Reputation as Public Policy for Internet Security

11 Pages. Posted: 30 Mar 2012. Last revised: 18 Aug 2012

Leigh L. Linden

The University of Texas at Austin; National Bureau of Economic Research; Jameel Poverty Action Lab; Innovations for Poverty Action; Institute for the Study of Labor (IZA); Bureau for Research and Economic Analysis of Development (BREAD)

John S. Quarterman

Quarterman Creations

Qian Tang

Singapore Management University - School of Information Systems

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

Date Written: September 22, 2012

Abstract

Supported by NSF grant no. 0831338; the usual disclaimers apply.

Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening the information security of other Internet participants. Protecting those other participants provides no economic benefit to the firm, so this negative externality causes underinvestment in infosec. Public policy could provide a partial solution by adding incentives for organizations to have well-configured infosec. Specifically, mandatory reporting of security issues, plus presenting this information to the public, can impose shame and fame on organizations through publicity and peer influence by comparison with major competitors. Outbound spam is a prominent symptom of poor infosec that this project uses as a proxy for overall security, mapping anti-spam blocklist IP addresses to organizations (Quarterman et al. 2011). Selected top outbound spam rankings publicized through SpamRankings.net have already produced positive pilot test results. Next we use field experiments to test the effects of information disclosure and the relative effectiveness of different information presentations.

As the first of two objectives, we determine whether public ranking of spam can be an effective mechanism for encouraging firms to reduce outbound spam. Second, we explore the most effective ways of presenting information to the public to improve infosec. Our study serves as an assessment for the public policy of mandatory information disclosure. We use field experiments to aggregate company information within and between industries and analyze the results of presenting such information to the public. Field experiments have been used extensively in the analysis of public policy programs (Udry 2011, Duflo et al. 2010). The experiments include design of an information system for public information disclosure and presentation to get public attention, to observe reactions, and to analyze the underlying mechanisms. This information system design can be extended to other problems to provide incentives for the decision makers of externality problems, such as pollution, energy saving, etc. A public information system enables inferring internal infosec based on observed outcome, and thus makes such information transparent and induces reputation for the decision makers: shame for producing negative externalities or fame for fixing or preventing them. Reputation internalizes externalities, encouraging decision makers to take socially optimal behavior.

Because of the positive pilot test results, we propose conducting a full-scale randomized controlled trial based on the SpamRankings.net initiative. The purpose of a randomized controlled trial is to experimentally create individual research groups that are generally similar except that the groups receive different experimental treatments. So any differences that arise between the research groups subsequent to the treatments are due to the respective treatment. Randomized experiments thus avoid selection bias, producing high internal validity.

For two full-scale experiments, we will identify a sample of companies by geographic units for which we have outgoing spam data, and randomly assign the companies by geographic unit to different groups. In the first experiment, we will randomly assign the companies to one of two groups: a treatment group whose spam statistics will be widely publicized and a control group without publicizing any spam information. This initial evaluation can examine whether the proposed policy can induce firms to reduce spam. Assuming success of the first experiment, the second will explore the most effective policy intervention, by randomly assigning company groups to different information presentations including absolute spam volume, ranking per country, and ranking per industry, to see what granularity of peer comparison has the most effect.

This will be the first publication of the details and the behavioral economics context of these experiments.

References

Duflo, E., R. Hanna, and S. P. Ryan, 2010: Incentives work: Getting teachers to come to school. American Economic Review, http://econ-www.mit.edu/files/5582.

Udry, C., 2011: Esther Duflo: 2010 John Bates Clark medalist. Journal of Economic Perspectives, 25(3), 197–216.

Quarterman, J.S., Sayin, S., Whinston, A.B., 2011: Rustock botnet and ASNs, TPRC, September 2011, http://www.spamrankings.net/about/publications/publications/tprc2011/

Biography

Leigh L. Linden is an Assistant Professor in the Department of Economics at the University of Texas at Austin with a joint appointment in the Lyndon B. Johnson School of Public Affairs. He earned a PhD in Economics from MIT in 2004 and received a Bachelor of Science in Mathematics and a Bachelor of Arts in Economics from the University of Texas at Austin in 1997. He specializes in the use of large-scale randomized controlled trials. His research has been published in the American Economic Review, the Quarterly Journal of Economics, and the Applied Economic Journal: Applied Economics. It has also been featured in several popular press publications including The New York Times, The Washington Post, The Economist, The Financial Times, and The Christian Science Monitor. He is affiliated with the National Bureau of Economic Research (NBER) and the Bureau for Research and Economic Analysis of Development (BREAD).

John S. Quarterman worked for BBN, the prime contractor on the ARPANET, in the early days of the Internet. He is currently Principal of Quarterman Creations and CEO of InternetPerils, Inc., an Internet business risk management intelligence agency that provides automated quantification and visualization products. He founded the first Internet consulting firm in Texas. He founded one of the first local ISPs in Texas and sold it at a profit. He founded the first Internet performance metrics company in the world, which drew the first maps of the Internet, and which received substantial venture capital investment. He is the author of seven books related to the Internet, as well as numerous articles, presentations, and patents.

Qian Tang is a Ph.D. student in the Information, Risk, and Operation Management Department at the McCombs School of Business at the University of Texas at Austin. She received a Master of Science in Management in 2008 and a Bachelor of Business Administration in 2006 from Tsinghua University in Beijing, China.

Andrew B. Whinston received his Ph.D. at Carnegie Mellon University and is currently a professor at The University of Texas at Austin, where he holds the Hugh Roy Cullen Centennial Chair in Business Administration and is the director of the Center for Research in Electronic Commerce. He has published extensively on resource allocation issues and is currently working on Internet security. He has completed numerous research projects that investigate economics, Internet technology, and operations research in the study of information systems issues. In 2011 he was rated as the most influential scholar in the Information Systems field by the h-index, which measures scholarly influence.

Keywords: policy, infosec, peer effects, measurement, modeling, spam, phishing, reputation system, economic incentive, behavioral economics

JEL Classification: C93, E61, L14, P41

Suggested Citation

Linden, Leigh L. and Quarterman, John S. and Tang, Qian and Whinston, Andrew B., Reputation as Public Policy for Internet Security (September 22, 2012). 2012 TRPC, Available at SSRN: https://ssrn.com/abstract=2030288 or http://dx.doi.org/10.2139/ssrn.2030288

