Internet miscreants cooperate for profit in identity theft, denial of service, etc. Â Meanwhile, defending organizations act separately and treat Internet information security (infosec) as a cost to be minimized. Customers could choose more wisely among competing Internet firms if they knew which had good or bad security, and such fame or shame would cause firms to improve security to retain and attract customers.
To verify such a policy of peer influence, this project uses a readily available stand-in for organizational infosec: outbound spam (unsolicited bulk email). Â Other security problems may not cause outbound spam, and this project makes no claims to solve all problems. Â However, just as a sneeze indicates disease, spam indicates poor infosec that could be exploited for even worse purposes (theft, denial of service, blackmail, etc.), and no organization wants to be seen to have such problems.
The project ranks similar organizations in SpamRankings.net, using daily data from multiple anti-spam blocklists, aggregating it from IP addresses into routing blocks (Autonomous Systems), and categorizing their owners by geography and type (hosting, medical, ISP, etc.). Â Field experiments, including the relative effects of different publicity strategies, seek to determine whether publishing information on a symptom of infosec (outbound spam) causes firms to improve that symptom.
Positive experimental results will serve as stepping stones to policy recommendations of legislative mandates of timely and publicly accessible incident disclosure to enable more third-party peer rankings for further infosec improvement. Â Minimal enforcement could thus catalyze significant improvements in Internet usability, profitability, and national security.
