Does reputational sanctions deter negligence in information security management? A field quasi-experiment

Does reputational sanctions deter negligence in information security management? A field quasi-experiment

Security negligence, a major cause of data breaches, occurs when an organization’s information technology management fails to adequately address security vulnerabilities. By conducting a field quasi-experiment using outgoing spam as a focal security issue, this study investigates the effectiveness o...

Full description

Saved in:
Bibliographic Details
Main Authors: TANG, Qian, WHINSTON, Andrew B.
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2020
Subjects:
Field quasi-experiment
information security
reputational sanction
spam
Computer Sciences
Information Security
Online Access:https://ink.library.smu.edu.sg/sis_research/4864
https://ink.library.smu.edu.sg/context/sis_research/article/5867/viewcontent/ReputationSanction_av.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
Description
Summary:Security negligence, a major cause of data breaches, occurs when an organization’s information technology management fails to adequately address security vulnerabilities. By conducting a field quasi-experiment using outgoing spam as a focal security issue, this study investigates the effectiveness of reputational sanctions in reducing security negligence in a global context. In the quasi-experiment, a reputational sanction mechanism based on outgoing spam was established for four countries, and for each country, reputational sanctions were imposed on the 10 organizations with the largest outgoing spam volumes—that is, these organizations were listed publicly. We find that because of our reputational sanction mechanism, organizations in the four countries, including those that were not listed, reduced outgoing spam significantly compared to those in similar countries. Within each country, the listed organizations, whose reputations were actually sanctioned, reduced spam to a greater extent than those that were not listed. The spam reduction in the not-listed organizations is mainly driven by increased security awareness, while the reduction in the listed organizations is primarily due to reputation effect. Among the listed organizations, those ranked lower were more responsive to the reputational sanctions. Moreover, we find that reputational sanctions have a stronger effect on large organizations and important organizations that provide network access and transit to others.

Similar Items