Conference Proceeding Article
Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening information security of other Internet participants. Their protection provides no economic benefit to the firm, so this negative externality causes underinvestment in infosec. Public policy could provide a partial solution by adding incentives for organizations to have well-configured infosec. Specifically, mandatory reporting of security issues plus presenting this information to the public, can impose shame and fame on organizations through publicity and peer influence by comparison with major competitors. Outbound spam is a prominent symptom of poor infosec that this project uses as a proxy for overall security, mapping anti-spam blocklist IP addresses to organizations (Quarterman et al. 2011). Selected top outbound spam rankings publicized through SpamRankings.net have already produced positive pilot test results. Next we use field experiments to test the effects of information disclosure and the relative effectiveness of different information presentations. As the first of two objectives, we determine whether public ranking of spam can be an effective mechanism for encouraging firms to reduce outbound spam. Second, we explore the most effective ways of presenting information to the public to improve infosec. Our study serves as an assessment for the public policy of mandatory information disclosure. We use field experiments to aggregate company information within and between industries and analyze the results of presenting such information to the public. Field experiments have been used extensively in the analysis of public policy programs (Udry 2011, Duflo et al. 2010). The experiments include design of an information system for public information disclosure and presentation to get public attention, to observe reactions, and to analyze the underlying mechanisms. This information system design can be extended to other problems to provide incentives for the decision makers of externality problems, such as pollution, energy saving, etc. A public information system enables inferring internal infosec based on observed outcome, and thus makes such information transparent and induces reputation for the decision makers: shame for producing negative externalities or fame for fixing or preventing them. Reputation internalizes externalities, encouraging decision makers to take socially optimal behavior. Because of the positive pilot test results, we propose conducting a full-scale randomized controlled trial based on the SpamRankings.net initiative. The purpose of a randomized controlled trial is to experimentally create individual research groups that are generally similar except that the groups receive different experimental treatments. So any differences that arise between the research groups subsequent to the treatments are due to the respective treatment. Randomized experiments thus avoid selection bias, producing high internal validity. For two full-scale experiments, we will identify a sample of companies by geographic units for which we have outgoing spam data, and randomly assign the companies by geographic unit to different groups. In the first experiment, we will randomly assign the companies to one of two groups: a treatment group whose spam statistics will be widely publicized and a control group without publicizing any spam information. This initial evaluation can examine whether the proposed policy can induce firms to reduce spam. Assuming success of the first experiment, the second will explore the most effective policy intervention, by randomly assigning company groups to different information presentations including absolute spam volume, ranking per country, and ranking per industry, to see what granularity of peer comparison has the most effect. This will be the first publication of the details and the behavioral economics context of these experiments.
policy, infosec, peer effects, measurement, modeling, spam, phishing, reputation system, economic incentive, behavioral economics
Computer Sciences | Information Security
Information Systems and Management
TPRC 2012 Papers: Research Conference on Communication, Information and Internet Policy, September 21-23, 2012, Arlington, VA
Linden, Leigh L.; Quarterman, John S.; TANG, Qian; and Whinston, Andrew B..
Reputation as Public Policy for Internet Security. (2012). TPRC 2012 Papers: Research Conference on Communication, Information and Internet Policy, September 21-23, 2012, Arlington, VA. 1-11. Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/1845
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.