firms, it presents a unique challenge of combining collaboration with competition, which has been referred to as coopetition.


This research aims to improve the understanding of threat intelligence sharing between cybersecurity vendors through an empirical study of the organizational characteristics, the dyadic relationships, and the network structure of the formed ecosystem. The insights provided are increasingly relevant given the growing trend of CTI sharing and the evolving number of vendor relationships. Some of the questions asked and answered in this article are: What insights can be derived from the network structure properties of the formed ecosystem? What are the characteristics of the established relationships and how do they reflect on the industry? Are there any properties common to sharing firms or associations between sharing behaviors and real-world market success?


The paper considers the three theoretical constructs of network structure, coopetition, and information sharing, viewed from the three complementary perspectives of industry, relationship, and firm, respectively. The study analyzes a uniquely collected and coded dataset of vendors and their announced threat-sharing relationships utilizing a deductive reasoning top-down approach, which is used to extract hypotheses from existing literature theories and match data-driven observations based on network (graph) theory and statistics against them. The findings are discussed in the context of the researched domain and transformed into conclusions.

Tel Aviv University, P.O. Box 39040, Tel Aviv 6997801, Israel
UI/UX Basch_Interactive