Publication Type

Conference Paper

Version

acceptedVersion

Publication Date

6-2013

Abstract

Cybersecurity is a national priority in this big data era. Because of negative externalities and the resulting lack of economic incentives, companies often underinvest in security controls, despite government and industry recommendations. Although many existing studies on security have explored technical solutions, only a few have looked at the economic motivations. To fill the gap, we propose an approach to increase the incentives of organizations to address security problems. Specifically, we utilize and process existing security vulnerability data, derive explicit security performance information, and disclose the information as feedback to organizations and the public. We regularly release information on the organizations with the worst security behaviors, imposing reputation loss on them. The information is also used by organizations for self-evaluation in comparison to others. Therefore, additional incentives are solicited out of reputation concern and social comparison. To test the effectiveness of our approach, we conducted a field quasi-experiment for outgoing spam for 1,718 autonomous systems in eight countries and published SpamRankings.net, the website we created to release information. We found that the treatment group subject to information disclosure reduced outgoing spam by approximately 16%. We also found that the more observed outgoing spam from the top spammer, the less likely an organization would be to reduce its own outgoing spam, consistent with the prediction by social comparison theory. Our results suggest that social information and social comparison can be effectively leveraged to encourage desirable behavior. Our study contributes to both information architecture design and public policy by suggesting how information can be used as an intervention to impose economic incentives.

Keywords

Internet Security, externality, social comparison, information disclosure, quasi-experiment, reputation, economic incentive

Discipline

Computer Sciences | Information Security

Research Areas

Information Systems and Management

Publication

Workshop on the Economics of Information Security 12th WEIS 2013, June 11-12

First Page

1

Last Page

43

City or Country

Washington, DC

Copyright Owner and License

Authors

Additional URL

https://www.econinfosec.org/archive/weis2013/papers/TangWEIS2013.pdf
