Publicizing a firm's security levels may strengthen security over time, study finds

September 27, 2018, University of British Columbia
Credit: CC0 Public Domain

Cyberattacks grow in prominence each and every day; in fact, 2017 was the worst year to-date for data breaches, with the number of cyber incidents targeting businesses nearly doubling from 2016 to 2017.

Now, new research from the UBC Sauder School of Business has quantified the levels of more than 1,200 Pan-Asian companies in order to determine whether increased awareness of one's security levels leads to improved defense levels against cybercrime.

The study found that when cyberattacks were less likely to directly harm a company, organizations were unlikely to prioritize security improvements. Firms were more likely to fix issues related to spam emails originating from their compromised computers, but failed to act when they were found to host phishing websites on their servers. Most of the firms with phishing websites are actually hosting service providers.

The researchers conducted a randomized field experiment on organizations in Hong Kong, China, Singapore, Macau, Malaysia and Taiwan—which were chosen for their significant economic development as well as rapid adoption of technologies. The experiment evaluated each organization's preparedness against two distinct security issues: spam emissions and phishing website hosting. Spam usually consists of unsolicited bulk messages sent out by compromised "zombie" computers controlled by cyber attackers, while phishing refers to fraudulently obtaining sensitive information, such as passwords and for malicious reasons.

"For companies hosting phishing websites, there were fewer incentives to crack down on the sites since they were operated by paying customers and the sites failed to negatively impact the company itself," explains Gene Moo Lee, study co-author and assistant professor of Accounting and Information Systems at the UBC Sauder School of Business.

The researchers developed and assigned an information security score, similar to the idea of Moody's and Standard and Poor's credit ratings, to each organization. The score can be used as an indicator of each organization's security vulnerabilities.

The security results from each company were then published online. According to Lee, publicizing firms' security levels not only leads to greater transparency, but it could also be used to strengthen their security over time. In addition, organizations with poor performance could face greater pressure from their customers and a loss of reputation.

"The ever-increasing number of cyberattacks motivated my co-authors and I to explore a more effective way to enhance the security awareness of organizations and the general public," explains Lee. "By establishing a ranking scheme of firms against online scams, we hope this will heighten firms' awareness to address suboptimal security issues."

For Lee, cybersecurity is an international concern that needs to be managed more effectively. "Many organizations don't understand the threats posed by emerging, sophisticated cyberattacks and usually adopt a wait-and-see approach in security investments until a huge security incident affects them significantly," he said. "Our hope with this research is that companies improve their security levels to prevent the potential of cyberattacks from happening in the first place. And, ultimately, the goal of our research is to provide insights for cybersecurity policy makers."

"Information Disclosure and Security Policy Design: A Large-Scale Randomization Experiment in Pan-Asia" was recently presented at the Workshop on Economics of Information Security. It was co-authored by Yun-Sik Choi and Andrew B. Whinston from the University at Texas in Austin, Shu He from the University of Connecticut, and Yunhui Zhuang and Alvin Chung Man Leung from the City University of Hong Kong.

Explore further: Small businesses vulnerable to cyberattacks, then don't act

Related Stories

Evaluating system security by analyzing spam volume

July 24, 2014

The Center for Research on Electronic Commerce (CREC) at The University of Texas at Austin is working to protect consumer data by using a company's spam volume to evaluate its security vulnerability through the ...

Phishing Attacks in May Jumped More Than 200 Percent

June 30, 2005

The phishing season is officially open. Phishing – using fraudulent emails to try to dupe recipients into revealing personal or financial information -- reached its highest level in May, according to IBM. The month Global ...

Recommended for you

After a reset, Сuriosity is operating normally

February 23, 2019

NASA's Curiosity rover is busy making new discoveries on Mars. The rover has been climbing Mount Sharp since 2014 and recently reached a clay region that may offer new clues about the ancient Martian environment's potential ...

Study: With Twitter, race of the messenger matters

February 23, 2019

When NFL player Colin Kaepernick took a knee during the national anthem to protest police brutality and racial injustice, the ensuing debate took traditional and social media by storm. University of Kansas researchers have ...

Researchers engineer a tougher fiber

February 22, 2019

North Carolina State University researchers have developed a fiber that combines the elasticity of rubber with the strength of a metal, resulting in a tougher material that could be incorporated into soft robotics, packaging ...

A quantum magnet with a topological twist

February 22, 2019

Taking their name from an intricate Japanese basket pattern, kagome magnets are thought to have electronic properties that could be valuable for future quantum devices and applications. Theories predict that some electrons ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.