Reputation as Public Policy for Internet Security

Authors: Leigh L. Linden, John S. Quarterman, Qian Tang, Andrew B. Whinston

DOI: 10.2139/SSRN.2030288

Abstract: Insufficient resource allocation causes an Internet information security (infosec) problem that public policy could improve. Lack of transparency lets organizations avoid addressing internal risks, leaving vulnerabilities are exploited by botnets, threatening other participants. Their protection provides no economic benefit to the firm, so this negative externality underinvestment in infosec. Public provide a partial solution adding incentives for have well-configured infosec. Specifically, mandatory reporting issues plus presenting public, can impose shame and fame on through publicity peer influence comparison with major competitors. Outbound spam is prominent symptom poor infosec project uses as proxy overall security, mapping anti-spam blocklist IP addresses (1). Selected top outbound rankings publicized SpamRankings.net already produced positive pilot test results. Next we use field experiments effects disclosure relative effectiveness different presentations. As first two objectives, determine whether ranking be effective mechanism encouraging firms reduce spam. Second, explore most ways improve Our study serves assessment disclosure. We aggregate company within between industries analyze results such public. Field been used extensively analysis programs (2) (3). The include design system presentation get attention, observe reactions, underlying mechanisms. This extended problems decision makers problems, pollution, energy saving, etc. A enables inferring based observed outcome, thus makes transparent induces reputation makers: producing externalities or fixing preventing them. Reputation internalizes externalities, take socially optimal behavior. Because results, propose conducting full-scale randomized controlled trial SpamRankings.net initiative. purpose experimentally create individual research groups generally similar except receive experimental treatments. So any differences arise subsequent treatments due respective treatment.
Randomized selection bias, high validity. For experiments, will identify sample companies geographic units which outgoing data, randomly assign unit groups. In experiment, one groups: treatment group whose statistics widely control without publicizing information. initial evaluation examine proposed induce Assuming success second intervention, assigning presentations including absolute volume, per country, industry, see what granularity has effect. publication details behavioral economics context these experiments. Supported NSF grant no. 0831338; usual disclaimers apply.

References (36)
Nick Feamster, Alexander G. Gray, Nadeem Ahmed Syed, Shuang Hao, Sven Krasser. Detecting spammers with SNARE: spatio-temporal network-level automatic reputation engine. USENIX Security Symposium, pp. 101-118 (2009).
Hadi Asghari, Shirin Tabatabaie, David Rand, Johannes M. Bauer, Michel van Eeten. The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data. Social Science Research Network (2010).
Andrew B. Whinston, Serpil Sayin, John S. Quarterman. Rustock Botnet and ASNs. Social Science Research Network (2011).
Manfred Milinski, Dirk Semmann, Hans-Jürgen Krambeck. Reputation helps solve the ‘tragedy of the commons’. Nature, vol. 415, pp. 424-426 (2002). DOI: 10.1038/415424A
Jeffrey M Wooldridge. Cluster-Sample Methods in Applied Econometrics. The American Economic Review, vol. 93, pp. 133-138 (2003). DOI: 10.1257/000282803321946930
John S. Quarterman. PhishScope: Tracking Phish Server Clusters. Journal of Digital Forensic Practice, vol. 1, pp. 103-114 (2006). DOI: 10.1080/15567280600995808
Daniel E. Geer, Bob Blakley. Are You Smarter than the TSA? (Hint: No). IEEE Symposium on Security and Privacy, vol. 10, pp. 94-95 (2012). DOI: 10.1109/MSP.2012.91
John Quarterman, Ken Harker, Peter Salus. Combat Power and Enterprise Competitiveness. First Monday, vol. 8 (2003). DOI: 10.5210/FM.V8I1.1022