How would information disclosure influence organizations’ outbound spam volume? Evidence from a field experiment

He, Shu; Lee, Gene Moo; Han, Sukjin; Whinston, Andrew B.

doi:10.1093/cybsec/tyw011

Cited by 16 publications

(16 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This setting enables us to observe organizations' natural reactions to our treatment and to collect data for empirical analyses. Similar to Hui et al (2017), we adopt an international perspective and perform a quasi-experiment on multiple countries, extending the existing empirical studies on information security that consider only US organizations (e.g., He et al 2016, Romanosky et al 2011). The existing literature on security-related public policies focuses on information sharing and disclosure, whereas we focus on reputational sanctions, particularly in the form of a top-10 list, which has been shown to significantly influence consumer preferences Zhang 2016, Adomavicius et al 2013).…”

Section: Resultsmentioning

confidence: 99%

“…For instance, in addition to informing consumers, data breach disclosure laws are expected to generate a reputational effect, motivating firms to improve data protection (Romanosky et al 2011). He et al (2016) propose information disclosure to reduce the outbound spam volumes of US organizations and observe an insignificant effect of sharing information privately and a significant effect of public disclosure. Tang and Whinston (2015) also emphasize information disclosure at the country level.…”

Section: Information Securitymentioning

confidence: 99%

See 1 more Smart Citation

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Tang

Whinston

2020

Production and Operations Management

Self Cite

View full text Add to dashboard Cite

Security negligence, a major cause of data breaches, occurs when an organization's information technology management fails to adequately address security vulnerabilities. By conducting a field quasi‐experiment using outgoing spam as a focal security issue, this study investigates the effectiveness of reputational sanctions in reducing security negligence in a global context. In the quasi‐experiment, a reputational sanction mechanism based on outgoing spam was established for four countries, and for each country, reputational sanctions were imposed on the 10 organizations with the largest outgoing spam volumes—that is, these organizations were listed publicly. We find that because of our reputational sanction mechanism, organizations in the four countries, including those that were not listed, reduced outgoing spam significantly compared to those in similar countries. Within each country, the listed organizations, whose reputations were actually sanctioned, reduced spam to a greater extent than those that were not listed. The spam reduction in the not‐listed organizations is mainly driven by increased security awareness, while the reduction in the listed organizations is primarily due to reputation effect. Among the listed organizations, those ranked lower were more responsive to the reputational sanctions. Moreover, we find that reputational sanctions have a stronger effect on large organizations and important organizations that provide network access and transit to others.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Information Securitymentioning

confidence: 99%

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Tang

Whinston

2020

Production and Operations Management

Self Cite

View full text Add to dashboard Cite

show abstract

“…To evaluate the effectiveness of such approach, we conduct a large-scale randomized field experiment (RFE) in Pan Asia, which is characterized by blooming e-commerce markets and heterogeneous juridical systems. Furthermore, our research addresses several limitations of a similar study by [12]. First, to our knowledge, we are among the first to implement RFE in Pan Asia, which is not restricted by one single jurisdiction on cybercrime.…”

Section: Introductionmentioning

confidence: 86%

“…The diversification of data may increase the robustness of our proposed security vulnerability index. Fourth, He et al [12] has a relatively short treatment window (from January to March 2014) and analyzed the pre-and posttreatment in a 6-month window. We send out treatment emails three times (July, September, and November 2017) and use a more concise window of one month to measure the gradual security performance changes of firms over time prior to and after individual treatments.…”

Section: Introductionmentioning

confidence: 99%

Information Disclosure and Security Vulnerability Awareness: A Large-Scale Randomized Field Experiment in Pan-Asia

Zhuang

Choi

et al. 2018

SSRN Journal

Self Cite

View full text Add to dashboard Cite

This paper investigates how the disclosure of a security vulnerability index based on outgoing spams and phishing website hosting, which may serve as an indicator of a firm's inadequate security controls, affects companies' security protection strategy. Our core objective is to study whether firms improve their security when they become aware of their vulnerabilities and such information is publicized. To achieve this goal, we conduct a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. For the treatment group of 631 firms, we alert them of their security vulnerability index and ranking over time, and their relative performance compared to their peers via emails and a public advisory website. Compared with the control group without being informed of their security vulnerability index, the treatment group improved their security over time, with a significant reduction of outgoing spam volume. A marginally significant improvement in reducing phishing hosting websites is also observed among non-web hosting firms in the treatment group. The security improvement may be attributed to firms' proactive reaction to the security vulnerability information. Our study provides cybersecurity policy makers with useful insights on how to motivate firms to adopt better security measures.

show abstract

“…naming, shaming and praising -can be scale to transnational networks or even global markets. One experimental study found it might (He et al, 2016), but this is a subject of future work.…”

Section: Comparing the Case Studiesmentioning

confidence: 93%

Patching security governance: an empirical view of emergent governance mechanisms for cybersecurity

Eeten

2017

DPRG

View full text Add to dashboard Cite

If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service information about how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information. About Emerald www.emeraldinsight.comEmerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online products and additional customer resources and services.Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

show abstract

How would information disclosure influence organizations’ outbound spam volume? Evidence from a field experiment

Cited by 16 publications

References 23 publications

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Information Disclosure and Security Vulnerability Awareness: A Large-Scale Randomized Field Experiment in Pan-Asia

Patching security governance: an empirical view of emergent governance mechanisms for cybersecurity

Contact Info

Product

Resources

About