
Computers & Security 87 (2019) 101589


journal homepage: www.elsevier.com/locate/cose

Cyber threat intelligence sharing: Survey and research directions


Thomas D. Wagner∗, Khaled Mahbub, Esther Palomar, Ali E. Abdallah
Birmingham City University, Curzon Street, Birmingham, B4 7XG, UK

Article history:
Received 6 May 2018
Revised 22 January 2019
Accepted 6 August 2019
Available online 6 August 2019

Keywords: Advanced persistent threat; Cyber threat intelligence; Threat sharing; Relevance; Trust; Anonymity; Literature survey

Abstract

Cyber Threat Intelligence (CTI) sharing has become a novel weapon in the arsenal of cyber defenders to proactively mitigate increasing cyber attacks. Automating the process of CTI sharing, and even the basic consumption, has raised new challenges for researchers and practitioners. This extensive literature survey explores the current state of the art and approaches different problem areas of interest pertaining to the larger field of sharing cyber threat intelligence. The motivation for this research stems from the recent emergence of sharing cyber threat intelligence and the involved challenges of automating its processes. This work comprises a considerable number of articles from academic and gray literature, and focuses on technical and non-technical challenges. Moreover, the findings reveal which topics were widely discussed, and hence considered relevant by the authors and cyber threat intelligence sharing communities.

© 2019 Elsevier Ltd. All rights reserved.

1. Introduction

Cyber Threat Intelligence (CTI) sharing promises to be a new method to create situation awareness among sharing stakeholders (Sigholm and Bang, 2013). Moreover, it is seen as a necessity to survive current and future attacks by working proactively instead of only reactively. It may become obligatory for organizations to have a threat intelligence program as part of proactive cyber security and to share their information. Stakeholders may in the future be held responsible for not sharing known threats that affected others and resulted in a breach. The core idea behind threat intelligence sharing is to create situation awareness among stakeholders through sharing information about the newest threats and vulnerabilities, and to swiftly implement the remedies. Furthermore, CTI can aid stakeholders in making tactical decisions. It is a challenging task for practitioners to implement a CTI program that consumes and disseminates the information in a timely fashion. Moreover, stakeholders struggle to implement a system that properly consumes CTI and makes the information relevant. The biggest challenge that most practitioners may face, before sharing their own CTI, is how to make use of information, i.e., how to comprehend the information and implement its remedy. The literature reveals that stakeholders would like to participate in an effective and automated sharing process, but insufficient models and tools render it challenging (Vazquez et al., 2012). Nevertheless, manual sharing is a widely used approach to exchange information about vulnerabilities, i.e., stakeholder-to-stakeholder sharing where a trusted relationship already exists, or sharing through trusted groups such as an Information Sharing and Analysis Center (ISAC).1 The goal is to create situation awareness among stakeholders and to be alerted about a threat as quickly as possible. A manual approach to sharing CTI may, however, be ineffective for several reasons, for instance slow sharing of new threats, the human error rate during processing, or subjective relevance filtering. Consequently, automating some of the processes may increase the effectiveness of CTI sharing. CTI sharing occurs on a global scale and every country has different laws and regulations regarding which information attributes are considered private; for example, what can be legally shared and what has to be anonymized. This literature survey focuses on current challenges that may impede the sharing process. Actionability of threat information is discussed by various sources, which reflect the following attributes: trust, reputation, relevance, anonymity, timeliness, and data interoperability. Trust is a fundamental pillar of any information sharing program; therefore trusted relationships have to be established before any critical threat intelligence is shared. Governance, management, policies, and legal factors that may support or impede CTI sharing were analyzed. Threat intelligence is mostly shared on a national level, but international exchanges are gaining momentum, especially between larger organizations that operate worldwide. Nevertheless, some groups strictly share on a national level, such as the Cyber Security Information Sharing Partnership (CiSP)2 in the United Kingdom. Human behavior, as well as cultural and language barriers regarding CTI sharing, are briefly discussed to emphasize the challenges faced among international stakeholders. Incentives are offered by various authors to encourage stakeholders to participate in a threat sharing model. The major challenge is for organizations to understand how important a CTI sharing program is and will be in the future, and then, consequently, to invest time and money to build such a program. Due to the relatively recent emergence of CTI sharing and of automating its processes, and the resulting limited availability of academic literature, gray literature has been included in the survey.

The rest of the paper is organized as follows: Section 2 generically elaborates on CTI sharing. Section 3 discusses the actionability of CTI. Section 4 presents the regulations. Section 5 provides a summary. Lastly, Section 6 concludes our work.

∗ Corresponding author.
E-mail addresses: [email protected] (T.D. Wagner), [email protected] (K. Mahbub), [email protected] (E. Palomar), [email protected] (A.E. Abdallah).
1 Information Sharing and Analysis Center: https://tinyurl.com/ybxqtk56.
2 Cyber Security Information Sharing Partnership: https://tinyurl.com/h5r6sv5.
https://doi.org/10.1016/j.cose.2019.101589
0167-4048/© 2019 Elsevier Ltd. All rights reserved.

2. Cyber threat intelligence sharing

In this section we discuss different aspects of CTI sharing, including automation, collaboration, indicators, industry sector sharing, benefits, risks, the human role, and cultural and language barriers.

2.1. Automated sharing of CTI

CTI is not simply information; it is information that has been analyzed and is actionable (Farnham and Leune, 2013). Current sharing methods are heavily based on manual input and therefore labor intensive. As shown in Fig. 1, current CTI sharing is conducted through e-mails, phone calls, web-community portals (Sander and Hailpern, 2015), shared databases, and data feeds (Brown et al., 2015). Automation is a necessity to cope with the flood of internal alerts and externally received information about vulnerabilities (Kijewski and Pawliński, 2014). Recent years have demonstrated a trend towards the building of communities for the semi-automated exchange of CTI (Sillaber et al., 2016). Automation is the key to successful CTI sharing, but there are no mechanisms available to automate large-scale information sharing (Dandurand and Serrano, 2013). Current threat intelligence platforms provide limited mechanisms for automation (Sauerwein et al., 2017). According to the Ponemon Institute survey conducted in 2014, 39% of participants answered that slow and manual sharing processes impede full CTI exchange participation, and 24% answered that slow and manual sharing processes keep them from sharing at all (LLC, 2014). For example, slow and manual processes may be copying and pasting spreadsheets or meeting other peers to share information. Data processing is mainly done manually because analysts have to evaluate the problem (Pawlinski et al., 2014), implement the solution, and share the information. Manual data preparation is labor intensive and time consuming, and renders information rapidly obsolete. The analyst has to prepare the information for sharing with trusted stakeholders. Not only does the outgoing information have to be manually prepared, but the incoming intelligence also has to be analyzed regarding content relevance, trust in source and stakeholder, impact, and other factors relevant to the stakeholders. For example, the risk priority at the end of the analysis defines the triage of the CTI. Human errors, such as miscommunication, are limited through automation (Rutkowski et al., 2010). The analyst cannot be completely replaced in the near future, but support systems for automated exchange, analysis, and decision making enhance the efficiency of sharing and thus of thwarting cyber attacks.

[Fig. 1: a Stakeholder exchanging CTI manually via E-Mails, Meetings, Phone Calls, Shared Databases, Data Feeds, and Web Portals.]
Fig. 1. Manual threat intelligence sharing: This figure illustrates various ways of manual CTI sharing.

Automated data analysis, collaboration, and sharing of CTI are imperative to cope with current and future cyber attacks (Vazquez et al., 2012). The aim of automated CTI exchange is to simplify and speed up the sharing process, documentation, assessment, and remediation of security information (Kampanakis, 2014). Stakeholders have different resources available for detection and defense; ergo, inequality in the quantity and quality of the intelligence is predictable. The course of action is therefore important to stakeholders who do not possess the financial means to further analyze threat information. Tagging and classification during collection are essential for effective search and discovery as well as for identifying trends through statistics, more advanced data analytics, and visualization (Brown et al., 2015). The scarcity of experts to analyze the gargantuan supply of threats (Moriarty, 2013) and the resulting increase of data (Cormack, 2011) emphasize the need for automation. Promising and widely accepted protocols in the community, developed by the US Government and Mitre, are the Structured Threat Information Expression (STIX)3 and the Trusted Automated eXchange of Indicator Information (TAXII)4. They address structured cyber security needs such as analyzing cyber threats, specifying indicator patterns, managing response activities, and sharing cyber threat information (Appala et al., 2015). The European Telecommunications Standards Institute (ETSI) follows up on the European Union Agency for Network and Information Security (ENISA) recommendation5 for European Union member states to implement the globally accepted CTI sharing standards STIX/TAXII (Rutkowski and Compans, 2017). Nevertheless, other languages to describe and share CTI have been published (Rutkowski and Compans, 2018). Table 1 lists some of the most popular languages for CTI description and sharing.

3 Structured Threat Information Expression (STIX): https://tinyurl.com/ybjgmoc7.
4 Trusted Automated eXchange of Indicator Information (TAXII): https://tinyurl.com/ybjgmoc7.
5 The Directive on security of network and information systems (NIS Directive): https://tinyurl.com/jpw7kqz.

A note on priority: actionable intelligence is appreciated, but automated defense in response to intelligence is preferred (Moriarty, 2013).

The following use case depicts automated sharing:

Table 1
CTI protocols.

Structured Threat Information eXpression (STIX)
    Structured language for CTI sharing (human and machine readable in JSON)
    https://tinyurl.com/ybjgmoc7
Trusted Automated eXchange of Indicator Information (TAXII)
    Transport protocol for sharing CTI (open transport mechanism with native support for HTTP and HTTPS)
    https://tinyurl.com/ybjgmoc7
Open Threat Partner Exchange (OpenTPX)
    Open source language that supports machine-readable threat intelligence sharing in JSON
    https://tinyurl.com/yd5uopkc
Malware Attribution Enumeration and Characterization (MAEC)
    A standardized language for sharing structured information about malware (human and machine readable in XML)
    https://tinyurl.com/yb35uj9k
Incident Object Description Exchange Format (IODEF)
    Framework for sharing computer security incidents in XML
    https://tinyurl.com/ych8ekus
Vocabulary for Event Recording and Incident Sharing (VERIS)
    Language to describe structured security events
    https://tinyurl.com/y9uvh9yx
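The STIX entry in Table 1 and the Organization A use case of Section 2.1 that follows it (a URL indicator for the Ursnif downloaders, received through a TIP, correlated with archived data, and turned into a block) can be made concrete. The Python below is an added example written for this edit, not code from the paper, from OASIS, or from any platform in Table 2. It builds a STIX 2.1 bundle carrying that URL indicator (constructed inline; the object identifiers, timestamps and the SHA-256 value are invented, and the pattern keeps the defanged "[.]" form in which many feeds deliver it), then acts as a minimal consumer that refangs the value, correlates the hostname against a constructed archive of previously seen indicators, and emits block rules. Only simple comparison patterns are handled; anything else is left for an analyst.

```python
"""Added example (not from the paper): a minimal STIX 2.1 indicator consumer.

Builds a STIX 2.1 bundle carrying the URL indicator from the Organization A
use case (Section 2.1), refangs it, correlates it with a constructed archive
of previously seen indicators, and emits block rules. STIX identifiers,
timestamps, the SHA-256 value, and the archive contents are invented for
this example.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample bundle. A STIX 2.1 Indicator carries its observable in
# the STIX patterning language; the URL value is kept defanged ("[.]") as
# feeds often deliver it, so the consumer has to refang before use.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6ef5b1a0-0000-4000-8000-000000000001",  # hypothetical id
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6ef5b1a0-0000-4000-8000-000000000002",  # hypothetical
            "created": "2018-05-06T10:00:00.000Z",
            "modified": "2018-05-06T10:00:00.000Z",
            "name": "Ursnif banking malware downloader site",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[url:value = 'http://mondaynightfundarts[.]com/images/Nu48djdi']",
            "valid_from": "2018-05-06T10:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6ef5b1a0-0000-4000-8000-000000000003",  # hypothetical
            "created": "2018-05-06T10:00:00.000Z",
            "modified": "2018-05-06T10:00:00.000Z",
            "name": "Downloader payload (constructed hash, not a real sample)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
            "valid_from": "2018-05-06T10:00:00Z",
        },
    ],
})

# Constructed archive of indicators the organization already holds, keyed by
# normalized hostname or lowercase hash; used to correlate old and new CTI.
ARCHIVE = {"mondaynightfundarts.com": ["indicator--old-0001"]}

# Only simple comparison expressions are handled here; composite patterns
# (AND, OR, FOLLOWEDBY) do not match and are left to an analyst.
_SIMPLE = re.compile(r"^\[(?P<path>[\w\-:.']+)\s*=\s*'(?P<value>[^']*)'\]$")


def refang(value: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., (dot) -> ."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("(dot)", ".")


def defang(host: str) -> str:
    """Defang a hostname for safe display in reports and tickets."""
    return host.replace(".", "[.]")


def extract_iocs(bundle_json: str) -> list:
    """Return (indicator_id, object_path, refanged_value) per simple indicator."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = _SIMPLE.match(obj.get("pattern", ""))
        if not match:
            continue  # unsupported pattern: do not guess a block rule from it
        found.append((obj["id"], match.group("path"), refang(match.group("value"))))
    return found


def to_block_rules(bundle_json: str, archive=ARCHIVE) -> list:
    """Map URL/domain indicators to host blocks and SHA-256 indicators to file
    blocks, flagging each with whether the archive already knows the value."""
    rules = []
    for ind_id, path, value in extract_iocs(bundle_json):
        if path == "file:hashes.'SHA-256'":
            digest = value.lower()
            rules.append({"action": "block-file", "sha256": digest,
                          "source": ind_id, "known": digest in archive})
            continue
        if path == "url:value":
            host = urlsplit(value).hostname
        elif path == "domain-name:value":
            host = value
        else:
            continue
        if not host:
            continue  # malformed URL: nothing safe to block
        host = host.lower().rstrip(".")
        rules.append({"action": "block-host", "host": host, "display": defang(host),
                      "source": ind_id, "known": host in archive})
    return rules


if __name__ == "__main__":
    for rule in to_block_rules(SAMPLE_BUNDLE):
        print(rule)
```

The "known" flag is the correlation step of the use case: a hostname already in the archive is a confirmation rather than new intelligence, while a new one is what the block rule is for. Composite patterns are deliberately not parsed; handing an unrecognized pattern to an analyst is safer than guessing a block rule from it, in line with the paper's point that automation supports the analyst rather than replacing them.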

[Fig. 2: three sharing models drawn as groups of Stakeholders connected directly to each other (Peer to Peer Sharing), through a Repository (Peer to Repository Sharing), or both (Hybrid Sharing).]
Fig. 2. Sharing models: This figure visualizes the 3 common models in CTI sharing. Peer-Peer allows for direct CTI sharing. Peer-Repository (hub-spoke) enables peers to subscribe to published events. Hybrid sharing combines the aforementioned models.

• Organization A is setting up a threat intelligence sharing tions to be coordinated within and among communities of devices
program to gather information about relevant vulnerabili- (McConnell, 2011).
ties. A Threat Intelligence Platform (TIP) is used to con- To effectively exchange CTI, stakeholders need to use an ex-
nect to CTI repositories, visualize their content, and corre- change model which is realistically coupled to technology. Most
late archived information with newly sourced one. Organiza- stakeholders would like to share cyber intelligence, but success-
tion A received information about the “Ursnif bank ing mal- ful models are missing (Vazquez et al., 2012) or are incomplete.
ware downloaders” which install further malware from “http:// To be effective, CTI should be exchanged globally, but cultural dif-
mondaynightfundarts[.]com/images/Nu48djdi ”. The stakeholder ferences may impede the threat exchange. Challenges lie in the
can now search for affected downloaders in the system and communication, in the language itself, and comprehension of spe-
block the malware site before it becomes infected. cialized words. Members usually come from different backgrounds
and even speak different languages which can negatively effect the
2.2. CTI sharing collaboration quality of the knowledge (Abouzahra and Tan, 2014). A common
reason why organizations do not share their CTI is that they be-
A CTI sharing collaboration is being built between stakeholders, lieve they do possess nothing worth sharing and that competi-
as a peer-to-peer, peer-to-hub, or a hybrid exchange (Fig. 2). tors use the information against them (Chismon and Ruks, 2015).
These stakeholders share similar interests in attack patterns or Very limited support for efficient collaboration is presently avail-
belong to the same industry sector. To be more effective, future able (Dandurand and Serrano, 2013). Mandatory CTI exchange may
cyber ecosystems should include security capabilities built into be enforced by various governments to enhance sharing and im-
cyber devices that allow preventive and defensive course of ac- prove CTI quality. Benefits of mandatory sharing are the advise
4 T.D. Wagner, K. Mahbub and E. Palomar et al. / Computers & Security 87 (2019) 101589

from authorities on how to effectively invest in preventive and de- mised hosts and malware (Ciobanu et al., 2014). CTI libraries that
tective measures, and authorities can warn firms regarding ongoing store indicators are used to link historic indicators to newly discov-
threats (Laube and Böhme, 2015). Organizations that have been tar- ered ones using big data technologies (Chismon and Ruks, 2015).
geted by state-sponsored attacks require a closer sharing and col- CTI indicators focus on enterprise IT and neglect newer fields such
laboration with the government (Zheng and Lewis, 2015). as the Internet of Things (IoT), Industrial Internet of Things (IIoT)
According to the European Union Agency for Network and In- and the automotive area. Nevertheless, these devices, or embedded
formation Security (ENISA), 80 initiatives and organizations and devices, are connected to the back end and may benefit from CTI
more than 50 national and governmental Computer Security In- indicators that were intended for the enterprise IT.
cident Response Teams (CSIRTs) are involved in CTI sharing at
European Union (EU) and European Economic Area (EEA) level
2.4. Industry sector sharing
(Deloitte et al., 2015). Many organizations have discovered that
CTI exchange is a necessity to survive future attacks rather than a
Governments and organizations have created industry specific
fad. Governments, including EU member states, the United States,
sharing groups such as in the, inter alia, finance, retail, academia,
Japan, and Korea, have made efforts to enhance and expand in-
automotive, electricity, and industrial sectors to share specific CTI.
formation sharing (Goodwin et al., 2015). According to a survey
These groups are trying to mitigate sector specific vulnerabilities
from 2012, 35% of Computer Emergency Response Teams (CERTs)
(Burger et al., 2014) such as card payment vulnerabilities in the
share their incident data, 33% automatically correlate incidents,
financial and retail sector, and car software bugs in the automotive
and 40% use the shadowserver foundation as an external source
sector. The following use case describes a threat in the automotive
(Kijewski and Pawliński, 2014). In the United Kingdom, the Cyber
sector and how to mitigate the threat through CTI sharing:
Security Information Sharing Partnership (CiSP) initiative had 777
organizations and 2223 individuals joined by 2014 to share knowl- • The infotainment system is a critical part of the car. It can
edge about security incidents (Murdoch and Leaver, 2015). On the be accessed through a cell phone, and may contain Person-
negative side, collaborated CTI exchange can also be a privacy risk ally Identifiable Information (PII). A vulnerability inside the cell
when data is shared on an application level. It may contain pri- phone’s application was detected by Stakeholder A, a member
vate information that could be sold on the dark web (Sharma et al., of the AUTO-ISAC, who shared the information immediately.
2014). If an organization does not participate in any form of threat Stakeholder B, a further member, used the provided informa-
intelligence sharing or consumption, the increasing attacks may tion to detect a vulnerability in a similar application. The vul-
damage an entity beyond oblivion. This may be mitigated by pro- nerability was ameliorated before it could be abused.
ducing and consuming threat intelligence. The loss or damage of
assets can be devastating to an organization, but also the resulting The research in Ahrend et al. (2016) describes the sharing
reputation and brand damage can provoke further damages and across the domains as “boundary objects”, which span the bound-
thus, act as an incentive (Bauer and Van Eeten, 2009). aries of the practices of communities that are commonly under-
The research in Edwards et al. (2001) presented a U.S. stood by all communities. “Boundary objects” means that infor-
patent pertaining to the collection, analysis, and distribution mation can be used by different communities (Star and Griese-
of CTI in 2002. This was one of the first frameworks to mer, 1989), or CTI sharing industry sectors. The advantage of sec-
share information about security vulnerabilities. The research in tor sharing is that a problem can be solved together in real time
Kamhoua et al. (2015) presented a game theoretic model for CTI (Goodwin et al., 2015). Furthermore, CTI is more relevant to stake-
sharing in the cloud. The model focused on trade-offs between holders due to similar systems and vulnerabilities. Organizations
the security and risks of sharing CTI. Furthermore, the model cal- and institutions are heterogeneous and represent different inter-
culates the motivation of stakeholders to share CTI when they ests (Leszczyna and Wróbel, 2014). Hence, with sharing sectors and
are easy to discover. The work in Andrian et al. (2017) intro- groups a common interest in threats and vulnerabilities can be
duced a category theory based approach to share threat intelli- achieved.
gence using STIX. Furthermore, the authors extend their model by According to Shackleford (2015), 56% of stakeholders receive
using the Functional Query Language (FQL) to make their model CTI from vendors, 54% collect intelligence from public CTI feeds,
more practical. The research in Mutemwa et al. (2017) presented and 53% gather CTI from open source feeds. The work in
a threat sharing model for developing countries, i.e., South Africa. Moriarty (2013) describes the core elements of CTI sharing in two
The platform focuses on the collection, analysis, and classification steps. CTI exchange has to be relevant and actionable, the threat
of CTI. Including the integration of external tools such as anti-virus sharing model has to be speedy, scalable, and automated. The re-
software and intrusion detection systems. The 4 previously pre- search in McConnell (2011) describes the core elements of CTI
sented works contributing to CTI collaboration from various per- sharing as secure, environmentally sustainable, and rapidly cus-
spectives. Where Edwards et al. (2001), Kamhoua et al. (2015), and tomizable. Information exchange can become challenging if stake-
Andrian et al. (2017) are applicable to generic CTI collaboration; holders use different data formats, structures, labeling options,
Mutemwa et al. (2017) focus on specific CTI sharing collaboration and turning data into knowledge comprehensible to everyone.
pertaining to environmental needs, i.e., country specific. Knowledge can be externalized and reconceptualized before being
shared (Vazquez et al., 2012). A healthy CTI exchange implies a se-
2.3. CTI indicators cure exchange, environmentally sustainable, rapidly customizable
(McConnell, 2011), correct labeling, anonymity, relevance, trust,
CTI contains various attributes which renders it into actual in- and confidentiality. CTIs tactical intelligence exchange includes
telligence. Malicious IP addresses or hashes on their own are not Techniques, Tactics, and Procedures (TTP) and IoCs. IoC may con-
considered CTI but may be part of it. Attributes may include de- tain information about malicious IP addresses which are trivial to
scriptions of threat actors, campaigns, motivation and Indicators of share (Farnham and Leune, 2013) compared to, for instance, infor-
Compromise (IoC) which can be shared with trusted stakeholders. mation about the techniques of an adversary. Nevertheless, strate-
IoCs are one of the easiest actionable CTI attributes and are the fo- gic intelligence is rarely shared because it could reveal information
cus of most tools (Farnham and Leune, 2013). Actionable CTI IoCs about the stakeholders strategic plans (Chismon and Ruks, 2015).
are commonly used in applications such as Intrusion Detection The researchers in Dog et al. (2016) presented a use case for strate-
Systems (IDS), website blocking, blackholing, identifying compro- gic CTI sharing from Intrusion Detection System (IDS) logs. The
T.D. Wagner, K. Mahbub and E. Palomar et al. / Computers & Security 87 (2019) 101589 5

Table 2
Threat intelligence platforms.

TIP Focus URL

Malware Information Sharing Platform (MISP) General CTI sharing https://tinyurl.com/y9zgp67g


NC4 CTX/Soltra Edge Financial CTI sharing https://tinyurl.com/yajjrjfk
ThreatConnect General CTI sharing https://tinyurl.com/yaywybkm
AlienVault General CTI sharing https://tinyurl.com/yajehh6e
IBM X-Force Exchange General CTI sharing https://tinyurl.com/yc45dbdl
Anomali General CTI sharing https://tinyurl.com/y86volhm
Facebook ThreatExchange General CTI sharing https://tinyurl.com/yc6xsqxp
CrowdStrike General CTI sharing https://tinyurl.com/y9zkc5wy
ThreatQuotient General CTI sharing https://tinyurl.com/y7xd7kjv
EclecticIQ General CTI sharing https://tinyurl.com/ydfckucr

data was collected from sources such as, honeypots, incident re- tion from the threat sharing community. If an entity decides not
ports, and logs. to share, and only consume, CTI, then the punishment process will
Groups of common interest or industry sector are built to revoke permission rights. If the stakeholder decides to rejoin the
share specific CTI. For example, the FI-ISAC requires stakeholders threat sharing community, then he will only be able to contribute
to attend meetings, members may be excluded if they fail to at- intelligence for a specified time until consumption may commence
tend three successive meetings (Deloitte et al., 2015). The work in again. The US Congress proposed a tax credit act (Cyber Informa-
Kijewski and Pawliński (2014) suggest that it may be reasonable to tion Sharing Tax Credit Act (USA)) which is a financial incentive in
assume that stakeholders do not come to an agreement to use a form of a tax credit for organizations which share CTI with other
single CTI exchange standard. Which would mean that a Threat In- Stakeholders. The act was introduced by Senator Kirsten Gillibrand
telligence Platform (TIP) would need to be adoptable to different in July 2014 (Act, 2014). Providing a trusted environment for stake-
standards. holders is a key attribute for CTI sharing. Therefore, trust man-
TIPs have flooded the market and made it challenging for prac- agement may be an incentive to establish collaborations between
titioners to decide which one to implement. The TIPs in Table 2 stakeholders (Garrido-Pelaz et al., 2016).
are some platforms that currently establish their position in the
CTI sharing world. The platforms differ slightly in layout, never- 2.6. Risks of sharing CTI
theless, offer similar functionalities to visualize CTI records, corre-
lation, tagging, feeds, and data format support. CTI sharing promises to be another tool in the cyber defense
system, nevertheless, it comes along with certain risks. Sharing
2.5. Benefits of CTI sharing CTI with unauthorized stakeholders, or even inside the organiza-
tion, may become a risk which could deter stakeholders from au-
Some organizations still hesitate to share their CTI because tomation (Vazquez et al., 2012). According to a case study from
of missing incentives (Liu et al., 2014), but expect to receive Haass et al. (2015), some organizations were concerned that they
knowledge from other peers in the community (Abouzahra and might become a target if they were discovered as active CTI ex-
Tan, 2014). Once an organization was the victim of a cyber at- change members. This worry has not been proven yet by any aca-
tack, the loss of reputation and the resulting brand damage may demic research and no cases are known that would confirm an at-
encourage stakeholders to invest more into cyber security and tack based on these concerns. The authors in Tosh et al. (2015) de-
sharing CTI (Bauer and Van Eeten, 2009). Automation itself can fined three implications stakeholders may face when sharing CTI.
act as an incentive or a financial model could be implemented Sharing CTI with competitors might encourage free riding and not
(Vazquez et al., 2012). Another incentive emanates from the cost sharing information with the stakeholder or collective, trust might
savings of CTI sharing by knowing the threat before the attack hap- be violated, and negative publicity may affect market value and
pens (Feledi et al., 2013). A successfully defended network may stock price. The researchers in Haustein et al. (2013) raised con-
contribute to the up-time and continuity of the service. The re- cerns that the disclosure of internal information related to an in-
searchers in Tamjidyamcholo et al. (2014) are discussing the effect cident may harm a stakeholder’s reputation. Internal information
that joy, enthusiasm, energy, and happiness can have on sharing may include e-mail addresses, names, and other PII. CTI that was
activities. The work in Naghizadeh and Liu (2016) conducted re- intercepted by an adversary could be used to attack stakeholders
search into the incentives for revealing security information. The who have not yet patched their system (Al-Ibrahim et al., 2017;
research uses a prisoner’s dilemma scenario which revealed that Mohaisen et al., 2017). Every shared information should have a risk
the disclosure costs lead organizations to exhibit free-riding be- calculation according to its sensitivity and impact. The CTI sharing
havior. Nevertheless, organizations would prefer full disclosure of model in Kokkonen et al. (2016) has risk level values between 1
CTI on both sides. Organizations are naturally heterogeneous and (low risk) and 20 (high risk) and eradicates links between stake-
capabilities of generating and sharing intelligence differ. Hence, an holders if the risk level is unacceptable. For instance, if stakehold-
equal amount or quality of knowledge is unrealistic. ers share CTI cross-border, then a higher risk level is automatically
Involving organizations into a threat sharing collaboration can applied than to a stakeholder from the same country.
be a tedious task for several reasons. Inappropriate threat shar-
ing models, sharing with competitors might deter stakeholders, 2.7. The human role in CTI sharing
one-way flow of information (Zheng and Lewis, 2015), revealing
data breaches, and investing time and money into a threat in- To render CTI sharing more effective, pertaining processes have
telligence team may seem inappropriate pertaining to the return to be automated as much as possible. Nevertheless, this ambition
on investment at first sight. It is surmised that members increase may not be completely fulfilled in the near future. The identifica-
their contribution in expectation to be rewarded for it in form tion, remediation, and prevention process still requires a human
of reciprocity (Abouzahra and Tan, 2014). The work in Xiong and user in the operation (Sander and Hailpern, 2015). Analysts still
Chen (2013) suggested a punishment model which inclines isola- have a lot of copying and pasting to do which limits the time
6 T.D. Wagner, K. Mahbub and E. Palomar et al. / Computers & Security 87 (2019) 101589

available to focus on threat analytics. Furthermore, tacit knowledge about cyber threats is onerous to share with other stakeholders (Tamjidyamcholo et al., 2014). Tacit knowledge is inside the analyst’s mind and hence challenging to capture and automate. The way one stakeholder sees a threat might not be the same for another one (Mann et al., 2011). Stakeholders have diverse ambitions and behaviors regarding CTI sharing. The researchers in Anceaume et al. (2005) define behavior in two categories, obedient or malicious. Obedient stakeholders follow the regulations and policies; malicious ones do not. Malicious stakeholders may use the collected CTI to attack an obedient stakeholder. Face-to-face meetings contribute to trust establishment between stakeholders. This may be a necessity at the beginning but may not be seen as efficient if the sharing process is not automated (Murdoch and Leaver, 2015). The work of Safa and Von Solms (2016) analyzed human behavior during CTI sharing. The theory of planned behavior was used to characterize employee commitment towards CTI sharing. Furthermore, humans may withhold facts about threats because they think it is not safe to share them, for fear of being exposed (Abrams et al., 2003). The research in Park et al. (2014) illustrates that information-seeking stakeholders turn to the information of weak peers if information from strong peers is unavailable. It is mentioned that heterogeneous information from weak peers may be more useful than homogeneous information from strong peers.

2.8. Cultural and language barriers

CTI exchange is performed globally and can cause cultural and language barriers between stakeholders. A sharing language, most likely English, has to be defined, and cultural aspects have to be understood and respected. The differences may negatively affect the quality of knowledge (Abouzahra and Tan, 2014). Speaking the same tongue may encourage stakeholders to share their intelligence and can boost the knowledge sharing process (Tamjidyamcholo et al., 2013). Non-native speakers may face challenges in explaining threats in appropriate English. Certain core attributes may be lost in translation and could decrease the CTI’s quality and relevance. If the language is not understood by the stakeholder, then a time-consuming translation has to be initiated. The work in Flores et al. (2014) conducted research into the behavior of CTI sharing in the US American and Swedish cultures. The findings revealed that US American organizations tend towards a stronger association with structure and control than with coordinating processes pertaining to CTI sharing; conversely, Swedish organizations tend to prefer coordinated processes and CTI sharing.

3. Actionable cyber threat intelligence

Receiving and submitting information about vulnerabilities requires several processes before CTI can be called actionable. ENISA defines actionable CTI as CTI that fulfills five criteria: relevance, timeliness, accuracy, completeness, and ingestibility (Pawlinski et al., 2014). Similarly, in the earlier definition by the Ponemon Institute, actionability stands for timeliness, priority, implementation, trustworthiness of the source, relevance to the industry, clear guidance to resolve the threat, and sufficient context (Institute, 2014) (Fig. 3). These attributes define the current actionability of CTI. From these two definitions we can derive that relevance of the information is one part of actionability. Relevance most likely stems from content relevance, meaning the threat is a risk to the system. Relevance may be a synonym for completeness and trust, because if the stakeholder is not trustworthy and the information is incomplete, then it may not be considered relevant. Timeliness is mentioned by both sources and stands for sharing and receiving up-to-date information in a timely fashion. Timeliness is subjective to every single stakeholder and can therefore affect the actionability outcome. Accuracy of the information can only be evaluated after the analysis but should tell the stakeholder or the machine how to proceed exactly to remedy the vulnerability. To complete the actionability, the risk level priority has to be defined. This depends on the organization’s system and is subjective to the stakeholder’s mindset or the machine’s program. The types of CTI consumers are different and so is the relevant information to each one. The research in Brown et al. (2015) identified four stakeholders who work with CTI, namely high level executives, threat managers, threat analysts, and incident response teams. CTI data quality may differ by sharing stakeholder or source. The quality may be evaluated by correctness, relevance, timeliness, usefulness, and uniqueness (Al-Ibrahim et al., 2017). Furthermore, a member of the CTI sharing community who has always shared useful and timely information may be labeled as a quality stakeholder (Mohaisen et al., 2017).

[Fig. 3 diagram: attributes arranged around “Actionable CTI”: Trustworthiness, Relevance, Timeliness, Completeness, Priority, Ingestibility, Industry, Accuracy, Guidance, Implementation, Context.]
Fig. 3. Actionable Cyber Threat Intelligence. Green denotes ENISA’s definition; blue denotes Ponemon’s definition; light green denotes ENISA’s and Ponemon’s overlapping definition. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

3.1. Timeliness of sharing CTI

Some cyber attacks occur in seconds at various sites using the same or similar attack patterns. A swift information sharing process is an important attribute of CTI exchange because of the narrow response time frame (Pawlinski et al., 2014). The sharing and reacting processes have to be adequate to the limited time frame. The threat environment changes quickly and thus CTI must be acted upon quickly. The importance of sharing in a speedy manner can be observed when the value of CTI goes to zero in days or even hours (Farnham and Leune, 2013). As shown in previous research, 60% of malicious domains have a life span of one hour or less (Alliance, 2015). Timeliness does not only focus on age, but also on the frequency of updates to threat activities, changes, or evolution in capability or infrastructure (ThreatConnect, 2015). The following use case illustrates the importance of timeliness:

• Scenario A: Organization A immediately shared CTI within the trusted repository after detection. The shared information was received in a timely manner, but due to the incomplete Course of Action (CoA), stakeholders were unable to make use of it.
• Scenario B: Organization B detected an indicator (Locky Downloaders) about a malicious link inside an e-mail that, once clicked on, downloads a Trojan horse onto the victim’s machine and stays undetected by conventional anti-virus programs. The information was shared in a matter of seconds within the trusted circle of peers. The stakeholders were able to promptly mitigate the risk by blocking the e-mail and link.

3.2. Trust establishment of CTI sharing

Establishing a CTI sharing collaboration requires a comprehensive trust relationship between stakeholders. Trust is normally established over time and in face-to-face meetings. The challenge here lies in trust establishment amongst decentralized stakeholders. Trust is a key attribute in the CTI exchange ecosystem and challenging to rebuild when broken (Feledi et al., 2013). It is considered the most difficult attribute in the threat intelligence sharing ecosystem (Kokkonen et al., 2016). CTI can contain information that should only be revealed to trusted stakeholders or not at all, such as PII, which is irrelevant to creating situation awareness. Information about a successful attack getting into the wrong hands can have a disastrous impact on the reputation of the stakeholder. It can be used against the organization if the countermeasure has not been implemented yet. The trustworthiness of a stakeholder is evaluated through trust and reputation, where trust is established through direct contact and reputation from the opinions of other peers (Meng et al., 2015). According to ENISA (2017), three trust relationships were identified: organizations trust platform providers that (1) confidential data is not exposed to unauthorized stakeholders; (2) information is handled correctly, such as TLP labeling; (3) shared information is credible and reliable. The research in Sauerwein et al. (2017) showed that there are two possible perspectives on trust, the organization perspective and the provider perspective. Stakeholders may show benign behavior at the beginning and later on start to abuse the trust. Thus, it is onerous to identify peers with benevolent or malicious intents (Wang and Vassileva, 2003). The work of Dondio and Longo (2014) identified a trust scheme which is applicable to virtual identities: reputation, past outcomes, degree of activity, degree of connectivity, regularity, stability, and accountability. The work in Xu et al. (2013) elaborated further on the reputation scheme, identifying slander attacks, where malicious nodes intentionally provide negative evaluations to normal nodes, and collusion attacks, where acquainted nodes give each other positive evaluations. The research in Abouzahra and Tan (2014) discusses the three dimensions of trust, ability, benevolence, and integrity, based on the work in Butler Jr (1991). Trust relationships may be managed by trusted third parties such as threat intelligence vendors or may be outsourced by utilizing a trust manager to handle reputation (Cha and Kim, 2010). Trust concerns can arise when the government is involved in CTI exchange or the development of tools and protocols. For example, STIX and the Trusted Automated eXchange of Indicator Information (TAXII) have been developed by the Mitre group with the support of the US Government. This collaboration could deter stakeholders from countries other than the US from trusting these protocols (Burger et al., 2014). Since the tendency of not trusting the government is prevalent amongst US citizens, it may even keep US companies from adopting these tools. Low risk threat intelligence can be shared in centralized form, but decentralized exchange requires a greater degree of trust (Zheng and Lewis, 2015), or a limit to the number of participating stakeholders (Deloitte et al., 2015). According to Pawlinski et al. (2014), the three trust levels are defined as: high level of confidence for trusted and fully verified channels, medium level of confidence for reliable channels, and low confidence for unverified data sources. Another aspect of trust relationships is that they are mostly built between individuals and not companies. Thus, if the employee responsible for CTI sharing decides to leave the organization, then all of her contacts may leave too. The work in Goodwin et al. (2015) defines the trust base as stakeholder contribution, collective actions, and shared experiences. The research in Tavakolifard and Almeroth (2012) outlines the trust evaluation process in two ways: as situation specific, where trust is established regarding a specific type of information, and as person specific, regarding the judgment of two stakeholders on the same matter. Moreover, stakeholders have to indicate their individual degree of confidence in the credibility and accuracy of the CTI (ISO27010, 0000).

The following scenario describes a “sleeper” attack which builds up trust over time only to exploit it at the right moment.

• Scenario A: 423 stakeholders have established a trusted relationship with a focus on the retail industry and its vulnerabilities. CTI sharing has been conducted for several years without any trust conflict, and stakeholders have revealed system specific details pertaining to vulnerabilities. One of the stakeholders had a malicious intent to exploit the other stakeholders. They waited for several years to enhance the trust level and to access classified CTI. Open vulnerabilities were exploited by the “trusted” stakeholder as a result of the trust gained over the long term.

Lessons learned: Sharing systems need to have a continuous vetting process in place to detect malicious peers at an early stage. Furthermore, stakeholders should anonymize their content as much as possible and hide system specific details.

3.3. Stakeholder reputation

Stakeholders have to build up their reputation to become trusted members of a threat sharing community. Reputation is built over time by sharing high quality and actionable threat information, and by conforming to threat sharing policies. There are many ways to build up a reputation to earn credibility amongst other stakeholders. To increase their credibility, stakeholders have to continuously share CTI, correlate various sources, and respond to questions by the community pertaining to the shared intelligence (Feledi et al., 2013). On the contrary, once a bad reputation has been entrenched, it is challenging to reverse the effect. To the best of our knowledge, no research has been conducted regarding negative reputation in CTI sharing. Thus, research from neighboring fields is considered. One such field is the online retail sector, where sellers and buyers rate each other according to the quality of product, delivery speed, communication, payment, and accuracy of description. The quality of the bought tangible product can be matched to the quality of the shared CTI; the delivery speed of the mailed product may be compared to the sharing speed of CTI; seller/buyer communication can be correlated to questions by the consuming peer regarding a set of CTI; and accuracy of product description can be paralleled to the description of CTI indicators. If a seller or buyer has received negative feedback, other peers may be encouraged to comment negatively as well, having received similarly poor service (Nusrat and Vassileva, 2011). This process is called stoning and helps to separate good from bad peers (Resnick and Zeckhauser, 2002).

3.4. Relevance of CTI

Due to the uncountable number of threat indicators, an analyst would be completely overwhelmed by all the data. Therefore, a scalable relevance filter has to be used by stakeholders. Sharing too much information is as bad as sharing too little. Hence, suitable filtering methods have to be implemented (ISO27010, 0000).
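The continuous vetting process called for in the lessons learned of Section 3.2, the reputation scheme with its slander and collusion attacks in Section 3.3, and the scalable relevance filter just introduced in Section 3.4 can be combined into one intake pass over a sharing community. The following Python block is an added example written for this survey’s context; it is not code from the paper or from any of the works it cites. The feedback format, the deviation and mutual-rating thresholds, the trust cut-offs, and the tag dimensions (sector, platform, region) are all assumptions, and the feedback and records are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed peer feedback: (rater, rated peer, usefulness of that peer's CTI, 0..1).
# "mallory" slanders the honest peers; "shill1" and "shill2" inflate each other.
FEEDBACK = [
    ("retailA", "bankB", 0.9), ("ispC", "bankB", 0.8), ("retailA", "ispC", 0.7),
    ("bankB", "ispC", 0.8), ("ispC", "retailA", 0.7), ("bankB", "retailA", 0.8),
    ("mallory", "bankB", 0.1), ("mallory", "ispC", 0.0), ("mallory", "retailA", 0.1),
    ("shill1", "shill2", 1.0), ("shill2", "shill1", 1.0),
    ("bankB", "shill1", 0.2), ("ispC", "shill2", 0.3),
]

def _by_target(feedback):
    by_target = defaultdict(dict)          # rated peer -> {rater: score}
    for rater, target, score in feedback:
        by_target[target][rater] = score
    return dict(by_target)

def find_slanderers(feedback, max_mean_deviation=-0.4, min_ratings=2):
    """Raters whose scores sit far below the other raters' median (slander attack)."""
    by_target = _by_target(feedback)
    deviations = defaultdict(list)
    for rater, target, score in feedback:
        others = [s for r, s in by_target[target].items() if r != rater]
        if others:
            deviations[rater].append(score - median(others))
    return sorted(r for r, d in deviations.items()
                  if len(d) >= min_ratings and sum(d) / len(d) <= max_mean_deviation)

def find_colluders(feedback, min_mutual=0.9, max_external=0.5):
    """Pairs rating each other highly while the rest rate both poorly (collusion attack)."""
    by_target = _by_target(feedback)
    pairs = set()
    for a, raters in by_target.items():
        for b, b_rates_a in raters.items():
            if b_rates_a < min_mutual or by_target.get(b, {}).get(a, 0.0) < min_mutual:
                continue
            ext_a = [s for r, s in raters.items() if r != b]
            ext_b = [s for r, s in by_target.get(b, {}).items() if r != a]
            # a peer nobody else has rated counts as unverified (0.0), not as endorsed
            if (median(ext_a) if ext_a else 0.0) <= max_external and \
               (median(ext_b) if ext_b else 0.0) <= max_external:
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)

def reputation(feedback, excluded=()):
    """Mean score received per peer, ignoring flagged raters; unrated peers get 0.0."""
    by_target = _by_target(feedback)
    rep = {}
    for peer in {p for rating in feedback for p in rating[:2]}:
        scores = [s for r, s in by_target.get(peer, {}).items() if r not in excluded]
        rep[peer] = round(sum(scores) / len(scores), 3) if scores else 0.0
    return rep

def trust_level(score):
    # Assumed cut-offs onto the three confidence levels of Pawlinski et al. (2014).
    return "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"

def vet_community(feedback):
    """Continuous vetting pass: flag manipulators, then score everyone without their input."""
    slanderers = find_slanderers(feedback)
    colluders = find_colluders(feedback)
    excluded = set(slanderers) | {p for pair in colluders for p in pair}
    rep = reputation(feedback, excluded)
    return {"slanderers": slanderers, "colluders": colluders, "reputation": rep,
            "trust": {p: trust_level(s) for p, s in rep.items()}}

# Constructed inbound records; the tag dimensions (sector, platform, region) are assumed.
INVENTORY = {"sector": {"retail"}, "platform": {"windows", "linux"}, "region": {"UK", "EU"}}
RECORDS = [
    {"id": "a1", "source": "bankB", "risk": 18, "tags": {"sector": ["retail"], "platform": ["windows"]}},
    {"id": "a2", "source": "ispC", "risk": 20, "tags": {"sector": ["energy"], "platform": ["linux"]}},
    {"id": "a3", "source": "retailA", "risk": 9, "tags": {"platform": ["macos"]}},
    {"id": "a4", "source": "retailA", "risk": 12,
     "tags": {"sector": ["retail", "finance"], "platform": ["windows"], "region": ["EU"]}},
    {"id": "a5", "source": "shill1", "risk": 19, "tags": {"sector": ["retail"], "platform": ["windows"]}},
    {"id": "a6", "source": "bankB", "risk": 15, "tags": {}},
]

def relevance(record, inventory):
    """Number of tag dimensions overlapping our inventory; None on a hard mismatch."""
    score = 0
    for dimension, values in record["tags"].items():
        mine = inventory.get(dimension)
        if mine is None:
            continue                       # a dimension we do not track is neutral
        if not set(values) & set(mine):
            return None                    # e.g. macOS-only malware for a Windows/Linux estate
        score += 1
    return score

def relevant_feed(records, inventory, trust, min_score=1):
    """IDs worth an analyst's time: low-trust sources dropped, then by relevance, then risk."""
    kept = []
    for record in records:
        if trust.get(record["source"], "low") == "low":
            continue
        score = relevance(record, inventory)
        if score is not None and score >= min_score:
            kept.append((score, record["risk"], record["id"]))
    kept.sort(key=lambda t: (-t[0], -t[1]))
    return [rid for _, _, rid in kept]

def sample_feed():
    return relevant_feed(RECORDS, INVENTORY, vet_community(FEEDBACK)["trust"])
```

A single harsh review does not mark anyone as a slanderer; only a consistent pattern below the consensus of the other raters does, and collusion requires both a mutual high rating and the absence of independent endorsement, so two honest peers who rate each other well and are also rated well by others are not flagged. Records from sources still at low trust are held back rather than discarded, and the tag matching is where a tagging system such as the one in Scenario B below would feed in; rerunning vet_community on each new batch of feedback is what makes the vetting continuous.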
The work in Pawlinski et al. (2014) defines relevance as requiring that CTI be applicable to the stakeholder’s area of responsibility, including networks, software, and hardware. Furthermore, data relevance is an important factor of data quality (Brown et al., 2015). Current relevance filtering is based on manually selecting high level CTI which is seen as important, and browse/search functions are enabled in TIPs and online platforms. Stakeholders have to understand and define which CTI is relevant to their system by knowing their inventory. Threat types should be analyzed as to whether they are targeting stakeholder assets. Business processes ought to be mapped according to geographical, political, and industry sector (ThreatConnect, 2015). Irrelevant information is not shared with other stakeholders, but it is stored in the local knowledge base and correlated with new information (Ahrend et al., 2016). The research in Rao et al. (2012) presented a scalable content filtering and disseminating system which could be implemented in a CTI sharing environment. Another area of information filtering is SPAM filtering, where Almeida and Yamakami (2010) contributed a content based SPAM filter. The relation between SPAM and CTI is that stakeholders do not want to receive SPAM e-mails, but only genuine messages. The same statement is valid for CTI, where stakeholders only want to receive relevant information (genuine e-mails) and not irrelevant information (SPAM). Stakeholders should have full control over what type of CTI appears on their feed. In comparison, social networks are flooded with information, but only a fraction of it is actually relevant to the user (Dong and Agarwal, 2016). On these platforms users have direct control over which messages are posted on their walls by customizing the filtering criteria (Vanetti et al., 2010). The work of Tryfonopoulos et al. (2014) researched the problem of information filtering in peer-to-peer networks. The focus here lies on the information filtering functionality with low message traffic and latency. The research in Mittal et al. (2016) presented the CyberTwitter framework which collects Open Source Intelligence (OSINT) from Twitter feeds. The evaluation of the tool comprised the quality of the threat intelligence and whether relevant information was missed.

• Scenario A: Stakeholder A receives 15,000 threat alerts per week from its monitoring system. 400 alerts are considered relevant and 60 are investigated due to an employee shortage. Moreover, the stakeholder receives a further 10,000 threat alerts that are considered high risk but may not be relevant to the system.
• Scenario B: Stakeholder B receives about the same amount of alerts per week and has similar capabilities to investigate as stakeholder A. Nevertheless, the stakeholder uses a tagging system to render the CTI content relevant to its system. This approach saves time and makes CTI sharing more effective.

Lessons learned: CTI has to be rendered relevant to individual stakeholders because of the heterogeneity of systems. A tagging system may provide the necessary basis to render CTI content more relevant. Content relevance is one of the attributes of relevance.

3.5. Privacy & anonymity

Organizations have to prioritize the privacy of clients by sharing CTI only with trusted stakeholders and/or anonymizing the content. Several techniques were developed to anonymize the content of information, such as k-Anonymity (Sweeney, 2002), l-Diversity (Machanavajjhala et al., 2007), t-Closeness (Li et al., 2007), ε-Differential privacy (Dwork, 2008), and Pseudonymization (Biskup and Flegel, 2001; Neubauer and Heurix, 2011; Riedl et al., 2007). Stakeholders are still reluctant to share information about breaches because of fear that it could damage their reputation, which is an important asset to protect (Garrido-Pelaz et al., 2016). Another aspect of anonymity is the encryption of CTI when shared between stakeholders. A Man-in-the-Middle attack could intercept the shared information. A protocol for encrypting CTI called PRACIS was presented in de Fuentes et al. (2016). PRACIS enables privacy preserving data forwarding and aggregation for semi-trusted message oriented middleware. The work in Best et al. (2017) presented an architecture to compute privacy risk scores over CTI. The research discusses the privacy risks of extracting personal information from threat intelligence reports. Both presented works may be merged to enhance privacy in a CTI program.

Anonymous sharing is imperative in certain circumstances, when a stakeholder does not yet want to reveal that their system was breached, but wants to share the information with other stakeholders. Further, when trust has not been established yet, anonymous threat sharing is desirable. Anonymity of CTI has to be established within the content, meta data, and data transfer. The content should not contain any PII about the organization, its employees, and its clients. The current method of content anonymization is manual screening for PII that should not leave the organization’s premises, or even be read by unauthorized internal employees. Automating the anonymization process can be achieved by using regular expressions to find PII (Johnson et al., 2016). Every stakeholder has a different perception of anonymity. What might be sensitive information for one stakeholder might be trivial for another. Ergo, adjustment of masking criteria and scalability are important factors for appropriate anonymization. Sharing raw data could reveal sensitive information about individuals or about the operation context (Mohaisen et al., 2017).

Moreover, anonymizing the content is not enough to provide sufficient privacy. The connection has to be anonymized as well, and one possible approach is to route the connection through the TOR network (Applebaum et al., 2010). The server should not have been connected previously to the clearnet, which could have left traces on the server that could identify the stakeholder. Additionally, the browsing behavior has to be adjusted to avoid accidental disclosure of the identity. The research in Xu et al. (2002) concentrated on preserving IP address anonymization using a canonical form and a novel cryptography based scheme, which could be applied to anonymous CTI sharing. Encrypting CTI could prevent critical information from being revealed and used against stakeholders before the vulnerability is remedied. This is called implicit privacy, where the attacker cannot directly use the information; it would have to be analyzed first (Meng et al., 2015), or decrypted. Information consists of different attributes with contrasting levels of sensitivity. Further, knowledge of the existence of CTI can have a different level of sensitivity than its content (ISO27010, 0000). The following two scenarios provide an insight into anonymous CTI sharing:

• Scenario A: Stakeholder A does not use any form of anonymity in its CTI sharing process. Hence, PII is constantly revealed to other CTI sharing stakeholders. The stakeholder connects to trusted sources but also to repositories which do not have a vetting process in place. Besides, the CTI may contain details about unremedied vulnerabilities that linger inside the system. A malicious stakeholder was able to collect various CTI from stakeholder A over a couple of months. The correlated information revealed the identity of stakeholder A and where they are vulnerable. The attacker was therefore in the position to successfully exploit the vulnerabilities.
• Scenario B: Stakeholder B anonymizes its content by masking PII such as e-mails, company name, and IP addresses. Moreover, shared CTI is exchanged in encrypted form to enhance privacy. A Man-in-the-Middle attack intercepted the shared information, which contained highly classified details about the organiza-
tion’s system and how to exploit it if the vulnerability is not remedied. Due to the encrypted data, it took the attacker several months to crack the encryption, which rendered the information useless. Until then, the majority of stakeholders had already remedied their systems against this specific attack.

Lessons learned: Stakeholders have to ensure that a certain degree of anonymity is provided when CTI is shared. This depends on the criticality of the information and with whom it is shared.

3.6. Data interoperability

A note on interoperability: numerous organizations want to share their CTI, but a globally common format for CTI exchange is absent (Rutkowski et al., 2010). Data formats have to be compatible with stakeholders’ contrasting systems. Therefore, a common format has to be agreed on by all stakeholders. According to an ENISA study from 2014, there are 53 different information sharing standards that have been adopted by the community (Dandurand et al., 2014). Unnecessary data transformation, which could impede the timely exchange of CTI, has to be avoided. Standards have to be developed (Vazquez et al., 2012) and accepted by the community. According to Moriarty (2013), interoperability is becoming important but is not necessarily the desired default state, because it gives developers diversity in data formats. The Mitre group developed the STIX format to render CTI exchange interoperable (Appala et al., 2015; Burger et al., 2014). It has become the most widely accepted standard for threat intelligence sharing. Besides the data format interoperability, the information sharing infrastructure has to be flexible enough to cope with a variety of implementations (Janssen and Tan, 2014).

4. Cyber threat intelligence sharing regulations

Sharing information about cyber threats requires a combination of technical and policy methods (Fisk et al., 2015). If an organization decides to share their CTI, a clause on information sharing has to be included or updated in existing policies (Sander and Hailpern, 2015). All information exchange with other stakeholders has to go through the Information Exchange Policies (IEP), which is an internal document (Dandurand and Serrano, 2013). The research in Serrano et al. (2014) identified the following elements that have to be included in the IEP: purpose, scope, participants, procedure for new stakeholders, information about handling of received data, procedure for IEP modification, requirements for data sharing, uses of exchanged data, mechanisms, and intellectual property rights. The research in Martinelli et al. (2012) analyzed the Data Sharing Agreement’s (DSA) defining terms: data quality, custodial responsibility, trust domain, and the security infrastructure. The British Standard ISO/IEC 27010:2015 Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications provides guidance for stakeholders to share their information (ISO27010, 0000). Ethics in data sharing has to be part of the information sharing policy. Stakeholders have to define for which purpose the CTI is used, who can access it, retention periods and destruction, and conditions of publication (Dietrich et al., 2014).

4.1. Laws and regulations of CTI sharing

CTI is exchanged globally, which means that laws and regulations of various countries have to be considered. CTI can contain information that is legal to share in one country but illegal in another (Kampanakis, 2014). For instance, according to the UK Data Protection Act, IP addresses are not considered personal information. Quite the contrary, a German court decided in 2016 that IP addresses are personal information in some cases.6 Organizations have to ensure that they comply with country privacy laws when CTI is shared with foreign stakeholders. Depending on the country, organizations may face penalties for not sharing security breaches with the authorities and affected individuals (Laube and Böhme, 2015). For instance, in Slovenia, based on the Electronic Communication Act, the Communications Networks and Services Agency (AKOS) is obliged to notify vulnerabilities to the national and governmental CSIRT (SI-CERT). In Belgium, public electronic communications services have to report vulnerabilities to the national regulator of electronic communications (Deloitte et al., 2015). Legal action may also be taken against stakeholders who do not act on CTI and thus are breached. Stakeholders who do not participate in threat sharing programs could also be punished (Haass et al., 2015). Nevertheless, legal constraints may impede stakeholders from sharing their intelligence (Pawlinski et al., 2014). For example, internal data protection policies and country specific data protection may obstruct the sharing process. In the US, the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) have contributed to confusion regarding whether CTI can be shared. The acts prohibit communications providers from voluntary disclosure of communications content (Zheng and Lewis, 2015). Nevertheless, the executive order (EO13636) in the US was published in 2013 to increase information sharing (Fischer et al., 2013; Skopik et al., 2016). Fig. 4 visualizes the regulations for CTI sharing based on Europe and the United States. The work of Schwartz et al. (2016) researched the legal aspect of automated CTI sharing between government and non-governmental institutions, and the evolution of threat intelligence sharing which led to the current Cybersecurity Information Sharing Act (CISA). The work in Bhatia et al. (2016) discussed the privacy risks of CTI sharing in the US between the government and organizations. The research comprises a survey which was held among 76 security practitioners. The results visualize which threats security practitioners are willing to share; for instance, 24 participants were willing to share IP addresses and 3 were unwilling to share keylogging data.

6 https://tinyurl.com/yanfkqct.

[Fig. 4 diagram, levels shown: Stakeholder; Information Exchange Policies (IEP) and Data Sharing Agreement (DSA); ISO/IEC 27010:2015; UK Data Protection Act, EU General Data Protection Regulation (GDPR), US Electronic Communications Privacy Act (ECPA), US Executive Order 13636.]
Fig. 4. Regulation hierarchy for cyber threat intelligence sharing.

CTI sharing has to be conducted with as many stakeholders as possible who share actionable threat intelligence in order to be more effective. Cyber attacks do not know any borders; therefore, CTI sharing should ideally not be impeded by various country regulations. A harmonized CTI sharing process may have to be adopted by various countries to make full use of the intelligence. Stakeholders are still analyzing the processes involved for effective threat intelligence sharing, and are still in doubt about what can or should be shared, and with whom. The GDPR (General Data Protection Regulation) will render it mandatory to report security incidents within 72 hours in the European Union. The time starts from
Table 3
Literature type.

Type                                              Amount
Conferences, Journals, Symposiums, or Workshops   75
Technical Reports                                 23
Government Bills                                  1
Patent                                            1
Guidelines                                        2

Table 4
Literature focus.

Focus                            Amount
Current Threat Sharing Methods   11
Automation                       7
Actionable CTI                   6
Collaboration                    19
Sharing                          15
Timeliness                       4
Trust                            17
Reputation                       10
Relevance                        4
Privacy & Anonymity              17
Interoperability                 7
Policies & Guidelines            7
Legal                            9
Human Behavior                   8
Cultural & Language Barriers     3
Incentives                       12
Risks                            8

when the incident was considered a positive breach by the analyst. The research in Sullivan and Burger (2017) investigated whether static and dynamic IP addresses are personal details according to the GDPR. The findings revealed that if IP addresses are shared as threat intelligence, then it can be justified in the public interest under Article 6 (1)(e) of the GDPR.

5. Summary

The aim of this literature survey was to identify the current state of the art and set future research directions for CTI sharing and its attributes. The literature search was conducted through journal databases, university catalogs, and scholarly search engines. The research topics addressed in this survey stem from real world problems that stakeholders currently face. The literature survey is intended to give the reader a larger spectrum of diverse problems pertaining to CTI sharing. Various authors thought ahead and addressed research stages in CTI sharing that have not been reached yet by the majority of practitioners. Basic hurdles still have to be overcome, such as elementary implementations of a CTI program and convincing those responsible to invest in it. Furthermore, the harmonization of monitoring and detection tools with threat intelligence platforms is a challenge in itself. Once consumption and exchange start, stakeholders are generally overwhelmed with the sheer amount of information and ponder how to render it relevant. Various vendors offer threat intelligence platforms, which may be the first step into the CTI world by using crowdsourced intelligence from CTI repositories. The current literature trend focuses on, inter alia, how to identify and establish a successful and long lasting collaboration between decentralized stakeholders, and how to automate some of the sharing processes. The literature shows that threat sharing has gained the interest of many organizations wanting to work more proactively instead of only reactively. The aim of CTI sharing is creating situation awareness in a timely fashion among stakeholders by informing them about potential risks to the stakeholder’s infrastructure or IoT products. Automation is a preferred method by stakeholders, i.e., indicators are automatically captured, prepared, shared (with a trusted stakeholder), and automatically implemented. Some tools support the semi-automated sharing of indicators, such as malicious IP addresses and hashes. Significant

[Fig. 5 chart: number of articles (y axis: Articles, 0 to 20) per publication year, 2001 to 2018.]
Fig. 5. Literature timeline.

Table 4 illustrates where the focus of the analyzed topics lies. The most attention was on collaborations, with 19 articles, where the authors analyzed collaborations in the form of establishing a threat sharing program with decentralized stakeholders. The focus was on what information can be shared, with whom, and how to automate some of the collaboration processes. Trust has been analyzed by 17 articles, and various approaches were presented to define and identify trust relationships between stakeholders. Trust in peer-to-peer sharing has been thoroughly researched in the past, but new challenges have arisen with the sharing of CTI, for instance trust relationships between competitors and sharing information about vulnerabilities and security breaches. Privacy & Anonymity was also a highly sought after research topic, and 17 articles of the analyzed literature dedicated their priority to it. The main topics focused on CTI anonymisation, encrypting the data, and present-
work has been established with Mitre’s STIX and TAXII to push the ing privacy risk scores. These topics have also been previously re-
community towards one protocol for threat intelligence description searched for related areas in cyber security. Nevertheless, the CTI
and sharing. Table 1 listed other languages to describe and share environment has changed the game for these research areas. For
CTI. instance, anonymity may not be a desired function if trust has to
Actionability is the term used by separate sources to describe be established between stakeholders, but in certain circumstances,
quality attributes of threat intelligence. The main attributes are rel- anonymity may be enabled to report vulnerabilities that have not
evance, timeliness, trustworthiness, completeness, and accuracy of been remedied yet. Incentives also earned the interest of many au-
CTI. Nevertheless, actionable CTI has different attributes depending thors with 12 articles. They are the basis of bringing stakehold-
on the literature sources. ers together who may not have met before and should share criti-
We analyzed 102 articles, reports, and government bills with fo- cal information about security breaches. Nevertheless, some stake-
cus on CTI sharing or related areas. The tables depict a quantitative holders may not yet see the need to participate in a threat sharing
overview of the literature grouped into types in Table 3, focus in program.
Table 4, and Fig. 5 visualizes the amount of articles published per The graph in Fig. 5 portrays the amount and year of published
year. The types of literature are mostly academic followed by tech- work pertaining to CTI sharing. We analyzed what we thought rel-
nical reports from the industry, 1 government bill, 1 patent, and 2 evant literature until April 2018. Works published after that date
guidelines complete the list. are not included. We are aware that there may be further excel-
T.D. Wagner, K. Mahbub and E. Palomar et al. / Computers & Security 87 (2019) 101589 11

lent published work available that we did not include in this lit- Cha, B.R., Kim, J.W., 2010. Handling fake multimedia contents threat with col-
erature survey. Summarizing the literature timeline, between 2001 lective intelligence in p2p file sharing environments. In: P2P, Parallel, Grid,
Cloud and Internet Computing (3PGCIC), 2010 International Conference on. IEEE,
and 2009, the interest in sharing threat information was at an em- pp. 258–263.
bryonic stage and academics and practitioners started to become Chismon, D., Ruks, M., 2015. Threat Intelligence: Collecting, Analysing, Evaluating.
interested in this emerging topic more towards 2010. 2013 has MWR Infosecurity, UK Cert, United Kingdom.
CISTC Act, 2014. S 2717. 113th Congress (2013–2014)).
seen an increase of published literature and 2014 seemed to be Ciobanu, C., Dandurand, M., Luc Davidson, Grobauer, B., Kacha, P., Kaplan, A., Kom-
the year with the most publications related to CTI sharing or re- panek, A., Van Horenbeeck, M., 2014. Actionable Information for Security Inci-
lated areas. 2015 to 2018 have seen a slight decline in published dent Response. Technical Report.
Cormack, A., 2011. Incident Response and Data Protection.
work.
Dandurand, L., Kaplan, A., Kacha, P., Kadobayashi, Y., Kompanek, A., Lima, T., Mil-
lar, T., Nazario, J., Perlotto, R., Young, W., 2014. Standards and Tools for Exchange
6. Conclusion and Processing of Actionable Information. Technical Report.
Dandurand, L., Serrano, O.S., 2013. Towards improved cyber security information
sharing. In: Cyber Conflict (CyCon), 2013 5th International Conference on. IEEE,
New methods have to be developed to thwart the steady in- pp. 1–16.
crease of cyber attacks. CTI sharing is establishing itself to become de Fuentes, J.M., González-Manzano, L., Tapiador, J., Peris-Lopez, P., 2016. PRACIS:
a powerful weapon to defend against adversaries. This literature privacy-preserving and aggregatable cybersecurity information sharing. Comput.
Secur..
survey outlined newly emerged challenges due to an increased in- Deloitte, B., De Muynck, J., Portesi, S., 2015. Cyber Security Information Sharing : An
terest and necessity of CTI sharing. We analyzed a comprehensive Overview of Regulatory and Non-Regulatory Approaches.
amount of literature related to CTI sharing and neighboring areas Dietrich, S., Van Der Ham, J., Pras, A., van Rijswijk Deij, R., Shou, D., Sperotto, A., Van
Wynsberghe, A., Zuck, L.D., 2014. Ethics in data sharing: developing a model
where similar requirements exist. This work focused on actionable
for best practice. In: Security and Privacy Workshops (SPW), 2014 IEEE. IEEE,
attributes and elaborated further with use cases. Regulations were pp. 5–9.
discussed which support a steady threat intelligence sharing pro- Dog, S.E., Tweed, A., Rouse, L., Chu, B., Qi, D., Hu, Y., Yang, J., Al-Shaer, E., 2016.
Strategic cyber threat intelligence sharing: a case study of IDs logs. In: Com-
cess. Furthermore, we evaluated and grouped the contributions to
puter Communication and Networks (ICCCN), 2016 25th International Confer-
analyze which topics were most relevant to the authors. ence on. IEEE, pp. 1–6.
Dondio, P., Longo, L., 2014. Computing trust as a form of presumptive reasoning.
Declaration of Competing Interest In: Proceedings of the 2014 IEEE/WIC/ACM International Joint Conferences on
Web Intelligence (WI) and Intelligent Agent Technologies (IAT)-Volume 02. IEEE
Computer Society, pp. 274–281.
The authors have no financial conflicts of interest. Dong, C., Agarwal, A., 2016. A relevant content filtering based framework for
data stream summarization. In: International Conference on Social Informatics.
References Springer, pp. 194–209.
Dwork, C., 2008. Differential privacy: a survey of results. In: International Confer-
Abouzahra, M., Tan, J., 2014. The effect of community type on knowledge sharing ence on Theory and Applications of Models of Computation. Springer, pp. 1–19.
incentives in online communities: a meta-analysis. In: System Sciences (HICSS), Edwards, C., Migues, S., Nebel, R., Owen, D., 2001. System and Method of Data Col-
2014 47th Hawaii International Conference on. IEEE, pp. 1765–1773. lection, Processing, Analysis, And annotation for Monitoring Cyber-Threats and
Abrams, L.C., Cross, R., Lesser, E., Levin, D.Z., 2003. Nurturing interpersonal trust in the Notification Thereof to Subscribers. US Patent App. 09/950,820.
knowledge-sharing networks. Acad. Manag. Exec. 17 (4), 64–77. ENISA, 2017. Exploring the Opportunities and Limitations of Current Threat Intelli-
Ahrend, J.M., Jirotka, M., Jones, K., 2016. On the collaborative practices of cyber gence Platforms. Technical Report.
threat intelligence analysts to develop and utilize tacit threat and defence Farnham, G., Leune, K., 2013. Tools and Standards for Cyber Threat Intelligence
knowledge. In: Cyber Situational Awareness, Data Analytics And Assessment Projects.
(CyberSA), 2016 International Conference On. IEEE, pp. 1–10. Feledi, D., Fenz, S., Lechner, L., 2013. Toward web-based information security knowl-
Al-Ibrahim, O., Mohaisen, A., Kamhoua, C., Kwiat, K., Njilla, L., 2017. Beyond free edge sharing. Inf. Secur. Tech. Rep. 17 (4), 199–209.
riding: quality of indicators for assessing participation in information sharing Fischer, E.A., Liu, E.C., Rollins, J., Theohary, C.A., 2013. The 2013 cybersecurity ex-
for threat intelligence. arXiv:1702.00552. ecutive order: overview and considerations for congress. Congres. Res. Serv.
Alliance, H.I.T., 2015. Health Industry Cyber Threat Information Sharing and Analy- 7–5700.
sis. Technical Report. Fisk, G., Ardi, C., Pickett, N., Heidemann, J., Fisk, M., Papadopoulos, C., 2015. Privacy
Almeida, T.A., Yamakami, A., 2010. Content-based spam filtering. In: Neural Net- principles for sharing cyber security data. In: 2015 IEEE Symposium on Secu-
works (IJCNN), The 2010 International Joint Conference on. IEEE, pp. 1–7. rity and Privacy Workshops, SPW 2015, San Jose, CA, USA, May 21–22, 2015,
Anceaume, E., Gradinariu, M., Ravoaja, A., 2005. Incentives for P2P fair resource pp. 193–197.
sharing. In: Fifth IEEE International Conference on Peer-to-Peer Computing Flores, W.R., Antonsen, E., Ekstedt, M., 2014. Information security knowledge shar-
(P2P’05). IEEE, pp. 253–260. ing in organizations: investigating the effect of behavioral information security
Andrian, J., Kamhoua, C., Kiat, K., Njilla, L., 2017. Cyber threat information sharing: governance and national culture. Comput. Secur. 43, 90–110.
a category-theoretic approach. In: Mobile and Secure Services (MobiSecServ), Garrido-Pelaz, R., González-Manzano, L., Pastrana, S., 2016. Shall we collaborate? A
2017 Third International Conference on. IEEE, pp. 1–5. model to analyse the benefits of information sharing. In: Proceedings of the
Appala, S., Cam-Winget, N., McGrew, D., Verma, J., 2015. An actionable threat intelli- 2016 ACM on Workshop on Information Sharing and Collaborative Security.
gence system using a publish-subscribe communications model. In: Proceedings ACM, pp. 15–24.
of the 2nd ACM Workshop on Information Sharing and Collaborative Security. Goodwin, C., Nicholas, J.P., Bryant, J., Ciglic, K., Kleiner, A., Kutterer, C., Sullivan, K.,
ACM, pp. 61–70. 2015. A Framework for Cybersecurity Information Sharing and Risk Reduction.
Applebaum, B., Ringberg, H., Freedman, M.J., Caesar, M., Rexford, J., 2010. Collabora- Technical Report. Technical report, Microsoft Corporation.
tive, privacy-preserving data aggregation at scale. In: International Symposium Haass, J.C., Ahn, G.-J., Grimmelmann, F., 2015. Actra: a case study for threat informa-
on Privacy Enhancing Technologies Symposium. Springer, pp. 56–74. tion sharing. In: Proceedings of the 2nd ACM Workshop on Information Sharing
Bauer, J.M., Van Eeten, M.J., 2009. Cybersecurity: stakeholder incentives, externali- and Collaborative Security. ACM, pp. 23–26.
ties, and policy options. Telecommun. Policy 33 (10), 706–719. Haustein, M., Sighart, H., Titze, D., Schoo, P., 2013. Collaboratively exchanging warn-
Best, D.M., Bhatia, J., Peterson, E.S., Breaux, T.D., 2017. Improved cyber threat indi- ing messages between peers while under attack. In: Availability, Reliability and
cator sharing by scoring privacy risk. In: Technologies for Homeland Security Security (ARES), 2013 Eighth International Conference on. IEEE, pp. 726–731.
(HST), 2017 IEEE International Symposium on. IEEE, pp. 1–5. Institute, P., 2014. Exchanging Cyber Threat Intelligence: There has to be a Better
Bhatia, J., Breaux, T.D., Friedberg, L., Hibshi, H., Smullen, D., 2016. Privacy risk in Way.
cybersecurity data sharing. In: Proceedings of the 2016 ACM on Workshop on ISO27010, 2015. ISO/IEC 27010:2015 Information Technology – Security Techniques
Information Sharing and Collaborative Security. ACM, pp. 57–64. – Information Security Management for Inter-Sector and Inter-Organizational
Biskup, J., Flegel, U., 2001. On pseudonymization of audit data for intrusion detec- Communications. http://www.iso27001security.com/html/27010.html. Accessed
tion. In: Designing Privacy Enhancing Technologies. Springer, pp. 161–180. on: 2017-04-04
Brown, S., Gommers, J., Serrano, O., 2015. From cyber security information sharing Janssen, M., Tan, Y.-H., 2014. Dynamic capabilities for information sharing: Xbrl
to threat management. In: Proceedings of the 2nd ACM Workshop on Informa- enabling business-to-government information exchange. In: System Sciences
tion Sharing and Collaborative Security. ACM, pp. 43–49. (HICSS), 2014 47th Hawaii International Conference on. IEEE, pp. 2104–2113.
Burger, E.W., Goodman, M.D., Kampanakis, P., Zhu, K.A., 2014. Taxonomy model for Johnson, C., Badger, L., Waltermire, D., Snyder, J., Skorupka, C., 2016. Guide to Cyber
cyber threat intelligence information exchange technologies. In: Proceedings of Threat Information Sharing, vol. 800. NIST Special Publication, p. 150.
the 2014 ACM Workshop on Information Sharing & Collaborative Security. ACM, Kamhoua, C., Martin, A., Tosh, D.K., Kwiat, K.A., Heitzenrater, C., Sengupta, S., 2015.
pp. 51–60. Cyber-threats information sharing in cloud computing: a game theoretic ap-
Butler Jr, J.K., 1991. Toward understanding and measuring conditions of trust: evo- proach. In: Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd In-
lution of a conditions of trust inventory. J. Manag. 17 (3), 643–663. ternational Conference on. IEEE, pp. 382–389.
12 T.D. Wagner, K. Mahbub and E. Palomar et al. / Computers & Security 87 (2019) 101589

Kampanakis, P., 2014. Security automation and threat information-sharing options. ing platforms: an exploratory study of software vendors and research perspec-
Secur. Priv. 12 (5), 42–51. tives. Towards Thought Leadership in Digital Transformation: 13. Internationale
Kijewski, P., Pawliński, P., 2014. Proactive detection and automated exchange of net- Tagung Wirtschaftsinformatik, WI 2017, St.Gallen, Switzerland, February 12–15,
work security incidents. Abgerufen Am 20. 2017..
Kokkonen, T., Hautamäki, J., Siltanen, J., Hämäläinen, T., 2016. Model for sharing the Schwartz, A., Shah, S.C., MacKenzie, M.H., Thomas, S., Potashnik, T.S., Law, B., 2016.
information of cyber security situation awareness between organizations. In: Automatic threat sharing: how companies can best ensure liability protection
Telecommunications (ICT), 2016 23rd International Conference on. IEEE, pp. 1–5. when sharing cyber threat information with other companies or organizations.
Laube, S., Böhme, R., 2015. Mandatory security information sharing with author- Univ. Mich. J. Law Reform 50, 887.
ities: implications on investments in internal controls. In: Proceedings of the Serrano, O., Dandurand, L., Brown, S., 2014. On the design of a cyber security data
2nd ACM Workshop on Information Sharing and Collaborative Security. ACM, sharing system. In: Proceedings of the 2014 ACM Workshop on Information
pp. 31–42. Sharing & Collaborative Security. ACM, pp. 61–69.
Leszczyna, R., Wróbel, M.R., 2014. Security information sharing for smart grids: de- Shackleford, D., 2015. Who’s Using Cyberthreat Intelligence and How?. SANS Insti-
veloping the right data model. In: 9th International Conference for Internet tute, p. 2016.
Technology and Secured Transactions, ICITST 2014, London, United Kingdom, Sharma, V., Bartlett, G., Mirkovic, J., 2014. Critter: Content-rich traffic trace reposi-
December 8–10, 2014, pp. 163–169. tory. In: Proceedings of the 2014 ACM Workshop on Information Sharing & Col-
Li, N., Li, T., Venkatasubramanian, S., 2007. t-closeness: privacy beyond k-anonymity laborative Security. ACM, pp. 13–20.
and l-diversity. In: Proceedings of the 23rd International Conference on Data Sigholm, J., Bang, M., 2013. Towards offensive cyber counterintelligence: adopting a
Engineering, ICDE 2007, The Marmara Hotel, Istanbul, Turkey, April 15–20, 2007, target-centric view on advanced persistent threats. In: Intelligence and Security
pp. 106–115. Informatics Conference (EISIC), 2013 European. IEEE, pp. 166–171.
Liu, C.Z., Zafar, H., Au, Y.A., 2014. Rethinking FS-ISAC: an IT security informa- Sillaber, C., Sauerwein, C., Mussmann, A., Breu, R., 2016. Data quality challenges and
tion sharing network model for the financial services sector. Commun. Assoc. future research directions in threat intelligence sharing practice. In: Proceed-
Inf.Syst. 34 (1), 2. ings of the 2016 ACM on Workshop on Information Sharing and Collaborative
LLC, P.I., 2014. Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Security. ACM, pp. 65–70.
Sponsored by IID Independently conducted by Ponemon Institute LLC. Skopik, F., Settanni, G., Fiedler, R., 2016. A problem shared is a problem halved: a
Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M., 2007. L-diversity: survey on the dimensions of collective cyber defense through security informa-
privacy beyond k-anonymity. TKDD 1 (1), 3. tion sharing. Comput. Secur. 60, 154–176.
Mann, D., Brooks, J., DeRosa, J., 2011. The Relationship Between Human and Ma- Star, S., Griesemer, J., 1989. Translations’ and boundary objects: amateurs and pro-
chine-Oriented Standards and the Impact to Enterprise Systems Engineering. fessioals in Berkeley’s museum of vertebrate zoology 1907-39. Inst. Ecol. 19 (3).
The MITRE Corporation, Bedford, MA. Sullivan, C., Burger, E., 2017. “in the public interest”: the privacy implications of
Martinelli, F., Matteucci, I., Petrocchi, M., Wiegand, L., 2012. A formal support for international business-to-business sharing of cyber-threat intelligence. Comput.
collaborative data sharing. In: International Conference on Availability, Reliabil- Law Secur. Rev. 33 (1), 14–29.
ity, and Security. Springer, pp. 547–561. Sweeney, L., 2002. k-anonymity: a model for protecting privacy. Int. J. Uncertain.
McConnell, B., 2011. Enabling distributed security in cyberspace. Secur. Autom. 8. Fuzziness Knowl. Based Syst. 10 (5), 557–570.
Meng, G., Liu, Y., Zhang, J., Pokluda, A., Boutaba, R., 2015. Collaborative security: a Tamjidyamcholo, A., Baba, M.S.B., Shuib, N.L.M., Rohani, V.A., 2014. Evaluation model
survey and taxonomy. ACM Comput. Surv. 48 (1), 1. for knowledge sharing in information security professional virtual community.
Mittal, S., Das, P.K., Mulwad, V., Joshi, A., Finin, T., 2016. Cybertwitter: using twitter Comput. Secur. 43, 19–34.
to generate alerts for cybersecurity threats and vulnerabilities. In: Advances in Tamjidyamcholo, A., Baba, M.S.B., Tamjid, H., Gholipour, R., 2013. Information securi-
Social Networks Analysis and Mining (ASONAM), 2016 IEEE/ACM International ty–professional perceptions of knowledge-sharing intention under self-efficacy,
Conference on. IEEE, pp. 860–867. trust, reciprocity, and shared-language. Comput. Educ. 68, 223–232.
Mohaisen, A., Al-Ibrahim, O., Kamhoua, C., Kwiat, K., Njilla, L., 2017. Rethinking in- Tavakolifard, M., Almeroth, K.C., 2012. A taxonomy to express open challenges in
formation sharing for actionable threat intelligence. CoRR. arXiv:1702.00548. trust and reputation systems. J. Commun. 7 (7), 538–551.
Moriarty, K. M., 2013. Transforming Expectations for Threat-Intelligence Sharing. ThreatConnect, 2015. Threat Intelligence Platforms - Everything You’ve Ever Wanted
Murdoch, S., Leaver, N., 2015. Anonymity vs. trust in cyber-security collaboration. to Know But Didn’t Know to Ask. Technical Report.
In: Proceedings of the 2nd ACM Workshop on Information Sharing and Collab- Tosh, D.K., Molloy, M., Sengupta, S., Kamhoua, C.A., Kwiat, K.A., 2015. Cyber-invest-
orative Security. ACM, pp. 27–29. ment and cyber-information exchange decision modeling. In: High Performance
Mutemwa, M., Mtsweni, J., Mkhonto, N., 2017. Developing a cyber threat intelligence Computing and Communications (HPCC), 2015 IEEE 7th International Sympo-
sharing platform for South African organisations. In: Information Communica- sium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International
tion Technology and Society (ICTAS), Conference on. IEEE, pp. 1–6. Conferen on Embedded Software and Systems (ICESS), 2015 IEEE 17th Interna-
Naghizadeh, P., Liu, M., 2016. Inter-temporal incentives in security information shar- tional Conference on. IEEE, pp. 1219–1224.
ing agreements. Position paper for the AAAI Workshop on Artificial Intelligence Tryfonopoulos, C., Idreos, S., Koubarakis, M., Raftopoulou, P., 2014. Distributed
for Cyber-Security. large-scale information filtering. In: Transactions on Large-Scale Data-and
Neubauer, T., Heurix, J., 2011. A methodology for the pseudonymization of medical Knowledge-Centered Systems XIII. Springer, pp. 91–122.
data. Int. J. Med. Inform. 80 (3), 190–204. Vanetti, M., Binaghi, E., Carminati, B., Carullo, M., Ferrari, E., 2010. Content-based
Nusrat, S., Vassileva, J., 2011. Recommending services in a trust-based decentralized filtering in on-line social networks. In: International Workshop on Privacy and
user modeling system. In: International Conference on User Modeling, Adapta- Security Issues in Data Mining and Machine Learning. Springer, pp. 127–140.
tion, and Personalization. Springer, pp. 230–242. Vazquez, D.F., Acosta, O.P., Spirito, C., Brown, S., Reid, E., 2012. Conceptual frame-
Park, J.H., Gu, B., Leung, A.C.M., Konana, P., 2014. An investigation of informa- work for cyber defense information sharing within trust relationships. In: 4th
tion sharing and seeking behaviors in online investment communities. Comput. International Conference on Cyber Conflict, CyCon 2012, Tallinn, Estonia, June
Hum. Behav. 31, 1–12. 5–8, 2012, pp. 1–17.
Pawlinski, P., Jaroszewski, P., Kijewski, P., Siewierski, L., Jacewicz, P., Zielony, P., Zu- Wang, Y., Vassileva, J., 2003. Trust and reputation model in peer-to-peer networks.
ber, R., 2014. Actionable information for security incident response. European In: Peer-to-Peer Computing, 20 03.(P2P 20 03). Proceedings. Third International
Union Agency for Network and Information Security, Heraklion, Greece. Conference on. IEEE, pp. 150–157.
Rao, W., Chen, L., Hui, P., Tarkoma, S., 2012. Move: a large scale keyword-based Xiong, Q., Chen, X., 2013. Incentive mechanism design based on repeated game the-
content filtering and dissemination system. In: Distributed Computing Systems ory in security information sharing. In: 2nd International Conference on Science
(ICDCS), 2012 IEEE 32nd International Conference on. IEEE, pp. 445–454. and Social Research (ICSSR 2013). Atlantis Press.
Resnick, P., Zeckhauser, R., 2002. Trust among strangers in internet transactions: Xu, H., Liu, Y., Qi, S., Shi, Y., 2013. A novel trust model based on probability
empirical analysis of ebay’s reputation system. In: The Economics of the Inter- and statistics for peer to peer networks. In: Quality, Reliability, Risk, Main-
net and E-commerce. Emerald Group Publishing Limited, pp. 127–157. tenance, and Safety Engineering (QR2MSE), 2013 International Conference on.
Riedl, B., Neubauer, T., Goluch, G., Boehm, O., Reinauer, G., Krumboeck, A., 2007. A IEEE, pp. 2047–2050.
secure architecture for the pseudonymization of medical data. In: Availability, Xu, J., Fan, J., Ammar, M.H., Moon, S.B., 2002. Prefix-preserving ip address
Reliability and Security, 2007. ARES 2007. The Second International Conference anonymization: measurement-based security evaluation and a new cryptogra-
on. IEEE, pp. 318–324. phy-based scheme. In: Network Protocols, 2002. Proceedings. 10th IEEE Inter-
Rutkowski, A., Kadobayashi, Y., Furey, I., Rajnovic, D., Martin, R., Takahashi, T., national Conference on. IEEE, pp. 280–289.
Schultz, C., Reid, G., Schudel, G., Hird, M., et al., 2010. Cybex: the cybersecurity Zheng, D.E., Lewis, J.A., 2015. Cyber Threat Information Sharing: Recommendations
information exchange framework (x. 1500). ACM SIGCOMM Comput. Commun. for Congress and the Administration.
Rev. 40 (5), 59–64.
Rutkowski, T., Compans, S., 2017. ETSI TR 103 456 v1.1.1 ”CYBER; Implementation of Mr. Thomas D. Wagner Thomas received his bachelor of science degree from Lon-
the Network and Information Security (NIS) Directive”. Technical Report. don South Bank University completing a course in Electronic Business Information
Rutkowski, T., Compans, S., 2018. ETSI TR 103 331 v1.2.1 (Draft)”CYBER; Structured Technology in 2009. In 2011, he completed his Master of Science degree with dis-
threat information sharing”. Technical Report. tinction in Information Assurance at the same institution. Thomas worked for T-
Safa, N.S., Von Solms, R., 2016. An information security knowledge sharing model in Systems in Sao Paulo, Brazil as an Application Support Analyst from 2011 to 2014.
organizations. Comput. Hum. Behav. 57, 442–451. He started his PhD at Birmingham City University in September 2014, where he
Sander, T., Hailpern, J., 2015. Ux aspects of threat information sharing platforms: an researches the field of cyber threat intelligence. He currently studies his PhD part-
examination & lessons learned using personas. In: Proceedings of the 2nd ACM time and works full time as a Threat Analyst at ETAS (Bosch Group) in Stuttgart,
Workshop on Information Sharing and Collaborative Security. ACM, pp. 51–59. Germany.
Sauerwein, C., Sillaber, C., Mussmann, A., Breu, R., 2017. Threat intelligence shar-
Dr. Khaled Mahbub. Khaled Mahbub (PhD, MEng, BEng) is a senior lecturer in software engineering at Birmingham City University. His research interests are in the area of Automated Software Engineering, focusing on some key technical issues for the effective realization of service based systems and cloud based systems, including run-time security monitoring and secure system design. In the past Khaled has worked in several EU funded projects including CUMULUS (Certification Infrastructure for Multi-Layer Cloud Services, EU FP7, STREP Project), ASSERT4SOA (Advanced Security Service cERTificate for SOA, EU FP7, STREP Project), S-CUBE (The Software Services and Systems Network - FP7 EU Project), Gredia (Grid enabled access to rich media content - FP6 EU Project), Serenity (System Engineering for Security & Design, FP6 EU Project), and SeCSE (Service Centric System Engineering, FP6 EU Project). He has published more than 30 papers in different international journals and conference proceedings with more than 800 citations.

Dr. Esther Palomar. Esther Palomar has been reader in Cyber Security in CEBE at Birmingham City University since September 2013. She has a PhD in computer science (2008) from University Carlos III of Madrid, where she worked as Assistant Lecturer for nine years. Esther was invited as Visiting Professor at INRIA in Paris (2009) and Simula Research Laboratory in Oslo (2012) for a 6-month period each. Her main research interests include design, analysis and implementation of cooperation-based cryptographic protocols for fully decentralised networks and applications in emerging areas ranging from Internet of Things, smart cities, assisted living, and smart transportation. She regularly serves as reviewer for a number of international journals and as technical program committee member of conferences on computer science. She has published a number of peer reviewed conference and journal articles.

Prof. Ali E. Abdallah. Ali E. Abdallah is a professor of information security at Birmingham City University. Prior to his current appointment, he was a professor of information assurance at London South Bank University, a lecturer in computer science at the University of Reading and a research officer at Oxford University Computing Laboratory. He lectures in information security, information risk management, software security, distributed systems and formal methods. His research interests are closely linked to his teaching and strongly emphasize the relevant theoretical underpinnings. He leads "information security" research at BCU focusing on topics ranging from identity management, access control and privacy to securing shared information in virtual organisations and the development of high assurance secure and resilient software.