[go: up one dir, main page]
IDEAS home Printed from https://ideas.repec.org/a/bla/popmgt/v29y2020i2p410-427.html
   My bibliography  Save this article

Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment

Author

Listed:
  • Qian Tang
  • Andrew B. Whinston
Abstract
Security negligence, a major cause of data breaches, occurs when an organization's information technology management fails to adequately address security vulnerabilities. By conducting a field quasi‐experiment using outgoing spam as a focal security issue, this study investigates the effectiveness of reputational sanctions in reducing security negligence in a global context. In the quasi‐experiment, a reputational sanction mechanism based on outgoing spam was established for four countries, and for each country, reputational sanctions were imposed on the 10 organizations with the largest outgoing spam volumes—that is, these organizations were listed publicly. We find that because of our reputational sanction mechanism, organizations in the four countries, including those that were not listed, reduced outgoing spam significantly compared to those in similar countries. Within each country, the listed organizations, whose reputations were actually sanctioned, reduced spam to a greater extent than those that were not listed. The spam reduction in the not‐listed organizations is mainly driven by increased security awareness, while the reduction in the listed organizations is primarily due to reputation effect. Among the listed organizations, those ranked lower were more responsive to the reputational sanctions. Moreover, we find that reputational sanctions have a stronger effect on large organizations and important organizations that provide network access and transit to others.

Suggested Citation

  • Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    • Handle: RePEc:bla:popmgt:v:29:y:2020:i:2:p:410-427
    DOI: 10.1111/poms.13119
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/poms.13119
    Download Restriction: no
    File URL: https://libkey.io/10.1111/poms.13119?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Anat Hovav & John D'Arcy, 2003. "The Impact of Denial‐of‐Service Attack Announcements on the Market Value of Firms," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 6(2), pages 97-121, September.
    2. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    3. Paul Resnick & Richard Zeckhauser & John Swanson & Kate Lockwood, 2006. "The value of reputation on eBay: A controlled experiment," Experimental Economics, Springer;Economic Science Association, vol. 9(2), pages 79-101, June.
    4. Arellano, Manuel & Bover, Olympia, 1995. "Another look at the instrumental variable estimation of error-components models," Journal of Econometrics, Elsevier, vol. 68(1), pages 29-51, July.
    5. Justin M. Rao & David H. Reiley, 2012. "The Economics of Spam," Journal of Economic Perspectives, American Economic Association, vol. 26(3), pages 87-110, Summer.
    6. Imbens, Guido W. & Lemieux, Thomas, 2008. "Regression discontinuity designs: A guide to practice," Journal of Econometrics, Elsevier, vol. 142(2), pages 615-635, February.
    7. Gong, Jing & Smith, Michael D. & Telang, Rahul, 2015. "Substitution or Promotion? The Impact of Price Discounts on Cross-Channel Sales of Digital Movies," Journal of Retailing, Elsevier, vol. 91(2), pages 343-357.
    8. Armour, John & Mayer, Colin & Polo, Andrea, 2017. "Regulatory Sanctions and Reputational Damage in Financial Markets," Journal of Financial and Quantitative Analysis, Cambridge University Press, vol. 52(4), pages 1429-1448, August.
    9. Willison , Robert, 2006. "Understanding the Perpetration of Employee Computer Crime in the Organisational Context," Working Papers 2006-4, Copenhagen Business School, Department of Informatics.
    10. Sebastian Calonico & Matias D. Cattaneo & Rocio Titiunik, 2014. "Robust Nonparametric Confidence Intervals for Regression‐Discontinuity Designs," Econometrica, Econometric Society, vol. 82, pages 2295-2326, November.
    11. Blundell, Richard & Griffith, Rachel & Windmeijer, Frank, 2002. "Individual effects and dynamics in count data models," Journal of Econometrics, Elsevier, vol. 108(1), pages 113-131, May.
    12. Angharad H. Porteous & Sonali V. Rammohan & Hau L. Lee, 2015. "Carrots or Sticks? Improving Social and Environmental Compliance at Suppliers Through Incentives and Penalties," Production and Operations Management, Production and Operations Management Society, vol. 24(9), pages 1402-1413, September.
    13. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    14. Murphy, Deborah L. & Shrieves, Ronald E. & Tibbs, Samuel L., 2009. "Understanding the Penalties Associated with Corporate Misconduct: An Empirical Examination of Earnings and Risk," Journal of Financial and Quantitative Analysis, Cambridge University Press, vol. 44(1), pages 55-83, February.
    15. Mathios, Alan D, 2000. "The Impact of Mandatory Disclosure Laws on Product Choices: An Analysis of the Salad Dressing Market," Journal of Law and Economics, University of Chicago Press, vol. 43(2), pages 651-677, October.
    16. Blundell, Richard & Bond, Stephen, 1998. "Initial conditions and moment restrictions in dynamic panel data models," Journal of Econometrics, Elsevier, vol. 87(1), pages 115-143, August.
    17. Henriques, Irene & Sadorsky, Perry, 1996. "The Determinants of an Environmentally Responsive Firm: An Empirical Approach," Journal of Environmental Economics and Management, Elsevier, vol. 30(3), pages 381-395, May.
    18. Gregory DeAngelo & Gary Charness, 2012. "Deterrence, expected cost, uncertainty and voting: Experimental evidence," Journal of Risk and Uncertainty, Springer, vol. 44(1), pages 73-100, February.
    19. Alberto Abadie & Javier Gardeazabal, 2003. "The Economic Costs of Conflict: A Case Study of the Basque Country," American Economic Review, American Economic Association, vol. 93(1), pages 113-132, March.
    20. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    21. Andreas Billmeier & Tommaso Nannicini, 2013. "Assessing Economic Liberalization Episodes: A Synthetic Control Approach," The Review of Economics and Statistics, MIT Press, vol. 95(3), pages 983-1001, July.
    22. Hausman, Jerry & Hall, Bronwyn H & Griliches, Zvi, 1984. "Econometric Models for Count Data with an Application to the Patents-R&D Relationship," Econometrica, Econometric Society, vol. 52(4), pages 909-938, July.
    23. Hema Yoganarasimhan, 2013. "The Value of Reputation in an Online Freelance Marketplace," Marketing Science, INFORMS, vol. 32(6), pages 860-891, November.
    24. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2017. "Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions," Production and Operations Management, Production and Operations Management Society, vol. 26(5), pages 860-879, May.
    25. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    26. Karpoff, Jonathan M & Lott, John R, Jr & Wehrly, Eric W, 2005. "The Reputational Penalties for Environmental Violations: Empirical Evidence," Journal of Law and Economics, University of Chicago Press, vol. 48(2), pages 653-675, October.
    27. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    28. Marianne Bertrand & Esther Duflo & Sendhil Mullainathan, 2004. "How Much Should We Trust Differences-In-Differences Estimates?," The Quarterly Journal of Economics, President and Fellows of Harvard College, vol. 119(1), pages 249-275.
    29. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    30. Chris Forman & Anindya Ghose & Batia Wiesenfeld, 2008. "Examining the Relationship Between Reviews and Sales: The Role of Reviewer Identity Disclosure in Electronic Markets," Information Systems Research, INFORMS, vol. 19(3), pages 291-313, September.
    31. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    32. Houser, Daniel & Xiao, Erte & McCabe, Kevin & Smith, Vernon, 2008. "When punishment fails: Research on sanctions, intentions and non-cooperation," Games and Economic Behavior, Elsevier, vol. 62(2), pages 509-532, March.
    33. Abadie, Alberto & Diamond, Alexis & Hainmueller, Jens, 2010. "Synthetic Control Methods for Comparative Case Studies: Estimating the Effect of California’s Tobacco Control Program," Journal of the American Statistical Association, American Statistical Association, vol. 105(490), pages 493-505.
    34. Gediminas Adomavicius & Jesse C. Bockstedt & Shawn P. Curley & Jingjing Zhang, 2013. "Do Recommender Systems Manipulate Consumer Preferences? A Study of Anchoring Effects," Information Systems Research, INFORMS, vol. 24(4), pages 956-975, December.
    35. David Weil & Archon Fung & Mary Graham & Elena Fagotto, 2006. "The effectiveness of regulatory disclosure policies," Journal of Policy Analysis and Management, John Wiley & Sons, Ltd., vol. 25(1), pages 155-181.
    36. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    37. Sasha Romanosky & Rahul Telang & Alessandro Acquisti, 2011. "Do data breach disclosure laws reduce identity theft?," Journal of Policy Analysis and Management, John Wiley & Sons, Ltd., vol. 30(2), pages 256-286, March.
    38. Daniel Houser & John Wooders, 2006. "Reputation in Auctions: Theory, and Evidence from eBay," Journal of Economics & Management Strategy, Wiley Blackwell, vol. 15(2), pages 353-369, June.
    39. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    40. Greene, William, 2008. "Functional forms for the negative binomial model for count data," Economics Letters, Elsevier, vol. 99(3), pages 585-590, June.
    41. Christian Terwiesch & Z. Justin Ren & Teck H. Ho & Morris A. Cohen, 2005. "An Empirical Analysis of Forecast Sharing in the Semiconductor Equipment Supply Chain," Management Science, INFORMS, vol. 51(2), pages 208-220, February.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Suyuan Luo & Tsan‐Ming Choi, 2022. "E‐commerce supply chains with considerations of cyber‐security: Should governments play a role?," Production and Operations Management, Production and Operations Management Society, vol. 31(5), pages 2107-2126, May.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    2. Jaehyeon Ju & Daegon Cho & Jae Kyu Lee & Jae‐Hyeon Ahn, 2021. "Can It Clean Up Your Inbox? Evidence from South Korean Anti‐spam Legislation," Production and Operations Management, Production and Operations Management Society, vol. 30(8), pages 2636-2652, August.
    3. Bruno Ferman & Cristine Pinto & Vitor Possebom, 2020. "Cherry Picking with Synthetic Controls," Journal of Policy Analysis and Management, John Wiley & Sons, Ltd., vol. 39(2), pages 510-532, March.
    4. Chuku Chuku & Mustafa Yasin Yenice, 2021. "Working Paper 356 - Eurobonds, debt sustainability and macroeconomic performance in Africa: Synthetic controlled experiments," Working Paper Series 2482, African Development Bank.
    5. Bibek Adhikari & Romain Duval & Bingjie Hu & Prakash Loungani, 2018. "Can Reform Waves Turn the Tide? Some Case Studies using the Synthetic Control Method," Open Economies Review, Springer, vol. 29(4), pages 879-910, September.
    6. Benjamin Friedrich, 2015. "Trade Shocks, Firm Hierarchies and Wage Inequality," Economics Working Papers 2015-26, Department of Economics and Business Economics, Aarhus University.
    7. Guido W. Imbens & Jeffrey M. Wooldridge, 2009. "Recent Developments in the Econometrics of Program Evaluation," Journal of Economic Literature, American Economic Association, vol. 47(1), pages 5-86, March.
    8. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    9. Su, Hsin-Ning & Moaniba, Igam M., 2017. "Does innovation respond to climate change? Empirical evidence from patents and greenhouse gas emissions," Technological Forecasting and Social Change, Elsevier, vol. 122(C), pages 49-62.
    10. Nauro Campos & Fabrizio Coricelli & Luigi Moretti, 2015. "Norwegian Rhapsody? The Political Economy Benefits of Regional Integration," Working Papers halshs-01267252, HAL.
    11. Gordon Burtch & Anindya Ghose & Sunil Wattal, 2013. "An Empirical Examination of the Antecedents and Consequences of Contribution Patterns in Crowd-Funded Markets," Information Systems Research, INFORMS, vol. 24(3), pages 499-519, September.
    12. Yoshitsugu Kitazawa, 2012. "An improved theoretical ground for the linear feedback model and a new indicator," Discussion Papers 58, Kyushu Sangyo University, Faculty of Economics.
    13. Gharehgozli, Orkideh, 2021. "An empirical comparison between a regression framework and the Synthetic Control Method," The Quarterly Review of Economics and Finance, Elsevier, vol. 81(C), pages 70-81.
    14. David Gilchrist & Thomas Emery & Nuno Garoupa & Rok Spruk, 2023. "Synthetic Control Method: A tool for comparative case studies in economic history," Journal of Economic Surveys, Wiley Blackwell, vol. 37(2), pages 409-445, April.
    15. Peter Ganong & Simon Jäger, 2018. "A Permutation Test for the Regression Kink Design," Journal of the American Statistical Association, Taylor & Francis Journals, vol. 113(522), pages 494-504, April.
    16. Alice Lépissier & Matto Mildenberger, 2021. "Unilateral climate policies can substantially reduce national carbon pollution," Climatic Change, Springer, vol. 166(3), pages 1-21, June.
    17. Dmitry Arkhangelsky & Guido Imbens, 2023. "Causal Models for Longitudinal and Panel Data: A Survey," Papers 2311.15458, arXiv.org, revised Jun 2024.
    18. Bibek Adhikari & James Alm, 2016. "Evaluating the Economic Effects of Flat Tax Reforms Using Synthetic Control Methods," Southern Economic Journal, John Wiley & Sons, vol. 83(2), pages 437-463, October.
    19. Andrew C. Johnston & Alexandre Mas, 2018. "Potential Unemployment Insurance Duration and Labor Supply: The Individual and Market-Level Response to a Benefit Cut," Journal of Political Economy, University of Chicago Press, vol. 126(6), pages 2480-2522.
    20. Andrzej Cieślik & Mehmet Burak Turgut, 2021. "Estimating the Growth Effects of 2004 Eastern Enlargement of the European Union," JRFM, MDPI, vol. 14(3), pages 1-15, March.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bla:popmgt:v:29:y:2020:i:2:p:410-427. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: http://onlinelibrary.wiley.com/journal/10.1111/(ISSN)1937-5956 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.