Kwan Im Thong Hood Cho Temple Professor and Professor of Business Policy and Economics, the National University of Singapore; Professorial Fellow of the IP Academy of Singapore; Associate Editor, Management Science
We compare alternative information security policies--facilitating end-user precautions and enforcement against attackers. The context is mass and targeted attacks, taking account of strategic interactions between end users and attackers. For both mass and targeted attacks, facilitating end-user precautions reduces the expected loss of end users. However, the impact of enforcement on expected loss depends on the balance between deterrence and slackening of end-user precautions. Facilitating end-user precautions is more effective than enforcement against attackers when the cost of precautions and the cost of attacks are lower. With targeted attacks, facilitating end-user precautions is more effective for users with relatively high valuation of information security, while enforcement against attackers is more effective for users with relatively low valuation of security.
We adapt the event study methodology from research in financial economics to study the impact of government enforcement and economic opportunities on information security attacks. We found limited evidence that domestic enforcement deters attacks within the country. However, we found compelling evidence of a displacement effect: U.S. enforcement substantially increases attacks originating from other countries. We also found strong evidence that attackers are economically motivated in that the number of attacks is increasing in the U.S. unemployment rate. Our findings were robust to differences in the effective time window of enforcement and the measurement of vulnerabilities.
The advent of the Internet has made the transmission of personally identifiable information more common and often unintended by the user. As personal information becomes more accessible, individuals worry that businesses misuse the information that is collected while they are online. Organizations have tried to mitigate this concern in two ways: (1) by offering privacy policies regarding the handling and use of personal information and (2) by offering benefits such as financial gains or convenience. In this paper, we interpret these actions in the context of the information-processing theory of motivation. Information-processing theories, also known as expectancy theories in the context of motivated behavior, are built on the premise that people process information about behavior--outcome relationships. By doing so, they are forming expectations and making decisions about what behavior to choose. Using an experimental setting, we empirically validate predictions that the means to mitigate privacy concerns are associated with positive valences resulting in an increase in motivational score. In a conjoint analysis exercise, 268 participants from the United States and Singapore face trade-off situations, where an organization may only offer incomplete privacy protection or some benefits. While privacy protections (against secondary use, improper access, and error) are associated with positive valences, we also find that financial gains and convenience can significantly increase individuals' motivational score of registering with a Web site. We find that benefits--monetary reward and future convenience--significantly affect individuals' preferences over Web sites with differing privacy policies. We also quantify the value of Web site privacy protection. Among U.S. subjects protection against errors, improper access, and secondary use of personal information is worth $30.49--$44.62. Finally, our approach also allows us to identify three distinct segments of Internet...