Threat Intelligence Sharing: The Promise and the Pitfalls

Security teams know they should be sharing threat intelligence with each other. The idea makes sense: if one bank spots a new malware variant, warn the others. If a hospital gets hit by ransomware, the hospital down the street should know what’s coming. The concept isn’t controversial, yet for a variety of reasons adoption is limited.

Replica Cyber’s research asked 200 cybersecurity leaders what prevents them from sharing threat intelligence and malware samples with peers. The answers weren’t about motivation or goodwill. They were about infrastructure, legal exposure, and a basic lack of trust in how sharing happens today.

Legal Fears Come First

Twenty-six percent of respondents cited the risk of accidentally leaking sensitive internal data as a barrier to sharing threat intelligence. Twenty-five and a half percent cited legal or liability concerns, the fear that sharing could expose the organization to a lawsuit or regulatory action. Twenty-four percent cited data protection regulations specifically. The organizations most willing to share are being stopped by their own legal and compliance infrastructure.

There’s No Safe Way to Share

Twenty-one percent of respondents said they have no secure way to share threat intelligence without exposing their own infrastructure or methods. Another 23% said they lack an adequate audit trail or chain of custody for shared artifacts.

This is the Exception Economy applied to collective defense. The work of sharing intelligence, collaborating on threat response, and strengthening each other is valuable. But the belief is that the environment to do it safely doesn’t exist. So the sharing, collaborating, and working together doesn’t happen, or it happens in ways that create new exposure.

Market Expansion Is Paying the Price

Seventeen and a half percent of respondents said they don’t trust how other organizations will handle shared artifacts. Twenty-three percent said they don’t know who to share with or how to find the right counterparts. Nineteen percent said it’s unclear who would have access to what they share, or what recipients would do with it. Trust, accountability, and visibility are the very foundations of any functioning sharing ecosystem, and they are absent for a significant portion of the organizations that need them most.

The irony is that surveys consistently show 80-90% of security leaders say they’d share more threat intelligence if they could do so safely and anonymously. But actual participation in formal sharing programs such as ISACs, government exchanges, and industry platforms hovers around 40-60%. And many of those participants consume intel without contributing much back.

That disparity – between what security leaders say they’d do and what they actually do – has stuck around for nearly a decade. Good intentions run into operational reality from several angles: legal teams that won’t sign off, tools that don’t connect, and platforms that don’t feel secure enough to risk it.

Collective Defense Requires Collective Infrastructure

The organizations that do share successfully tend to operate in tightly controlled environments: sector-specific ISACs with legal protections, anonymized platforms where identity is stripped before submission, or small trusted circles where relationships have been built over years.

The common thread is infrastructure that addresses the core concerns: anonymity, auditability, legal safe harbor, and control over who sees what. When those elements are in place, sharing happens. When they’re missing, it doesn’t – no matter how much everyone agrees it should.

The full Exception Economy report shows why security teams can’t share the intelligence they need to defend themselves, and what it would take to change that.

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers’ work online.
