Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia

Journal of Management Information Systems, 37(3): 668-693

Posted: 8 Jan 2019 Last revised: 19 Nov 2020

See all articles by Vincent Y. Zhuang

Vincent Y. Zhuang

City University of Hong Kong (CityU) - Department of Information Systems

Yun-Sik Choi

University of Texas at Austin - Department of Computer Science

Shu He

University of Florida - Information Systems and Operations Management

Alvin Leung

City University of Hong Kong (CityU) - Department of Information Systems

Gene Moo Lee

University of British Columbia (UBC) - Sauder School of Business

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management

Date Written: November 18, 2020

Abstract

This paper investigates how the awareness of a security vulnerability index affects firms’ security protection strategy and how the information awareness effect interacts with firm incentives and country-wide IT development level. The security index is constructed based on outgoing spams and phishing website hosting, which may serve as an indicator of a firm’s security controls. To study whether security vulnerability awareness causes firms to improve their security, we conducted a randomized field experiment on 1,262 firms in six Pan-Asian countries and regions. Among 631 randomly selected treated firms, we alerted them of their security vulnerability index and their relative rankings compared to their peers via advisory emails and websites. Difference-in-differences analyses show that compared with the controls, the treated firms improve their security over time, with a statistically significant reduction of outgoing spam volume according to one of the data sources but not phishing website hosting. However, a statistically significant reduction in phishing website hosting was observed among non-web hosting firms, suggesting that firms’ underlying incentives play an important role in the treatment effect. Lastly, exploiting the multi-country nature of the data, we found that firms in countries with high information and communications technology (ICT) development are more responsive to our intervention because they have higher IT capabilities and more resources to resolve security issues. Our study provides cybersecurity policymakers with useful insights on how firm incentives and ICT environments play roles in firms’ security measure adoption.

Keywords: cybersecurity; information security index; randomized field experiment; security awareness; firm incentives; ICT development

Suggested Citation

Zhuang, Yunhui and Choi, Yun-Sik and He, Shu and Leung, Alvin and Lee, Gene Moo and Whinston, Andrew B., Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia (November 18, 2020). Journal of Management Information Systems, 37(3): 668-693, Available at SSRN: https://ssrn.com/abstract=3306192 or http://dx.doi.org/10.2139/ssrn.3306192

Yunhui Zhuang

City University of Hong Kong (CityU) - Department of Information Systems ( email )

83 Tat Chee Avenue
Kowloon
Hong Kong

Yun-Sik Choi

University of Texas at Austin - Department of Computer Science ( email )

2317 Speedway, Stop D9500
Austin, TX
United States

Shu He

University of Florida - Information Systems and Operations Management ( email )

Warrington College of Business
ISOM Department STZ
Gainesville, FL 32611-7169
United States

Alvin Leung

City University of Hong Kong (CityU) - Department of Information Systems ( email )

83 Tat Chee Avenue
Kowloon
Hong Kong

Gene Moo Lee (Contact Author)

University of British Columbia (UBC) - Sauder School of Business ( email )

2053 Main Mall
Vancouver, BC V6T 1Z2
Canada

Andrew B. Whinston

University of Texas at Austin - Department of Information, Risk and Operations Management ( email )

CBA 5.202
Austin, TX 78712
United States
512-471-8879 (Phone)

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
1,108
PlumX Metrics