Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalpeer-review

2 Scopus Citations
View graph of relations

Author(s)

  • Yunhui Zhuang
  • Yunsik Choi
  • Shu He
  • Gene Moo Lee
  • Andrew Whinston

Detail(s)

Original languageEnglish
Pages (from-to)668-693
Number of pages26
Journal / PublicationJournal of Management Information Systems
Volume37
Issue number3
Online published18 Nov 2020
Publication statusPublished - 2020

Abstract

This paper investigates how the awareness of a security vulnerability index affects firms’ security protection strategy and how the information awareness effect interacts with firm incentives and country-wide information technology (IT) development level. The security index is constructed based on outgoing spams and phishing website hosting, which may serve as an indicator of a firm’s security controls. To study whether security vulnerability awareness causes firms to improve their security, we conducted a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. Among 631 randomly selected treated firms, we alerted them of their security vulnerability index and their relative rankings compared to their peers via advisory emails and websites. Difference-in-differences analyses show that compared with the controls, the treated firms improve their security over time, with a statistically significant reduction of outgoing spam volume according to one of the data sources but not phishing website hosting. However, a statistically significant reduction in phishing website hosting was observed among non-web hosting firms, suggesting that firms’ underlying incentives play an important role in the treatment effect. Lastly, exploiting the multi-country nature of the data, we found that firms in countries with high information and communications technology (ICT) development are more responsive to our intervention because they have higher IT capabilities and more resources to resolve security issues. Our study provides cybersecurity policymakers with useful insights on how firm incentives and ICT environments play roles in firms’ security measure adoption.

Research Area(s)

  • cybersecurity, firm incentives, ICT development, information security index, Pan-Asia, randomized field experiment, security awareness

Citation Format(s)

Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia. / Zhuang, Yunhui; Choi, Yunsik; He, Shu; Leung, Alvin Chung Man; Lee, Gene Moo; Whinston, Andrew.

In: Journal of Management Information Systems, Vol. 37, No. 3, 2020, p. 668-693.

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalpeer-review