Comments: Bank of America to draw heat from ChoicePoint

One key element in firms' reluctance to share incident information is that they fear negative impacts on their reputations, yes. Another element is that they are fearful of giving information away to adversaries (both black hats and competitors). Of course, at least in the US, there also is concern that too much sharing exposes them to accusations of anti-competitive behavior.

On the theoretical side, Kannan and Telang presented a paper at WEIS03 which analyzes vulnerability (not incident, but I don't think it matters to your point) disclosure. Their results suggest that a "federally-funded social planner" will outperform a competitive market from a social welfare standpoint.

While the paper I mention considers no empirical data, it is nonetheless germane to the current discussion in that the solution it suggests (based on an infomediary) would seem to eliminate the reputational and competitive advantage risks which currently suppress (in my opinion) so much potentially valuable information sharing.


Posted by Chris Walsh at February 26, 2005 07:22 PM

Of course, giving away info - to the attacker so as to benefit others - is a prisoner's dilemma. It's still a better payoff, and the challenge is to move in that direction.

Giving away info to competitors - that bemuses me! I don't think I've ever come across a security breach where it gave any advantage to a competitor, and I've seen dozens of really embarrassing breaks. If anything, it puts the competitor in a conflict of interest, as they have to keep mum about it. So when people talk about that, I generally assume they are using competitive secrecy as an excuse to hide from their own fears. Same with NDAs.

Anti-competitive behaviour - I suppose in theory one could make a case. But in practice, explain it and go ahead. I'd call that one a risk you have to take.

For various reasons - I drift into that in that draft I mentioned - a regulated approach such as Kannan and Telang suggest may overcome the sharing disincentives on paper but it brings in another big drawback, herding. I doubt that will ever improve security, and I suspect it will lower security over time.

Posted by Iang at February 26, 2005 08:59 PM

I had to refresh my memory on the "Prisoner's Dilemma" problem so thought I'd pass on the link to others: http://en.wikipedia.org/wiki/Prisoner's_dilemma

Posted by Wren at February 27, 2005 08:37 AM