Rating Companies’ Cybersecurity Preparedness May Lead to Stronger Sites

Increased awareness about certain types of cybersecurity breaches leads companies to make improvements, says a new study co-authored by a UConn researcher.


Increased awareness about certain types of cybersecurity breaches leads companies to make improvements, according to a new international study by a University of Connecticut researcher and her counterparts.

The study quantified the security levels of more than 1,200 Pan-Asian companies in order to determine preparedness against cybercrime. Researchers conducted the randomized field experiment on organizations in Hong Kong, China, Singapore, Macau, Malaysia, and Taiwan – chosen for their significant economic development, as well as rapid adoption of technologies.

They evaluated organizations’ preparedness against two distinct security issues – spam emissions and phishing website hosting – and assigned an information security score, similar to the idea of Moody’s and Standard and Poor’s credit ratings. The score offered an indication of each organization’s security vulnerabilities.

Then the group of researchers, including Shu He, an assistant professor of operations and information management in the UConn School of Business, published the rankings online to determine whether or not the public nature of the data resulted in any changes to firm practices.

Spam usually consists of unsolicited bulk messages sent out by compromised “zombie” computers controlled by cyberattackers, while phishing refers to fraudulently obtaining sensitive information, such as passwords and  for malicious reasons.

When cyberattacks, such as spam and phishing, were less likely to directly harm a company, organizations were unlikely to prioritize security improvements. Yet researchers found that their information disclosure successfully motivated companies to fix issues related to spam emails, and motivated non-hosting companies to solve the phishing problems.

The study says cyberattacks grow in prominence every day, noting that 2017 was the worst year to date for data breaches.

Publicizing firms’ security levels not only leads to greater transparency, but it could also be used to strengthen their security over time. In addition, organizations with poor performance could face greater pressure from their customers and a loss of reputation, say the researchers.

“The ever-increasing number of cyberattacks motivated my co-authors and I to explore a more effective way to enhance the security awareness of organizations and the general public,” says co-author Gene Moo Lee of the Sauder School of Business at the University of British Columbia. “By establishing a ranking scheme of firms against online scams, we hope this will heighten firms’ awareness to address suboptimal security issues.”

After presenting their study at the Workshop on Economics of Information Security, the researchers plan to expand it by sharing the information not just online, but also across social media platforms that are closely followed by customers and strategic partners, and to determine whether that leads to further change by companies.

Ultimately, the researchers say, their work may provide insights for cybersecurity policymakers.

In addition to He and Lee, co-authors include Yun-Sik Choi and Andrew B. Whinston from the University of Texas at Austin, and Yunhui Zhuang and Alvin Chung Man Leung from the City University of Hong Kong.

The work was supported by grants from the National Science Foundation (NSF Award: 1718360) and the Public Policy Research Funding Scheme from the Hong Kong Special Administrative Region Government (Project: 2015.A1.030.16A).