Spam Shaming to Improve Cybersecurity

The effects of hacking can be dire for a company’s finances and reputation, but firms are loath to invest in the expensive software to prevent it — until they’re shamed into acting.


By Steve Brooks

When high-tech visionaries paint the future, they see smart homes, robotic servants, and self-driving cars. When Professor Andrew Whinston looks ahead, he sees something else: disasters in the making, if the integrated technology we’ve come to rely on is easily hacked.

“If we go to driverless cars, imagine the things that could happen,” says Whinston, director of McCombs’ Center for Research in Electronic Commerce.

“Someone could hijack your car and crash it into buildings. Everyone’s excited about artificial intelligence, but artificial intelligence is going nowhere unless there’s better management of cybersecurity.”

But though potential losses sound staggering — Target’s 2013 data breach cost it $162 million — they’re tiny compared to sales, says Whinston, and many companies still pinch pennies on protecting their networks. If numbers don’t motivate them to fortify their firewalls, what else might work?

An alternative inducement, he thought, might be peer pressure. Companies already use it when they hold sales contests, he notes. “If you’re the worst, you’re going to feel peer pressure to improve.”

Could the same psychology work to improve cybersecurity? If consumers could see that a firm was more vulnerable than its competitors, he theorized, it might feel shamed into tightening up.

Spam Levels and Security Leaks

To compare peers, though, he needed a measuring stick. He chose one that’s already monitored by multiple organizations: the unsolicited emails known as spam. Worldwide, 90 percent of it comes from infected computers, churned out by malicious programs known as bots. If an organization is sending out large quantities, it can be a sign of weak security.

Conversely, when firms plug security leaks, spam levels should drop. “They go directly to the affected machines and eliminate the spam,” he says. “Or they decide that they probably have other problems, too, and they ought to tighten up everything.”

In an earlier project, Whinston helped create a website, spamrankings.net, which exposes the world’s top 10 spamming organizations each month. This time around, he looked at a much larger list: 7,919 companies, all in the U.S.

With colleagues Shu He of the University of Connecticut, Gene Lee of UT Arlington, and Sukjin Han of UT Austin, he broke the firms down into clusters of three, matching the firms in each cluster by industry and size. Each firm in a cluster got a different treatment:

  • One firm, as a control, was not contacted at all.
  • Another company was emailed a private report, including its spam volume, a partial list of offending internet addresses, and its spam rank compared to its peers.
  • The third organization received a similar report but was told that its statistics could be searched by anyone on a public website.

For six months after sending the reports, the researchers monitored all three groups of businesses. They found that sending private reports had no effect. Firms that received them did not reduce their spam volumes compared to the control group.

The outcome was different for the third group, whose reports were visible to the world. Smaller spammers likely did not cut their output, says Whinston, because the amounts were too minor to worry about. But the biggest culprits — the top 25 percent — throttled their flows by a third.

The lesson, he says, is that:

“Simply pointing out security shortcomings doesn’t move companies to action, but bad publicity does. The bigger the spammer, the more likely that peer pressure will inspire it to tackle its problems.”

Reducing Threats and Improving Customer Perception

The most responsive organizations, he notes, were concentrated in two kinds of industries: service and tech. Service companies retain massive amounts of personal data and include institutions such as banks, hospitals, universities, and public administration offices. Technology firms include hardware manufacturers, software developers, and telecommunications. Says Whinston, “For a high-tech company, it doesn’t look good for its reputation if it can’t control spam.”

However, spam is just one possible sign of weak security, says Whinston, and it’s not foolproof. He’d like to monitor other indicators as well. With the City University of Hong Kong, he’s running a similar experiment for phishing — emails that try to trick recipients into sharing personal information by posing as legitimate companies like banks. Whinston hopes to learn how both different businesses and countries (such as China, Singapore, and Malaysia) react when they’re notified that they’re sending out phishing emails.

Ultimately, he’d like the federal government to set up a third-party institution to track cybersecurity. It would monitor businesses using several different indicators and report on the worst offenders to the general public. “People don’t like the perception that a company they are dealing with is not secure,” says Whinston. “The government should spend money to make people more aware.” By prodding organizations to boost their defenses, he says, they can also make computer crime less profitable.

“We’re never going to eliminate our cybersecurity problems.”

“It’s a question of being able to manage it more effectively, to reduce the amount of money these people can make.”

The Study

“How Would Information Disclosure Influence Organizations’ Outbound Spam Volume? Evidence from a Field Experiment” was published in the Journal of Cybersecurity.

Originally published at www.texasenterprise.utexas.edu on April 26, 2017.

http://www.texasenterprise.utexas.edu/2017/04/26/research-brief/spam-shaming-to-improve-cybersecurity