Improving Internet Security Through Information Disclosure: A Field Quasi-Experiment

Cybersecurity is a national priority in this big data era. Because of negative externalities and the resulting lack of economic incentives, companies often underinvest in security controls, despite government and industry recommendations. Although many existing studies on security have explored tech...

Bibliographic Details
Main Authors: TANG, Qian, LINDEN, Leigh L., QUARTERMAN, John S., WHINSTON, Andrew B.
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2013
Subjects:
Online Access: https://ink.library.smu.edu.sg/sis_research/1843
https://ink.library.smu.edu.sg/context/sis_research/article/2842/viewcontent/TangWEIS2013.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-2842
record_format dspace
spelling sg-smu-ink.sis_research-2842 2020-01-07T06:24:41Z 2013-01-01T08:00:00Z text application/pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
topic Internet Security
externality
social comparison
information disclosure
quasi-experiment
reputation
economic incentive
Computer Sciences
Information Security
description Cybersecurity is a national priority in this big data era. Because of negative externalities and the resulting lack of economic incentives, companies often underinvest in security controls, despite government and industry recommendations. Although many existing studies on security have explored technical solutions, only a few have looked at the economic motivations. To fill the gap, we propose an approach to increase the incentives of organizations to address security problems. Specifically, we utilize and process existing security vulnerability data, derive explicit security performance information, and disclose the information as feedback to organizations and the public. We regularly release information on the organizations with the worst security behaviors, imposing reputation loss on them. The information is also used by organizations for self-evaluation in comparison to others. Therefore, additional incentives are solicited out of reputation concern and social comparison. To test the effectiveness of our approach, we conducted a field quasi-experiment for outgoing spam for 1,718 autonomous systems in eight countries and published SpamRankings.net, the website we created to release information. We found that the treatment group subject to information disclosure reduced outgoing spam approximately by 16%. We also found that the more observed outgoing spam from the top spammer, the less likely an organization would be to reduce its own outgoing spam, consistent with the prediction by social comparison theory. Our results suggest that social information and social comparison can be effectively leveraged to encourage desirable behavior. Our study contributes to both information architecture design and public policy by suggesting how information can be used as intervention to impose economic incentives. The usual disclaimers apply for NSF grants 1228990 and 0831338.