Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia
Alvin Chung Man Leung, Yunhui Zhuang, Yunsik Choi, Shu He, Gene Moo Lee, Andrew Whinston
Published in Journal of Management Information Systems, November 2020
Information security is one of the most important areas for any business. However, despite numerous efforts from government bureaus, many firms still under-invest in this area. How can firms be effectively motivated to adopt better security measures? This question has long plagued cybersecurity policymakers. In this research, Dr Alvin Chung Man Leung of the Department of Information Systems and co-authors tried to find an answer. Implementing a field experiment in the Pan-Asian region, they found empirical evidence that the security under-investment problem was rooted in a lack of awareness, incentives, and external support.
“To promote information security, first and foremost, firms should be aware that their information security has problems and neglecting those problems may hinder their business growth and adversely affect their customers and business partners,” says Leung.
“Therefore, firms need an expert system that can tell them the loopholes that exist in their internal information systems.”
Second, firms need to see justifications that their efforts to remediate the weaknesses of their information systems are economical. In their field experiment, Leung and co-authors developed a vulnerability index and built a public website so that firms can identify their ranking in terms of security vulnerabilities when compared with their peers in the same industry.
Third, even when firms are aware of their vulnerabilities and have strong incentives to fix them, capability is another hurdle to overcome. To tackle security underinvestment, developing a strong ICT environment is crucial. In their field experiment, Leung and his co-authors find that due to an inferior ICT environment, some firms cannot do anything to curb known security vulnerabilities even though they have a strong desire to do so.
“We find that awareness, incentives, and external support are three important elements to motivate firms to adopt better security measures and improve their information security over time,” says Leung.
These three elements are not independent of each other; they must exist simultaneously. With all three elements in place, the authors find that the treatment firms in their field experiment take a more proactive approach to tackling information security problems and improve their security performance over time.