With more prominent data breaches and cybersecurity incidents, cyber insecurity is becoming a serious problem for every individual and for society. Such security incidents are partially due to the lack of relevant governmental policies and to insufficient security protection by organizations managing information assets. The investigators will design an independent Trans-Pacific cybersecurity evaluation institution that measures and reports organizations' security weaknesses. The proposed institution aims at effectively motivating organizations to achieve a desirable level of cybersecurity. An opt-in field experiment with a rigorous design will be employed to empirically evaluate the performance of organizations in the Trans-Pacific region and to see how they respond to the diversified security performance reports of malicious cybercrimes, including spam, phishing, and distributed denial of service (DDoS) attacks. Based on the experimental results, the project will provide practical and credible suggestions to help policy makers and companies improve their security preparedness. As methods of data analysis, the researchers will employ potentially useful theoretical and empirical models: (i) a model that allows endogenous experiments, (ii) static and dynamic models with strategic interaction between defenders and attackers, and (iii) a cyber-insurance and reinsurance model which utilizes the PIs' comprehensive security evaluation metric. The PIs will estimate the policy-relevant parameters in these models using both experimental and observational data. In addition to the existing dataset on defenders, important data sets on attackers have been collected and will be used in the analyses, such as data on phishing activity, outgoing spam mails, and real-time DDoS information.
Since the PIs seek to recover flexible heterogeneous effects of policies, as cybersecurity data typically exhibit a great deal of heterogeneity, they introduce semi-parametric identification and estimation methods developed in the recent econometrics literature. This work contributes to the literature on randomized field experiments in several ways: (i) to identify the problem of endogeneity in randomized field experiments due to the existence of external impact; (ii) in the context of cybersecurity, to redesign a previous experiment and introduce empirical strategies that control for endogeneity using novel datasets on the attackers; (iii) to recover fully heterogeneous effects of treatments, which departs from a simple and restricted approach commonly taken in the literature; (iv) as some of the datasets are of high frequency (e.g., real-time DDoS attack data), to develop estimation methods that deal with big data issues. The theoretical models of this project contribute to the cybersecurity literature through the following novel features: (i) a dynamic cybersecurity game in the continuous-time framework using stochastic analysis; (ii) a cyber-insurance model with reinsurance opportunity, and specification of the role of governments as the ultimate excessive risk taker, and a method for governments to control organizations' cybersecurity investment level by altering the premium