Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia

1 Nov 2020
Research

Information Systems

Alvin Chung Man Leung, Yunhui Zhuang, Yunsik Choi, Shu He, Gene Moo Lee, Andrew Whinston 

Published in Journal of Management Information Systems, November 2020 

Information security is one of the most important areas for any business. However, despite numerous efforts from government bureaus, many firms still under-invest in this area. How to effectively motivate firms to adopt better security measures? Such a question has long plagued cybersecurity policymakers. In this research, Dr Alvin Chung Man Leung of the Department of Information Systems and co-authors tried to find an answer. Implementing a field experiment in the Pan-Asian region, they found empirical evidence that the security under-investment problem was rooted in a lack of awareness, incentives, and external support. 

To promote information security, first and foremost, firms should be aware that their information security has problems and neglecting those problems may hinder their business growth and adversely affect their customers and business partners,” says Leung. 

“Therefore, firms need an expert system that can tell them the loopholes existed in their internal information systems.”  

Second, firms need to see justifications that their efforts to remediate the weaknesses of their information systems are economical. In their field experiment, Leung and co-authors developed a vulnerability index and built a public website so that firms can identify their ranking in terms of security vulnerabilities when compared with their peers in the same industry.  

Third, even when firms are aware of their vulnerabilities and have strong incentives to fix them, capability is another hurdle to overcome. To tackle security underinvestment, developing a strong ICT environment is crucial. In their field experiment, Leung and his co-authors find that due to an inferior ICT environment, some firms cannot do anything to curb known security vulnerabilities even though they have a strong desire to do so. 

“We find that awareness, incentives, and external support are three important elements to motivate firms to adopt better security measures and improve their information security over time,” says Leung.  

They are not independent of each other but required to exist simultaneously. With existence of all three elements, they find that the treatment firms in their field experiment take a more proactive approach to tackle information security problems and improve their security performance over time.

Dr. LEUNG Chung Man Alvin

Dr. LEUNG Chung Man Alvin

Dr. Alvin Chung Man Leung is an Associate Professor at Department of Information Systems, City University of Hong Kong. He received his PhD in Information Management from McCombs School of Business, the University of Texas at Austin. His current research primarily focuses on information security, IT business value, business analytics and financial technology (FinTech). His works have been published in leading business and information systems journals such as Management Science, Management Information Systems Quarterly, Information Systems Research, and Journal of Management Information Systems. Dr. Leung received many research and teaching awards, for example, The President's Award, Dean's Research Excellence Award, AIS Early Career Award, UGC Early Career Award, IS Teaching Excellence Award, BBA First Year Lecture Teaching Award, College Teaching Excellence Award, and Assurance of Learning Award. He currently serves as an Associate Editor for Decision Support Systems and Communications for the Association for Information Systems. He is also a deputy programme leader of BSc in Computational Finance and Financial Technology and a stream advisor in Financial Technology. 

Read the full paper
Related articles
Research Insights