Reputation as Public Policy for Internet Security
11 pages. Posted: 30 Mar 2012. Last revised: 18 Aug 2012
Date Written: September 22, 2012
Abstract
Supported by NSF grant no. 0831338; the usual disclaimers apply.
Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities that are exploited by botnets, threatening the information security of other Internet participants. Protecting those other participants provides no economic benefit to the firm, so this negative externality causes underinvestment in infosec. Public policy could provide a partial solution by adding incentives for organizations to have well-configured infosec. Specifically, mandatory reporting of security issues, combined with presenting this information to the public, can impose shame and fame on organizations through publicity and peer influence by comparison with major competitors. Outbound spam is a prominent symptom of poor infosec that this project uses as a proxy for overall security, mapping anti-spam blocklist IP addresses to organizations (Quarterman et al. 2011). Selected top outbound spam rankings publicized through SpamRankings.net have already produced positive pilot test results. Next we use field experiments to test the effects of information disclosure and the relative effectiveness of different information presentations.
As the first of two objectives, we determine whether public ranking of spam can be an effective mechanism for encouraging firms to reduce outbound spam. Second, we explore the most effective ways of presenting information to the public to improve infosec. Our study serves as an assessment of the public policy of mandatory information disclosure. We use field experiments to aggregate company information within and between industries and analyze the results of presenting such information to the public. Field experiments have been used extensively in the analysis of public policy programs (Udry 2011, Duflo et al. 2010). The experiments include the design of an information system for public information disclosure and presentation, to get public attention, observe reactions, and analyze the underlying mechanisms. This information system design can be extended to other externality problems, such as pollution and energy saving, to provide incentives to the decision makers responsible for them. A public information system enables inferring internal infosec from observed outcomes, and thus makes such information transparent and creates a reputation for the decision makers: shame for producing negative externalities or fame for fixing or preventing them. Reputation internalizes externalities, encouraging decision makers to adopt socially optimal behavior.
Because of the positive pilot test results, we propose conducting a full-scale randomized controlled trial based on the SpamRankings.net initiative. The purpose of a randomized controlled trial is to experimentally create individual research groups that are generally similar except that the groups receive different experimental treatments. So any differences that arise between the research groups subsequent to the treatments are due to the respective treatment. Randomized experiments thus avoid selection bias, producing high internal validity.
For two full-scale experiments, we will identify a sample of companies by geographic units for which we have outgoing spam data, and randomly assign the companies by geographic unit to different groups. In the first experiment, we will randomly assign the companies to one of two groups: a treatment group whose spam statistics will be widely publicized and a control group whose spam information is not publicized. This initial evaluation can examine whether the proposed policy can induce firms to reduce spam. Assuming success of the first experiment, the second will explore the most effective policy intervention by randomly assigning company groups to different information presentations, including absolute spam volume, ranking per country, and ranking per industry, to see which granularity of peer comparison has the most effect.
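The measurement pipeline sketched in the abstract (mapping blocklisted IP addresses to organizations) and the three presentations compared in the second experiment (absolute volume, ranking per country, ranking per industry) can be illustrated with a small added example. This is not SpamRankings.net's code; the organization table, prefixes (from the RFC 5737 documentation ranges) and blocklist counts are constructed, and the country/industry labels are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed organization table (hypothetical names, documentation prefixes):
# (cidr, organization, country, industry)
ORGS = [
    ("192.0.2.0/24", "ExampleNet", "US", "telecom"),
    ("198.51.100.0/24", "SampleHost", "US", "hosting"),
    ("203.0.113.0/25", "DemoMedical", "DE", "medical"),
    ("203.0.113.128/25", "TestBank", "DE", "finance"),
]
NETS = [(ipaddress.ip_network(c), o, co, i) for c, o, co, i in ORGS]

# Constructed blocklist observations: (listed IP, outbound spam messages seen)
BLOCKLIST = [
    ("192.0.2.17", 120), ("192.0.2.200", 80), ("198.51.100.5", 300),
    ("203.0.113.9", 50), ("203.0.113.130", 10), ("203.0.113.140", 15),
    ("10.0.0.1", 999),  # no matching prefix: stays unattributed
]

def org_for(ip):
    """Longest-prefix match of a listed IP to (org, country, industry)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, org, country, industry in NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, country, industry)
    return best[1:] if best else None

def aggregate(blocklist=BLOCKLIST):
    """Sum spam per organization -> {org: (volume, country, industry)}."""
    totals, meta = defaultdict(int), {}
    for ip, count in blocklist:
        hit = org_for(ip)
        if hit is None:
            continue  # unmapped volume must not be charged to anyone
        totals[hit[0]] += count
        meta[hit[0]] = hit[1:]
    return {o: (v, *meta[o]) for o, v in totals.items()}

def rankings(agg, by=None):
    """Rank by volume overall (by=None) or within each country/industry,
    the presentations compared in the second experiment."""
    groups = defaultdict(list)
    for org, (vol, country, industry) in agg.items():
        g = {None: "all", "country": country, "industry": industry}[by]
        groups[g].append((org, vol))
    return {g: sorted(v, key=lambda t: -t[1]) for g, v in groups.items()}
```

Note that an IP with no organization prefix is dropped rather than attributed, and a ranking per industry can put a small organization at the top of its peer group even when it is far down the overall list, which is the peer-comparison effect the experiment is designed to test.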
This will be the first publication of the details and the behavioral economics context of these experiments.
References
Duflo, E., R. Hanna, and S. P. Ryan, 2010: Incentives work: Getting teachers to come to school. American Economic Review, http://econ-www.mit.edu/files/5582.
Udry, C., 2011: Esther Duflo: 2010 John Bates Clark medalist. Journal of Economic Perspectives, 25(3), 197–216.
Quarterman, J. S., S. Sayin, and A. B. Whinston, 2011: Rustock botnet and ASNs. TPRC, September 2011, http://www.spamrankings.net/about/publications/publications/tprc2011/
Biography
Leigh L. Linden is an Assistant Professor in the Department of Economics at the University of Texas at Austin with a joint appointment in the Lyndon B. Johnson School of Public Affairs. He earned a PhD in Economics from MIT in 2004 and received a Bachelor of Science in Mathematics and a Bachelor of Arts in Economics from the University of Texas at Austin in 1997. He specializes in the use of large-scale randomized controlled trials. His research has been published in the American Economic Review, the Quarterly Journal of Economics, and the Applied Economic Journal: Applied Economics. It has also been featured in several popular press publications including The New York Times, The Washington Post, The Economist, The Financial Times, and The Christian Science Monitor. He is affiliated with the National Bureau of Economic Research (NBER) and the Bureau for Research and Economic Analysis of Development (BREAD).
John S. Quarterman worked for BBN, the prime contractor on the ARPANET, in the early days of the Internet. He is currently Principal of Quarterman Creations and CEO of InternetPerils, Inc., an Internet business risk management intelligence agency that provides automated quantification and visualization products. He founded the first Internet consulting firm in Texas. He founded one of the first local ISPs in Texas and sold it at a profit. He founded the first Internet performance metrics company in the world, which drew the first maps of the Internet, and which received substantial venture capital investment. He is the author of seven books related to the Internet, as well as numerous articles, presentations, and patents.
Qian Tang is a Ph.D. student in the Information, Risk, and Operation Management Department at the McCombs School of Business at the University of Texas at Austin. She received a Master of Science in Management in 2008 and a Bachelor of Business Administration in 2006 from Tsinghua University in Beijing, China.
Andrew B. Whinston received his Ph.D. at Carnegie Mellon University and is currently a professor at The University of Texas at Austin, where he holds the Hugh Roy Cullen Centennial Chair in Business Administration and is the director of the Center for Research in Electronic Commerce. He has published extensively on resource allocation issues and is currently working on Internet security. He has completed numerous research projects that investigate economics, Internet technology, and operations research in the study of information systems issues. In 2011 he was rated as the most influential scholar in the Information Systems field by the h-index, which measures scholarly influence.
Keywords: policy, infosec, peer effects, measurement, modeling, spam, phishing, reputation system, economic incentive, behavioral economics
JEL Classification: C93, E61, L14, P41