Reputation as Public Policy for Internet Security

Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening information security of other Inter...

Full description

Saved in:
Bibliographic Details
Main Authors: Linden, Leigh L., Quarterman, John S., TANG, Qian, Whinston, Andrew B.
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2012
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/1845
https://ink.library.smu.edu.sg/context/sis_research/article/2844/viewcontent/ReputationPublicPolicyInternetSecurity_2012_TPRC.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
Description
Summary:Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening information security of other Internet participants. Their protection provides no economic benefit to the firm, so this negative externality causes underinvestment in infosec. Public policy could provide a partial solution by adding incentives for organizations to have well-configured infosec. Specifically, mandatory reporting of security issues plus presenting this information to the public, can impose shame and fame on organizations through publicity and peer influence by comparison with major competitors. Outbound spam is a prominent symptom of poor infosec that this project uses as a proxy for overall security, mapping anti-spam blocklist IP addresses to organizations (Quarterman et al. 2011). Selected top outbound spam rankings publicized through SpamRankings.net have already produced positive pilot test results. Next we use field experiments to test the effects of information disclosure and the relative effectiveness of different information presentations. As the first of two objectives, we determine whether public ranking of spam can be an effective mechanism for encouraging firms to reduce outbound spam. Second, we explore the most effective ways of presenting information to the public to improve infosec. Our study serves as an assessment for the public policy of mandatory information disclosure. We use field experiments to aggregate company information within and between industries and analyze the results of presenting such information to the public. Field experiments have been used extensively in the analysis of public policy programs (Udry 2011, Duflo et al. 2010). The experiments include design of an information system for public information disclosure and presentation to get public attention, to observe reactions, and to analyze the underlying mechanisms. This information system design can be extended to other problems to provide incentives for the decision makers of externality problems, such as pollution, energy saving, etc. A public information system enables inferring internal infosec based on observed outcome, and thus makes such information transparent and induces reputation for the decision makers: shame for producing negative externalities or fame for fixing or preventing them. Reputation internalizes externalities, encouraging decision makers to take socially optimal behavior. Because of the positive pilot test results, we propose conducting a full-scale randomized controlled trial based on the SpamRankings.net initiative. The purpose of a randomized controlled trial is to experimentally create individual research groups that are generally similar except that the groups receive different experimental treatments. So any differences that arise between the research groups subsequent to the treatments are due to the respective treatment. Randomized experiments thus avoid selection bias, producing high internal validity. For two full-scale experiments, we will identify a sample of companies by geographic units for which we have outgoing spam data, and randomly assign the companies by geographic unit to different groups. In the first experiment, we will randomly assign the companies to one of two groups: a treatment group whose spam statistics will be widely publicized and a control group without publicizing any spam information. This initial evaluation can examine whether the proposed policy can induce firms to reduce spam. Assuming success of the first experiment, the second will explore the most effective policy intervention, by randomly assigning company groups to different information presentations including absolute spam volume, ranking per country, and ranking per industry, to see what granularity of peer comparison has the most effect. This will be the first publication of the details and the behavioral economics context of these experiments.