Improving Internet Security Through Mandatory Information Disclosure

Although disclosure has long been considered as a solution to internalize externalities, mandatory security information disclosure is still in debate. We propose a mandatory disclosure mechanism based on existing data. The information is disclosed as straightforward rankings of organizations for users to understand, interpret, and make comparisons. As a result, the disclosure can influence organizations through reputational effects. We created a public website to disclose information regularly and conducted a quasi-experiment on outgoing spam to test the effectiveness of our mechanism on four matched country groups. For each treated country, we released the ranking list of top 10 most spamming organizations every month, while for the control countries, no information was disclosed. We find that the treatment organizations subject to spam information disclosure reduced significantly more spam than comparison organizations.