Research Article

Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia

Pages 668-693 | Published online: 18 Nov 2020
 

ABSTRACT

This paper investigates how awareness of a security vulnerability index affects firms’ security protection strategy, and how this information awareness effect interacts with firm incentives and country-wide information technology (IT) development level. The security index is constructed from outgoing spam volume and phishing website hosting, which may serve as indicators of a firm’s security controls. To study whether security vulnerability awareness causes firms to improve their security, we conducted a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. We alerted 631 randomly selected treated firms to their security vulnerability index and their rankings relative to their peers via advisory emails and websites. Difference-in-differences analyses show that, compared with the controls, the treated firms improve their security over time, with a statistically significant reduction in outgoing spam volume according to one of the data sources but not in phishing website hosting. However, a statistically significant reduction in phishing website hosting was observed among non-web-hosting firms, suggesting that firms’ underlying incentives play an important role in the treatment effect. Lastly, exploiting the multi-country nature of the data, we found that firms in countries with high information and communications technology (ICT) development are more responsive to our intervention because they have higher IT capabilities and more resources to resolve security issues. Our study provides cybersecurity policymakers with useful insights into how firm incentives and ICT environments shape firms’ adoption of security measures.

Acknowledgements

The authors are grateful to the guest editors, Robert J. Kauffman and Thomas A. Weber, and three anonymous reviewers for their excellent comments and suggestions. They are indebted to Anandhi Bharadwaj, Arun Rai, H. R. Rao, Raghu Santanam, and the participants at the WITS 2017, IS OneWorld and Annual Security Conference 2017, WEIS 2018, BIGS 2018, CityU IS Summer Workshop 2018, and HICSS 2020 for their valuable suggestions to improve the working paper. The authors thank Mark Varga, Markus Iivonon, Jessie Ma, and Ishwara Manjunath Hegde for their excellent research assistance. The authors are solely responsible for the content and any issues that may arise from the article.

Supplemental Material

Supplemental data for this article can be accessed on the publisher’s website.

Notes

1. An analogy to adoption of security technology is vaccinating children against a contagious disease. A parent may choose not to vaccinate their children and freeride on others in the same community who have already done so.

2. Such uncertainty may lead to the problem of “market for lemons” or information asymmetry [Citation3].

3. An example is that a consumer is more willing to spend $20 on anti-virus software to prevent viruses from contaminating his/her own hard disk than to spend the same amount of money to prevent virus attacks on someone else.

4. Origin refers to firms whose servers may be compromised to send undesired content to the Internet and the firm owners may or may not be aware of such a problem and have control of it [Citation33].

5. Note that the term “spam mail” in this paper includes advertisements, phishing mail, and email with malware attachments.

6. Note that phishing, in this paper, exclusively refers to website-related incidents, and we only focus on the firms who are actually hosting the phishing websites on their own server. All email-related attacks including phishing emails are included in our spam data.

7. We acknowledge that other cyberattacks (e.g., DDoS and identity thefts) can also serve the purpose if the related data sources are publicly available.

12. We recognize that some IP prefixes are geographically located in countries different from the ASN’s country. To address this possible country mismatch, we used Team Cymru data that provides IP prefix level country codes (https://www.team-cymru.com/IP-ASN-mapping.html).

13. WHOIS is a database system that records who is responsible for a domain name or an IP address. The website is: https://whois.icann.org/en

14. Sendgrid: https://sendgrid.com/

15. Specifically, using CBL spam volume as an example, the dependent variable used in the analysis is $\ln CV = \log(CV + 1)$.

16. The different results across CBL and PSBL are probably due to the different data collection processes. CBL lists IP addresses “exhibiting characteristics which are specific to open proxies of various sorts (https://www.abuseat.org)”, while Spamikaze (the system that PSBL uses) “does not test for open proxy or open relay vulnerabilities (https://spamikaze.org/AboutSpamikaze).” An open proxy is “a non-email server that can be tricked into sending emails to third parties” (https://www.abuseat.org/faq.html).

17. One may argue that outbound spam data may have similar firm incentive issues if the email senders are deliberately sending email in bulk. However, CBL and PSBL pay special attention not to flag any legitimate email sending servers. Below are quotes from the data sources: “virtually all listees are the victims of a virus or other compromise, not deliberately spamming (https://www.abuseat.org)” and “an IP address gets added to the PSBL when it sends email to a spamtrap, that email is not identified as non-spam and the IP address is not a known mail server (https://psbl.org).”

18. Because of the small sample size, we also used the bootstrap method to calculate the standard deviation, which does not require distributional assumptions and can provide more accurate inferences when the sample size is small [Citation20]. The result is consistent.

19. In our 2SLS analysis, we adopted a Wu-Hausman test; the Hansen J statistic with CBL as the dependent variable is 6.434 (Chi-sq p-value is 0.0112). The results support that the variable email_open is not exogenous.

20. As we are using an RFE to find the treatment effects, being in the treatment group for a firm is exogenous to a firm’s security conditions, which are the dependent variables. Besides, a firm can only open an email if it is in the treatment group, which makes the treatment dummy a valid IV for the analysis.

Additional information

Funding

The work was fully supported by grants from the US National Science Foundation (NSF Award Number: 1718360), HK Public Policy Research Funding Scheme (Project Number: 2015.A1.030.16A) from the Policy Innovation and Coordination Office of the Hong Kong Special Administrative Region Government, and CityU Digital Innovation Laboratory.

Notes on contributors

Yunhui Zhuang

Yunhui Zhuang ([email protected]) is a Postdoctoral Fellow in the Department of Information Systems at College of Business, City University of Hong Kong. He received his Ph.D. in Computer Science from that university. Dr. Zhuang’s research interests lie at the intersection of economics and information security. In particular, he is interested in applied cryptography, security and privacy of mobile payments, financial technology, business analytics, applied econometrics, and e-learning.

Yunsik Choi

Yunsik Choi ([email protected]) is the Head of Technical Sales and Research Scientist at AITRICS. He received his Ph.D. in Computer Science from the University of Texas at Austin. His research interests include artificial intelligence and security. Dr. Choi provides deep-learning and machine-learning solutions and consulting services to companies that need to implement AI technologies for their products.

Shu He

Shu He ([email protected]) is an Assistant Professor at the Department of Operations and Information Management, School of Business, University of Connecticut. She earned her Ph.D. in Economics from the University of Texas at Austin. Dr. He’s research interests include social media, platform, online advertising, and cybersecurity. Her work has appeared in Information Systems Research, MIS Quarterly, and Journal of Cybersecurity. She has received a National Science Foundation grant to support her research.

Alvin Chung Man Leung

Alvin Chung Man Leung ([email protected]) is an Associate Professor at the Department of Information Systems, College of Business, City University of Hong Kong. He received his Ph.D. in Information, Risk, and Operations Management from McCombs School of Business, the University of Texas at Austin. His research interests include IT business value, information security, and FinTech. His work has appeared in Management Science, Information Systems Research, MIS Quarterly, and Decision Support Systems.

Gene Moo Lee

Gene Moo Lee ([email protected]; corresponding author) is an Assistant Professor of Information Systems at the Sauder School of Business, University of British Columbia, Canada. He received his Ph.D. in Computer Science from the University of Texas at Austin. Dr. Lee’s research program takes big data analytics approaches to study online platforms, tech ecosystems, and unintended consequences of technology. His works have appeared in Information Systems Research, Journal of Management Information Systems, MIS Quarterly, and Journal of Business Ethics. He has industry experiences at Samsung, AT&T, Intel, and Goldman Sachs, and holds 11 patents in mobile technology.

Andrew Whinston

Andrew B. Whinston ([email protected]) is the Hugh Cullen Chair Professor in the Department of Information, Risk, and Operation Management at the McCombs School of Business at the University of Texas at Austin. He is also Director at the Center for Research in Electronic Commerce. Dr. Whinston has published over 300 papers in major economic and management journals and has co-authored 27 books. His Erdös number is 2.
