Computers in Human Behavior

We investigate how human beliefs are associated with the absorption of specialist knowledge that is required to produce cyber-security. We ground our theorizing in the knowledge-based view of the firm and transaction-cost economics. We test our hypotheses with a sample of 262 members of an information-sharing and analysis center who share sensitive information related to cyber-security. Our findings suggest that resource belief, usefulness belief, and reciprocity belief are all positively associated with knowledge absorption, whereas reward belief is not. The implications of these findings for practitioners and future research are discussed.


Introduction
For both public and private organizations, effective cyber-security is required to prevent business interruption and thus to ensure operational continuity (Fransen, Smulders, & Kerkdijk, 2015;Furnell & Clarke, 2012;Gordon, Loeb, & Zhou, 2016;Luiijf & Klaver, 2015;Skopik, Settanni, & Fiedler, 2016;Tounsi & Rais, 2018). The production of such cyber-security is a knowledge-intensive task (Ben-Asher & Gonzalez, 2015;Jakobson, 2011). Despite the fact that hardware and software components required for this defense are relatively homogeneous and readily available at low cost or even for free (Anderson, 2001;Hofmann & Ramaj, 2011), highly specialist knowledge is required to combine and deploy these components effectively for organizational defense -for instance, by designing resilient systems architectures and implementing them efficiently (Etzioni, 2011;Lee, Bagheri, & Kao, 2015). Hence, cyber-security is a complex capability that is not readily created by the purchasing of technological components; rather, it is the skilled knowledge of how to organize and orchestrate these components that creates the actual defense (Anderson, 2001;Hofmann & Ramaj, 2011;Solms & Niekerk, 2013). Furthermore, due to the swift technological evolution and short technology life-cycles of these components, knowledge required to produce cyber-security becomes obsolete (Casas et al., 2017;Chen, Chiang, & Storey, 2012;Mahmood & Afzal, 2013;Wang et al., 2014). Organizations are hence under continuous pressure to update existing and acquire novel knowledge to keep up with the evolution of individual action and cyber-security outcomes is studied (Anderson, 2001;Anderson & Fuloria, 2010;Anderson & Moore, 2006;Gordon, Loeb, & Lucyshyn, 2003;Laube & Böhme, 2017). However, few such studies exist to date. A recent overview of the related literature by Laube and Böhme (2017) suggests that almost all research on cybersecurity information exchange (and subsequent knowledge absorption) is characterized by the following limitations. First, the overwhelming majority of this literature does not analyze individuals, but analyzes impersonal information such as log-files (Flegel, 2002;Forte, 2004;Maillart et al., 2017;Masud et al., 2008;Moore & Clayton, 2011). Much literature is also restricted to pure game theory or simulation (Cavusoglu, Raghunathan, & Yue, 2008;Fielder et al., 2014;Gal-Or & Ghose, 2005;Gordon et al., 2003;Grossklags, Christin, & Chuang, 2008;Hausken, 2007;Kunreuther & Heal, 2003;Manshaei et al., 2013;Shiva, Roy, & Dasgupta, 2010). Second, a cyber-security context often requires sensitive and classified information that is unlikely to be shared or disseminated by public channels (Bisogni, 2015;Gal-Or & Ghose, 2005;Hausken, 2007;Laube & Böhme, 2017;Moran & Moore, 2010;Weiss, 2014). Third, the knowledge required to build cybersecurity is expert knowledge and hence is highly tacit, i.e., bound in personal experience. Such tacit knowledge is not only hard to describe objectively (e.g., by documentation in manuals or textbooks), but it can also not readily be transferred among individuals, unless by intense social interaction between sender and recipient (Nonaka & Takeuchi, 1995;Polanyi, 1962;Siesfeld, Cefola, & Neef, 2009). Although some work on cyber-security studies the transfer of explicit knowledge that can be documented in forums and databases (e.g., Yan et al. (2016) and Safa and Von Solms (2016)), we are not aware of any empirical work that would analyze the transfer and absorption of tacit knowledge in a cyber-security context. This lack of attention constitutes an important research gap (Wang & Noe, 2010). Fourth and finally, even if the absorption of tacit knowledge requires human interaction, the social process alone does not necessarily imply that knowledge is actually absorbed. Human interaction can be futile if the possessor of any knowledge is unable or unwilling to transfer it to other individuals. To the best of our knowledge, the existing literature focuses on attitudes, motivations and contexts that influence an individual's propensity to (not) share information (Jeon, Kim, & Koh, 2011;Naghizadeh & Liu, 2016;Pi, Chou, & Liao, 2013;Safa & Von Solms, 2016;Ter Wal, Criscuolo, & Salter, 2017;Tosh et al., 2017;Wagner et al., 2018;Wang & Hou, 2015;Zibak & Simpson, 2019). In contrast, we are not aware of any contribution that measures the extent to which (i.e., the success with which) actual knowledge absorption for cyber-security has occurred as a result of social interaction.
The purpose of our paper is to address all of these limitations. We study the extent to which an individual successfully absorbs knowledge in a private, collaborative setting in which sensitive, non-public and tacit knowledge required to build cyber-security is absorbed through information sharing. Hence, both the focus and the unit of analysis are on the individual level. Recent work has highlighted that the study of such collaborative-information sharing should lead to a better understanding of cyber-security (Laube & Böhme, 2017). We go one step further by not only studying elements associated with such information sharing, but also its outcomes in terms of individual knowledge absorption.
We first build a framework that is anchored in the knowledgebased view of the firm, arguing that the absorption of tacit knowledge is associated with human beliefs (Section 2). Using ordered probit regression, we then test this model with psychometric data from 262 members of the closed user group of MELANI-net, the national information sharing and analysis center (ISAC) in Switzerland (Section 3). Our results suggest that resource belief, usefulness belief, and reciprocity belief are positively associated with knowledge absorption, whereas belief in hard rewards is not (Section 4). We discuss the implications of our findings and provide recommendations for future research and managerial practice (Section 5).

Theoretical framework and hypotheses
In this section, we present our hypotheses related to potential associations between human beliefs and knowledge absorption.
The knowledge-based view of the firm suggests that knowledge is a valuable, scarce, and imperfectly imitable resource and hence is a significant source of competitive advantage for organizations (Barney, 1991;Foss, 1996;Grant, 1996aGrant, , 1996bKogut, 2000;Nickerson & Zenger, 2004;Phelan & Lewin, 2000;Spender, 1996). More specifically, specialist knowledge is a significant contributor to product, process and service innovation (Grant, 1996a(Grant, , 1996bScarbrough, 2003;Schilling, 2010;Tether & Tajar, 2008). Hence, an organization must continuously absorb specialist knowledge to be able to generate innovations that can provide cyber-security for its IT components and systems architecture.
Organizational knowledge absorption is the result of individual (i.e., human) learning. An organization absorbs knowledge only by the learning of its current members, or by the inclusion of new members (Grant, 1996a(Grant, , 1996bMarch, 1991;Simon, 1991). In this article, we focus on the learning of existing organization members. 1 In this perspective, novel organizational knowledge is created by the individual knowledge absorption of these members (Bock & Kim, 2002).
However, for any individual member, knowledge absorption from beyond the boundary of the organization is not a free activity. Typically, an individual incurs significant transaction costs before any economic exchange is completed. Such costs include time spent and financial resources dedicated to receiving information, making decisions, and the process of interacting with others (Williamson, 1981). In the context of an ISAC, these costs are incurred once the individual begins to interact with others, as intensive social interaction is required for a successful transfer of tacit knowledge between any two individuals (Kogut & Zander, 1993;Nonaka & Takeuchi, 1995;Polanyi, 1962;Teece, 1977Teece, , 1983. Prior research also suggests that if information sharing takes too much time, is too laborious, or requires too much effort, an individual engages less in knowledge transfer, and the amount of knowledge transferred is reduced (ENISA, 2010(ENISA, , 2018Luiijf & Klaver, 2015;Yan et al., 2016). Furthermore, the knowledge may be classified or irrelevant from the individual's perspective. We therefore propose that before making any specific assessment, the individual might estimate whether or not the knowledge present in the ISAC is generally worth the transaction cost required to absorb this knowledge. Unless this assessment is positive, the individual is unlikely to engage in any profound interaction at all.

H1: Resource belief
When individuals must make such considerations, they typically use cues and heuristics to simplify the decision-making process (Gabaix et al., 2006;Petty & Cacioppo, 1986). By such cues, objective and impersonal assessment is replaced by a subjective, belief-based assessment of whether or not the information to be received is useful at all (Bosch, Volberda, & Boer, 1999;Kogut & Zander, 1993;Polanyi, 1962). Whenever such a belief is present, individuals are more prone to engage in social interactions that precede knowledge absorption (Lichtenthaler & Ernst, 2007). Hence, knowledge absorption might be positively associated with the extent to which the individual believes the knowledge available in the ISAC constitutes a valuable, rare, and imperfectly imitable asset -i.e., a resource (Barney, 1991) -that is worth absorbing (resource belief). Hence, H1: Knowledge absorption is positively associated with resource belief. 1 We consider the discussion of recruiting strategies for novel members beyond our scope, because this context would transcend both the individual level of analysis and the boundary of the firm. H1 is therefore related to the individual's belief that the transaction costs of knowledge sharing will be outweighed by the benefits that will come from such a social interaction (i.e., knowledge sharing); such benefits being concertized by knowledge absorption resulting from knowledge sharing.

H2: Usefulness belief
While this resource belief may induce the individual to interact with others at all, it does not necessarily imply the knowledge available is directly applicable for the specific job tasks the individual is charged with. For example, ISAC participants may exchange information that is useful to the industry or the organization in general, but that information may offer no specific guidance for any particular job task.
Prior research suggests that individuals do not necessarily act altruistically -i.e., only in the interest of the organization (Nagin et al., 2002). Goal-alignment theory suggests that individual and organizational goals are not necessarily congruent (Hume, 2000;Lindenberg & Foss, 2011). Consequently, an individual would not only consider the general usefulness of any knowledge available from other ISAC members -i.e., whether or not this knowledge constitutes a resource that is worth the transaction cost -but also the extent to which this knowledge is specifically useful for any particular job task.
As the job performance evaluation of the individual might be considered as a specific contribution to organizational cyber-security, the individual has an incentive to study the specific usefulness of any information with this job-related assessment in mind (Feldman & March, 1981;Luiijf & Klaver, 2015;Nagin et al., 2002). Hence, knowledge absorption might be positively associated with the extent to which individuals believe the knowledge available in the ISAC specifically contributes to fulfilling their job tasks (usefulness belief). Hence,

H2: Knowledge absorption is positively associated with usefulness belief.
If H1 is related to the individual's fundamental assessment that determines if engaging in knowledge sharing is worth it (i.e., the transaction costs of such a social interaction will be outweighed by the benefits coming from the resulting knowledge absorption in general), H2 reaches one step further by suggesting that knowledge absorption might be useful for the individual's job tasks.

H3: Reward belief
Further, goal alignment theory also suggests that the individual may choose to not disclose the specialist knowledge absorbed to other members of the organization. Typically, individuals align their behavior with their return goals; hence they expect to be rewarded whenever they exhibit behavior that is in the organization's interest (Nagin et al., 2002).
Unless individuals believe that the organization will provide such rewards, they may choose to exploit their ISAC membership on an individual basis (e.g., by hoarding knowledge to make oneself irreplaceable in the organization, by starting up a firm or by selling private consultancy services to the industry). Hence, the individual would not absorb knowledge in the interest of the organization, but rather in the interest of private business. To solve this incentivization problem, organizations typically offer -hard reward so whenever knowledge is absorbed and shared for the benefit of the organization. Such rewards include job promotions, greater job security, salary increases, or more power and responsibility in the organization (Bock & Kim, 2002;Centers & Bugental, 1966;Kalleberg, 1977;Ryan & Deci, 2000). For example, Buckman Laboratories distinguishes its 100-top informationsharers at an annual conference located at a resort (Singh, 2005). Lotus Development, an IBM division, rewards employees for information sharing activities (Davenport & Glaser, 2002). Prior research suggests that such rewards positively contribute to individuals' hours worked, dedication, and performance (Encinosa, Gaynor, & Rebitzer, 2007;Gaynor, Rebitzer, & Taylor, 2001).
Therefore, the more individuals believe they will receive such -'hard rewards' for successful knowledge absorption (reward belief), the more they should be likely to concentrate on realizing such absorption. Hence,

H3: Knowledge absorption is positively associated with reward belief.
If H2 is related to the individual's assessment that determines if engaging in knowledge sharing will help the fulfillment of their job tasks (i.e., the transaction costs of such a social interaction will be outweighed by the benefits coming from the resulting knowledge absorption in terms of job tasks fulfillment), H3 suggests that knowledge absorption might be fostered if such absorption is compensated by rewards delivered by the organization.

H4: Reciprocity belief
Given that knowledge is a valuable, scarce and imperfectly imitable resource, the value of a unit of cyber-security knowledge is proportional to the incremental cyber-security enhancement that this unit is supposed to provide (Bodin et al., 2018;Gordon, Loeb, Lucyshyn, & Zhou, 2015). As individuals are probably aware that any knowledge they share delivers such benefits to others, they may expect to receive adequate knowledge in return. Typically, humans prefer such equitable exchanges over any other arrangement (Andreoni, 1995;Bolton & Ockenfels, 2000;Kolm & Mercier-Ythier, 2006), and they punish those who defect from this principle of equity or refuse to reciprocate when another individual provides something valuable (Brosnan & Waal, 2003;Fehr & Gächter, 2000Tricomi et al., 2010). For example, reciprocal fairness is an important variable in the design of peer-selection algorithms in peer-to-peer (P2P) networks. As a result, the operators of such networks have developed ways to remove -'leechers' who demand information without providing any (Wang et al., 2011). The extent to which an individual can absorb tacit knowledge by social exchange might depend on the extent to which this individual is willing to reciprocate whenever they receive information from others (Xiong & Liu, 2004).
Therefore, unless the individual believes that original knowledge sharing will be reciprocated (reciprocity belief), they might terminate social interaction with others. As such interaction is a prerequisite of effective absorption, any prior level of knowledge absorption would significantly decrease. Hence, H4: Knowledge absorption is positively associated with reciprocity belief.
The following illustration summarizes the different constructsi.e., the set of independent variables and their respective hypothesis -, and emphasizes their potential association with the dependent variable, i.e., knowledge absorption.
By testing the above-mentioned model, we suggest to explore with which intensity (if at all) the variable of knowledge absorption is associated with the individual's beliefs.

Data and methods
In this section, we present the sampling context and population of this study, how we measured our independent variable, items and constructs, how we implemented the questionnaire in order to measure our items and constructs, as well as how we proceeded with our analysis.

Sampling context and population
As our theoretical reasoning focuses on knowledge absorption by social interaction, the sampling context must fit this research interest. We therefore collected our data from the closed user-group of MELANI-net -the Swiss national information sharing and analysis center (ISAC). An ISAC is a nonprofit organization that brings together cyber-security managers in person to facilitate interpersonal information exchange between critical-infrastructure providers (CIP). 2 Both the survey and the related dataset we exploit are identical to those described in Mermoud et al. (2019).
This setting is particularly useful for our context as individuals in the closed user-group participate on behalf of their organizations, share highly sensitive and classified information in a private and exclusive setting, and interact socially as they share and absorb tacit knowledge. The 424 members of the closed user-group are all managers and specialists who must provide cyber-security for their respective organizations. They come from both private and public CIP. They have to undergo government identification and clearance procedures, as well as background checks before being admitted for ISAC membership. There is no interaction whatsoever between these members and the public, and no external communication to the public or any publication of relevant knowledge is made. Hence, this setting matches our proposition that the knowledge needed to produce cyber-security is not only classified and difficult to identify, but also tacit and grounded in personal experience, such that social interaction between individuals is required to transfer it.
Whenever a particular individual has shared information about a threat that is of interest to other members of this closed user group, individuals can contact each other by an internal message board. They do so by commenting on the initial information shared, in order to establish a first contact that then leads to further social exchange between the individuals. Once contact is made by a short reply about the threat information, to share detailed security information, the individuals involved in the conversation meet on their own initiative (e.g., informally over lunch, in group meetings, or small industryspecific conferences, but always from an individual to another). Each individual decides for themselves if they want to meet, with whom, and by what means. They also freely decide about the extent of the information shared (if any). MELANI-net officials neither force nor encourage individuals to interact; both in terms of social interaction in general and regarding the sharing of any particular unit of information.

Measures
Our study follows individuals who self-report about their beliefs. We therefore chose a psychometric approach to operationalize our constructs (Nunnally & Bernstein, 2017).
We introduce a novel ordinal indicator to capture individual knowledge absorption. It asks respondents to state which amount of exclusive information they receive through security information exchange with the other participants inside the ISAC.
To measure the different beliefs we hypothesized, extant psychometric scales were used. Adaptions of these scales to our population context were kept to a minimum. Table 1 details all constructs, their sources, item composition and wording, dropped items (if any), factor loadings; and Cronbach alphas.
To capture respondent heterogeneity, we controlled for gender, age, and education level. Gender was coded dichotomously (male, female). Age was captured by four mutually exclusive categories (21-30, 31-40, 41-50, 50+ years). Education level was captured by six mutually exclusive categories (none, bachelor, diploma, master, PhD, other). 3 We further captured the respondent's hierarchical position in the organization (employee, chief employee -i.e., intermediary supervisor position -, middle management, management, member of the board, other), as this position may influence both the propensity of sharing knowledge as such, and the intensity with which knowledge is actually shared (Cai et al., 2013).
We also controlled for the number of years the individual had experience with collaborative-information sharing (prior information sharing experience: not in charge, less than 1, 1 to 3, 3 to 6, over 6), as such experience is significantly associated with information sharing intention (Lee & Ma, 2012).
Further, the extent to which the respondent can absorb knowledge can co-evolve with the length of ISAC membership, as individuals gain more insight over time and develop interpersonal relationships. Hence, we controlled for membership duration and calculated it as the difference between 2017 and the year the individual became an ISAC member.
Also, individual experience from past social interactions can influence the respondent's beliefs (Haemmerli, Raaum, & Franceschetti, 2013;Vázquez et al., 2012). We therefore asked respondents to state whether or not they had already participated in prior ISAC meetings and events (dichotomously coded yes/no).
Sympathy and antipathy in peer relations might influence the extent to which individuals interact and learn; hence, the quality of any peer relation may influence the extent to which knowledge absorption can occur (Chow & Chan, 2008;Coolahan et al., 2000). We therefore asked respondents to rate their individual perception of the personal relationships they had with their peers among ISAC members (very friendly, friendly, neutral, unfriendly, very unfriendly).
We also asked respondents to rate their potential individual contribution by indicating the extent to which they felt they (generally) had much information to share (strongly agree, agree, neutral, disagree, strongly disagree). We insert this control into the model as an individual's intention to share knowledge might be associated with how much the individual knows already. Further, individuals who have little to share might receive less information from their peers as these feel less compelled to reciprocate if they receive little in the first place (Chang & Chuang, 2011;Davenport, Prusak, et al., 1998).
Finally, we controlled for the industry heterogeneity (government, banking/finance, energy, health, all other industries) by logging each respondent's self-reported affiliation. This information was used to construct dichotomous indicators ('dummy variables') that group respondents into the five industry categories, government, banking & finance, energy, health, and all other industries. Each dummy variable takes on the value 1 if a respondent is affiliated with a particular industry, and has a value of 0 otherwise.

Implementation
Data for all variables was collected from individual respondents by a questionnaire instrument. We followed the procedures and recommendations of Dillman, Smyth, and Christian (2014) for questionnaire design, pretest, and implementation. Likert-scaled items were anchored at -'strongly disagree' (1) and -'strongly agree' (5) with 'neutral' as the midpoint (3). The questionnaire was first developed as a paper instrument. It was pretested with seven different focus groups from academia and the cyber-security industry. The feedback obtained was used to improve the visual presentation of the questionnaire and to add additional explanations. This feedback also indicated that respondents could make valid and reliable assessments. Within the closed usergroup, both MELANI-net officials and members communicate with each other in English. Switzerland has four official languages, none of which is English, and all constructs we used for measurement were originally published in English. We therefore chose to implement the questionnaire in English to rule out any back-translation problems. Before implementation, we conducted pretests to make sure respondents had the necessary language skills. The cover page of the survey informed respondents about the research project and our goals, and it also made clear that we had no financial or business-related interests. We followed Podsakoff, MacKenzie, et al. (2003), as far as this was possible for a cross-sectional research design, to alleviate common method bias concerns from the onset.
The paper instrument was then implemented as a web-based survey by using the Select-Survey software provided by the Swiss Federal Institute of Technology Zurich (ETH). For reasons of data security, the survey was hosted on the proprietary servers of this university. The management of MELANI-net invited all closed user-group members to respond to the survey by sending an anonymized access link, such that the anonymity of respondents was guaranteed at all times. Respondents could freely choose whether or not to reply. As a reward for participation, respondents were offered, free of charge, a research report that summarized the responses. Respondents could freely choose to save intermediate questionnaire completions and to return to the survey and complete it at a later point in time.
The online questionnaire and the reminders were sent to the population by the Deputy Head of MELANI-net, together with a letter of endorsement. The survey link was sent in an e-mail describing the authors, the data, contact details for IT support, the offer of a free report, and the scope of our study. Data collection began on October 12, 2017 and ended on December 1, 2017. Two reminders were sent on October 26 and November 9, 2017. Of all 424 members, 262 had responded when the survey was closed, for a total response rate of 62%.

Analysis
Upon completion of the survey, the data were exported from the survey server, manually inspected for consistency, and then converted into a STATA dataset (Vol. 15) on which all further statistical analysis was performed. Post-hoc tests suggested no significant influence of response time on any measure. There was no significant over-representation of individuals affiliated with any particular organization, thus suggesting no need for a nested analytical design.
By calculating item-test, item-rest, and average inter-item correlations, the validity of each construct was tested (Hair, 2006). The reliability was measured by Cronbach alpha. We performed iterative principal component factor analysis with oblique rotation until total variance explained was maximized and each item clearly loaded on one factor. During this process, four items were dropped because they did not meet these criteria. Table 2 details the results of this procedure, and  Table 1 documents the dropped items. The high direct factor-loadings and low cross-loadings of the final four factors we identified indicate a high degree of convergent validity (Hair, 2006). All of these have an eigenvalue above unity. The first factor explained 19.1% of the total variance, suggesting the absence of significant common method variance in the sample (Podsakoff & Organ, 1986). To construct the scale values, individual item scores were added, and this sum was divided by the number of items in the scale (Reinholt, Pedersen, & Foss, 2011;Trevor & Nyberg, 2008).
Our dependent construct is ordered and categorical, therefore we estimated an ordered probit model. A comparison with an alternative ordered logit estimation confirmed the original estimations and indicated that the ordered probit model slightly better fit the data. The model was estimated with robust standard errors to neutralize any potential heteroscedasticity. For the controls age, industry, and education, a benchmark category was automatically selected during estimation (cf. footnote b of Table 5). Consistent with the recommendation of Cohen et al. (2002), we incrementally built all models by entering only the controls in a baseline model first, then, we added the main effects. In both estimations, we mean-centered all measures before entering them into the analysis. Model fit was assessed by repeated comparisons of Akaike and Bayesian information criteria between different specifications. Table 3 provides summarized descriptive statistics. 95% of respondents are male, 32% are below and 68% above the age of 40. Practitioners without a formal degree constitute 20% of the sample, whereas 68% have a certificate of competence or a bachelor degree. Only 4.6% have a master degree or a PhD. The majority of the sample is composed of two groups: employees or intermediate supervisors (42% of respondents), and middle or line managers (51%). Only 2.7% are top managers or board members. 43% of respondents have up to three years of experience with collaborative information sharing, and 48% have more than three years of such experience. 52% had already participated in one of more prior ISAC meetings or event.

Results
Since our dependent variable is ordinal, a monotonic correlation analysis is necessary. Moreover, data for ordinal variables need not be distributed normally. Table 4 therefore provides Spearman rather than Pearson correlations. For the sake of brevity, correlates for controls are omitted. Table 5 documents the final best-fitting model, together with its diagnostic measures.
H1 is supported. Resource belief is positively associated with knowledge absorption at < 0.05. This suggests that whenever an individual believes valuable knowledge can be acquired, they are more willing to invest the transaction cost for tacit knowledge absorption and are able to absorb such knowledge to a greater extent.
H2 is supported. Usefulness belief is positively associated with knowledge absorption at < 0.01. This finding is in line with our theoretical expectation that individuals seek knowledge absorption not for its own sake, but in order to augment the efficiency and effectiveness of their cyber-security production.
H3 is not supported. Reward belief is not significantly associated with knowledge absorption. In context with the above findings for H1 and H2, this signals that the individual's decision to participate in a knowledge-transfer process is primarily intrinsically motivated. Moreover, this non-finding might be due to the fact that Wang and Hou (2015) introduce their measure of reward belief (which we adapted for our study) in the context of public information-sharing and absorption, implying that in a private setting of knowledge absorption, intrinsic motivations for absorption might outweigh extrinsic ones.
H4 is supported. Reciprocity belief is significantly associated with the extent to which the individual absorbs knowledge at < 0.01. This finding is in line with our theoretical expectation that knowledge absorption is ultimately the result of reciprocated human interaction.
Although all control variables and industry dummy variables capture variance, only one of them is significant at < 0.05. We find that knowledge absorption is not associated with an individual's job position, prior information-sharing experience, size of the organization  that employs an individual, quality of peer relationships, potential individual contribution, an individual's gender, age, education level, industry affiliation, or length of ISAC membership. These non-findings do not only alleviate concerns about unobserved heterogeneity among respondents, but the non-significance of the industry dummies also alleviates concerns of over-representation of a particular industry or firm among the responses. The one significant effect we do find suggests that participation in prior ISAC events (such as group meetings, conferences, and industryspecific talks) is positively associated with knowledge absorption. This finding suggests that knowledge absorption positively evolves over time, as individuals build social relationships during such events.

Discussion
In this last section, we present our concluding comments, the policy recommendations resulting from concluding comments, we discuss the limitations of this study and suggest paths for further research.
In this article, we argue that the production of organizational cybersecurity is associated with the extent to which the members of this organization, i.e., human beings, can absorb the tacit knowledge required for this production. Framing this argument in the knowledgebased view of the firm and transaction cost economics, we empirically show that human beliefs are significantly associated with the extent to which an individual absorbs knowledge.
To the best of our knowledge, our study is the first empirical contribution that analyzes knowledge absorption in a private setting, where sensitive knowledge required for cyber-security products and services is shared and absorbed. Prior to our approach, scholars analyzed human interaction in the context of cyber-security, but almost exclusively in public settings. We develop this empirical literature by focusing on tacit knowledge-transfer in a private setting, thus suggesting this research design corresponds more closely with both the type of knowledge required to produce cyber-security and the transmission channels by which this sensitive and classified knowledge is shared.
We also contribute to filling the significant gap that Laube and Böhme (2017) note in their tabulation of the recent literature. Through this research, we help to extend the literature on the economics of information security by suggesting that cyber-security is not solely a technical issue. Whereas many technological solutions to cyber-security have been proposed, few of these are successful unless an economic perspective is adopted (Anderson, 2001;Anderson & Moore, 2006). Our study therefore strengthens the proposition that interdisciplinary approaches which attempt to integrate thinking from economics and psychology when considering cyber-security are useful (Anderson & Moore, 2006;Furnell & Clarke, 2012). For the same reason, we suggest that a proper understanding of subjective human beliefs and behaviors can complement the analysis of objective data such as log files. We argue that humans consider the transaction costs of knowledge absorption before they engage in any related activities. We therefore caution future research from depicting humans as neutral -'tools' that work only for the production of a public good or social welfare (Gordon et al., 2015). Instead, in this study, we contribute to resolving the paradox that humans are often reluctant to provide cyber-security knowledge, despite the fact that they are aware that the absorption of this knowledge by others is conducive to producing individual and collective cyber-security (ENISA, 2010(ENISA, , 2018Gal-Or & Ghose, 2005;Gordon et al., 2003;Naghizadeh & Liu, 2016).
We propose to interpret effective knowledge absorption as the result of a multi-stage decision-making process. Our findings suggest that individuals first consider the transaction cost of social exchange that precedes knowledge absorption (resource belief). If this decision is affirmative, they begin social interaction, absorb some first knowledge elements, and assess the extent to which these are relevant for their job tasks (usefulness belief). Once they believe so, they likely adapt their social behavior in order to facilitate further knowledge absorption, i.e., they reciprocate to maintain the exchange process (reciprocity belief). As a result, collaborative and collective knowledge sharing perpetuates. While we can only propose such a process, and while we cannot establish any sequential or causal order with the data we have, future research may test this proposition from a longitudinal perspective.
Much prior research analyzed associations between human attitudes and intentions on the one hand and human behavior on the other hand (Jeon et al., 2011;Pi et al., 2013;Safa & Von Solms, 2016;Wang & Hou, 2015). Although this research is useful, our study goes one step further by associating beliefs with a performance outcome on the individual level, i.e., the extent to which an individual has effectively absorbed knowledge as a result of the social exchange with other ISAC D. Percia David et al. participants. Future studies could continue our line of work by expanding our setting to the organizational level of analysis, studying how and why tacit knowledge, individually absorbed, contributes to the production of organizational cyber-security. Furthermore, the organizational context could moderate or even impede this production as the -'notinvented-here' syndrome could obstruct the integration of knowledge from beyond the boundary of the firm into the internal cyber-security production processes (Antonelli, 1998;Antons & Piller, 2015;Huber, 2001;Katz & Allen, 1982;Lichtenthaler & Ernst, 2006), as could political divergences, processual impediments, and organizational bureaucracy. Today, the microfoundations of the organizational processes by which individually acquired tacit cyber-security knowledge is combined with other knowledge assets and material resources into actual cyber-security are largely unknown. Future research might study both the resource configuration and the combination process of these assets to a greater extent in order to bridge the research gap between individual knowledge absorption and organizational cyber-security. Our dependent construct is an ordinal indicator, and its ability to measure effective knowledge absorption is limited. Receiving exclusive information through security information exchange is a necessary but not a sufficient condition for effective knowledge absorption, since both the integration of this information with prior individual knowledge and the transfer of this integrated knowledge to the organization is required for a full performance analysis (Hiebert & Lefevre, 1986;Knight & Liesch, 2002;Li & Kettinger, 2006;Nonaka & Takeuchi, 1995). 4 Since such a multi-step process of absorption cannot be readily measured by psychometric methods, our dependent measure should be seen as a first step towards providing such full measurement, and we invite future research to develop more complex measure that can consider the absorption process more comprehensively.
We suggest that any such future measures should be conceptualized on the individual level of analysis, as individual learning typically precedes organizational learning. While our ordinal indicator of knowledge absorption is far from being exhaustive, it is worthwhile to note that few empirical measures study individual absorption. Much work still uses measures defined at the organizational level, such as R&D intensity (Camisón & Forés, 2010;Cohen & Levinthal, 1989, 1990Griffith, Redding, & Reenen, 2003;Liao, Fei, & Chen, 2007;Schmidt, 2010), patent cross-citation indicators Peri, 2005), or the number of engineers the firm employs (Jane Zhao & Anand, 2009).
Our results also have implications for ISAC managers. The organizational design of an ISAC is relevant as it influences the behavior of the participants (Sedenberg & Dempsey, 2018). ISAC managers can attempt to increase participation rates by emphasizing that, in their ISAC, transaction costs of participation are low, participants bring valuable knowledge assets to the table, and interpersonal exchange is facilitated. At the same time, they should be careful to reduce transaction costs by only novel, technology-enabled forms of organization. For example, recommendations to construct distributed ISACs by adopting methods from cryptology and secure distributed computation (e.g., Ezhei and Ladani (2017)) might be useful if the goal is the quick absorption of explicit knowledge. However, the high demands that tacit knowledge absorption puts on the intensity of social, i.e., close interactions of individuals might reduce the value of such technology-based solutions. Hence, and somewhat ironically, the more sensitive the technological knowledge is to cyber-security, the less likely this knowledge will be shared inside the cyber-sphere.
Also, the specialists who absorb knowledge by participating in ISAC meetings and other forms of social exchange do not need to be the same people as those who are generally in charge of organizing the production of cyber-security. Our results should caution those who organize the production of cyber-security to not rely on monetary or career incentives as they attempt to give incentives to the group. Although many organizations have created reward systems to encourage their employees to share information with others (Bartol & Srivastava, 2002), we find no support for the hypothesis that knowledge absorption is associated with reward belief. Hence, goal alignment between individual and organizational interests is unlikely to be produced by the promise of monetary and career rewards. Hence, managers should concentrate on measures that reduce transaction cost by facilitating social exchange, helping to establishing long-term human relationships, and emphasizing the usefulness of knowledge absorption for the individual's personal job.
Finally, our research design has some limitations that future research could help relax. First, we studied a single, centrally organized ISAC in one country. Hence, future research should generalize our approach to alternative models of ISAC organizations and explore diverse national and cultural settings by replicating our study with different ISACs and nation states. We believe our approach is conducive to such generalization as neither our theoretical framework, nor any one of our measurement constructs, nor the empirical measures we used to operationalize these are context specific to any particular national or cultural context. Our measures and the theory in which they are grounded represent fundamental aspects of human economic decisionmaking that, in our view, should apply globally. At the same time, this focus implies a limitation of scope. Our study does not deliver a multidimensional account of information sharing, nor do we attempt to introduce dynamic or dyadic settings. Our perspective is that of an individual who self-reports on the extent to which they have realized knowledge absorption. Future work could therefore build on our approach by studying the context and dynamics of human knowledge absorption over time.