How Would Information Disclosure Influence Organizations' Outbound Spam Volume? Evidence from a Field Experiment

Journal of Cybersecurity, 2(1), 99-118, 2016

56 Pages. Posted: 28 Aug 2016. Last revised: 5 Jan 2017

Shu He

University of Florida - Warrington College of Business Administration

Gene Moo Lee

University of British Columbia (UBC) - Sauder School of Business

Sukjin Han

University of Texas at Austin - Department of Economics

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

Date Written: December 26, 2016

Abstract

Cyber-insecurity is a serious threat in the digital world. In the present paper, we argue that a suboptimal cybersecurity environment is partly due to organizations’ underinvestment and a lack of suitable policies. The motivation for this paper stems from a related policy question: how to design policies for governments and other organizations that can ensure a sufficient level of cybersecurity. We address the question by exploring a policy devised to alleviate information asymmetry and to achieve transparency in cybersecurity information sharing practice. We introduce a cybersecurity evaluation agency along with regulations on information disclosure. To empirically evaluate the effectiveness of such an institution, we conduct a large-scale randomized field experiment on 7,919 U.S. organizations. Specifically, we generate organizations’ security reports based on their outbound spam relative to the industry peers, then share the reports with the subjects in either private or public ways. Using models for heterogeneous treatment effects and machine learning techniques, we find evidence that the security information sharing combined with publicity treatment has significant effects on spam reduction for original large spammers. Moreover, significant peer effects are observed among industry peers after the experiment.

Keywords: Cybersecurity, policy design, randomized field experiments, information asymmetry, peer effects, regression tree, random forest, heterogeneous treatment effects

Suggested Citation

He, Shu and Lee, Gene Moo and Han, Sukjin and Whinston, Andrew B., How Would Information Disclosure Influence Organizations' Outbound Spam Volume? Evidence from a Field Experiment (December 26, 2016). Journal of Cybersecurity, 2(1), 99-118, 2016, Available at SSRN: https://ssrn.com/abstract=2830359

Shu He

University of Florida - Warrington College of Business Administration

PO Box 117165, 201 Stuzin Hall
Gainesville, FL
United States

Gene Moo Lee (Contact Author)

University of British Columbia (UBC) - Sauder School of Business

2053 Main Mall
Vancouver, BC V6T 1Z2
Canada

Sukjin Han

University of Texas at Austin - Department of Economics

Austin, TX 78712
United States

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

CBA 5.202
Austin, TX 78712
United States
512-471-8879 (Phone)
