UBC study: Publicizing a firm's security levels may strengthen security over time

September 27, 2018

Cyberattacks grow in prominence each and every day; in fact, 2017 was the worst year to date for data breaches, with the number of cyber incidents targeting businesses nearly doubling from 2016 to 2017.

Now, new research from the UBC Sauder School of Business has quantified the security levels of more than 1,200 Pan-Asian companies in order to determine whether increased awareness of one's security levels leads to improved defense levels against cybercrime.

The study found that when cyberattacks were less likely to directly harm a company, organizations were unlikely to prioritize security improvements. Firms were more likely to fix issues related to spam emails originating from their compromised computers, but failed to act when they were found to host phishing websites on their servers. Most of the firms with phishing websites are actually hosting service providers.

The researchers conducted a randomized field experiment on organizations in Hong Kong, China, Singapore, Macau, Malaysia and Taiwan, which were chosen for their significant economic development as well as rapid adoption of technologies. The experiment evaluated each organization's preparedness against two distinct security issues: spam emissions and phishing website hosting. Spam usually consists of unsolicited bulk messages sent out by compromised "zombie" computers controlled by cyber attackers, while phishing refers to fraudulently obtaining sensitive information, such as passwords and credit card details, for malicious reasons.

"For companies hosting phishing websites, there were fewer incentives to crack down on the sites since they were operated by paying customers and the sites failed to negatively impact the company itself," explains Gene Moo Lee, study co-author and assistant professor of Accounting and Information Systems at the UBC Sauder School of Business.

The researchers developed and assigned an information security score, similar to the idea of Moody's and Standard and Poor's credit ratings, to each organization. The score can be used as an indicator of each organization's security vulnerabilities.

The security results from each company were then published online. According to Lee, publicizing firms' security levels not only leads to greater transparency, but it could also be used to strengthen their security over time. In addition, organizations with poor performance could face greater pressure from their customers and a loss of reputation.

"The ever-increasing number of cyberattacks motivated my co-authors and I to explore a more effective way to enhance the security awareness of organizations and the general public," explains Lee. "By establishing a ranking scheme of firms against online scams, we hope this will heighten firms' awareness to address suboptimal security issues."

For Lee, cybersecurity is an international concern that needs to be managed more effectively. "Many organizations don't understand the threats posed by emerging, sophisticated cyberattacks and usually adopt a wait-and-see approach in security investments until a huge security incident affects them significantly," he said. "Our hope with this research is that companies improve their security levels to prevent the potential of cyberattacks from happening in the first place. And, ultimately, the goal of our research is to provide insights for cybersecurity policy makers."

"Information Disclosure and Security Policy Design: A Large-Scale Randomization Experiment in Pan-Asia" was recently presented at the Workshop on Economics of Information Security. It was co-authored by Yun-Sik Choi and Andrew B. Whinston from the University of Texas at Austin, Shu He from the University of Connecticut, and Yunhui Zhuang and Alvin Chung Man Leung from the City University of Hong Kong.

University of British Columbia - Sauder School of Business
