Post 5 references from the Journal of MIS that relate to Cyber Security. Provide a description of each article discussing how it relates to your research question.
Cyber Security; information governance
Information Security Control Theory: Achieving a Sustainable Reconciliation Between Sharing and Protecting the Privacy of Information
CHAD ANDERSON, RICHARD L. BASKERVILLE, AND MALA KAUL
CHAD ANDERSON (andersonc16@nku.edu; corresponding author) is an assistant professor of business and health informatics at Northern Kentucky University. He received his Ph.D. in computer information systems from Georgia State University. His research focuses on the role of information systems in the delivery of health care, and his work has been published in MIS Quarterly, Journal of the Association for Information Systems, Information and Organization, International Journal of Medical Informatics, and others.

RICHARD L. BASKERVILLE (baskerville@acm.org) is Regents’ Professor and Board of Advisors Professor in the Department of Computer Information Systems, Robinson College of Business, Georgia State University and professor (partial appointment) in the School of Information Systems at Curtin University, Perth, Australia. A chartered engineer, he holds a Ph.D. in systems analysis from the University of London, and doctorates honoris causa from the University of Pretoria and Roskilde University. His research specializes in security of information systems, methods of information systems design and development, and the interaction of information systems and organizations. He is the author of Designing Information Systems Security (Wiley) and more than 300 articles in scholarly journals, professional magazines, and edited books. He serves on the editorial boards of several journals.

MALA KAUL (mkaul@unr.edu) is an assistant professor of information systems in the College of Business at the University of Nevada, Reno. She received her Ph.D. from the Robinson College of Business at Georgia State University. Her research focuses on information systems design, cyber security and privacy, and health information technology. She has extensive industry experience as an information systems professional. Her work has been published in MIS Quarterly, Harvard Business Review, Journal of Database Management, and other journals.
Journal of Management Information Systems / 2017, Vol. 34, No. 4, pp. 1082–1112. Copyright © Taylor & Francis Group, LLC. ISSN 0742–1222 (print) / ISSN 1557–928X (online). DOI: https://doi.org/10.1080/07421222.2017.1394063

ABSTRACT: Contemporary organizations operate in highly interconnected environments where they are frequently confronted by the challenge of balancing the protection of information resources with the need for sharing information. This tension between the expected benefits and the potential security risks inherent in the information sharing process exists in many domains, including business, health care, law enforcement, and military—yet it is not well-understood. We propose an information security control theory to explain and manage this tension. We evaluate this theory through a longitudinal case study of the iterative development of the information security policies for a health information exchange in the western United States. Our study shows that the theory offers a good framework through which to understand the information security policy development process, and a way to reconcile the tension between information sharing and information protection. The theory has practical applicability to many business domains.
KEY WORDS AND PHRASES: ethical control, health care, health information exchange, information security, security control theory, security exposure control, security policy development.
Two opposing phenomena create an essential tension in information systems: the need to share information and the need to protect information. Technological advances have improved the ability to share and exchange information more efficiently while also increasing the burden of securing this information. The ability to share information between organizations is a broad, worldwide challenge today. In the public arena, government-to-government data sharing includes information about economic development, education, geography, health care, and law enforcement [20], while in the private arena, organizational data sharing includes the exchange of information between organizations, suppliers, and customers [45]. Traditional roadblocks to information sharing have included incompatibility of different systems and both organizational and legal authority to share information [14]. Such legal controls included the boundaries of Freedom of Information laws, privacy protection, trade secrets, and separation of powers between government agencies [69]. Incongruity in commercial objectives has also limited past information sharing (information integration) among firms [65].
However, the technical, organizational, and political benefits of shared information are growing; in fact, information sharing has become the new goal, enabled by technological advances that make information exchange easier [73]. Information sharing is also being driven by policy changes to promote efficiency and reduce waste so that the main challenge to information sharing has shifted to protecting information through cyber security [36]. Ironically, one of the most prominent areas feverishly demanding better information sharing is cyber security itself [62].
In this article, we focus on information sharing in health care because of the growth in the generation and sharing of extremely sensitive health data and the ethical and legal liability to protect the privacy of health information. The digital transformation of health care is expected to improve care quality and reduce the costs of providing quality care [8]. An important element of that process is interoperability (i.e., the ability of health-care organizations to digitally exchange information). The National Coordinator for Health Information Technology (HIT) asserts that, “interoperability is necessary for a ‘learning health system’ in which health information flows seamlessly and is available to the right people, at the right place, at the right time” [52, p. iv]. The value of interoperability has been recognized for some time with the development of community health management information systems (CHMISs) in the early to mid-1990s, community health information networks (CHINs) in the mid- to late 1990s, and regional health information organizations (RHIOs) in the 2000s [67]. More recently, the 2009 HITECH Act included nearly $550 million in federal funding for the development of health information exchanges (HIEs) in every state and U.S. territory. However, the limited success of these initiatives demonstrates that interoperability remains a challenge in the interorganizational knowledge exchange of health information [46], and that the route to effective and sustained interoperability is multifaceted and insufficiently understood [17].
While integration of information systems is crucial for improving clinical, operational, and managerial outcomes in health care, security and privacy concerns have been a significant barrier to adoption [41]. One of the main challenges for interoperability is maintaining the security and privacy of the protected health information that is transmitted [17, 74]. According to the Identity Theft Resource Center, in 2015, the health-care sector experienced more than one-third of all publicly reported data breaches [32]. Health-care data are attractive targets for cybercriminals since the data contain not only sensitive personal information but also financial information. Additionally, if credit card data are breached, credit cards can be canceled; unlike credit card numbers, medical data are less perishable and therefore more valuable. In 2016 alone, there were 325 large-scale breaches of health information, which compromised over 16 million patient records [55]. According to a recent report, one in every four U.S. consumers has had health-care data breached [1]. Since the risk of patient data disclosure is considered high, the medical industry is subject to stricter laws to protect patient information confidentiality [59]. Security breaches can have serious consequences, not only for patients, through identity theft or disclosure of private health records, but also for the health-care organizations that stand to be impacted financially, through loss of reputation, trust, and potential legal and regulatory consequences.
If we were to compare the cost of a health information breach with other data breaches, the average cost of a data breach is $4 million at $158 lost per record; the average cost of a health information breach of just 10,000 records is $7 million [54] and numerous providers have paid many times more. For example, the 2015 Anthem breach was settled at $115 million [4]. Hospitals such as Hollywood Presbyterian and Kansas Heart proved highly vulnerable to a 2016 spate of ransomware attacks. In at least one case where a ransom was paid, the attackers only partly restored hospital data, demanding further ransom [61]. A recent review of security in health care found that the health-care industry is a major target for information theft because it lags well behind other industries in securing vital data [42]. Threats to the security of health information are expected to remain high because of the value of medical records on the black market [19]. This underscores the high stakes at play in the health-care context and the imperative need for protecting health information. Therefore, a tension exists between the expected value of facilitating interoperability and the potential threat of security breaches, since the information exchange process could expose patients and providers to significant harm.
Security controls must be sufficient to protect data, but not restrictive to the point that they impede interoperability. Creating and sustaining an effective security program is essential to the achievement of the goal of balancing security and interoperability. A good security program starts with the development of an information security policy [15, 70]. Information security policies have been richly discussed in the literature. There are studies that focus on security policy development [22, 25, 37], implementation [39, 53], and effectiveness [23, 26, 29, 34]. However, none have focused on the impact that the aforementioned tension plays in the policy development process. Therefore, an important research question for understanding and explaining what enables effective information exchange is: how is the development of information security policies implicated in balancing the essential tension between sharing and protecting information?
This research answers that question by proposing a theoretical framework that provides a mechanism for balancing the tension between sharing and protecting information. We evaluate the framework by investigating how an HIE in the western United States addressed the tension between protecting and sharing health information in the development of its information security policies. We investigate the HIE’s iterative policy development process through the theoretical lens of security controls reasoning and find that the framework is helpful in understanding and developing information security policies to support the HIE’s goal of interoperability, while maintaining the privacy and security of the information managed by the exchange.
Fundamental goals for information security include the confidentiality, availability, and integrity of data and the development of controls to support those goals [3, 21]. However, much of the published research on information security is limited in its consideration of the theoretical foundations that underpin it, and where it does consider these, it typically makes use of theories that are applicable to a very limited range of the information security spectrum [60]. For example, economic theories (i.e., return on investment, internal rate of return, etc.) have been used to explain the financial value of controls and how that valuation is used to prioritize the decisions to implement those controls [24]; while general deterrence theory (GDT) has been used to explain human behavior and the design of controls to combat computer crime and intentional abuse [64]. Global theories that could broadly explain a wide range of phenomena in information security are lacking, either because they are not highly valued, or because information security scholars have tended to focus on very specific phenomena in their research. In addition, there is a general disconnect between information security research that engages in security theory development and empirical information security studies [60]. This research aims to address these gaps in the literature by proposing a theoretical framework specific to information security, yet one that is broadly applicable to a variety of security phenomena, and then assessing that framework through an empirical investigation, thus addressing both rigor and relevance.
The essential tension identified in our study suggests forms of reasoning that are neither financial nor deterrent. Rather, it is a tension between sharing and protecting data. Sharing involves reasoning with an aim to expose sensitive data to outsiders (i.e., other individuals or organizations). On the other hand, protecting data is reasoning with an aim to seclude the data. Decision settings where there may be multiple, conflicting aims and multiple forms of reasoning have been noted in prior literature in decision analysis [40], health care [27], education [57], and so on. The purpose of this research is not to replicate prior research in multi-objective decision analysis, but to explore the two essential, conflicting objectives in the context of information sharing and information security. This is important because these conflicting objectives are unique to information security, especially in health-care settings, where sharing of information can provide enormous benefits, while also creating the burden of information protection.
This research proposes that these conflicting objectives incorporate two interrelated forms of security reasoning: exposure control reasoning and ethical control reasoning. The theory is based on the premise that the decision to enact controls to protect information systems is a fundamental and meaningful outcome of setting information security policies. Therefore, the decision to adopt an information security policy is an effective place to begin a search for explanations of otherwise unexplained information security behaviors. Exposure and ethics are chosen as the two anchors of controls policy reasoning because both concepts are prevalent and persistent in the information security literature [13, 47]. These two forms of control reasoning are often treated separately, although in most settings they combine to explain how decision makers decide between which controls to set into policy and which ones to forgo because the controls are too difficult or expensive to acquire or operate.
Exposure control reasoning is based on the fact that information assets (e.g., end-user devices, servers, networks, etc.) are inherently exposed to threats (e.g., human error, hackers, fires, etc.). Threat exposure includes threats of any potential exposure, disclosure, breach of confidentiality, or any form of risk exposures that may arise from inadvertent disclosure [33], external threat sources, or insider threats. Exposure control reasoning aims to manage those risk exposures [10, 58] through the identification and placement of controls between assets and threats. However, this process is complex and challenging because assets and threats may be linked to each other in a multitude of ways. For example, computer viruses are threats not only to desktop computing assets, but to computer-controlled assets such as scanners, photocopiers, and so forth. Desktop computing assets are threatened not only by viruses but also by physical theft and network-based access penetration. Consequently, the addition of security requirements and controls into an information system can be expected to increase the cost and complexity of the system and its operation. This is why information security researchers and practitioners must focus on both the analysis of assets and the analysis of threats. Therefore, exposure control reasoning is an important component of many formalized approaches to information security.
One form of exposure control reasoning is represented in Figure 1. This figure represents an insecure system with the set of an organization’s information assets (A) in relation to a set of information threats (T). The arrows represent edges between the members of each set. In this case, the edges (T-A) are exposures [28]. Exposure control reasoning aims to control such exposures by creating a set of controls (C) that protect organizational assets from security exposures. Each control is inserted to eliminate the edges between threats and assets. The aim is to replace each T-A edge with a T-C edge and a C-A edge (see Figure 2).

Figure 1. Threat-Asset Exposure Edges (Adapted from Hoffman et al. [28])

Figure 2. Threat-Control-Asset Edges (Adapted from Hoffman et al. [28])
Ethical reasoning is an area in psychology and management studies that deals with the process of determining the difference between right and wrong. It is related to information systems ethics, in our case, because decisions about adopting security and privacy controls are often made as a rational process of deciding what is the “right” thing to do: to invest in controls or risk the compromise [72].
Ethical control reasoning arises in the need to make rational decisions about the adoption of controls. These decisions rely on ethical reasoning because sometimes controls are unavailable or too costly in relationship to the likelihood of threats and the value of assets, or may even have perverse or unintended effects on the defense of systems [71]. Ethical control reasoning can take a number of forms, but the most common are utilitarian and deontological reasoning. Utilitarian reasoning focuses on achieving the greatest good and relies on risk analysis to determine the degree of hazard to important stakeholders [12]. Virtually all security design methodologies adopt some form of risk analysis as a central activity for determining whether a control is justified. Alternatively, deontological reasoning focuses on the moral duty of adherence to rules, and is used as the basis for compliance with laws and regulations [12]. For example, HIE privacy and security controls are currently governed by the 2013 HIPAA Final Rule.
One prevalent form of ethical control reasoning is the typical risk treatment framework, for example, Jones and Ashenden [35]. Such frameworks map risk treatments (controls) into categories suitable for different values of threat frequency and threat impact (see Figure 3). High frequency, low impact threats are given different treatments than low frequency, high impact threats, and so on. Such treatment decisions are essentially a form of utilitarian ethical reasoning. Control treatments are enacted where they do the greatest good, and not where they do little good. For example, the risk of vandalism by an external hacker is a form of risk that can be relatively high in frequency, but relatively low in impact. The implementation of common self-protection mechanisms such as firewalls and VPN access for external users is an effective response to that threat, whereas cutting off all access from outside the organization will have little additional benefit, while significantly impeding legitimate work. The goal is not to eliminate risk, but rather to shift it down and to the left within the framework without enacting controls that are more impediment than benefit.

Figure 3. Risk Treatment Framework (Adapted from Jones and Ashenden [35])
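As an added illustration (not code from the article or its authors), the following Python models the two forms of reasoning just described: the threat-asset exposure edges of Figures 1 and 2, where a control replaces a T-A edge with a T-C and a C-A edge, and a Figure 3 style frequency/impact treatment decision over whatever edges remain uncovered. Every asset, threat, control, frequency/impact rating and quadrant label below is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Exposure:
    """A T-A edge: a threat that can reach an asset with nothing in between."""
    threat: str
    asset: str


@dataclass(frozen=True)
class Control:
    """A control placed between some threats (T-C edges) and some assets (C-A edges)."""
    name: str
    threats: FrozenSet[str]
    assets: FrozenSet[str]

    def covers(self, e: Exposure) -> bool:
        # The T-A edge is only eliminated when the control sits on both sides of it.
        return e.threat in self.threats and e.asset in self.assets


def exposure_edges(reach: Dict[str, Set[str]]) -> Set[Exposure]:
    """Figure 1: in an insecure system every (threat, reachable asset) pair is an edge."""
    return {Exposure(t, a) for t, assets in reach.items() for a in assets}


def residual_exposures(edges: Iterable[Exposure], controls: Iterable[Control]) -> Set[Exposure]:
    """Exposure control reasoning: the T-A edges not yet replaced by a T-C-A path (Figure 2)."""
    controls = list(controls)
    return {e for e in edges if not any(c.covers(e) for c in controls)}


# Assumed quadrant labels for a Figure 3 style frequency/impact matrix; the article
# only states that the quadrants receive different treatments.
TREATMENT = {
    ("low", "low"): "accept",
    ("high", "low"): "reduce with routine self-protection controls",
    ("low", "high"): "transfer (insure) and plan contingency",
    ("high", "high"): "must control before operating",
}


def ethical_control_decisions(residual: Iterable[Exposure],
                              ratings: Dict[Exposure, Tuple[str, str]]) -> Dict[Exposure, str]:
    """Ethical (utilitarian) control reasoning: decide what not to protect, edge by edge."""
    return {e: TREATMENT[ratings[e]] for e in residual}


def constructed_example() -> Tuple[Set[Exposure], Dict[Exposure, str]]:
    """Constructed HIE-like system; names and ratings are illustrative only."""
    reach = {
        "malware": {"EHR database", "clinician workstation", "copier"},
        "physical theft": {"clinician workstation"},
        "remote intrusion": {"EHR database", "clinician workstation"},
        "fire": {"EHR database"},
    }
    controls = [
        Control("endpoint antivirus", frozenset({"malware"}),
                frozenset({"clinician workstation", "copier"})),
        Control("firewall + VPN", frozenset({"remote intrusion"}),
                frozenset({"EHR database", "clinician workstation"})),
    ]
    residual = residual_exposures(exposure_edges(reach), controls)
    ratings = {
        Exposure("malware", "EHR database"): ("high", "high"),
        Exposure("physical theft", "clinician workstation"): ("high", "low"),
        Exposure("fire", "EHR database"): ("low", "high"),
    }
    return residual, ethical_control_decisions(residual, ratings)


if __name__ == "__main__":
    residual, decisions = constructed_example()
    for e in sorted(residual, key=lambda x: (x.threat, x.asset)):
        print(f"{e.threat} -> {e.asset}: {decisions[e]}")
```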
Exposure control reasoning and ethical control reasoning interact with each other in the formulation of information security policies. The creation of information security policies is a fundamental action in information security as it provides the basis for an organization’s approach to information security. It is also the foundational document by which procedures and controls are selected and implemented [6, 16]. Therefore, the application of both exposure and ethical control reasoning in the development of an information security policy is essential to create a policy that enables both the sharing and protection of information. Both forms of reasoning span consideration for the assets and threats for which security controls must be implemented, the needs of relevant stakeholders, and the requirements of requisite laws and regulations.
Research has considered the role [30], importance [68], structure [6], and content [16] of the information security policy, as well as the relationship between information security and compliance [43]. However, none have directly addressed the essential tension between the need to both share and protect information that is fundamental to organizations like an HIE. Our theoretical model addresses that tension and we apply the model to an HIE to understand how the tension is managed through the information security policy development process in such an organization.
In formulating and applying security policies for an HIE, the policy developers have to balance the requirements of ensuring interoperability and availability of information to authorized parties, while at the same time ensuring confidentiality, integrity, and overall security. Policy makers can adopt exposure control reasoning for controlling the threat of any kind of malicious or accidental exposure of information that may result in a security breach, including breach of confidentiality. Similarly, they can use ethical control reasoning to rationalize decisions on the appropriate level of controls. However, these two forms of reasoning must be balanced to both enable the sharing of information and protect that information. Thus, exposure and ethical control reasoning correspond to the tension between the aims of “sharing” and “protection” in creating an HIE security policy. Exposure control reasoning aims to develop complete security and privacy, creating a path to ensure that we protect everything. It offers a mathematical frame that is verifiably complete and secure. Ethical control reasoning, in contrast, aims to make rational decisions about what not to protect. It assumes that a fully protected system is expensive and morally unreasonable. It accepts that there are trade-offs in security, such as the trade-off between complete security and complete interoperability. It guides the reasoning across a threshold where some exposures are acceptable. The occurrence of these risks is acceptable because such events can be insured, or they are inexpensive, or they are avoidable in operation, or safeguards are sufficiently effective.
Our identification of this theoretical tension is not intended as a normative substitute for existing theories and methods of multicriteria decision making. Rather, this tension helps explicate the knowledge and preferences of the decision maker [31] that is a necessary input to multicriteria decisions. It offers a clear frame for illuminating the contradictory inputs to the decision process. Normatively, multicriteria decision theories, such as multiple attribute utility theory [7, 40] or the analytical hierarchy process, can then be employed for the decision-making process itself [56].
A qualitative case study was conducted to evaluate an HIE’s information security policy development. The HIE in this study, henceforth to be known as WesternHIE, is located in the western United States and includes participating health-care organizations across the entire state in which it operates. The HIE was initially formed in 2011 and continues to operate successfully with 129 health-care organizations currently participating in the exchange, representing a sizable portion of the state’s health-care community.
This was a longitudinal study that began as an exploration of the role that security policy development plays in the success of an HIE. Therefore, a qualitative research approach was employed because it provided the flexibility necessary to pursue emergent avenues of inquiry as data collection progressed [48, 49]. Following the first round of data collection, our analysis identified the tension between sharing and protecting health information and a pattern of shifting focus in policy development related to that tension. We conducted a second round of data collection almost two years after the first, in order to confirm the patterns identified in our initial analysis. We based our research process on Eisenhardt’s guidelines for building theory through case study research [18].
Arrangements for data collection were coordinated through the HIE’s executive director, who was known to the first author. Pursuant to the goals of the study, the executive director arranged meetings or provided contact information for everyone still with the organization, or still available for contact, who had participated or was participating in the HIE’s information security policy development process. Within that scope of access, semi-structured interviews were conducted, either in person or over the phone, with HIE staff members and one external consultant.
In qualitative research, semi-structured interviews help guide the participants in sharing their accounts of events and processes that are relevant to the research focus, while enabling the researcher to follow new lines of inquiry as the incoming data suggests. Therefore, while the initial questions (see Appendixes A and B) were structured to the extent that they focused the conversation on the security policy development process, subsequent questions were adapted to pursue emerging ideas both within specific interviews and in subsequent interviews [48].
Interviews were conducted in two phases. The first phase took place in early 2015 and included interviews with six staff members and an external consultant. The second phase took place at the end of 2016, when five staff members were interviewed, only two of whom had been interviewed in the first phase: the executive director and the project coordinator, who had been an HIT intern in 2015 (see Table 1). All interviews were audio-recorded with the exception of one, in which the participant asked not to be recorded. For that interview, the researchers made handwritten notes, as was also done for all recorded interviews. In addition to the interviews, documentation was collected and analyzed, including the different versions of the security policies, policy development timelines, and the document deliverables at each stage of the policy development process.
Analysis of the data started immediately after the initial interview and continued throughout the data collection processes in both phases. Interview transcripts and document data were analyzed by all the authors in an iterative process of data reduction and conclusion drawing [49] with the initial goal of identifying elements of the information security development process that explained how the HIE had been successful in developing and growing the exchange. Each author would analyze the available data individually looking for themes and then the group would come together to discuss those themes, iterating the process until we collectively identified the tension between sharing and protecting data that the HIE was addressing through controls reasoning that shaped the development, implementation, and revision of their information security policies. The second round of data collection served as an evaluation of the security controls framework and a confirmation that the controls reasoning we were seeing in the first phase of interviews continued to hold over time. The following account details the iterative process that WesternHIE took with the development and revisions of its information security policies.

Table 1. Study Participants
Phase 1 participants: Executive director; HIT director; Outreach director; QIO information security officer; Support specialist; HIT intern; External consultant.
Phase 2 participants: Executive director; HIE director; Assistant HIE director; New QIO information security officer; Project coordinator.
WesternHIE has gone through four distinct iterations of information security policy development since the organization was created in 2011. Two of those iterations had already occurred and the third was in process at the time of the first round of interviews in early 2015. The fourth iteration was in process at the time of the second round of interviews in late 2016 (see Figure 4).
Before delving into the details of the case study, we preface those details with a summary of our findings (see Table 2 and Figure 5). Table 2 provides an overview of the four iterations of policy development in the case, with quotes that exemplify the emphasis on exposure control and ethical control reasoning that occurred in each iteration.

Figure 5 illustrates that the tension between sharing and protecting information was always present, but that the emphasis on exposure and ethical controls reasoning shifted through the iterations.

Figure 4. Timeline of Information Security Policy Development Iterations and Study Phases
Table 2. Summary of Study Findings

1st iteration
Exposure control: Bringing together community members to identify threats. “We’re taking down what you the community member think.” (Executive director)
Ethical control: Focusing on compliance with HIPAA and state law to establish policies. “What I always go back to is, what is the Rule? What is the Privacy Rule? What is the Security Rule?” (External consultant)

2nd iteration
Exposure control: Expanding policies to account for more threats. “Someone could hack into [WesternHIE] and use it as a backdoor into the QIO.” (QIO ISO)
Ethical control: Focusing on NIST guidelines to evaluate current policies. “I assessed [WesternHIE’s] security posture based on NIST standards.” (QIO ISO)

3rd iteration
Exposure control: Implementing a policy template for more effective policy articulation. “The first step was developing a standard template, because there was lots of variation [in how the policies were written].” (Support specialist)
Ethical control: Reducing policies to ease the burden on participants to comply. “We look for feedback [on the policies]. Is there anything we overlooked or that would be a concern to them as participants?” (Policy intern)

4th iteration
Exposure control: Implementing an LMS to enable more control over policy training and compliance. “Now we have a way of enforcing it, because we don’t give access [to the HIE] until they complete these particular training courses.” (Assistant HIE director)
Ethical control: Further reducing policies to ease burden on HIE staff to audit policy compliance. “We’re going through these motions having to monitor this and it’s not even a functionality that we support.” (HIE director)

Figure 5. Shifting Emphasis on Forms of Reasoning Across the Iterations
WesternHIE was created by the state’s Quality Improvement Organization (QIO).
The QIO had been approached by several individuals from the state’s health-care
community to take the lead in setting up an HIE for the state. They agreed, but
quickly decided to spin off the HIE both to avoid a conflict of interest and to
generate buy-in from the community because it required them to ask the community
for board members for the HIE. “What better way to get buy-in than to reach out to
our community and say, look, we need board members. You’re going to help shape
and move technology within the state” (HIT director).
The WesternHIE board contracts with the QIO to operationalize the exchange that
includes a management contract, which means that WesternHIE has no employees;
they are instead employees of the QIO. One result of this arrangement is that
WesternHIE does not have a dedicated information security officer (ISO), but instead
makes use of the QIO’s ISO as necessary. This had implications for the information
security policy development process at WesternHIE.
WesternHIE’s HIT director said that most HIEs would set up their governance
structure first, and then select a vendor to provide the hardware and software for the
exchange.
Most HIEs would establish their governance structure and organizational
structure and then go through a vendor selection. . . . We did not do that. We
made a conscious decision to run two parallel paths. One is governance and
how do we set up the infrastructure. The second was . . . we wanted to put the
vendor in place and start getting out to show physicians that this could actually
work. (HIT director)
This created a crossover in WesternHIE’s startup processes because they needed
certain things in place to operationalize the HIE (e.g., privacy and security policies).
Therefore, in the summer of 2011, eight task forces were established by the
WesternHIE board of directors to develop a plan for the major components of the
HIE (e.g., Privacy and Security and Data Use Agreement Task Force, Financial
Sustainability Task Force, Governance and Outreach Task Force, etc.).
The task-force development process was co-facilitated by the WesternHIE executive
director, and an external consultant who served as the expert on HHS Federal Policy.
The task forces comprised WesternHIE staff as well as members of the community
(e.g., the privacy and security task force comprised 13 members that included a
hospital privacy officer who was also an attorney, the director of health information
management at another hospital, the general counsel for a third hospital, a state
Medicaid administrator, the corporate compliance manager for a large physician’s
group, etc.). The diversity of participants was both a benefit and a challenge because,
while multiple perspectives produced a greater range of ideas, each participant also
had to consider others’ perspectives and think more broadly [9, 11].
The task forces met once in July 2011 and twice in August 2011 to discuss their
area of focus and develop a recommendation for how WesternHIE should proceed.
The privacy and security policy recommendations were driven by the HIPAA
Privacy Rule, Security Rule, and Breach and Notification Rule. There were 42
HIPAA standards that needed to be examined and addressed in the developed
policies. For example, the preamble to the HIPAA Final Rule specifically defines
an HIE as a Business Associate of a Covered Entity. Therefore, the policies had to be
developed keeping that structure in mind. “What I always go back to is, what is the
Rule? What is the Privacy Rule? What is the Security Rule? . . . and we mapped
standard by standard” (External consultant).
There were also state laws regarding security and privacy that the HIE would have
to follow, but those laws were not clear and well-developed at the time the HIE was
being set up. “We had bad statutes and zero regulations on any statutes” (HIE
director).
There was one interpretation of the statute that existed at the time that if you
took the literal language and tried to apply it you would have shut down
electronic exchange of any health data in the state. . . . Everything would have
had to revert to paper if you had taken it with that interpretation and there were
folks who looked at it that way and refused to participate in the HIE until that
got resolved. That, I think, was the one thing that stood out as the biggest
challenge for us in the early days. (HIE director)
In this early stage of the HIE, the tension between protecting and sharing data was
evident. One of the goals was to get the technology up and running, to quickly
generate buy-in from physicians that an exchange could work. At the same time, the
privacy and security task force recognized the need to create security policies based
on HIPAA regulations and state laws to protect the data that would be exchanged.
Both exposure and ethical control reasoning were employed in the parallel paths of
setting up the governance structure for the HIE and getting the exchange running as
a proof of concept for providers.
However, the consultant worried that the ethical reasoning over-excluded both
utilitarian reasoning and exposure reasoning. In other words, the aim to seclude data
was unnecessarily eclipsing the (more strategic) aim to expose or share data. For
example, she noted that with regard to HIPAA compliance by HIE participants,
Many of the hospitals in particular may have developed policies that are more
strict than HIPAA . . . and that can often become a problem because the point
of the HIE is to share the information and share the data in a secure way, but
also you don’t want to put up roadblocks to having providers and others being
able to access information when they need it. (External consultant)
She was not only conditioning the ethical reasoning, that is, filtering a dominant
deontological reasoning with a utilitarian lens. She was also reasoning about acceptable
levels of exposure. For example, there was a recognition that all participants in
an HIE together comprised a collective “weak-link phenomenon.” When one participant
suffers a data breach, all participants would suffer [51].
I initially put together several examples of data use agreements, because,
especially in an HIE, it’s very important to have an agreement that goes
beyond a business associate agreement so the HIE has clear written relationships
with their providers that are part of the HIE [so] each of those providers
is meeting their obligations to the HIE. (External consultant)
Each task force generated a report for its focus area. These were provided to the
external consultant in September 2011, for aggregation into a full report to the
WesternHIE board of directors. The final report generated by the external consultant
was completed and submitted to the board in October 2011, and represented a
roadmap for how to proceed in building out the HIE. WesternHIE then took that
roadmap and began developing the organizational structures to achieve the goals of
the roadmap. For privacy and security, that meant constructing the actual policies
and procedures.
There was a defined end-date for the initial task forces, but WesternHIE subsequently
set up two new task forces: one for patient consent, which has since been twilighted
after the consent policies were written out of it, and one for compliance and audit,
which is an ongoing group. The compliance and audit group is an advisory group set
up by the board to make sure WesternHIE is doing audits appropriately and to
provide advice on what to do in regard to actionable items. The compliance and
audit group is the only community group still in place, but WesternHIE also has an
internal policy committee that meets a couple of times each month.
The initial set of privacy and security policies were written by WesternHIE staff
based on the roadmap constructed by the Privacy and Security and Data Use
Agreement Task Force. At this point, the reasoning shifted from predominantly
one of seclusion, which was deontological in nature, to a more utilitarian focus.
The HIT director noted that writing a policy is easy, but getting staff buy-in is
difficult. “Inevitably you get the GM nod from a lot of staff and then they go back to
doing what they have typically done in the past. . . . How do you take a policy and
make it part of the culture?” (HIT director).
Certain policies also had a more utilitarian focus with regard to the participant’s
needs because the participants would be most impacted by those particular policies.
The consent policy was one in which the participants would be responsible for
gaining consent from patients and therefore the policy development process took
more input from participants.
We met once a month for six months to bring the community back together to
say, okay, you’re going to be the ones getting the consents. Where would this
fit in the doctor’s office? How would you go about this? What would the flow
be? Developing the policy for that, developing the form, developing the fact
sheet that you give to somebody. (Executive director)
At this point, the information security officer, because of the relationship noted
earlier, had not been directly involved in the development of the information security
policies for WesternHIE.
In 2013 WesternHIE decided it needed some expert help to evaluate its existing
policies and the information security officer (ISO) offered to take charge of that
process, which kicked off on September 9, 2013. “We needed more [policies], we
needed to make sure what we had was correct . . . we wanted some confirmation,
some validation about what we had done because he’s the expert” (Executive
director).
In addition to the ISO, two other WesternHIE staff members were on the core
evaluation team along with a four-member project steering committee that included
the ISO. The ISO’s plan was to assess WesternHIE’s security posture using National
Institute of Standards and Technology (NIST) guidelines [63] for the evaluation, but
he also looked to outside sources to see what other HIEs around the country were
doing. He felt the evaluation process at WesternHIE was not as well-defined and
structured as he had experienced in other contexts and that the participants were
often distracted with other tasks and did not put enough importance on the evaluation
process. He also felt there was a limited awareness by the staff on how to carry
out the process, so he had to spend time educating the other participants on how to
properly conduct the evaluation.
There is a growing presence of exposure control reasoning as the need for
evaluation rises. There is also an introduction of NIST guidelines as a driver of
deontological reasoning to balance the early focus on HIPAA rules. Concerns that
reflect exposure control reasoning include worries that someone could hack a
partner organization in the HIE and use it as a backdoor to compromise other
partners. To overcome this risk exposure, all partners will need to be strong, and
their relationships need to be good enough to maintain a high level of security for
the HIE.
The evaluation included a gap assessment where HIPAA-required best practice
privacy and security policies were compared with WesternHIE’s existing policies.
For example, the policy on permitted use and disclosure existed, but it was considered
“thin,” and therefore the team concluded that it should be updated to reflect
the HIPAA Final Rule of 2013, while the policy on receiving and resolving
complaints and/or concerns did not exist, and therefore the team concluded that a
policy and procedures should be developed using the best practice example. The
evaluation process lasted four weeks and was completed on October 3, 2013, which
then led to a period of policy writing and revising.
In late 2014, another round of policy evaluation took place, but this time the ISO
was not involved in the process and it was primarily carried out by a new set of staff
members who were not involved in the 2013 evaluation. “Here’s an area where we
could use some extra eyes and ears. We need to update, we need to review these
[privacy and security policies]” (Executive director).
At that point, WesternHIE had 60+ privacy and security policies, many of which
had been added as a result of the 2013 evaluation. The evaluation team started by
prioritizing the policies and removing those that were specific to certain procedures,
which helped to reduce the scope of their work. They also found that many were
written from the perspective of a covered entity. The HIE is not a covered entity, but
is instead a business associate of participating covered entities. Therefore, policies
that focused on the HIE as a covered entity could also be eliminated. Finally,
because of their relationship to the QIO, they found that many of the policies
were part of the QIO’s policies that WesternHIE could use indirectly. Therefore,
the ISO had indirect involvement in the process because he had authored many of
the QIO policies that were used in whole or in part by WesternHIE. In addition, they
found significant variation in how the policies were structured, so they developed a
standard template with clear instructions and examples for future policy writers. The
template was based on the experience that some of the team members had with
policy writing in other organizations.
The decision to develop and implement a policy template reflected ethical
control reasoning with a utilitarian focus because the goal was not to reanalyze
the policies from the perspective of threats and assets but to make the policies
easier to read and use by participants. Policy drafting started with the assignment
of a policy owner who could be the person who had identified the need, or
another person in that functional area. The owner of a policy was responsible for
writing the policy and the template made that responsibility much less daunting.
The revised policies were then sent out to the HIE participants for review.
Participants had 45 days to review the policy and submit questions. “We do
send these policies out after they are approved [by the compliance and audit
committee]. We look for feedback, is there anything we overlooked or that would
be a concern to them as participants?” (Policy intern).
This also reflects a focus on ethical control reasoning with a utilitarian goal of
understanding the needs of participants and incorporating those needs, as appropriate,
into the policies. They originally anticipated that the process would take two
to three months but it ended up taking a year to complete. In the end, the policies
were reduced from 60+ to 14.
Through this process of developing, implementing, and revising the HIE’s
information security policies the list of participant organizations continued to
grow and by early 2015 included as active members of the HIE: 62 physician
offices, 9 acute care hospitals, 7 diagnostic services, and 1 health plan. With that
many participants, each of which is ultimately responsible for the health information
they share through the exchange, agreement and compliance with the HIE’s
information security policies has not been homogeneous, but the HIE contended
that the general perception and engagement with the process and the resulting
policies have been very positive from the perspective of active participants and the
community at large.
In 2016, WesternHIE again initiated an evaluation of their information security
policies. The QIO also replaced its information security officer in early 2016 and
the new ISO participated in this latest iteration of revisions. In this iteration, the
focus for policy development was to further clean and refine the existing policies.
The thought was that, while the policies had been significantly revised in the
previous iteration, they still retained significant verbiage from the second iteration
that could be a problem for the organization. “The verboseness of the security
policies, in my estimation, exposed the organization to unintended consequences”
(New ISO).
Specifically, the new ISO felt that the existing policies contained details that should
be reserved for procedures. He explained that the policies should be more general in
their wording because any litigation would focus on what the policies say and the
policies are what regulators would look at when auditing the organization. “It took us
about six months to wade through the policies, to weed out all of the extraneous
words, and to make it very concise and reflective of what we did” (New ISO).
The views of the new ISO reflect a focus on exposure control reasoning, but in the
opposite way that the first ISO had been focused on exposure control. The first ISO
had worried that the organization faced exposures from policies that were not
sufficiently comprehensive, while the new ISO worried that the verboseness of the
existing policies would expose the organization to litigation and audit penalties
because they would not be able to follow everything included in those policies.
The level of detail in the policies was also adversely impacting the operationalization
of the HIE, because those details were requiring unnecessary work that drew
resources away from other parts of the exchange. For example, the audit and
compliance policy contained requirements to perform audits on elements of the
HIE that were not being used.
Our audit and compliance policy spelled out this list; you have to audit all of
these things, and some of them simply weren’t relevant. It doesn’t apply,
nobody does it, we’re going through these motions having to monitor this
and it’s not even a functionality that we support. Why are we explicitly having
to monitor and report on this month after month and quarter after quarter when
it’s never going to change? (HIE director)
In addition to reducing unnecessary work, streamlining the policies enabled the
HIE to take a more flexible approach to accomplishing their goals with regard to
security and privacy.
As we’ve started changing that model it gives us greater flexibility. Here’s the
goal, here’s what we’re trying to mitigate, here’s what we’re trying to monitor
for, here’s what we’re trying to accomplish. And then we have the flexibility at
that point to deploy a greater range of tools or skills sets amongst the team to
accomplish that. (HIT director)
Those views reflect ethical control reasoning with a focus on utilitarian
reasoning where the goal was to reduce the resource requirements for complying
with the written policies and to enable greater flexibility in achieving the goals of
privacy and security that were critical to the success of the HIE.
In 2016, the HIE had also decided to implement a learning management system
(LMS) to better document and control the training that was required by all participant
users. Prior to 2016, the HIE privacy and security policies were given to each
participating organization as a paper or digital document and the organization was
asked to have each of its users read through the policies and acknowledge their
understanding of those policies as part of their HIE training. The organization would
inform WesternHIE when its users had completed the privacy and security policy
training and WesternHIE would then grant access to the HIE for all those users.
Because of that structure, WesternHIE could not confirm that each individual user
had read and sufficiently understood the policies, and they felt it would benefit the
security of the HIE if they could do so. The LMS became the way to enable that
ability because the training had to be completed by each user in the organization
through individual account-based access, which meant that WesternHIE could
enforce individual compliance with the training requirement. Specifically,
WesternHIE would send each user his or her individual HIE access credentials,
but those credentials would not be provided until the user had completed the
required training modules in the LMS, at which point the system would send the
user’s unique HIE credentials. “I think it will improve the end-users’ understanding
of the HIE’s policies, the HIE’s procedures, and our attention to privacy and security
issues and patient consent issues and I think it will bring those topics more into light
for the end-user than they are right now” (HIE director).
The LMS was implemented in February 2016 and WesternHIE began using it to
conduct compliance training as participating organizations added new users or came
up for their annual compliance renewal, although it was still being refined at the end
of 2016.
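The credential-issuance gate described above, as an added example that is not code from the paper or from WesternHIE: credentials are issued only once every required module is complete, and annual renewal is enforced by treating completions older than one year as expired. The module names, user records, dates and the one-year renewal period are constructed assumptions.

```python
# Added example, not code from the paper or from WesternHIE: a credential-issuance
# gate modelling the LMS control. Module names, users, dates and the renewal
# period are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed required modules; WesternHIE's actual course list is not given.
REQUIRED_MODULES = ("privacy-and-security-policies", "patient-consent")
RENEWAL_PERIOD = timedelta(days=365)  # annual compliance renewal (assumed)


@dataclass(frozen=True)
class Completion:
    user: str
    module: str
    completed_on: date


@dataclass(frozen=True)
class Decision:
    user: str
    action: str      # "issue", "withhold", "current" or "renewal_due"
    missing: tuple   # required modules never completed
    expired: tuple   # modules whose latest completion is older than RENEWAL_PERIOD


def evaluate_user(user, completions, today, has_credentials=False):
    """Gate credential issuance (new user) or renewal (existing user) on LMS records."""
    latest = {}
    for c in completions:
        if c.user == user and c.module in REQUIRED_MODULES:
            if c.module not in latest or c.completed_on > latest[c.module]:
                latest[c.module] = c.completed_on  # keep the most recent completion
    missing = tuple(m for m in REQUIRED_MODULES if m not in latest)
    expired = tuple(m for m in REQUIRED_MODULES
                    if m in latest and today - latest[m] > RENEWAL_PERIOD)
    compliant = not missing and not expired
    if has_credentials:
        action = "current" if compliant else "renewal_due"
    else:
        action = "issue" if compliant else "withhold"
    return Decision(user, action, missing, expired)


def provisioning_report(completions, users, today):
    """Batch decision for one participating organisation's users.

    `users` maps user name -> whether the user already holds HIE credentials.
    """
    return {u: evaluate_user(u, completions, today, held) for u, held in users.items()}


# Constructed sample data for one participating organisation.
AS_OF = date(2016, 3, 1)
SAMPLE_USERS = {"alice": False, "bob": False, "carol": True, "dave": True}
SAMPLE_COMPLETIONS = [
    Completion("alice", "privacy-and-security-policies", date(2016, 2, 10)),
    Completion("alice", "patient-consent", date(2016, 2, 10)),
    Completion("bob", "privacy-and-security-policies", date(2016, 2, 12)),
    Completion("carol", "privacy-and-security-policies", date(2015, 1, 15)),
    Completion("carol", "patient-consent", date(2015, 1, 15)),
    Completion("dave", "privacy-and-security-policies", date(2016, 1, 20)),
    Completion("dave", "patient-consent", date(2016, 1, 20)),
]

if __name__ == "__main__":
    for user, d in provisioning_report(SAMPLE_COMPLETIONS, SAMPLE_USERS, AS_OF).items():
        print(f"{user}: {d.action} missing={d.missing} expired={d.expired}")
```

The report gives alice "issue", bob "withhold" (patient-consent never completed), carol "renewal_due" (both completions older than a year) and dave "current", which is the per-user evidence the audit staff member says was unavailable before the LMS.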
I think one of our biggest challenges will be, not the enforcement of the policy
course that we’re going to ask our HIE end users to take, but how is it going to
affect their use of the HIE? It is a challenge for us to make it informative, but
not daunting, and that we need to roll it out and maintain and insist that they
do this, without asking them to give up a whole chunk of their day going
through these policies and procedures and training courses. (Assistant HIE
director)
There was general agreement among the WesternHIE staff that the LMS was going
to be beneficial to HIE security. For example, the WesternHIE staff member in
charge of conducting audits explained that the LMS generated detailed data on
training completion whereas, before the LMS was implemented, that information
was only available from the people conducting the training. There was, however,
some concern about pushback from the participants if the training became too
burdensome.
A year from now we may be discussing, what were the challenges and how did
we overcome the insistence on having thousands of people go through these
policy and procedure trainings, and were we successful? It’s walking that thin
line where we need them to do it, but we don’t want to put them into a position
where they say, forget it, I don’t have time for it so I won’t use it. (Assistant
HIE director)
The LMS represented a focus on exposure control reasoning as WesternHIE
realized that its existing methods for confirming that HIE participants had read
and understood the privacy and security policies left it exposed to the potential for
many participant users to be using the HIE without being sufficiently aware of
important privacy and security behaviors and expectations. There was recognition
that implementing the LMS and forcing participants to complete the required training
in a more regimented fashion could possibly drive some participants out of the
exchange; however, the benefits of exposure control outweighed the cost of losing
some participants.
In looking forward, as privacy and security become increasingly important to the
viability of an organization like WesternHIE, they are considering some organizational
restructuring to improve their capabilities in this regard. “Because of all the
threats and the worries and, when is the breach going to come for us? Because it just
seems inevitable” (Executive director).
One planned change will be to hire an ISO for the HIE instead of continuing to
borrow time from the QIO’s information security officer. That will provide them
with a dedicated staff member with appropriate credentials and experience to
manage the security of the HIE. “For what the HIE needs to do is more than what
I can do part time” (New ISO).
They are also considering the need for a higher-level manager of privacy and
security and additional staff support for privacy and security tasks. For example, the
WesternHIE staff member currently in charge of conducting audits noted the need
for additional staff to support the audit process. “I’m doing all of these audits on my
own and it’s only a small portion of my time. I have a million other things to do as
well” (Project coordinator).
These considerations also reflect a focus on exposure control reasoning as the
organization realizes that not having the right personnel could increase its exposure
to the growing number of threats in the environment.
One other change in progress was a shift from being a directed exchange to
becoming a more query-based exchange. Directed exchange is when a participant
connects his or her electronic health record (EHR) to the exchange so that relevant
information can be automatically pulled into the exchange from the EHR or pushed
to the EHR from the exchange. Query-based exchange, in contrast, involves individual
searches for patient information on the exchange that require only a browser
and a patient identifier to conduct the search. That shift in focus requires changes in
the privacy and security policies.
As we’ve taken the strategy for the HIE into more query-based exchange, as
opposed to directed exchange, that query-based exchange now requires a
different level of auditing at the patient level. Who’s accessing who? When
are they accessing? What’s the appropriateness of access? What’s the reason
for access? Had we stayed very heavily in a directed exchange, had we chosen
a strategy that took us down a robust directed exchange methodology, that
would have impacted those policy requirements. (HIE director)
Here, ethical control reasoning with a utilitarian focus is driving the growth in
query-based exchange as WesternHIE recognizes the value of offering both directed
and query-based exchange to participants. However, exposure control reasoning is
again at play, as WesternHIE realizes that query-based exchange offers greater
opportunities for inappropriate search activity that could compromise the privacy
of patients. Therefore, additional auditing of participant activity will be necessary
going forward.
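Patient-level auditing for query-based exchange, as an added example that is not code from the paper or from WesternHIE: it answers the HIE director's questions (who accessed whom, when, for what reason) over constructed access records and flags lookups with no stated reason, an unapproved reason, or an unusually high number of distinct patients in a short window. The log format, field names, reason codes and thresholds are constructed assumptions.

```python
# Added example, not code from the paper or from WesternHIE: patient-level audit
# checks for a query-based exchange. Log format, reason codes and thresholds are
# constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed permitted purpose-of-use codes for a patient lookup.
PERMITTED_REASONS = {"treatment", "payment", "operations"}
BURST_WINDOW = timedelta(minutes=15)   # assumed window for the volume check
BURST_THRESHOLD = 5                    # distinct patients per window before flagging

# Constructed sample log: time|user|participant_org|patient_id|reason
SAMPLE_LOG = """\
2016-05-02T09:01:00|jsmith|clinic-a|P1001|treatment
2016-05-02T09:04:00|jsmith|clinic-a|P1002|treatment
2016-05-02T09:05:00|rlee|hospital-b|P1001|
2016-05-02T09:06:00|rlee|hospital-b|P1003|marketing
2016-05-02T10:00:00|kdoe|clinic-c|P2001|treatment
2016-05-02T10:02:00|kdoe|clinic-c|P2002|treatment
2016-05-02T10:03:00|kdoe|clinic-c|P2003|treatment
2016-05-02T10:05:00|kdoe|clinic-c|P2004|treatment
2016-05-02T10:07:00|kdoe|clinic-c|P2005|treatment
"""


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    org: str
    patient: str
    reason: str


@dataclass(frozen=True)
class Finding:
    kind: str      # "missing-reason", "unapproved-reason" or "high-volume"
    user: str
    when: datetime
    detail: str


def parse_log(text):
    """Parse pipe-separated query-access records into Access objects."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, org, patient, reason = line.split("|")
        accesses.append(Access(datetime.fromisoformat(when), user, org, patient, reason))
    return accesses


def patient_access_history(accesses, patient):
    """Who accessed this patient's record, and when (the 'who accessed who' question)."""
    return sorted((a.when, a.user, a.org, a.reason)
                  for a in accesses if a.patient == patient)


def audit(accesses):
    """Flag accesses whose stated reason is absent or unapproved, and users who
    look up at least BURST_THRESHOLD distinct patients within BURST_WINDOW."""
    findings = []
    for a in accesses:
        if not a.reason:
            findings.append(Finding("missing-reason", a.user, a.when, a.patient))
        elif a.reason not in PERMITTED_REASONS:
            findings.append(Finding("unapproved-reason", a.user, a.when,
                                    f"{a.patient}:{a.reason}"))
    by_user = defaultdict(list)
    for a in sorted(accesses, key=lambda x: x.when):
        by_user[a.user].append(a)
    for user, items in by_user.items():
        for i, start in enumerate(items):
            window = [b for b in items[i:] if b.when - start.when <= BURST_WINDOW]
            patients = {b.patient for b in window}
            if len(patients) >= BURST_THRESHOLD:
                findings.append(Finding("high-volume", user, start.when,
                                        f"{len(patients)} patients in {BURST_WINDOW}"))
                break  # one finding per user is enough for the review queue
    return findings


if __name__ == "__main__":
    accesses = parse_log(SAMPLE_LOG)
    for f in audit(accesses):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.kind:18} {f.user:8} {f.detail}")
    print("P1001 history:", patient_access_history(accesses, "P1001"))
```

Each finding is a candidate for human review by the compliance and audit group rather than an automatic verdict, since appropriateness of access depends on the treatment relationship that the log alone does not record.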
Information sharing is bringing new rewards to many fields, such as commerce,
education, health care, law enforcement, and so on. But perhaps nowhere other than
health care is the tension between sharing information and securing information as
prominent. Having immediate and complete information about a patient is critical for
the success of the health-care provider. But this critical availability can stand in
direct opposition to the need to protect the confidentiality of this information from
the prying eyes of an unauthorized intruder, or from accidental disclosure. A
theoretical framework for managing this tension, one that operates well in health
care, could be a valuable model for managing security of information sharing in
many other kinds of settings.
In order to evaluate our theoretical framework, we analyzed the tension between
sharing and protecting health information in WesternHIE’s information security
policy development process. For this, we considered the ways in which exposure
and ethical control reasoning were used by the members of the HIE to develop their
information security policies and assessed how those two forms of reasoning interacted
in the policy development process.
Exposure control reasoning is concerned with the implementation of controls to
separate assets from their associated threats. For WesternHIE this started with an
analysis of the assets and threats that would be relevant to an HIE. In creating the
initial task force for privacy and security, WesternHIE’s decision to include participants
from the health-care and legal domains was predicated on the belief that
diversity would produce a range of perspectives to better identify the relevant assets
and threats for which controls would need to be defined in the information security
policies.
The second iteration of WesternHIE’s information security policies was initiated
on the belief that the expertise of the information security officer could help identify
gaps in the assets and threats for which the policies were written. Here the tension
between sharing and protecting was most pronounced as the ISO was focused on
protection, while the other members of the HIE were more focused on enabling their
participants to exchange data with fewer restrictions. The result of that assessment
and revision was the expansion of the information security policies to include
controls for additional assets and threats identified by the ISO.
The third iteration, which did not involve the ISO directly, was focused on refining
and consolidating the organization’s policies by applying a uniform template to all
policies and eliminating those that were focused too narrowly on specific procedures
or roles. The belief was that a high number of policies in nonstandard formats would
not be an effective mechanism for securing information assets, because the policies
would be less likely to be read and applied. In other words, reasoning that is focused
too heavily on exposure control can lead to a set of policies that appear to provide
comprehensive guidance on the implementation of controls to protect organizational
assets from security threats, but run the risk of being rarely consulted and therefore
ineffective.
In the fourth iteration, further refinement of the policies took place as the new ISO
recognized the threats associated with including too much detail in the policies.
Here, exposure control reasoning was focused on the threats of litigation and
regulatory audits that verbose policies would produce. The LMS implementation
also represented a focus on exposure control reasoning where the HIE was looking
for a mechanism to better document and control the training required for participant
users to be in compliance with HIE policies for privacy and security. There was
some concern with how the LMS and the training it was designed to enforce would
impact the use of the HIE by participants, but the expected value of improved
compliance and control of user training was substantial enough to not make that
concern a deterrent to implementing the LMS. Exposure control reasoning was also
part of the decision to bolster the security focus of the HIE by hiring a dedicated ISO
and other security-oriented staff members and the need for additional auditing as the
exchange moved toward greater use of query-based exchange.
Ethical control reasoning is concerned with the rationale for how decisions are
made regarding information security controls. When WesternHIE was created, the
organization was deliberately set up to include board members from the health-care
community and task forces were created that included a diversity of members from
the health-care community. This represents a focus on utilitarian reasoning in which
the goal was to form a group that would be best positioned to determine how the
HIE should be built to facilitate the greatest good for the community in which it
would operate. In addition, an external consultant was brought in to serve as an
expert on the legal requirements for HIE, which represents a focus on deontological
reasoning to make sure the HIE was going to be compliant with federal law,
specifically HIPAA, and with state law.
In the second iteration, the information security officer chose to assess the
information security policies using NIST guidelines for evaluation and followed a
structured approach that would produce a more rigorous and complete set of
policies. He was concerned that the system connections between the HIE and the
QIO would allow someone to hack into the HIE and use it as a backdoor into the
QIO. Therefore, a weak HIE was a vulnerability for the QIO for which he was
responsible. Consequently, the ethical control reasoning of the ISO was focused
primarily on a utilitarian perspective of what was best for the QIO.
The third iteration relied more heavily on deontological reasoning as the HIE staff strove to work with participants to formulate policies that would work for them. The consent policy was an example of this where the participants would be the ones engaging in consent activities so they were consulted more directly on the consent policy and forms. The goal was to produce a set of policies that were more accessible to both HIE staff and participants.
In the fourth iteration, ethical control reasoning with a utilitarian focus was seen in the efforts to remove unnecessary requirements from the policies that would reduce the workload on HIE staff to be in compliance with those policies and enable the HIE to have greater flexibility in how it operationalized the policies. Ethical control reasoning was also driving the growth in query-based exchange as WesternHIE realized the potential value of increasing its ability to offer access to the exchange that did not require a full connection to a participant’s EHR.
For WesternHIE, the tension between sharing and protection in the development of its information security policies was always present, but the reasoning applied to manage that tension shifted from one iteration to the next. Figure 5, presented at the beginning of the case study, illustrates how the emphasis on one or both forms of reasoning shifted through the iterations. The first iteration was probably the most balanced in terms of how exposure and ethical control reasoning was applied to the policy development process as the privacy and security task force constructed a roadmap for the HIE’s initial round of policy development. The second iteration was much more focused on exposure control reasoning as the ISO attempted to bring more rigor and a stronger security focus to the policy development process. The third iteration shifted to ethical control reasoning as the HIE staff saw the number of policies and their nonstandardized structure as impediments to the use of those policies by staff and participants and a hindrance to participants in the use of the HIE. The fourth iteration, like the first, was more balanced in the use of exposure and ethical control reasoning. Exposure control reasoning drove the new ISO’s goal of removing the verboseness in the policies to reduce exposure to not complying with everything in the policies, while at the same time that process invoked ethical control reasoning as the staff recognized the need to reduce the workload associated with policy compliance. The LMS was implemented to increase compliance and control over participant training that was a source of exposure to the HIE. This aligns with the literature that suggests that increased accountability reduces policy violations [66]. The HIE was looking to hire additional security staff to better manage security threats, but it was also increasing the use of query-based exchange to further drive adoption of the HIE and increase the sharing of data. Thus the LMS was an additional way for the HIE, beyond traditional security controls, to manage or control exposure through compliance.
This framework therefore suggests that as organizations develop their information security policies and more generally consider their information security program, both exposure and ethical control reasoning are necessary to balance the tension between protecting and sharing information. This means that focusing on one type of reasoning over the other, while not necessarily a problem, will shift the focus of the tension to either sharing or protection. While the tension may not be perfectly balanced, leaning too far in one direction will often be detrimental to the organization as either the ability to share information is weakened or the organization becomes too exposed to potential threats. In the case of WesternHIE, an early balance between protection and sharing gave way to an emphasis on protection (i.e., exposure control reasoning dominates). This emphasis was followed by a counterbalancing swing to an emphasis on sharing (i.e., ethical control reasoning dominates). After these two points of emphasis, the balance was restored between information protection and information sharing. These swings may occur because too great a focus on protection could drive participants away from the exchange. Overprotection becomes too much of a burden to participants. Too great a focus on sharing could also drive participants away if that focus enabled the exchange to be breached. These findings are important because, while the literature says that ISO and NIST frameworks are mature, the findings in this study indicate that users cycle between ISO and NIST frameworks and utilitarian reasoning.
Two additional things stood out as important factors across these four iterations of policy development and organizational change at WesternHIE. First was the ongoing process of evaluating and revising the privacy and security policies. The organization has never been satisfied with what they have developed and implemented. They recognize that as time progresses, there is a continual need to revisit and renew what has been done in the past to make sure that what they have is still relevant, and to make changes, as necessary, to address new circumstances and opportunities. This need for ongoing evaluation of security policies and practices is evidenced in the literature [2].
A second factor was that the executive director was a constant through all four iterations. She was, in fact, the only person who had been involved through the entire life cycle of policy development and revisions at WesternHIE. She was a driver of change and supported the work of her staff in shaping and reshaping the privacy and security policies, to maintain the balance between protecting the exchange’s data and enabling the exchange to grow and provide access to that data to an increasing number of participant organizations. The executive director recognized the value in bringing together people with a diversity of ideas along with useful skill sets to develop the exchange and to continue to revise and renew it.
The literature offers evidence for the value of effective leadership in IT adoption and assimilation in general [5, 38, 50], but little has been studied on leadership in information security in particular. This study provides evidence that leadership is an important characteristic of effective privacy and security policy development. The stability of leadership in the top position at WesternHIE, and their championing of this effort, has provided balance in the organization’s ability to both protect and share information as evidenced by continued growth in participation in the exchange while maintaining a strong track record of security with no breaches to date. The role of leadership in driving sustained and successful information security efforts offers an important avenue for further research.
This research has focused on the tension between sharing and protecting health information. Although interoperability is important for sharing information, our examination regarded the security policies rather than the technical aspects of the interoperability. A future study could examine the specific effect of system interoperability on security.
While this research was based on a single case, it was a longitudinal study with multiple iterations that acted as new instances of organizational reflection and change. Extending the study to additional sites would enable confirmation of the theory in those additional settings, but the generalizability of this research is no less valuable for its focus on one case [44].
The exchange of health information between providers is considered critical to the improvement of health care both in better care quality and cost reduction. To increase participation in health information exchange and sustain that participation over time, health-care organizations and individual consumers must feel confident that the information shared and accessed through the exchange is secure and private. The inherent tension in this process between the need to share and desire to protect health information has impacted the achievement of greater interoperability.
We introduce a theory of information security control that considers the development of an information security policy, as a foundational and fundamental process in information security, through the relationship between exposure control reasoning and ethical control reasoning. We find that these two forms of reasoning can be used to balance the tension between sharing and protecting information and that an effective information security policy development process brings together stakeholders, experts, and prior codified knowledge. This approach can provide an important foundation for a successful HIE and help enable more secure information sharing in other arenas that similarly bear the tension between sharing and protecting critical data.
Our investigation provides several novel contributions. First, we address a gap in the information security field by offering a theoretically and empirically grounded policy-making framework for addressing the tension between information sharing and information protection. Second, our information sharing security theory bears special significance to other industry domains where information sharing is governed by strict laws due to the specifically sensitive nature of the information. Third, our findings provide a way forward for promoting the notion of information exchanges that have traditionally floundered due to the security concerns associated with information sharing. Finally, our theory has strong practical implications for practitioners, both in health care and other domains, who may use the learning from the iterative security policy development process to aid their security policy development decisions. They can also apply the theoretical framework to find a balance between openness and protection that best aligns with their specific, local, information goals.
REFERENCES
1. Accenture. Digital trust: Are you one breach away from losing a healthcare consumer? 2017. Available at www.accenture.com/t20170411T012518__w__/us-en/_acnmedia/PDF-43/Accenture-Health-Are-You-One-Breach-Away-From-Losing-a-Healthcare-Consumer (accessed on September 4, 2017).
2. Alberts, C.J., and Dorofee, A. Managing Information Security Risks: The OCTAVE Approach. Boston, MA: Addison-Wesley Longman, 2002.
3. Alsalamah, S.; Alsalamah, H.; Gray, A.W.; and Hilton, J. Information security threats in patient-centered healthcare. In A. Moumtzoglou (ed.), M-Health Innovations for Patient-Centered Care. Hershey, PA: IGI Global, 2016, pp. 298–318.
4. Anthem. 2015 cyber attack settlement agreement reached, 2016. Available at www.anthemfacts.com/cyber-attack (accessed on September 4, 2017).
5. Armstrong, C.P., and Sambamurthy, V. Information technology assimilation in firms: The influence of senior leadership and IT infrastructures. Information Systems Research, 10, 4 (1999), 304–327.
6. Baskerville, R., and Siponen, M. An information security meta-policy for emergent organizations. Logistics Information Management, 15, 5/6 (2002), 337–346.
7. Belton, V., and Stewart, T. Multiple Criteria Decision Analysis: An Integrated Approach. Dordrecht, The Netherlands: Kluwer Academic, 2002.
8. Brailer, D.J. Decade of health information technology: Delivering consumer-centric and information-rich health care. US Department of Health and Human Services, 2004. Available at http://www.providersedge.com/ehdocs/ehr_articles/the_decade_of_hit-delivering_customer-centric_and_info-rich_hc (accessed on March 19, 2017).
9. Brown, V.; Tumeo, M.; Larey, T.S.; and Paulus, P.B. Modeling cognitive interactions during group brainstorming. Small Group Research, 29, 4 (1998), 495–526.
10. Conklin, A., and McLeod, A. Information security foundations for the interoperability of electronic health records. International Journal of Healthcare Technology and Management, 11, 1–2 (2010), 104–112.
11. Connolly, T.; Routhieaux, R.L.; and Schneider, S.K. On the effectiveness of group brainstorming: Test of one underlying cognitive mechanism. Small Group Research, 24, 4 (1993), 490–503.
12. Conway, P., and Gawronski, B. Deontological and utilitarian inclinations in moral decision making: A process dissociation approach. Journal of Personality and Social Psychology, 104, 2 (2013), 216–235.
13. Courtney, R. Security risk assessment in electronic data processing. In AFIPS Conference NCC, Dallas, TX, 1977, pp. 97–104.
14. Dawes, S.S. Interagency information sharing: Expected benefits, manageable risks. Journal of Policy Analysis and Management, 15, 3 (1996), 377–394.
15. Doherty, N.F., and Fulford, H. Aligning the information security policy with the strategic information systems plan. Computers and Security, 25, 1 (2006), 55–63.
16. Doherty, N.F.; Anastasakis, L.; and Fulford, H. The information security policy unpacked: A critical study of the content of university policies. International Journal of Information Management, 29 (2009), 449–457.
17. Eden, K.B.; Totten, A.M.; Kassakian, S.Z.; Gorman, P.N.; McDonagh, M.S.; Devine, B.; Pappas, M.; Daeges, M.; Woods, S.; and Hersh, W.R. Barriers and facilitators to exchanging health information: A systematic review. International Journal of Medical Informatics, 88 (2016), 44–51.
18. Eisenhardt, K.M. Building theories from case study research. Academy of Management Review, 14, 4 (1989), 532–550.
19. Experian. Experian third annual 2016 Data Breach Industry Forecast, 2016. Available at https://www.experian.com/assets/data-breach/white-papers/2016-experian-data-breach-industry-forecast (accessed on May 24, 2017).
20. Fan, J.; Zhang, P.; and Yen, D.C. G2G information sharing among government agencies. Information and Management, 51, 1 (2014), 120–128.
21. Fernández-Alemán, J.L.; Señor, I.C.; Lozoya, P.Á.O.; and Toval, A. Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics, 46, 3 (2013), 541–562.
22. Flowerday, S.V., and Tuyikeze, T. Information security policy development and implementation: The what, how and who. Computers and Security, 61 (2016), 169–183.
23. Goel, S., and Chengalur-Smith, I.N. Metrics for characterizing the form of security policies. Journal of Strategic Information Systems, 19, 4 (2010), 281–295.
24. Gordon, L., and Loeb, M. Return on information security investments: Myths vs. realities. Strategic Finance, 84 (2002), 26–31.
25. Gritzalis, D. A baseline security policy for distributed healthcare information systems. Computers and Security, 16, 8 (1997), 709–719.
26. Herath, T., and Rao, H.R. Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 2 (2009), 106–125.
27. Higgs, J., and Jones, M.A. Clinical decision making and multiple problem spaces. In J. Higgs, M. Jones, S. Loftus, and N. Christensen (eds.), Clinical Reasoning in the Health Professions. Amsterdam, The Netherlands: Focal Press, 2008, pp. 3–18.
28. Hoffman, L.; Michelman, E.; and Clements, D. SECURATE – Security evaluation and analysis using fuzzy metrics. In AFIPS National Computer Conference, 1978, pp. 531–540.
29. Höne, K., and Eloff, J. What makes an effective information security policy? Network Security, 6 (2002), 14–16.
30. Hong, K.S.; Chi, Y.P.; Chao, L.R.; and Tang, J.H. An empirical study of information security policy on information security elevation in Taiwan. Information Management and Computer Security, 14, 2 (2006), 104–115.
31. Hwang, C.-L., and Masud, A.S.M. Multiple Objective Decision Making—Methods and Applications: A State-of-the-Art Survey. Berlin, Germany: Springer-Verlag, 1979.
32. Identity Theft Resource Center (ITRC). Medical data breaches come with high risks, 2016. Available at http://www.idtheftcenter.org/Data-Breaches/medical-data-breaches-come-with-high-risks.html (accessed on May 24, 2017).
33. Johnson, M.E. Information risk of inadvertent disclosure: An analysis of file-sharing risk in the financial supply chain. Journal of Management Information Systems, 25, 2 (2008), 97–124.
34. Johnston, A.C.; Warkentin, M.; McBride, M.; and Carter, L. Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25, 3 (2016), 231–251.
35. Jones, A., and Ashenden, D. Risk Management for Computer Security: Protecting Your Network and Information Assets. Oxford, UK: Butterworth-Heinemann, 2005.
36. Kache, F., and Seuring, S. Challenges and opportunities of digital information at the intersection of Big Data Analytics and supply chain management. International Journal of Operations and Production Management, 37, 1 (2017), 10–36.
37. Kadam, A.W. Information security policy development and implementation. Information Systems Security, 16, 5 (2007), 246–256.
38. Karimi, J.; Bhattacherjee, A.; Gupta, Y.P.; and Somers, T.M. The effects of MIS steering committees on information technology management sophistication. Journal of Management Information Systems, 17, 2 (2000), 207–230.
39. Karyda, M.; Kiountouzis, E.; and Kokolakis, S. Information systems security policies: A contextual perspective. Computers and Security, 24, 3 (2005), 246–260.
40. Keeney, R.L., and Raiffa, H. Decisions with Multiple Objectives: Preferences and Value Tradeoffs. Cambridge, UK: Cambridge University Press, 1993.
41. Khoumbati, K.; Themistocleous, M.; and Irani, Z. Evaluating the adoption of enterprise application integration in health-care organizations. Journal of Management Information Systems, 22, 4 (2006), 69–108.
42. Kruse, C.S.; Frederick, B.; Jacobson, T.; and Monticone, D.K. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25, 1 (2017), 1–10.
43. Kwon, J., and Johnson, M.E. Health-care security strategies for data protection and regulatory compliance. Journal of Management Information Systems, 30, 2 (2013), 41–66.
44. Lee, A.S., and Baskerville, R.L. Generalizing generalizability in information systems research. Information Systems Research, 14, 3 (2003), 221–243.
45. Li, Y.-C.; Kuo, H.-S.; Jian, W.-S.; Tang, D.-D.; Liu, C.-T.; Liu, L.; Hsu, C.-Y.; Tan, Y.-K.; and Hu, C.-H. Building a generic architecture for medical information exchange among healthcare providers. International Journal of Medical Informatics, 61, 2 (2001), 241–246.
46. Lim, S.Y.; Jarvenpaa, S.L.; and Lanham, H.J. Barriers to interorganizational knowledge transfer in post-hospital care transitions: Review and directions for information systems research. Journal of Management Information Systems, 32, 3 (2015), 48–74.
47. Martin, J. Security, Accuracy and Privacy in Computer Systems. Englewood Cliffs, NJ: Prentice Hall, 1973.
48. Mason, J. Qualitative Researching. London, UK: Sage, 2002.
49. Miles, M.B., and Huberman, A.M. Qualitative Data Analysis. Thousand Oaks, CA: Sage, 1994.
50. Neufeld, D.J.; Dong, L.; and Higgins, C. Charismatic leadership and user acceptance of information technology. European Journal of Information Systems, 16, 4 (2007), 494–510.
51. Neumann, P.G. Risks in Digital Commerce. Communications of the ACM, 39, 1 (1996), 154.
52. Office of the National Coordinator (ONC). Connecting health and care for the nation: A shared nationwide interoperability roadmap, 2015. Available at https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0 (accessed on March 19, 2017).
53. Pathari, V., and Sonar, R. Identifying linkages between statements in information security policy, procedures and controls. Information Management and Computer Security, 20, 4 (2012), 264–280.
54. Ponemon, L. 2017 Ponemon Institute Cost of a Data Breach Study, 2017. Available at https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/ (accessed on September 4, 2017).
55. Redspin. Breach Report 2016: Protected Health Information (PHI). Cynergis Teki, 2017. Available at https://www.redspin.com/resources/download/breach-report-2016-protected-health-information-phi/.
56. Saaty, T.L. Decision making with the analytic hierarchy process. International Journal of Services Sciences, 1 (2008), 83–98.
57. Sadler, T.D., and Zeidler, D.L. Patterns of informal reasoning in the context of socioscientific decision making. Journal of Research in Science Teaching, 42, 1 (2005), 112–138.
58. Schweitzer, E.J. Reconciliation of the cloud computing model with US federal electronic health record regulations. Journal of the American Medical Informatics Association, 19, 2 (2012), 161–165.
59. Sen, R., and Borle, S. Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32, 2 (2015), 314–341.
60. Siponen, M.; Willison, R.; and Baskerville, R. Power and practice in information systems security research. In R. Boland, M. Limayem, and B. Pentland (eds.), International Conference on Information Systems. Paris, France, 2008, pp. 1–12.
61. Siwicki, B. Ransomware attackers collect ransom from Kansas hospital, don’t unlock all the data, then demand more money. Healthcare IT News, 2016. Available at http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom (accessed on March 19, 2017).
62. Skopik, F.; Settanni, G.; and Fiedler, R. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers and Security, 60 (2016), 154–176.
63. Sriram, R.D. Health Information Technology (IT). The National Institute of Standards and Technology (NIST), 2016. Available at https://www.nist.gov/healthcare (accessed on September 4, 2017).
64. Straub, D., and Welke, R. Coping with systems risk: Security planning models for management decision-making. MIS Quarterly, 22 (1998), 441–469.
65. Titah, R.; Shuraida, S.; and Rekik, Y. Integration breach: Investigating the effect of internal and external information sharing and coordination on firm profit. International Journal of Production Economics, 181, Part A (2016), 34–47.
66. Vance, A.; Lowry, P.B.; and Eggett, D. Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems, 29, 4 (2013), 263–290.
67. Vest, J.R., and Gamm, L.D. Health information exchange: Persistent challenges and new strategies. Journal of the American Medical Informatics Association, 17 (2010), 288–294.
68. von Solms, B., and von Solms, R. The 10 deadly sins of information security management. Computers and Security, 23, 5 (2004), 371–376.
69. Wenjing, L. Government information sharing: Principles, practice, and problems—An international perspective. Government Information Quarterly, 28, 3 (2011), 363–373.
70. Whitman, M.E. In defense of the realm: Understanding the threats to information security. International Journal of Information Management, 24, 1 (2004), 43–57.
71. Wolff, J. Perverse effects in defense of computer systems: When more is less. Journal of Management Information Systems, 33, 2 (2016), 597–620.
72. Woodward, B.; Davis, D.C.; and Hodis, F.A. The relationship between ethical decision making and ethical reasoning in information technology students. Journal of Information Systems Education, 18, 2 (2007), 193–202.
73. Yang, T.-M., and Maxwell, T.A. Information-sharing in public organizations: A literature review of interpersonal, intra-organizational and inter-organizational success factors. Government Information Quarterly, 28, 2 (2011), 164–175.
74. Yeager, V.A.; Walker, D.; Cole, E.; Mora, A.M.; and Diana, M.L. Factors related to health information exchange participation and use. Journal of Medical Systems, 38, 8 (2014), 1–9.
Appendix A: Phase 1 Interview Guide
Timeline
When did you join the QIO?
When did you take on the work with WesternHIE and why did you assume that role?
What is your current role with WesternHIE?
Historical Account
What do you recall about the environment at WesternHIE when you first got started with regard to information security and privacy?
What stood out for you with regard to WesternHIE’s privacy and security policies?
How would you describe the organizational structures that were in place to facilitate change?
Please describe the process that occurred with regard to making changes to the organization’s privacy and security policies.
Who was involved in the process and who were the primary drivers of change at that time?
Current View
What do you see as the current strengths and weaknesses of WesternHIE for implementing and maintaining a good privacy and security policy?
How is the organization continuing to evaluate and change its policies and procedures and what mechanisms are in place to ensure that process continues effectively?
Who is currently involved in the process of evaluating and updating the organization’s privacy and security policies?
What mechanisms are in place to ensure that existing policies are being met in practice?
Who is responsible for enforcement and compliance?
Future Thoughts
Where do you see the organization going with regard to privacy and security?
What changes to the health-care environment might be the most critical for WesternHIE to look for with regard to maintaining good privacy and security?
Current Policies and Procedures
What responsibilities does the Policy Owner have? Operational oversight?
How is compliance with permitted use and disclosure handled? How do you ensure that the workforce is only accessing PHI [protected health information] on an as needed basis?
Who is on the Crisis Communication Team?
Who is on the security incident response team?
What is included in the WesternHIE training program for their workforce and for participants?
What is a Provider Address Book?
What is the status of partial record consent? Will your vendor offer that or not and is the state still considering it as a requirement for HIE?
What’s included in the Business Associate Agreement?
How is auditing of the vendor handled?
Appendix B: Phase 2 Interview Guide
Describe your role at WesternHIE and how that role has changed during your time with the organization.
Describe your prior experiences that prepared you for your work at WesternHIE.
Explain your involvement in the development and implementation of WesternHIE’s information security policies since spring of 2015.
How did the process of developing and implementing WesternHIE’s information security policies relate to your expectations for how that process should occur?
How have WesternHIE’s information security policies changed since spring of 2015 and why were those changes necessary?
Describe any key issues that you encountered in developing the information security policies for WesternHIE.
Do you feel that WesternHIE’s information security policies are effective in their current form?
Describe any key issues that you encountered in implementing the information security policies for WesternHIE.
Explain how WesternHIE’s information security policies are enforced and audited.
How successful has WesternHIE been in achieving its goals as a health information exchange?
From your perspective, what are some of the primary challenges that WesternHIE has experienced in achieving its goals?
Copyright of Journal of Management Information Systems is the property of Taylor & Francis
Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder’s express written permission. However, users may print,
download, or email articles for individual use.
Journal of Management Information Systems / Summer 2013, Vol. 30, No. 1, pp. 123–152.
© 2013 M.E. Sharpe, Inc. All rights reserved. Permissions: www.copyright.com
ISSN 0742–1222 (print) / ISSN 1557–928X (online)
DOI: 10.2753/MIS0742-1222300104
Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements
XIA ZHAO, LING XUE, AND ANDREW B. WHINSTON
XIA ZHAO is an assistant professor of information systems at the Bryan School of Business and Economics, University of North Carolina at Greensboro. She received her Ph.D. in management science and information systems from the McCombs School of Business at the University of Texas at Austin. Her research interests include online advertising, information security, electronic commerce, and IT governance. She has published in Journal of Management Information Systems, Production and Operations Management, Decision Support Systems, Information Systems Frontiers, IEEE Computer, International Journal of Electronic Commerce, and many conference proceedings.
LING XUE is an assistant professor of information systems at the Bryan School of Business and Economics, University of North Carolina at Greensboro. He received his Ph.D. in management science and information systems from the McCombs School of Business at the University of Texas at Austin. His research interests are in the areas of IT governance, the business value of IT, electronic commerce, and information security. His papers have been published in Information Systems Research, MIS Quarterly, Academy of Management Journal, Journal of Operations Management, Production and Operations Management, Journal of Management Information Systems, Decision Support Systems, International Journal of Electronic Commerce, Journal of Global Information Management, and the proceedings of the International Conference on Information Systems.
ANDREW B. WHINSTON is the Hugh Roy Cullen Centennial Chair in Business Administration, Professor of Information Systems, Computer Science and Economics, John Newton Centennial IC2 Fellow, and Director of the Center for Research in Electronic Commerce at the University of Texas at Austin. He received his Ph.D. in management from Carnegie Mellon University. He was the editor-in-chief of Decision Support Systems and serves on the editorial or the advisory board of a number of journals. He has published over 400 articles in refereed journals, 27 books, and 62 book chapters. Among other career awards, he received recently the LEO Award for lifetime exceptional achievement in information systems and AIS Fellowship from the Association for Information Systems in 2005.
ABSTRACT: The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small.

KEY WORDS AND PHRASES: cyberinsurance, information security, interdependent risks, managed security services, risk management, risk pooling.
IN THE NETWORK ECONOMY, product innovation and value creation are achieved via networks of firms, operating on large scales. The scope of information technology (IT) has been expanding beyond the traditional organizational boundaries [17, 40]. As a result, information security risks have become intricately interdependent. For example, interorganizational information systems essentially physically connect firms’ IT infrastructure via the Internet and expose the participating firms to network-wide security risks. An organization’s network is at risk if a hacker gains access to its partner’s network. Even firms without close business relationships may be logically interdependent: Strategic hackers often evaluate the security level of firms and select their targets on the basis of whose systems they can break into quickly without being detected [35]. In these examples, a firm’s security risks depend not only on its own security practices but also on the security protections of others.

Firms’ security risks can be either positively interdependent or negatively interdependent. The security risk is defined as the probability for a firm to have a security incident. Positive interdependency occurs when a company has higher security risks while other companies also have higher security risks. For example, a security threat that affects a firm may also influence the firm’s partners via the interorganizational information systems. The hacker who breaks into the firm’s network may steal sensitive data about the partners or penetrate the partners’ networks via the trust connections. The security risks of the firm and its partners are thus positively interdependent. With positive interdependency, a firm’s security investment not only strengthens its protection but also reduces the likelihood that other firms have security breaches. The security investments therefore generate positive externalities [19, 31].

Negative interdependency occurs when a company has higher security risks while other companies have lower security risks. A typical example of a negatively interdependent security risk is a targeted attack. A targeted attack refers to a malware attack aimed at one firm or a small set of firms. Strategic hackers often evaluate the security level of firms using various hacking techniques, such as port scans or eavesdropping, and select as their target firms whose systems can be broken into quickly without detection [35]. They usually put more effort into attacking systems with lower security levels [5]. According to the CSI Computer Crime and Security Survey 2010/2011 [6], 22 percent of respondents reported that their companies experienced targeted attacks between July 2009 and June 2010. In this case, a firm’s self-protection, while reducing its own risks, potentially diverts hackers to other firms and thus increases other firms’ risks. Therefore, security investments in this case generate negative externalities [5].
Because of the network externalities of security investments, firms often invest inefficiently from the perspective of a central decision maker who maximizes the total payoffs of all stakeholders. Researchers from previous literature have identified both the underinvestment and overinvestment issues caused by the interdependency of security risks [5, 19, 31]. When the firms’ security investments generate positive externalities, a firm’s security investments strengthen not only its own security but also other firms’ security. Often, self-interested firms invest at a level lower than the optimal level, which maximizes the total profit of all firms [19, 31]. Examples of security investments that generate positive externalities include antivirus software and firewalls. The installation of antivirus software helps prevent viruses from widely propagating, and therefore benefits others. However, underinvestment in antivirus protection is prevalent. A study by McAfee reported that 17 percent of computers around the world had no antivirus protection installed or that the antivirus subscriptions had expired. Furthermore, the United States outpaced the average, with 19 percent of computers unprotected, according to the data [37]. When the firms’ security investments generate negative externalities, self-interested firms invest at a level that is higher than the optimal level for all firms. Security measures that are used to defend against distributed denial of service (DDoS) attacks, such as content caching and redundant network devices, are more likely to generate negative externalities. Many e-commerce web sites, for example, prepare for 10 times the amount of peak traffic when designing their networks to defend against DDoS attacks. Such a cost of risk mitigation is fairly high given that the possibility of a DDoS attack is usually very low [29, 41].
This paper examines risk management solutions to the investment inefficiency caused by interdependent information security risks. Cyberinsurance has been proposed as a promising approach to managing information security risks and optimizing security expenditures [12, 31, 42]. Cyberinsurance is a range of first-party and third-party coverage that enables firms to transfer their security risks to the commercial insurance market. With cyberinsurance, firms can balance their expenditures between investing in security protections and acquiring insurance. However, cyberinsurance is ineffective in addressing the issue of investment inefficiency caused by interdependent security risks [31]. It does not internalize the externalities of security investments and cannot mitigate firms’ incentives to underinvest or overinvest. In addition, the cyberinsurance market is still underdeveloped. Only a few insurers offer cyberinsurance, and actuarial data on information security, breaches, and damages is scarce. The ever-changing nature of security threats also impedes the development of the third-party cyberinsurance market. The deficiency of cyberinsurance calls for new risk management solutions to address issues related to information security risks.
We consider two potential risk management solutions: risk pooling arrangements (RPAs) and managed security services (MSSs). We study whether and how these solutions can be used to address the investment inefficiency and whether the self-interested firms have incentives to adopt these solutions. An RPA is a mutual form of insurance organization in which the policyholders are also the owners. Mutual insurance was widely adopted in the insurance market for medical malpractice and municipal liability during the late 1980s [22] and has since also been used in other lines of insurance, such as employee pension and employee health insurance. The traditional advantages of an RPA over commercial insurance include tax benefits, reduced overhead expenses, and flexible policy development [32].

RPAs are different from third-party cyberinsurance in terms of risk transfer. RPAs can never completely eliminate the risks for an individual policyholder. Even though the risk pool can issue full coverage for the firms’ security losses, each individual firm still bears part of the risk pool’s loss through its equity position. Table 1 compares cyberinsurance and RPAs.
We find that even though an RPA endogenizes the network externalities of security investments for firms, the adoption of the RPA is incentive-compatible for firms only when security investments generate negative externalities. The key reason is that by pooling the risks of individual firms, the RPA induces moral hazard in teams, which refers to firms’ reluctance to invest in loss prevention when they can transfer security losses to others [15]. This type of moral hazard is shown to be desirable when security investments generate negative externalities. However, in the case of positive externalities, moral hazard further reduces the firms’ investment incentives and exacerbates the underinvestment problem.

The second solution is MSSs, or IT security outsourcing. MSS providers (MSSPs) provide a range of security services, such as security monitoring and vulnerability assessments, network protection and penetration testing, managed spam services, antivirus and content filtering services, incident management and forensic analysis, data archiving and restoration, and on-site audits and consulting [1, 3]. The CSI Computer Crime and Security Survey 2010/2011 reported that as many as 36 percent of respondents outsourced part or all of their computer security functions to MSSPs. In addition, 14.1 percent of respondents indicated that their companies outsourced more than 20 percent of their security functions [6]. The global MSS market is forecasted to more than double between 2011 and 2015, when it is expected to reach $16.8 billion [24].

Table 1. Comparison Between Cyberinsurance and RPAs

                 Cyberinsurance                                   RPA
Owner            Third-party insurers                             Policyholders
Risk transfer    Policyholders can completely transfer risks      Policyholders always retain some risks
                 to insurers
Examples         AIG’s NetAdvantage, Lloyd’s eComprehensive,      Captives, risk retention groups,
                 Chubb’s CyberSecurity, Hiscox’s Hacker            self-insurance groups
We show that MSSs can address investment inefficiency caused by both positive and negative externalities of security investments when the total number of firms is small. Using MSSs with a service level agreement (SLA), firms not only delegate the security operations but also transfer their security risks to MSSPs. Because the MSSP collectively manages the interdependent security risks for multiple client firms, it can internalize the externalities of security investments. However, collective outsourcing may not always arise as an equilibrium because of the interdependent nature of security risks. When the total number of firms is large, an individual firm can leverage the MSSP’s collective operations for others and receive a higher payoff by managing security in-house. Even if the MSSP is better able to manage security (i.e., is more cost-efficient in managing security) than the firms, this result still holds. This paper characterizes the condition under which all firms will adopt the MSS solution.

This paper contributes to the research on alternative risk transfer (ART) solutions. RPAs, as an ART approach, have been recognized by practitioners as having the advantages of reduced overhead expense and flexible policy development [32]. We find that, in addition to these advantages, RPAs can serve as a potential solution to investment inefficiency caused by interdependent security risks and can optimize firms’ security spending. This finding helps policymakers recognize the potential benefit of RPAs in security management and guide the development of policies for the mutual insurance industry. This paper also contributes to the literature on IT security outsourcing. It has been well recognized that firms outsourcing security services can benefit from cost savings, reduced staffing needs, broader skills acquisition, security awareness, dedicated facilities, liability protection, and around-the-clock service [1]. We illustrate that the use of MSSs can also be justified from the perspective of mitigating the investment inefficiency caused by risk interdependency.

The rest of the paper is organized as follows. In the next section, we review related literature on the economics of information security, cyberinsurance, RPAs, and MSSs. We then outline the model setup, followed by the analysis of the cyberinsurance, RPA, and MSS solutions. We also extend the model to account for heterogeneous firms. Finally, we draw managerial and policy implications and conclude this paper with future extensions.
Related Literature

Researchers in prior studies on the economics of information security have examined many issues related to information security investments (e.g., [14, 16, 18]). Anderson and Moore [2] discussed how moral hazard and adverse selection distort firms’ incentives to invest in information security. Gordon and Loeb [10] developed an economic model to determine the optimal level of investment in information security. Gal-Or and Ghose [9] examined firms’ incentives to share security information and showed that information sharing and security investment complement each other. Kunreuther and Heal [19] characterized a class of interdependent security risks and demonstrated that firms generally underinvest in security protections when their security risks are interdependent. Our paper complements this stream of research by exploring risk management solutions to the investment inefficiency associated with interdependent information security risks.

There is an emerging body of literature that has examined the use of insurance in information security management. Gordon et al. [12] discussed the advantages of using cyberinsurance to manage information security risks. Ogut et al. [31] used an economic model to examine firms’ investments in security protections and the use of cyberinsurance in the context of interdependent security risks. They showed that interdependence of security risks reduces firms’ incentives to invest in security technologies and to buy insurance coverage. All these studies focused on third-party commercial cyberinsurance, whereas in this paper, we propose and examine two alternative risk management approaches to information security risks: RPAs and MSSs.
Prior literature on risk management has justified the existence of RPAs from various perspectives. For example, the mutual form of insurance organization is more efficient when the distribution of risks prevents independent insurers from using the law of large numbers to eliminate risks [8, 25]. The mutual form of insurance can also address the conflicts of interest between insurers and policyholders because policyholders themselves are the owners of a mutual insurer [7, 26, 27]. Moreover, mutual insurers can coexist with independent insurers as a result of the adverse selection of risk-averse policyholders [22]. This paper complements these studies by illustrating the use of mutual insurance to endogenize network externalities of security investments.

Our work is also related to prior work on contracting in IT outsourcing, especially IT security outsourcing. Richmond et al. [34] analytically characterized the conditions under which an organization outsources its software enhancements, considering information asymmetry and different profit-sharing rules. Whang [45] proposed a contract for outsourcing software development that achieves the outcome of in-house development. Wang et al. [44] characterized the efficiency loss resulting from investment externalities for both in-house software development and outsourced custom software development. Sen et al. [38] proposed a dynamic, priority-based, price-penalty scheme for outsourcing IT services and found that it is more effective than a fixed-price approach. IT security outsourcing has not received adequate research attention until recently. Allen et al. [1], Axelrod [3], and McQuillan [28] provided organizations with general guidance to help them knowledgeably engage MSSPs. Gupta and Zhdanov [13] analytically explained the growth and sustainability of MSSP networks and found that the initial investment is critical in determining the size of MSS networks with positive externalities. In their setting, the issue of free-riding never occurred. Our paper examines the use of MSSs to address interdependent information security risks that often lead to free-riding. Hui et al. [16] examined both an MSSP and its clients’ equilibrium effort decisions when risk interdependency arose among the MSSP’s clients. In our paper, firms’ security risks are interdependent even though firms do not use an MSSP. Lee et al. [20] proposed a multilateral contract to solve the double moral hazard issues between the client firm and the MSSP. Our paper complements this stream of research by examining the use of IT security outsourcing to address the investment inefficiency caused by interdependent information security risks among firms.
Model

WE CONSIDER n RISK-AVERSE FIRMS. Each firm has an initial wealth A. All firms have an identical payoff function $U(\cdot)$, where $U(\cdot)$ satisfies the conditions that $U'(\cdot) > 0$ and $U''(\cdot) < 0$ (i.e., $U(\cdot)$ is increasing and concave). The assumption of an increasing and concave utility function is consistent with the literature on risk management (e.g., [21, 23, 36, 39]).

Firms invest in security protection to safeguard their information assets. As we discussed in the Introduction, security investments often generate network externalities. The breach probability for an individual firm, firm i, is affected not only by its own security investment but also by the security investments of others. We let $\mu(x_i, X_{-i})$ be firm i’s breach probability, where $x_i$ represents firm i’s security investment, and where $X_{-i} = [x_1, \dots, x_{i-1}, x_{i+1}, \dots, x_n]$ represents the other n – 1 firms’ security investments. A firm loses L in a security breach. Firm i’s expected payoff can be represented by

$$\pi_i = \mu(x_i, X_{-i})\,U(A - L - x_i) + \bigl(1 - \mu(x_i, X_{-i})\bigr)\,U(A - x_i).$$
It is assumed that the investment cost is linear in the investment level. In particular, the investment cost is equal to the investment level. The qualitative insights still hold if the investment cost is an increasing and convex function of the investment level. A firm’s security investment decreases its breach probability, and the investment exhibits a diminishing marginal return in reducing the breach probability. That is,

$$\mu_i'(x_i, X_{-i}) = \frac{\partial \mu(x_i, X_{-i})}{\partial x_i} < 0 \quad\text{and}\quad \mu_{ii}''(x_i, X_{-i}) = \frac{\partial^2 \mu(x_i, X_{-i})}{\partial x_i^2} > 0.$$

The assumption about the declining marginal return of the security investment is consistent with the CERT (Computer Emergency Response Team) incident data [30] and is widely used in the literature on security management (e.g., [4, 10, 11]).
We consider two types of network externalities: positive externalities and negative externalities. In the case of positive externalities, a firm’s security investment, while decreasing its breach probability, also decreases the breach probability of other firms (i.e., $\zeta_i'(x_j, X_{-j}) = \partial \mu(x_j, X_{-j})/\partial x_i < 0$, $i \ne j$). In the case of negative externalities, a firm’s security investment increases the breach probability of other firms (i.e., $\zeta_i'(x_j, X_{-j}) = \partial \mu(x_j, X_{-j})/\partial x_i > 0$, $i \ne j$). Table 2 summarizes and compares the features of different network externalities.

Although firms’ security risks are interdependent, a firm’s security investment generally has a greater effect on its own security than on other firms’ security. We therefore assume that

$$\bigl|\mu_i'(x_i, X_{-i})\bigr| > \bigl|\zeta_i'(x_j, X_{-j})\bigr|, \quad j \ne i. \tag{1}$$

In addition, we assume that

$$\sum_{j=1,\dots,n} \mu_{ij}''(x_i, X_{-i}) > 0, \tag{2}$$

where $\mu_{ij}''(x_i, X_{-i}) = \partial^2 \mu(x_i, X_{-i})/\partial x_i \partial x_j$. Condition (2) requires that the second-order effect of a firm’s security investment on its breach probability dominates the aggregate second-order effect of other firms’ investments on its breach probability. These conditions reflect the reality that, even though security risks are interdependent in cyberspace, a firm’s security investment is still an effective strategy for self-protection.
Third-Party Cyberinsurance

WE ESTABLISH THE BENCHMARK CASE in which firms use cyberinsurance to cover their security risks. We assume that firms can buy an insurance policy from the cyberinsurance market to cover their security losses. In practice, before issuing insurance policies, insurance companies often formally audit the client firms to ensure that firms take proper actions to protect themselves. Therefore, we assume that the security investment is observable to the insurers. The same assumption has been used in the literature [31].

The timing of events is as follows: (1) each firm chooses its security investment $x_i$, i = 1, …, n; (2) each firm purchases cyberinsurance with coverage $I_i$, i = 1, …, n, from third-party insurers; and (3) the security losses are realized and the insurance compensations are made.

In this paper, we consider a mature insurance market in which firms are charged an actuarially fair premium. When firm i purchases an insurance policy with coverage $I_i$, the insurance premium is $P_i = \mu(x_i, X_{-i}) I_i$. Firm i’s optimization problem can be represented by

$$\pi_i = \max_{I_i,\, x_i}\; \mu(x_i, X_{-i})\,U\bigl(A - L + I_i - \mu(x_i, X_{-i}) I_i - x_i\bigr) + \bigl(1 - \mu(x_i, X_{-i})\bigr)\,U\bigl(A - \mu(x_i, X_{-i}) I_i - x_i\bigr). \tag{3}$$

According to the first-order condition with respect to (w.r.t.) $I_i$, we get $I_i^e = L$, where the superscript e denotes the cyberinsurance-only case. Equation (3) can be simplified as

$$\pi_i = \max_{x_i}\; U\bigl(A - \mu(x_i, X_{-i}) L - x_i\bigr). \tag{4}$$

In the symmetric case, we have $\mu_i'(x_i^e, X_{-i}^e) = -1/L$, where $x_i^e$ represents firm i’s equilibrium security investment and $X_{-i}^e = [x_1^e, \dots, x_{i-1}^e, x_{i+1}^e, \dots, x_n^e]$.

Table 2. Characteristics of Network Externalities

Derivatives of breach probability   $\mu_i'(x_i, X_{-i})$   $\mu_{ii}''(x_i, X_{-i})$   $\zeta_i'(x_j, X_{-j})$
No externalities                          < 0                      > 0                      = 0
Positive externalities                    < 0                      > 0                      < 0
Negative externalities                    < 0                      > 0                      > 0
To evaluate the investment efficiency, we compare the firms’ investment levels in the cyberinsurance-only case with the optimal investment level. The optimal investment level is defined as the security investment level when all the firms jointly maximize their total payoffs. It is equivalent to the case in which a central decision maker maximizes the joint payoff and determines the investment levels for all firms. We next examine the central decision maker’s problem:

$$\Pi^s = \max_{I_i,\, x_i}\; \sum_{i=1}^{n} \Bigl[\mu(x_i, X_{-i})\,U\bigl(A - L + I_i - \mu(x_i, X_{-i}) I_i - x_i\bigr) + \bigl(1 - \mu(x_i, X_{-i})\bigr)\,U\bigl(A - \mu(x_i, X_{-i}) I_i - x_i\bigr)\Bigr]. \tag{5}$$

Again, according to the first-order condition w.r.t. $I_i$, we get $I_i^o = L$, $i = 1, \dots, n$, where the superscript o denotes the centralized case. Equation (5) can be simplified as

$$\Pi^s = \max_{x_i}\; \sum_{i=1}^{n} U\bigl(A - \mu(x_i, X_{-i}) L - x_i\bigr). \tag{6}$$

The first-order condition of Equation (6) w.r.t. $x_i$ is

$$U'\bigl(A - \mu(x_i, X_{-i}) L - x_i\bigr)\bigl(-\mu_i'(x_i, X_{-i}) L - 1\bigr) + \sum_{j=1,\, j \ne i}^{n} U'\bigl(A - \mu(x_j, X_{-j}) L - x_j\bigr)\bigl(-\zeta_i'(x_j, X_{-j}) L\bigr) = 0.$$

In the symmetric case, we have $\mu_i'(x_i^o, X_{-i}^o) + (n-1)\,\zeta_i'(x_j^o, X_{-j}^o) = -1/L$, where $x_i^o$ represents the optimal level of security investment for firm i in the centralized case and $X_{-i}^o = [x_1^o, \dots, x_{i-1}^o, x_{i+1}^o, \dots, x_n^o]$.

In the case of negative externalities, because $\mu_{ii}''(x_i, X_{-i}) > 0$ and $\zeta_i'(x_j, X_{-j}) > 0$, we get $x_i^e > x_i^o$. In the case of positive externalities, because $\mu_{ii}''(x_i, X_{-i}) > 0$ and $\zeta_i'(x_j, X_{-j}) < 0$, we get $x_i^e < x_i^o$. Therefore, the firms overinvest when the security investments generate negative externalities and underinvest when the security investments generate positive externalities.

In the cyberinsurance-only case, we find that when security investments generate negative (positive) externalities, firms purchase full insurance (i.e., $I_i^e = L$) and invest more (less) than the optimal level. These results are in line with the findings in the existing literature [19, 31]. Even though commercial cyberinsurance can hedge firms’ risks, it cannot internalize the externalities of security investments and therefore is incapable of resolving either the overinvestment or underinvestment issues. A fine for liability has been proposed to address the investment inefficiency issues caused by the interdependent security risks [19, 31]. This mechanism requires the liable firm to compensate the loss that it causes to other firms. As a result, a self-interested firm will consider the impact of its investment on other firms’ security [19, 31]. However, a fine for liability between firms is difficult to enforce. Because the Internet has no clear delineation of jurisdiction, the imposition of liability across countries by enforcement powers (e.g., governments, regulatory agencies, or trade associations) is extremely costly, if not impossible. We next examine other risk management approaches—RPAs or MSSs—that can be used to address the investment inefficiency caused by risk interdependency.
Risk Pooling Arrangements

IN THIS SECTION, WE EXAMINE THE USE OF RPAs in addressing interdependent risks. We use q ∈ [0, 1] to denote the ratio of loss covered by the risk pool. When a firm suffers a security loss of L, the mutual insurer compensates the firm qL. Because the firms are the equity holders of the mutual insurer, the total security losses collected by the mutual insurer are then shared equally among all the firms. If q < 1, the firms transfer only partial losses to the mutual insurer. If q = 1, the RPA provides full coverage to the firms, but each firm still retains part of the risk because of its equity position.

The timing of events is as follows: (1) n firms cooperatively choose q; (2) given q, each firm chooses its security investment $x_i$, i = 1, …, n; (3) each firm purchases cyberinsurance with coverage $I_i$, i = 1, …, n, from third-party insurers; and (4) the security losses are realized, and the compensation stemming from both cyberinsurance and the RPA is received.

The compensation from an RPA is modeled as follows [21]. Assume that k firms out of n – 1 firms (excluding firm i) suffer a security loss L. If firm i also suffers a loss L, each of the other n – 1 – k firms shares qL/n for firm i. Consequently, firm i bears only a loss of L – ((n – 1 – k)qL)/n in total. If firm i does not suffer any loss, it shares qL/n for each of the k firms that suffer a loss. As a result, firm i has to compensate kqL/n in total to the k firms.

When the RPA does not cover all the risks, firms can purchase third-party cyberinsurance in addition to using an RPA. The principle of indemnity¹ requires that the cyberinsurance coverage satisfies the constraint that $I_i + qL \le L$; that is, the total insurance compensation from both the RPA and the cyberinsurance cannot exceed the total loss. In the symmetric case, firm i’s expected payoff can be represented by
$$\pi_i = \max_{q,\, x_i,\, I_i}\; \sum_{k=0}^{n-1} \mu(x_i, X_{-i})\, b(k, n-1, \zeta)\, U\Bigl(A - L + \frac{(n-1-k)qL}{n} + I_i - \mu(x_i, X_{-i}) I_i - x_i\Bigr) + \sum_{k=0}^{n-1} \bigl(1 - \mu(x_i, X_{-i})\bigr)\, b(k, n-1, \zeta)\, U\Bigl(A - \frac{kqL}{n} - \mu(x_i, X_{-i}) I_i - x_i\Bigr),$$

$$\text{s.t.}\quad I_i \le (1 - q)L,$$

where $\zeta = \zeta_k = \mu(x_k, X_{-k})$ represents the breach probability for firm k (k ≠ i). We drop the subscript k in the symmetric case. The function

$$b(k, n-1, \zeta) = \frac{(n-1)!}{k!\,(n-1-k)!}\,\zeta^{k}\,(1-\zeta)^{n-1-k}$$

denotes the binomial probability that k out of n – 1 firms have security breaches.
Proposition 1 characterizes the complementary relationship between the RPA and the cyberinsurance:

Proposition 1: When firms use both an RPA and third-party cyberinsurance, we have $I_i = (1 - q)L$. That is, if the risk pool does not provide full coverage, firms will buy third-party insurance to cover the residual risks.²
Proposition 1 shows that risk-averse firms always choose to hedge against all risks. If the risk pool covers only part of a firm’s risks (i.e., q < 1), the firm will use the cyberinsurance to cover the residual risks. Thus, firm i’s expected payoff can be represented by

$$\pi_i = \max_{q,\, x_i}\; \sum_{k=0}^{n-1} \mu(x_i, X_{-i})\, b(k, n-1, \zeta)\, U\Bigl(A - L + \frac{(n-1-k)qL}{n} + (1-q)L - \mu(x_i, X_{-i})(1-q)L - x_i\Bigr) + \sum_{k=0}^{n-1} \bigl(1 - \mu(x_i, X_{-i})\bigr)\, b(k, n-1, \zeta)\, U\Bigl(A - \frac{kqL}{n} - \mu(x_i, X_{-i})(1-q)L - x_i\Bigr). \tag{7}$$

When a firm uses only cyberinsurance, it purchases full coverage ($I_i = L$) and completely transfers its risks to the cyberinsurance market. However, if firms adopt an RPA, they still retain part of the risks because they are equity holders of the risk pool (i.e., the mutual insurance entity). Presumably, a risk-averse firm always wants to minimize its risk exposure and prefers the third-party cyberinsurance to the RPA. However, in the context of interdependent security risks, cyberinsurance may not be superior because it cannot address network externalities of security investments. The question is whether, given interdependent security risks, firms have an incentive to use RPAs as a complement to cyberinsurance. We show next that the RPA solution is incentive-compatible for firms in the case of negative externalities but not in the case of positive externalities.
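As an added worked example (not code from the paper), the following Python script instantiates the model with an assumed breach-probability function $\mu(x_i, X_{-i}) = P_0 \exp(-\alpha x_i - \beta \sum_{j \ne i} x_j)$, where the sign of β selects positive or negative externalities, and an assumed CARA utility; it solves the symmetric first-order conditions of the cyberinsurance-only and centralized cases to reproduce the over- and underinvestment result, and evaluates the RPA payoff of Equation (7) with the binomial pooling formula to show that, at a fixed investment, the equity position only adds retained risk. All parameter values and function names are constructed.

```python
"""Numerical illustration of the interdependent-security model (constructed
example, not the paper's code). The breach-probability form, the utility
function and every parameter value below are assumptions."""
import math

# Constructed parameters (assumptions, not taken from the paper).
A = 100.0      # initial wealth of each firm
L = 40.0       # loss suffered in a security breach
N = 4          # number of firms
P0 = 0.5       # breach probability when nobody invests
ALPHA = 0.15   # effectiveness of a firm's own investment
RHO = 0.05     # risk-aversion coefficient of a CARA utility


def utility(w: float) -> float:
    """U(w) = -exp(-RHO*w)/RHO: increasing and strictly concave."""
    return -math.exp(-RHO * w) / RHO


def breach_prob(x_own: float, x_others: list, beta: float) -> float:
    """Assumed mu(x_i, X_-i) = P0 * exp(-ALPHA*x_i - beta*sum(X_-i)).
    beta > 0: others' investment lowers this firm's risk (positive externalities).
    beta < 0: others' investment raises this firm's risk (negative externalities).
    The constructed parameters keep mu inside (0, 1) on the ranges used here."""
    mu = P0 * math.exp(-ALPHA * x_own - beta * sum(x_others))
    assert 0.0 < mu < 1.0, "constructed parameters must keep mu a probability"
    return mu


def symmetric_investment(beta: float, centralized: bool) -> float:
    """Solve the symmetric first-order condition for x (all firms invest x).
    Cyberinsurance only: mu_i'(x_i, X_-i) = -1/L.
    Central planner:     mu_i'(x_i, X_-i) + (n-1) zeta_i'(x_j, X_-j) = -1/L.
    For the assumed mu, mu_i' = -ALPHA*mu and zeta_i' = -beta*mu, so both
    conditions read  slope * mu(x) = 1/L  with slope as below."""
    slope = ALPHA + (N - 1) * beta if centralized else ALPHA

    def foc(x: float) -> float:          # increasing in x, zero at the solution
        return 1.0 / L - slope * breach_prob(x, [x] * (N - 1), beta)

    lo, hi = 0.0, 200.0
    assert foc(lo) < 0.0 < foc(hi), "no interior solution for these parameters"
    for _ in range(200):                  # bisection
        mid = 0.5 * (lo + hi)
        if foc(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def closed_form_investment(beta: float, centralized: bool) -> float:
    """Same solution in closed form for the assumed mu, used as a cross-check:
    slope * P0 * exp(-(ALPHA + (n-1) beta) x) = 1/L."""
    slope = ALPHA + (N - 1) * beta if centralized else ALPHA
    return math.log(slope * L * P0) / (ALPHA + (N - 1) * beta)


def binom_prob(k: int, m: int, zeta: float) -> float:
    """b(k, m, zeta): probability that exactly k of m other firms are breached."""
    return math.comb(m, k) * zeta ** k * (1.0 - zeta) ** (m - k)


def rpa_expected_payoff(q: float, x: float, beta: float) -> float:
    """Equation (7) for a symmetric investment profile (every firm invests x).
    The pool pays qL per breach, shared equally (qL/n each) by the unbreached
    firms; cyberinsurance covers the residual (1-q)L at the fair premium."""
    mu = breach_prob(x, [x] * (N - 1), beta)   # own breach probability
    zeta = mu                                   # others' breach probability (symmetric)
    premium = mu * (1.0 - q) * L                # actuarially fair cyberinsurance premium
    total = 0.0
    for k in range(N):                          # k = 0 .. n-1 other firms breached
        w_breached = A - L + (N - 1 - k) * q * L / N + (1.0 - q) * L - premium - x
        w_safe = A - k * q * L / N - premium - x
        total += binom_prob(k, N - 1, zeta) * (
            mu * utility(w_breached) + (1.0 - mu) * utility(w_safe))
    return total


def cyberinsurance_only_payoff(x: float, beta: float) -> float:
    """Equation (4) at a symmetric profile: full coverage, no retained risk."""
    mu = breach_prob(x, [x] * (N - 1), beta)
    return utility(A - mu * L - x)


def main() -> None:
    for label, beta in (("positive externalities", 0.02),
                        ("negative externalities", -0.02)):
        x_e = symmetric_investment(beta, centralized=False)
        x_o = symmetric_investment(beta, centralized=True)
        verdict = "underinvest" if x_e < x_o else "overinvest"
        print(f"{label}: x^e = {x_e:.3f}, x^o = {x_o:.3f} -> firms {verdict}")
        # At a fixed investment, pooling only adds retained risk (equity position),
        # so a risk-averse firm's payoff falls as q rises; any incentive to pool
        # must come from the other firms' investment response (Equation 8).
        for q in (0.0, 0.5, 1.0):
            print(f"  q = {q:.1f}: payoff at x^e = {rpa_expected_payoff(q, x_e, beta):.5f}")


if __name__ == "__main__":
    main()
```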
Negative Externalities

We first examine how the use of an RPA in addition to cyberinsurance influences firms’ security investments and payoffs when negative externalities exist:

Proposition 2: When security investments generate negative externalities, firms invest less in security in the case with both an RPA and cyberinsurance than in the case with cyberinsurance only.

The underlying insights of Proposition 2 are as follows. When q = 0, a firm uses cyberinsurance only and purchases full insurance. Considering the marginal effect of q on a firm’s investment at q = 0, we have $(\partial x_i/\partial q)|_{q=0} < 0$. In other words, an individual firm invests less in security protections if all the firms collectively set up a risk pool and allocate a very small proportion of risk to the pool. The use of an RPA influences a firm’s investment incentives through two effects. The first is the internalization effect. Firms essentially share their security losses with one another via the RPA. Because an individual firm bears other firms’ losses, it takes into consideration the negative effect of its security investments on others and thus invests less. The second is the moral hazard effect. The RPA allows a firm to transfer its security loss to others, which also dampens the firm’s investment incentives (i.e., a firm would like to free ride on other firms because of moral hazard in teams [15]). In the case of negative externalities, firms have excess incentives to invest in security. The moral hazard effect helps mitigate the overinvestment incentive and hence strengthens the internalization effect. Therefore, firms invest less in security protections when they participate in an RPA.

Proposition 3: When security investments generate negative externalities, participating in an RPA (i.e., q > 0) is incentive-compatible for individual firms.
134 ZhAO, XuE, AND whINStON
Proposition 3 generates an important implication: when firms overinvest because of the negative externalities of their security investments, they have the incentive to adopt an RPA as a complement to third-party cyberinsurance. In other words, individual firms are willing to pool their security risks using an RPA in addition to purchasing cyberinsurance. To better explain this incentive compatibility, we derive the marginal effect of q on firm i's expected payoff when q = 0:
$$
\left.\frac{\partial \pi_i}{\partial q}\right|_{q=0}
= U'\!\big(A - \mu(x_i, X_{-i})L - x_i\big)\,\mu(x_i, X_{-i})L
- U'\!\big(A - \mu(x_i, X_{-i})L - x_i\big)\left[\frac{1}{n}\,\mu(x_i, X_{-i})L + \frac{n-1}{n}\,\zeta L\right]
- U'\!\big(A - \mu(x_i, X_{-i})L - x_i\big)\sum_{j=1,\, j\neq i}^{n}\frac{\partial \mu(x_i, X_{-i})}{\partial x_j}\,\frac{\partial x_j}{\partial q}\,L .
\qquad (8)
$$
The first term of Equation (8) represents the marginal benefit that a firm receives from the reduced cyberinsurance premium. When the coverage of the risk pool, q, increases, a firm can purchase less cyberinsurance coverage I_i and thus pay a lower premium m_i I_i to the commercial insurer. The second term of Equation (8) represents the marginal loss that a firm incurs from being exposed to the risks within the risk pool. In particular, (1/n)μ(x_i, X_{−i})L represents the marginal loss that a firm incurs from retaining its own security damage, and ((n − 1)/n)ζL represents the marginal loss that a firm incurs from compensating others in the risk pool. The third term of Equation (8) represents the marginal effect of other firms' security investments on the firm's payoff. The first two terms cancel out in a symmetric equilibrium. Because U′(A − μ(x_i, X_{−i})L − x_i) > 0, ∂μ(x_i, X_{−i})/∂x_j = ζ_i′(x_i, X_{−i}) > 0, and ∂x_j/∂q < 0, the third term (including the negative sign) is positive, which means that the firm benefits from the reduced investments of others. The overall marginal effect of q on the firm's expected payoff is positive (i.e., (∂π_i/∂q)|_{q=0} > 0); thus, firms always have an incentive to set up a risk pool when the security investments generate negative externalities. Note that the findings in Propositions 1 to 3 do not depend on the functional forms of the utility function U(·) and the breach probability function μ(·), as long as U(·) and μ(·) satisfy the conditions specified in the model setup section.
Because the analytical solutions of the n-firm game with an RPA are intractable, we use numerical examples to illustrate the equilibrium pool coverage, the equilibrium investment, and the firms' payoffs given n. In the numerical examples, we assume that the security investments are additive [24]. In particular, μ(x_i, X_{−i}) = exp(−2(x_i + b Σ_{k=1, k≠i}^{n} x_k)). This breach probability function ensures that μ_i′(x_i, X_{−i}) < 0 and μ_ii″(x_i, X_{−i}) > 0. The degree of network externalities is captured by b, with b < 0 for the case of negative externalities, b > 0 for the case of positive externalities, and b = 0 for no externalities. This functional form of the breach probability nicely captures the interdependent nature of security investments. For the case of negative externalities, we let b = −(1/15). This value ensures that ζ_i′(x_j, X_{−j}) > 0, μ_ij″(x_j, X_{−j}) < 0, |μ_i′(x_i, X_{−i})| > |ζ_i′(x_j, X_{−j})| (j ≠ i), and Σ_{j=1}^{n} μ_ij(x_j, X_{−j}) > 0 when the total number of firms is less than 15. In the numerical example, we let A = 8, L = 6, and U(w) = −w(w − 20) for illustration.³
Figure 1a compares an individual firm's security investments in the cyberinsurance-only case, the RPA case, and the optimal case when security investments generate negative externalities. When the number of firms increases, the security investment of an individual firm becomes less effective because of the higher negative aggregate effect of other firms' security investments. A higher level of security investment is desirable to cancel out this aggregate effect. Therefore, the security investments in the optimal case and the cyberinsurance case are increasing in n. The higher negative effect with larger n also leads to a wider gap between the optimal investment and the investment in the cyberinsurance-only case. Specifically, as the number of firms increases, each individual firm's security investment in the cyberinsurance-only case deviates further from the optimal level. RPAs can effectively mitigate firms' overinvestment incentives. An individual firm's security investment is significantly lower in the RPA case than in the cyberinsurance-only case. Relative to the investment in the cyberinsurance-only case, the investment in the RPA case comes closer to the optimal level. Figure 1b compares the firm's expected payoffs in the cyberinsurance-only case, the RPA case, and the optimal case. The curves show that relative to the cyberinsurance-only case, the firm's expected payoff in the RPA case is much closer to the optimal payoff. Figure 1c illustrates the optimal ratio of loss that firms allocate to the risk pool. The proportion of the loss allocated to the risk pool increases as the number of firms in the pool increases. When the number of firms increases, firms have more incentives to overinvest because of the higher negative aggregate effect of security investments by other firms. Firms allocate more risks to the risk pool to better leverage the internalization and moral hazard effects and to mitigate overinvestment. Figure 1 thus illustrates that an RPA is an effective solution to the investment inefficiency caused by the negative externalities of security investments.
Positive Externality
The preceding subsection demonstrates that when security investments generate negative externalities, firms will set up a risk pool and use it to cover a positive proportion of risks. RPAs help address firms' overinvestment incentives through the internalization and moral hazard effects. When security investments generate positive externalities, do firms still have an incentive to set up an RPA? Proposition 4 provides some insights on the firms' investment incentive with an RPA:
Proposition 4: When security investments generate positive externalities, firms invest less in security in the RPA case (as compared with the cyberinsurance-only case) if the risks covered in the RPA are sufficiently small (i.e., ∂x_i/∂q|_{q=0} < 0).
Figure 1. Firms' Security Investments, Firms' Payoffs, and the Ratio of Loss Covered by an RPA When Security Investments Generate Negative Externalities: (a) firms' security investments; (b) firms' payoffs; (c) ratio of loss covered by an RPA.
In the case of positive externalities, we have ∂x_i/∂q|_{q=0} < 0. Again, a firm invests less in security protections if firms set up a risk pool and allocate a very small proportion of risk to the pool. The positive externalities of security investments lead to insufficient investment incentives for firms. Even though the internalization effect helps mitigate the underinvestment incentive, the moral hazard effect dampens firms' investment incentives and undermines the capability of RPAs to internalize the positive externalities. The moral hazard effect always dominates over the internalization effect. Therefore, when an RPA is used in addition to cyberinsurance, firms have even fewer incentives to invest. Proposition 5 sheds light on firms' incentives to set up a risk pool for positively interdependent security risks:
Proposition 5: When security investments generate positive externalities, an RPA is not an incentive-compatible solution for individual firms if it is used to cover only a small proportion of the risk (i.e., ∂x_i/∂q|_{q=0} < 0).
To understand Proposition 5, we examine Equation (8) in the context of positive externalities. As in the case with negative externalities, the first two terms of Equation (8) cancel out. Because U′(A − μ(x_i, X_{−i})L − x_i) > 0, ∂μ(x_i, X_{−i})/∂x_j < 0, and ∂x_j/∂q < 0, the third term (including the negative sign) is negative. Therefore, Equation (8) is negative overall. Thus, using a risk pool to cover a small proportion of risks decreases an individual firm's expected payoff. Therefore, firms have no incentive to set up a risk pool for a small proportion of risks. The question, then, is whether firms have an incentive to set up an RPA with a large coverage. Because the closed-form solution of q in this multiplayer game is intractable, we used a numerical approach to search for the possibility that firms are willing to adopt an RPA. In our search, we used a series of exponential breach probability functions, μ(x_i, X_{−i}) = exp(−t(x_i + b Σ_{k=1, k≠i}^{n} x_k)). The exponential function ensures that the value of the breach probability is always between 0 and 1 for a positive amount of security investments. We let t ∈ {1, 2, …, 10}, which represents different degrees of convexity of the breach probability function. The total number of firms, n, ranges from 2 to 30. We let b ∈ {1/(10(n − 1)), 9/(10(n − 1)), …, 1/(n − 1)}, which ensures that the externality is positive. In addition, the aggregate effect of others' security investments is lower than that of the firm's own security investment. Three increasing and concave payoff functions are examined. They are U(w) = −exp(−w) + 1, U(w) = −w(w − 20), and U(w) = log(w + 1), which represent different degrees of concavity of the firms' payoffs. We did not find any parameter space in which firms have an incentive to set up a risk pool. Therefore, the incentive compatibility of the RPA solution is difficult to achieve in the case with positive externalities of security investments.
Managed Security Services
In the previous section, we showed that the effectiveness of RPAs depends on the nature of security risks. The RPA solution is effective in addressing the overinvestment issues associated with negatively interdependent risks. However, it cannot address the underinvestment issues associated with positively interdependent risks. In this section, we examine a different security management solution: MSSs (or security management outsourcing). We first assume that the MSSP has the same level of security expertise as the firms. This assumption enables us to highlight the insight that the use of MSSs can be justified from the perspective of risk interdependency—not on the basis that the MSSP is more cost-efficient than the client firms. We later extend the analysis and study the case in which the MSSP has a cost advantage.
If a firm uses MSSs, it pays a fixed fee, denoted by t, to the MSSP. We refer to the firms using MSSs as the member firms and the firms not using MSSs as nonmember firms. In practice, an SLA is often used to ensure that the MSSP assumes accountability for the security loss and manages security for the member firms' benefit. In this paper, we assume that the SLA specifies the compensation level that the MSSP pays to a member firm if the latter suffers a security loss. We denote the compensation level as d.
The timing of events is as follows: (1) the MSSP announces the service fee, t; (2) firms decide whether or not to use the MSSs; (3) the MSSP invests in security protections for the member firms, and the nonmember firms obtain the expected reservation payoff, U_s; and (4) the security losses are realized and the compensations are made according to the SLAs.
Because firms are homogeneous, we focus on the symmetric case in which all firms choose the same strategies. The MSSP's problem can be formulated as
$$
\Pi_m = \max_{d,\,t,\,x_i} \sum_{i=1}^{n}\big[\,t - \mu(x_i, X_{-i})\,d - x_i\big]
$$
$$
\text{s.t.}\quad \mu(x_i, X_{-i})\,U(A - L + d - t) + \big(1-\mu(x_i, X_{-i})\big)\,U(A - t) \ge U_s . \qquad (9)
$$
Constraint (9) ensures that a firm has a higher payoff when outsourcing security management to the MSSP than when it manages security in-house and achieves the reservation payoff. Lemma 1 characterizes the optimal compensation level that the MSSP will establish.
Lemma 1: The loss compensation d satisfies d = L.
When a member firm has a security breach and loses L, the MSSP compensates the firm to the level of d. Because the member firms are risk averse but the MSSP is risk neutral, the MSSP is willing to provide full insurance to the member firms. As a result, the member firms transfer all security risks to the MSSP. In this regard, the MSSP serves as a third-party insurer in addition to a professional service provider [1]. This is in contrast to the RPA, with which each member firm has to share 1/n of the total loss.
Using the result in Lemma 1, the MSSP's problem can be simplified as
$$
\Pi_m = \max_{t,\,x_i} \sum_{i=1}^{n}\big[\,t - \mu(x_i, X_{-i})\,L - x_i\big]
\quad\text{s.t.}\quad U(A - t) \ge U_s . \qquad (10)
$$
Proposition 6 gives the MSSP's investment decisions for the member firms:
Proposition 6: When all individual firms collectively outsource their security management to the MSSP, the MSSP makes the security investment at the optimal level.
Collective outsourcing occurs when all firms outsource their security management to the MSSP. Proposition 6 shows that in collective outsourcing, the investment inefficiency caused by risk interdependency is addressed: the MSSP makes the security investment at the optimal level for all member firms. The optimal level is achieved because the investment decision making is shifted to one entity, so that network externalities are completely internalized. As a result, the investment inefficiency is eliminated.
Sustainability of Collective Outsourcing
Although collective outsourcing can lead to optimal security investments (made by the MSSP), whether this solution is incentive-compatible for individual firms is still unclear. The question is this: when all other firms use MSSs, does an individual firm have the incentive to defect from using the MSSs? When a firm defects, it has to manage security in-house, but it can still use cyberinsurance to hedge against its security risks. The payoff of the defecting firm can be considered as a firm's reservation payoff (outside option) when deciding whether to use MSSs (i.e., U_s). We next examine whether collective outsourcing is sustainable as an equilibrium for individual firms. For analytical tractability, we again assume that the security investments are additive [24]. In particular, μ(x_i, X_{−i}) = p(x_i + b Σ_{k=1, k≠i}^{n} x_k), where p is a decreasing and convex function, p′(·) < 0 and p″(·) > 0. This breach probability function ensures that μ_i′(·) < 0 and μ_ii″(·) > 0. In the case of negative externality, let b < 0. This ensures ζ_i′(·) > 0. In the case of positive externality, let b > 0. This ensures ζ_i′(·) < 0.
Suppose that a firm defects but that the other n − 1 firms still outsource their security management to the MSSP. The defecting firm's payoff is π_d = U(A − p(x_d + b(n − 1)x_md)L − x_d), where x_d represents the defecting firm's security investment level and x_md represents the MSSP's investment level for a member firm when a firm defects.
Let U_s = π_d. The MSSP's problem can be represented as
$$
\Pi_m^{d} = \max_{t,\,x_i} \sum_{i=1}^{n-1}\left[\,t - p\Big(x_i + b\sum_{k\neq i} x_k\Big)L - x_i\right] \qquad (11)
$$
$$
\text{s.t.}\quad U(A - t) \ge U\big(A - p(x_d + b(n-1)x_{md})L - x_d\big). \qquad (12)
$$
Constraint (12) is an individual rationality constraint ensuring that a firm has a higher payoff when using MSSs than when managing security in-house and purchasing cyberinsurance. This constraint requires that the MSSP establish a fee that would not result in member firm defection. Lemma 2 characterizes the optimal service fee that the MSSP charges:
Lemma 2: The optimal service fee charged by the MSSP satisfies t = p(x_d + b(n − 1)x_md)L + x_d.
The MSSP profits from the service fee. A for-profit MSSP charges a service fee that is as high as possible to maximize its profit, while still ensuring that firms are willing to use the MSS. Suppose a firm defects. The total expected cost of IT security for the defecting firm is p(x_d + b(n − 1)x_md)L + x_d (i.e., the cyberinsurance premium plus the security investment). The maximum service fee for the MSSs is therefore equal to the expected total security cost of the defecting firm, so that any firm is indifferent between defecting or not.
According to Equation (11) and Lemma 2, the MSSP's profit is
$$
\Pi_m^{d} = n\Big[\,p\big(x_d + b(n-1)x_{md}\big)L + x_d - \Big(p\big((1 + b(n-1))x_o\big)L + x_o\Big)\Big].
$$
For collective outsourcing to be viable, the MSSP must charge a fee that can cover its service cost. To derive additional insight, we use a general exponential breach probability (i.e., p(y) = exp(−λy)) to compare the service fee (i.e., p(x_d + b(n − 1)x_md)L + x_d) with the service cost (i.e., p((1 + b(n − 1))x_o)L + x_o). Proposition 7 characterizes the condition under which collective outsourcing is sustainable as an equilibrium:
Proposition 7: All firms are willing to outsource their security management if
$$
(1-b)\,b(n-1) \;-\; b(n-1)\ln\!\big(1 + b(n-2)\big) \;-\; (1-b)\ln\!\big(1 + b(n-1)\big) \;>\; 0 .
$$
When the condition in Proposition 7 holds, the expected security cost incurred by a defecting firm (i.e., p(x_d + b(n − 1)x_md)L + x_d) is higher than the service cost incurred by the MSSP for each member firm in collective outsourcing (i.e., p((1 + b(n − 1))x_o)L + x_o). According to Lemma 2, the MSSP charges a fee equal to a defecting firm's security cost. This service fee not only ensures that all firms have incentives to use MSSs but also yields a positive profit for the MSSP. Therefore, the equilibrium of collective outsourcing using MSSs is sustainable when the condition in Proposition 7 holds.
The sustainability of collective outsourcing, although achievable with a small number of firms, becomes increasingly difficult to achieve as the number of firms increases. When the number of firms is larger, an individual defecting firm gains more from the MSSP's collective operations. In the case of negative externalities, a larger number of firms gives the MSSP more incentive to reduce the security investment to address the overinvestment issue for each member firm, making it easier for a defecting firm to beat the MSSP in security investment and drive hackers away. In the case of positive externalities, a larger number of firms induces the MSSP to increase the security investment to address the underinvestment issue for each member firm, making it easier for a defecting firm to free-ride. Therefore, an individual firm is more likely to defect, and the retention of all member firms is then more difficult for the MSSP. As a result, there is a maximum number of firms with which the MSSP can induce all firms to use the MSSs and address the investment inefficiency. Figure 2 demonstrates the maximum number of firms for which a sustainable equilibrium exists, given the degree of network externalities, b.
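The following Python block is an added numerical illustration (this editor's code, not the authors'): it implements the first-order conditions of the additive exponential breach-probability model described above, reproduces the cyberinsurance-only versus optimal investment comparison behind Figure 1 for the stated parameters (λ = 2, L = 6, b = −1/15), and checks the Proposition 7 sustainability condition to recover the maximum sustainable n plotted in Figure 2. It assumes that when one firm defects the MSSP minimizes the remaining members' expected cost taking the defector's investment as given, that the interior first-order conditions apply, and that λ = 1, L = 6 and the n_max bound used in the Figure 2 sweep are constructed values.

```python
"""Numerical illustration of the additive exponential breach-probability model.
Editor's implementation of the model's first-order conditions; the paper reports plots only.

Firm i is breached with probability p(x_i + b * sum_{k != i} x_k), p(y) = exp(-lam*y), and
loses L. Cyberinsurance is actuarially fair, so a fully insured firm pays premium p(.)*L and
simply minimises premium + investment. The risk-neutral MSSP fully compensates members
(Lemma 1), so it minimises the same expected cost on their behalf."""
import math


def _aggregate(n, b):
    """Coefficient 1 + b(n-1) on a common investment level; the model needs it positive."""
    agg = 1.0 + b * (n - 1)
    if agg <= 0:
        raise ValueError("1 + b(n-1) must be positive")
    return agg


def optimal_investment(n, b, lam, L):
    """Per-firm investment minimising total expected cost n*(exp(-lam*agg*x)*L + x).
    Under collective outsourcing the MSSP invests exactly this per member (Prop. 6)."""
    agg = _aggregate(n, b)
    return max(0.0, math.log(lam * L * agg) / (lam * agg))


def cyberinsurance_only_investment(n, b, lam, L):
    """Symmetric equilibrium when each firm minimises only its own premium + investment,
    taking the other n-1 investments as given: lam*L*exp(-lam*agg*x) = 1.
    For b < 0 this exceeds optimal_investment (overinvestment); for b > 0 it falls short."""
    agg = _aggregate(n, b)
    return max(0.0, math.log(lam * L) / (lam * agg))


def expected_cost(x_own, others_sum, b, lam, L):
    """Fair premium plus own investment for one firm, given the others' total investment."""
    return math.exp(-lam * (x_own + b * others_sum)) * L + x_own


def defection_outcome(n, b, lam, L):
    """One firm defects and insures itself; the other n-1 stay with the MSSP.
    Solves the two interior first-order conditions simultaneously (assumption: the MSSP
    takes the defector's investment as given):
      MSSP (members): (1 + b(n-2)) * x_md + b * x_d = ln(lam*L*(1 + b(n-2))) / lam
      defector:       b(n-1) * x_md + x_d           = ln(lam*L) / lam
    Returns (x_md, x_d)."""
    agg_members = 1.0 + b * (n - 2)
    if agg_members <= 0:
        raise ValueError("1 + b(n-2) must be positive")
    c1 = math.log(lam * L * agg_members) / lam
    c2 = math.log(lam * L) / lam
    det = agg_members - b * b * (n - 1)  # equals (1 - b)(1 + b(n-1))
    x_md = (c1 - b * c2) / det
    x_d = (agg_members * c2 - b * (n - 1) * c1) / det
    if x_md < 0 or x_d < 0:
        raise ValueError("corner solution; interior conditions do not apply")
    return x_md, x_d


def collective_outsourcing_sustainable(n, b, lam, L):
    """Proposition 7 check. By Lemma 2 the fee equals a defecting firm's expected cost;
    collective outsourcing survives only if that fee exceeds the MSSP's own per-member
    cost at the optimal investment, so that serving everyone is profitable."""
    x_o = optimal_investment(n, b, lam, L)
    x_md, x_d = defection_outcome(n, b, lam, L)
    member_cost = expected_cost(x_o, (n - 1) * x_o, b, lam, L)
    fee = expected_cost(x_d, (n - 1) * x_md, b, lam, L)
    return fee > member_cost


def max_sustainable_firms(b, lam, L, n_max=100):
    """Largest n, scanning up from 2, for which collective outsourcing is sustainable
    (the quantity plotted in Figure 2). None if it already fails at n = 2, e.g. at b = 0,
    where the fee exactly equals the MSSP's cost and profit is zero."""
    best = None
    for n in range(2, n_max + 1):
        try:
            if not collective_outsourcing_sustainable(n, b, lam, L):
                break
        except ValueError:  # aggregate coefficient no longer positive: model undefined
            break
        best = n
    return best


if __name__ == "__main__":
    # Parameters stated for the negative-externality example: lam = 2, L = 6, b = -1/15.
    for n in (2, 5, 10):
        x_ci = cyberinsurance_only_investment(n, -1 / 15, 2.0, 6.0)
        x_o = optimal_investment(n, -1 / 15, 2.0, 6.0)
        print(f"n={n:2d}  cyberinsurance-only x={x_ci:.3f}  optimal x={x_o:.3f}  gap={x_ci - x_o:.3f}")
    # lam = 1, L = 6 are constructed values for a Figure 2 style sweep over b.
    for b in (-0.1, -0.05, 0.0, 0.05, 0.1):
        print(f"b={b:+.2f}  max sustainable n = {max_sustainable_firms(b, 1.0, 6.0)}")
```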
The increase in the degree of network externalities generates two countervailing effects on firms' incentives to defect. In the case of negative externalities (b < 0), when the degree of network externalities is higher (b is smaller), the advantage of the MSS solution in internalizing externalities of the security investments is more evident, and a firm is more willing to use the MSSs. However, a firm also benefits more if it deviates from using the MSSs. This is because higher negative externalities induce the MSSP to invest less aggressively, and, as a result, it is easier for a defecting firm to beat the MSSP in security investment and drive hackers away. An individual firm is thus less willing to pay for MSSs, forcing the MSSP to lower the service fee. The fee that the MSSP can charge depends on the trade-off between these two effects. As a result, the maximum number of firms that ensures a sustainable equilibrium is first increasing in b and then decreasing in b.
When the security investments generate positive externalities (i.e., b > 0), the defecting firm can free-ride on the MSSP's collective security operations for member firms. As a result, the MSSP has to keep the service fee low to retain the member firms. When the number of firms is larger, the benefit of free-riding is higher, and the service fee that the MSSP charges cannot cover the expected cost of serving a firm. As a result, collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. It is worth noting that when security investments generate positive externalities and the MSSP is more cost-efficient, the maximum number of firms in a sustainable equilibrium may be higher than two, as is illustrated in the next section.
When b = 0, the firms' security risks are independent, and security investments have no externalities. The service fee that the MSSP charges is equal to the security cost that the MSSP incurs to serve a member firm. As a result, the MSSP always makes zero profit (i.e., the condition of Proposition 7 never holds). This case is a trivial one.
Figure 2. Maximum Number of Firms in Collective Outsourcing Equilibrium as a Function of b.
MSSP's Cost Efficiency
The previous analysis presents a counterintuitive result: even though the MSSP serving all firms invests at the optimal level and all firms benefit from security outsourcing, collective outsourcing to the MSSP might not arise as an equilibrium. This phenomenon occurs because a firm, even after defecting, might indirectly benefit from the MSSP's security operations, resulting in a higher payoff for the firm than actually using the MSSs. As a result, the MSSP cannot charge a fee that sustains collective outsourcing and results in a profit.
In practice, the MSSP is often more capable of managing security because of its better technology, more experienced staff, and higher operational efficiency. A major reason individual firms outsource security management is to leverage the MSSP's cost efficiency [1, 3]. In this subsection, we examine how the MSSP's cost advantage is weakened by the network externalities of security investments. We assume that the MSSP incurs an investment cost ψx_i, where ψ ∈ [0, 1] captures the level of cost efficiency. When ψ = 1, the MSSP has the same level of cost efficiency as individual firms; as ψ decreases, the MSSP becomes more cost-efficient than individual firms. The MSSP's problem can be represented as
$$
\Pi_m = \max_{t,\,x_i} \sum_{i=1}^{n-1}\left[\,t - p\Big(x_i + b\sum_{k\neq i} x_k\Big)L - \psi x_i\right]
\quad\text{s.t.}\quad U(A - t) \ge U\big(A - p(x_d + b(n-1)x_{md})L - x_d\big).
$$
Proposition 8 presents the condition under which collective outsourcing arises as an equilibrium when the MSSP is more cost-efficient than individual firms:
Proposition 8: When the MSSP is more cost-efficient than the individual firms (0 < ψ < 1), all firms decide to outsource their security services if
[Condition in terms of b, n, ψ, λ, and L; the extracted text of this display equation is not recoverable.]
When the MSSP is more cost-efficient than individual firms (0 < ψ < 1), the maximum number of firms yielding a collective outsourcing equilibrium depends on the level of cost efficiency (ψ), in addition to the degree of network externalities (b). Figure 3 illustrates the maximum number of firms with which collective outsourcing arises as a sustainable equilibrium, given the level of cost efficiency. Similar to the degree of network externalities, cost efficiency affects the firms' defection incentives through two countervailing effects. On the one hand, a more efficient MSSP (ψ is smaller) is more capable of managing the security risks than are individual firms. Therefore, an individual firm is more willing to use the MSSs. This is the cost-efficiency effect. On the other hand, a defecting firm benefits more by taking advantage of the MSSP's collective security management when the MSSP is more cost-efficient. This effect decreases a firm's willingness to pay for the MSS. This is the defection effect. Figure 3 illustrates the maximum number of firms in a sustainable equilibrium when the MSSP is more cost-efficient. It shows that when the security investments generate positive externalities (b = 0.1), the maximum number of firms in a collective outsourcing equilibrium is first increasing and then decreasing in ψ. When the security investments generate negative externalities (b = −0.1), the cost-efficiency effect dominates the defection effect when the MSSP's cost efficiency is high (ψ is small). Therefore, collective outsourcing is more likely to arise (i.e., all firms are willing to use the MSS) when ψ is small.⁴ However, when ψ is large enough (i.e., the MSSP is less cost-efficient), the cost-efficiency effect is weakened and the maximum number of firms decreases to two.
Figure 3. Maximum Number of Firms in a Collective Outsourcing Equilibrium as a Function of ψ.
Heterogeneous Firms
In this paper, we follow the classic literature on risk pooling and focus on ex ante homogeneous firms. In this section, we extend the model and discuss the case in which firms have heterogeneous security losses. In particular, we assume that there are two types of firms: type-1 firms and type-2 firms. In a security breach, a type-1 firm loses L_1, and a type-2 firm loses L_2, where L_1 > L_2. Let the total numbers of type-1 firms and type-2 firms be n_1 and n_2, respectively. We have n = n_1 + n_2.
When firms use cyberinsurance only, we can verify that a firm still overinvests when the security investments generate negative externalities and underinvests when the security investments generate positive externalities. We next examine firms' security investments and expected payoffs in the RPA case. The expected payoff of a type-1 firm can be represented by
[Display equation for π_i^1, the expected payoff of a type-1 firm under the RPA, subject to I_i^1 ≤ (1 − q_1)L_1; the extracted text of this display is not recoverable.]
And the expected payoff of a type-2 firm can be represented by
[Display equation for π_i^2, the expected payoff of a type-2 firm under the RPA, subject to I_i^2 ≤ (1 − q_2)L_2; the extracted text of this display is not recoverable.]
where q_1 (q_2) is the ratio of loss covered by the risk pool for type-1 firms (type-2 firms). Since the RPA is a mutual insurance organization and the participating firms equally share the loss as equity holders, the RPA covers the same amount of loss for all the firms. We therefore focus on the case that q_1 L_1 = q_2 L_2. Differentiating π_i^j w.r.t. I_i^j, we get I_i^j = (1 − q_j)L_j, where j = 1, 2.
The expected payoffs for type-1 and type-2 firms are, respectively,
[Display equation for π_i^1 with I_i^1 = (1 − q_1)L_1 substituted; the extracted text of this display is not recoverable.]
and
[Display equation for π_i^2 with I_i^2 = (1 − q_2)L_2 substituted; the extracted text of this display is not recoverable.]
Since the analytical solutions to the case with heterogeneous firms are intractable, we use numerical examples to illustrate the equilibrium security investments, the firms' payoffs, and the equilibrium pool coverages. Similar to the numerical examples in the Risk Pooling Arrangements section, we assume μ(x_i, X_{−i}) = exp(−2(x_i + b Σ_{k=1, k≠i}^{n} x_k)), where b = −(1/15) and U(w) = −w(w − 20). In addition, we let A = 8, L_1 = 6, and L_2 = 4. We assume that type-1 firms account for about half the firms. In particular, n_1 = n_2 = n/2 when n is an even number and n_1 = n_2 − 1 when n is an odd number. Figure 4 shows the security investments, the firms' payoffs, and the ratios of loss coverage for type-1 and type-2 firms.
Figure 4a shows the firms' security investments in the cyberinsurance-only case, the RPA case, and the optimal case when security investments generate negative externalities. The solid curves represent a type-1 firm's security investments, and the dashed curves represent a type-2 firm's security investments. With heterogeneous firms, RPAs can still mitigate firms' overinvestment incentives. Both the type-1 firm's and the type-2 firm's security investments in the RPA case are significantly lower than their investments in the cyberinsurance-only case. Figure 4b compares the firms' expected payoffs. The curves show that the firms' expected payoffs in the RPA case are higher than their payoffs in the cyberinsurance-only case. Figure 4c illustrates the optimal ratios of loss covered by the risk pool for type-1 firms and type-2 firms. Similar to Figure 1c, the pool coverages increase as the number of firms in the pool increases. We also examined the case in which security investments generate positive network externalities and found that the RPA cannot address the underinvestment issues. All the findings in the Risk Pooling Arrangements section hold qualitatively.
We then examine firms' security investments and expected payoffs in the MSS case. The MSSP's profit can be represented as
$$
\Pi_m = \sum_{i=1}^{n}\big[\,t_i - \mu(x_i, X_{-i})\,d_i - x_i\big]
\quad\text{s.t.}\quad \mu(x_i, X_{-i})\,U(A - L_i + d_i - t_i) + \big(1-\mu(x_i, X_{-i})\big)\,U(A - t_i) \ge U_{s_i}.
$$
As we described in the Managed Security Services section, the MSSP has extensive security expertise and is therefore capable of evaluating the clients' security. In practice, the MSSP often needs to conduct an on-site inspection before serving a client. It is reasonable to assume that the MSSP can accurately diagnose and separate type-1 firms and type-2 firms. This assumption ensures that the MSSP does not need to practice price differentiation. Differentiating Π_m w.r.t. d_i, we have d_i = L_i. The MSSP's profit can be simplified as
$$
\Pi_m = \max_{d_i,\,t_i,\,x_i} \sum_{i=1}^{n}\big[\,t_i - \mu(x_i, X_{-i})\,d_i - x_i\big]
\quad\text{s.t.}\quad U(A - t_i) \ge U_{s_i}.
$$
Again, we use numerical examples to illustrate the maximum number of firms for which a sustainable equilibrium exists, given the degree of network externalities, b. We use the same parameter specifications as in Figure 4. In particular, μ(x_i, X_{−i}) = exp(−2(x_i + b Σ_{k=1, k≠i}^{n} x_k)), U(w) = −w(w − 20), A = 8, L_1 = 6, and L_2 = 4. In addition, n_1 = n_2 = n/2 when n is an even number, and n_1 = n_2 − 1 when n is an odd number.
Figure 4. Firms' Security Investments, Firms' Payoffs, and the Ratios of Loss Covered by an RPA When Security Investments Generate Negative Externalities in the Heterogeneous Case with Two Types of Firms: (a) firms' security investment in the heterogeneous case; (b) firms' payoffs in the heterogeneous case; (c) ratio of loss covered by an RPA in the heterogeneous case.
Figure 5 shows that when the security investments generate negative externalities (i.e., b < 0), the maximum number of firms that ensures a sustainable equilibrium is first increasing in b and then decreasing in b. When firms are heterogeneous, the countervailing effects of network externalities on the MSSP's service fee identified in the Managed Security Services section still exist. As a result, the maximum number of firms for a sustainable equilibrium changes in the same pattern as in the homogeneous case. When the security investments generate positive externalities (i.e., b > 0), collective outsourcing to the MSSP is a sustainable equilibrium only when n = 2. The analysis and numerical illustrations show that all the findings in the previous sections hold qualitatively.
It is worth noting that the use of a common increasing and concave utility function
in this paper, although rooted in the risk management literature, could be potentially
restrictive. In reality, the payoffs of heterogeneous firms may be better modeled using
different functions. The present study is the first step to gaining insights into using
alternative solutions to manage interdependent security risks. A thorough study of
the alternative risk management solutions for heterogeneous firms deserves further
research.
Discussion and Conclusion
The objective of security risk management is to appropriately use security resources to reduce firms’ risk exposure. The risk management approaches considered in this paper—third-party cyberinsurance, MSSs, and RPAs—differ in their effectiveness in reducing risk exposure and inducing efficient security investments. Both cyberinsurance and MSSs provide complete risk transfer. As compared with cyberinsurance, MSSs induce more efficient allocation of security resources because the MSSP, when serving all firms, internalizes the externalities of security investments between the member firms. RPAs, in contrast, do not provide complete risk transfer. However, they still help to induce more efficient security investments than cyberinsurance when security investments generate negative externalities. Both the internalization effect and the moral hazard effect associated with RPAs mitigate firms’ overinvestment incentives.
Figure 5. Maximum Number of Firms in Collective Outsourcing Equilibrium as a Function of b in the Heterogeneous Case with Two Types of Firms
In this paper, we focused on risk-averse firms. Note, however, that the analysis on the RPA and MSS solutions can also be applied to the case with risk-neutral firms, and all the findings still hold. Even though the risk-neutral firms are indifferent to the choices of adopting cyberinsurance to hedge risks and bearing random losses, they might still be willing to adopt the solutions that address interdependent security risks. In particular, risk-neutral firms have incentives to use RPAs when the security investments generate negative externalities. In addition, MSSs can be used to address the investment inefficiency caused by interdependent risks; however, collective outsourcing to an MSSP is not sustainable when the number of firms is large. Risk-loving firms are likely to actively pursue risks to maximize their payoffs, and they are beyond the scope of this research.
In this paper, we assumed that the amount of loss is fixed in a security breach. If a
firm’s loss is a random amount in a security breach and the insurance company can
specify a complete contingent insurance contract, a risk-neutral insurance company
still provides full insurance to the risk-averse firm. In that case, the insurance com-
pany must be able to expect all loss contingencies and write the complete contingent
contract, which details the compensation level for each loss level. Similarly, the MSSP
will offer full compensation for each loss level.
RPAs have traditionally been implemented in the forms of self-insurance, captives, risk retention groups, and pools to insure a wide variety of risks, such as medical practices, municipal liability, employee pension, and employee health care insurance. However, they have not been widely employed in the area of information security. Information security risks have the feature of risk interdependency, which challenges traditional risk management solutions and calls for alternative solutions. RPAs make firms share risks with one another within the pool and hence motivate firms to consider others’ risks when making investment decisions. They thus have the potential to be an effective solution for interdependent risks in the area of information security. RPAs’ ability to address interdependent information security risks also makes their use desirable, even when firms are risk-neutral. Thus, we see another advantage of using RPAs in information security: they empower firms to actively control interdependent risks, in addition to hedging risks for risk-averse firms.
Additional advantages of using RPAs in information security include flexible policy development and larger capacity. Insurability of information security risks is often limited in the cyberinsurance market because of the lack of experience in dealing with new security risks. RPAs allow the policy terms to be tailored to member firms and therefore to help cover new security risks. The cyberinsurance market is also limited in its capacity. RPAs could substantially increase the capacity of the risk management market, helping to insure against vast and ever-increasing information security risks.
Firms also face many operational challenges in implementing RPAs. In general, the process of implementation involves identifying the insurance coverages, determining premiums for the coverages, determining captive ownership and capitalization, identifying where the captive is formed and regulated, issuing insurance policies, and managing claims [32]. Firms outside the insurance industry often lack experience in risk underwriting and claims management. Entering such a new business area would likely be very costly for them. In practice, insurance companies offer rent-a-captive services that provide firms with access to captive facilities. Thus, firms can use a rent-a-captive approach to establish and run their RPAs for information security risks. At the initial stage of implementation, a firm might start with a single-parent captive (i.e., an RPA within one firm) to manage security risks within its business units. Later, the firm might expand the RPA operation to the multifirm context.
Regulatory restrictions pose additional challenges to the implementation of RPAs. The insurance market is highly regulated, and the development of RPAs is subject to regulatory attitudes. For example, in many jurisdictions, certain lines of insurance can be underwritten only by an admitted commercial insurer, not by a mutual insurer. Other factors affecting the adoption of RPAs include restrictions on the risk pool’s underwriting terms, the deductibility of insurance premiums for corporate taxation purposes, and the risk pool’s access to the reinsurance market. Considering the potential that RPAs offer in coordinating firms’ security investments, firms should actively promote RPAs to their regulatory agencies.
Security outsourcing enables firms to tap into the MSSP’s security resources, skills, and capabilities. In practice, SLAs are often used in service outsourcing to specify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met [1]. In security outsourcing, SLAs enable firms to transfer the security risks to external service providers. In this regard, the MSSP serves not only as a service provider but also as an insurer. The MSSP takes into account the interaction between member firms when making security decisions for them. The MSS approach, therefore, internalizes the externalities of security investments and provides a solution for interdependent security risks.
The MSS approach also provides a collective solution to create security protections that are difficult for individual firms to implement. For example, serving clients over different jurisdictions enables the MSSP to trace and collapse botnets, which are geographically distributed [33]. From individual firms’ perspectives, devoting sufficient efforts to combat such distributed networks is often unwarranted. In this regard, MSSs can offer a potential approach for managing distributed and interdependent risks.
The MSS solution yields the optimal investment level when all interdependent firms adopt this solution. However, executives and security managers should recognize that collective outsourcing might not be incentive-compatible when the number of firms is large. Because of risk interdependency, an individual firm might be better off if it manages security in-house instead of using MSSs. Such an incentive of defection exists even when the MSSP has a cost advantage over individual firms in security management. These findings help explain why firms might not use the MSS solution, even when the MSSPs are often more capable of managing security risks. Executives and security managers should recognize the advantages and limitations of the MSS approach and choose their risk management solutions according to the interdependent nature of security risks.
The present study may be extended in many directions. First, we focused on the incentive-compatible solutions, and the proposed solutions help firms address the investment inefficiency issues and improve their security toward the optimal outcome. The findings in the present study provide useful managerial implications and insights. In the future, it would be desirable to investigate the incentive-compatible approaches that always yield the optimal solution in the domain of information security. Second, we compared RPA and MSS solutions with cyberinsurance in addressing interdependent security risks. Future research might consider the interactions among the cyberinsurance, RPA, and MSS solutions. For example, the MSSP has better security skills than do the firms, in addition to cost advantages, and it may differentiate its services to better compete against the other two security management mechanisms. This is particularly important when firms are heterogeneous. The MSSP’s service differentiation and competitive strategies in the presence of heterogeneous firms merit in-depth study. Finally, future research might also study various implementation issues of the risk-management solutions. For example, the use of SLAs in security outsourcing requires firms to deploy various measures to monitor the MSSP’s performance and enforce the contract terms. Reputation systems for MSSPs can be an effective mechanism to motivate the MSSP to behave properly in the long term. The design of diverse mutual insurance policies for different types of IT security risks deserves more research attention.
Acknowledgment: Andrew B. Whinston greatly appreciates support from National Science Foundation grant number 0831338 for the completion of this paper. The authors thank three anonymous reviewers and the seminar participants at the University of Utah, the University of North Carolina at Charlotte, the University of North Carolina at Greensboro, and International Conference on Information Systems (ICIS2009) for their feedback on the early draft of this paper.
Notes
1. The principle of indemnity is an insurance principle stating that an insured may not be compensated by the insurance companies in an amount exceeding the insured’s economic loss. Therefore, a firm is not allowed to purchase insurance coverage from multiple insurers resulting in an amount of compensation or payout that is higher than the total economic loss [43].
2. The proofs of the lemmas and propositions are available upon request of the authors.
3. We also examined other parameter values (A and L) for the payoff function and other payoff function forms and found that the insights hold qualitatively.
4. When $b = -0.1$, the total number of firms must be no more than 10 to ensure that $x_i + b \sum_{k=1,\ldots,n,\; k \neq i} x_k > 0$.
References
1. Allen, J.; Gabbard, D.; and May, C. Outsourcing managed security services. Carnegie Mellon Software Engineering Institute, Pittsburgh, 2003 (available at www.cert.org/archive/pdf/omss ).
2. Anderson, R., and Moore, T. The economics of information security. Science, 314 (October 27, 2006), 610–613.
3. Axelrod, C.W. Outsourcing Information Security. Boston: Artech House, 2004.
4. Cavusoglu, H.; Raghunathan, S.; and Yue, W.T. Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 2 (Fall 2008), 281–304.
5. Cremonini, M., and Nizovtsev, D. Risks and benefits of signaling information system characteristics to strategic attackers. Journal of Management Information Systems, 26, 3 (Winter 2009–10), 241–274.
6. CSI computer crime and security survey 2010/2011. Computer Security Institute, New York, 2011 (available at http://gocsi.com/survey/).
7. Cummins, J.D., and Weiss, M.A. Organizational form and efficiency: The coexistence of stock and mutual property-liability insurers. Management Science, 45, 9 (1999), 1254–1270.
8. Doherty, N.A., and Dionne, G. Insurance with undiversifiable risk: Contract structure and organizational form of insurance firms. Journal of Risk and Uncertainty, 6, 2 (1993), 187–203.
9. Gal-Or, E., and Ghose, A. The economic incentives for sharing security information. Information Systems Research, 16, 2 (2005), 186–208.
10. Gordon, L.A., and Loeb, M.P. The economics of information security investment. ACM Transactions on Information and Systems Security, 5, 4 (2002), 428–457.
11. Gordon, L.A.; Loeb, M.P.; and Lucyshyn, W. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22, 6 (2003), 461–485.
12. Gordon, L.A.; Loeb, M.P.; and Sohail, T. A framework for using insurance for cyber-risk management. Communications of the ACM, 46, 3 (2003), 81–85.
13. Gupta, A., and Zhdanov, D. Growth and sustainability of managed security services networks: An economic perspective. MIS Quarterly, 36, 4 (2012), 1109–1130.
14. Herath, H.S.B., and Herath, T.C. Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25, 3 (Winter 2008–9), 337–375.
15. Holmstrom, B. Moral hazard in teams. Bell Journal of Economics, 13, 2 (1982), 324–340.
16. Hui, K.-L.; Hui, W.; and Yue, W.T. Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems, 29, 3 (Winter 2012–13), 117–154.
17. Humphreys, P.K.; Lai, M.K.; and Sculli, D. An inter-organizational information system for supply chain management. International Journal of Production Economics, 70, 3 (2001), 245–255.
18. Kumar, R.L.; Park, S.; and Subramaniam, C. Understanding the value of countermeasure portfolios in information systems security. Journal of Management Information Systems, 25, 2 (Fall 2008), 241–280.
19. Kunreuther, H., and Heal, G. Interdependent security. Journal of Risk and Uncertainty, 26, 2–3 (2003), 231–249.
20. Lee, C.H.; Geng, X.; and Raghunathan, S. Contracting information security in the presence of double moral hazard. Information Systems Research, 24, 2 (2013), 295–311.
21. Lee, W., and Ligon, J.A. Moral hazard in risk pooling arrangements. Journal of Risk and Insurance, 68, 1 (2001), 175–190.
22. Ligon, J.A., and Thistle, P.D. The formation of mutual insurers in markets with adverse selection. Journal of Business, 78, 2 (2005), 529–555.
23. Malamud, S.; Rui, H.; and Whinston, A.B. Optimal risk sharing with limited liability. Working Paper, National Center of Competence in Research Financial Valuation and Risk Management, Lausanne, 2012.
24. Managed security services hot despite cool economy due to growing threats, mobile devices, move to cloud. Infonetics Research report, Campbell, CA, September 27, 2011.
25. Marshall, J.M. Insurance theory: Reserves versus mutuality. Economic Inquiry, 12, 4 (1974), 476–492.
26. Mayers, D. Ownership structure across lines of property-casualty insurance. Journal of Law and Economics, 31, 2 (1988), 351–378.
27. Mayers, D., and Smith, C.W. Contractual provisions, organizational structure and conflict in insurance markets. Journal of Business, 54, 3 (1981), 407–434.
28. McQuillan, L.H. How to work with a managed security service provider. In H.F. Tipton and M. Krause (eds.), Information Security Management Handbook. Boca Raton, FL: CRC Press, 2007, pp. 631–642.
29. Mohan, R. How to defend against DDoS attacks? Security Week, April 27, 2010 (available at www.securityweek.com/content/how-defend-against-ddos-attacks/).
30. Moitra, S.D., and Konda, S.L. The survivability of network systems: An empirical analysis. Software Engineering Institute/Computer Emergency Response Team (SEI/CERT) Report no. CMU/SEI-2000-TR-021, Carnegie Mellon University, Pittsburgh, PA, December 2000.
31. Ogut, H.; Menon, N.; and Raghunathan, S. Cyber insurance and IT security investment: Impact of interdependent risk. Working Paper, University of Texas at Dallas, 2005 (available at http://infosecon.net/workshop/pdf/56 ).
32. The picture of ART. Swiss Re study, Zurich, February 5, 2003 (available at www.swissre.com/media/news_releases/new_swiss_re_sigma_study__the_picture_of_art.html).
33. Pitsillidis, A.; Levchenko, K.; Kreibich, C.; Kanich, C.; Voelker, G.M.; Paxson, V.; Weaver, N.; and Savage, S. Botnet judo: Fighting spam with itself. Paper presented at the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 28–March 3, 2010 (available at www.isoc.org/isoc/conferences/ndss/10/pdf/12 ).
34. Richmond, W.B.; Seidmann, A.; and Whinston, A.B. Incomplete contracting issues in information systems development outsourcing. Decision Support Systems, 8, 5 (1992), 459–477.
35. Rippon, A. Cyber hackers can mess with Google—Are you afraid for your business? EzineArticles.com, 2010 (available at http://ezinearticles.com/?Cyber-hackers-Can-Mess-with-google–Are-you-Afraid-For-your-Business?&id=3882184/).
36. Rothschild, M., and Stiglitz, J. Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. Quarterly Journal of Economics, 90, 4 (1976), 629–649.
37. Scott, C. Nearly a fifth of U.S. PCs have no antivirus protection. IDG News Service, May 29, 2012 (available at www.pcworld.com/article/256493/nearly_a_fifth_of_us_pcs_have_no_virus_protection_mcafee_finds.html).
38. Sen, S.; Raghu, T.S.; and Vinze, A. Demand heterogeneity in IT infrastructure services: Modeling and evaluation of a dynamic approach to defining service levels. Information Systems Research, 20, 2 (2009), 258–276.
39. Shavell, S. On moral hazard and insurance. Quarterly Journal of Economics, 93, 4 (1979), 541–562.
40. Subramaniam, C., and Shaw, M.J. A study of the value and impact of B2B e-commerce: The case of web-based procurement. International Journal of Electronic Commerce, 6, 4 (Summer 2002), 19–40.
41. Tung, L. Five ways to defend against a DDoS attack. IT News for Australian Business, October 12, 2010 (available at www.itnews.com.au/News/234834,five-ways-to-defend-against-a-ddos-attack.aspx).
42. Varian, H.R. Managing online security risks. New York Times, June 1 (2000) (available at http://people.ischool.berkeley.edu/~hal/people/hal/Nytimes/2000-06-01.html).
43. Vaughan, E.J., and Vaughan, T.M. Fundamentals of Risk and Insurance, 10th ed. Hoboken, NJ: John Wiley & Sons, 2008.
44. Wang, E.T.G.; Barron, T.; and Seidmann, A. Contracting structures for custom software development: The impacts of informational rents and uncertainty on internal development and outsourcing. Management Science, 43, 12 (1997), 1726–1744.
45. Whang, S. Contracting for software development. Management Science, 38, 3 (1992), 307–324.
Copyright of Journal of Management Information Systems is the property of M.E. Sharpe Inc.
and its content may not be copied or emailed to multiple sites or posted to a listserv without
the copyright holder’s express written permission. However, users may print, download, or
email articles for individual use.
Detecting Anomalous Online Reviewers:
An Unsupervised Approach Using Mixture
Models
NAVEEN KUMAR, DEEPAK VENUGOPAL, LIANGFEI QIU, AND
SUBODHA KUMAR
NAVEEN KUMAR (nkchawla@uw.edu) is an assistant professor of Management
Information Systems in the School of Business, University of Washington,
Bothell. He received his Ph.D. from the University of Washington, Seattle. His
research focuses on applying deep learning and other artificial intelligence techni-
ques in social media and information systems. Before joining academia, he worked
as a researcher in the high-tech industry, solving complex business problems in IT,
Finance, and Manufacturing using advanced machine-learning techniques.
DEEPAK VENUGOPAL (dvngopal@memphis.edu) is an assistant professor in the
Department of Computer Science at the University of Memphis. He received his
Ph.D. in computer science from the University of Texas at Dallas. His research
interests focus on probabilistic and statistical relational models. Dr. Venugopal’s
work has been published in the proceedings of conferences, including those of the
Association for the Advancement of Artificial Intelligence, Conference on Neural
Information Processing, and others.
LIANGFEI QIU (liangfei.qiu@warrington.ufl.edu; corresponding author) is an associ-
ate professor in the Department of Information Systems and Operations
Management at the Warrington College of Business, University of Florida. He
received his Ph.D. in economics from the University of Texas at Austin.
Dr. Qiu’s research focuses on economics of information systems, prediction mar-
kets, social media, and telecommunications policy. His work has been published in
Decision Support Systems, Information Systems Research, Journal of Management
Information Systems, MIS Quarterly, and other journals.
SUBODHA KUMAR (subodha@temple.edu) is the Paul Anderson Distinguished Professor of Supply Chain Management, Marketing, Information Systems, and Statistical Science, and the director of the Center for Data Analytics at the Fox School of Business, Temple University. He earned his Ph.D. from the University of Texas at Dallas. Dr. Kumar has published numerous papers in a variety of journals. He is the deputy editor and a department editor of Production and Operations Management and has served as a senior editor of Decision Sciences and an associate editor of Information Systems Research.
Color versions of one or more of the figures in the article can be found online at www.tandfonline.com/mmis.
Journal of Management Information Systems / 2019, Vol. 36, No. 4, pp. 1313–1346.
Copyright © Taylor & Francis Group, LLC
ISSN 0742–1222 (print) / ISSN 1557–928X (online)
DOI: https://doi.org/10.1080/07421222.2019.1661089
ABSTRACT: Online reviews play a significant role in influencing decisions made by
users in day-to-day life. The presence of reviewers who deliberately post fake
reviews for financial or other gains, however, negatively impacts both users and
businesses. Unfortunately, automatically detecting such reviewers is a challenging
problem since fake reviews do not seem out-of-place next to genuine reviews. In
this paper, we present a fully unsupervised approach to detect anomalous behavior
in online reviewers. We propose a novel hierarchical approach for this task in which
we (1) derive distributions for key features that define reviewer behavior, and (2)
combine these distributions into a finite mixture model. Our approach is highly
generalizable and it allows us to seamlessly combine both univariate and multi-
variate distributions into a unified anomaly detection system. Most importantly, it
requires no explicit labeling (spam/not spam) of the data. Our newly developed
approach outperforms prior state-of-the-art unsupervised anomaly detection
approaches.
KEY WORDS AND PHRASES: online reviews, fake reviews, opinion spam, unsupervised
learning, anomaly detection, mixture models, deception detection.
Falsehood diffused significantly farther, faster, deeper, and more broadly than
the truth in all categories of information. — Vosoughi et al. [86]
The past few years have witnessed an unprecedented spread of misinformation in
various forms. While traditional spam e-mails have long been a threat, the rise of
fake online reviews and fake news on social media platforms highlights the
vulnerabilities of individuals, institutions, and society to manipulation in the age
of social media. Misinformation on social media platforms has drawn recent
attention in political contexts. Social media sites such as Facebook and Twitter
are reported to be major platforms used to spread fake news in the 2016
U.S. presidential election cycle [38]. Recent research has mainly focused on the
dissemination of misinformation through social media [86]. However, in the first
place, we must identify and detect misinformation and understand how common
misinformation is on social media platforms.
By now, machine-learning techniques can detect spam e-mails quite accurately
[14, 94]. However, can we say the same about inauthentic online reviews on social
media platforms? Are we equally equipped to rule them out as fake, or are they
harder to pinpoint? This problem is particularly important to address since a large
percentage of modern consumers routinely use online reviews as an important
factor in their decision-making process [56]. It has been reported that up to
90 percent of consumers read online reviews before making a purchase, and most
of these consumers trust the authenticity of the comments [56, 73]. Additionally,
1314 KUMAR ET AL.
businesses pay close attention to what consumers are writing about them online to
maintain their brand reputation [6]. Thus, maintaining a fair, unbiased review
system is extremely important for both users and businesses. Since online reviews
have such a high degree of influence, however, fake reviewers seek financial gain
or other incentives in exchange for online review manipulation. For instance,
reviewers may be hired by businesses to write biased reviews either favoring
a product or unfairly denouncing a competitor’s products [82]. In fact, there have
been several known instances of review manipulation misleading consumers and
resulting in lawsuits [71]. More specifically, to boost demand, restaurants some-
times invest in hiring freelance writers or some social media optimization compa-
nies to post fake reviews on Yelp.1 The cost of doing this may be as low as $2 per
five-star review on platforms like Yelp and TripAdvisor.2 Therefore, to ensure the
integrity and trustworthiness of online reviews, it is essential to develop techniques
that can automatically identify and flag such fake reviewers who exhibit anomalous
behavior in online social media.
Automatic detection of fake reviewers, also referred to as opinion spammers [35],
is a challenging problem. In some previous studies, even the accuracy of humans
distinguishing fake reviews from real reviews was shown to be just slightly better
than random chance [63]. In comparison, detecting anomalous behavior in e-mail
messages is often not as challenging. For example, an unsolicited e-mail message
received from an unknown user with the word “Viagra” or its variants is almost
always spam [13] and may not be relevant to the vast majority of users who receive
the e-mail. Conversely, fake reviews about a product are more likely to be trusted in
an online forum even if they are from anonymous users [53].
However, since the ulterior motive of a fake reviewer is typically different from
a regular user (e.g., financial gains, denouncing competitors, etc.), behaviors of fake
reviewers are likely to show up as statistical anomalies when compared to the
observed behaviors of regular users [21]. For example, reviewers who are being
paid may write reviews very often while regular users may write reviews more
sporadically. Some other types of anomalous behavior are more complex and
require analysis of more than one variable simultaneously. For instance, a fake
reviewer might specifically target restaurants that are popular among several other
users. Therefore, in general, we can capture different aspects of reviewer behavior
by modeling variables in an independent (univariate) or joint (multivariate) manner.
The key goal of our work is to combine such univariate and multivariate models of
reviewer behavior and use unsupervised learning to obtain a more robust anomaly
detection system.
Over the past few years, different approaches have been proposed to detect fake
reviews and reviewers starting with the pioneering work by Jindal and Liu [35].
Notable approaches include both supervised classification based methods [62, 63]
and unsupervised techniques [1, 5, 57, 70]. However, even though probability distribu-
tions related to reviewing behavior have been studied in the past [15, 32, 35, 57], prior
approaches do not fully exploit univariate and multivariate distributions associated
DETECTING ANOMALOUS ONLINE REVIEWERS USING UNSUPERVISED LEARNING 1315
with reviewers (and reviews) when detecting anomalies. For instance, Feng et al. [21]
use only the J-shaped or bimodal characteristic typically associated with review ratings
to flag reviewers who distort this shape, but they do not consider distributions over
other possible features. Mukherjee et al. [57] develop a Bayesian learning approach to
detect opinion spammers in Amazon.com reviews. However, since distinct features of
online reviews have their own subtle distinctive distributional characteristics [15], the
prior distributions used in Mukherjee et al. may not always be indicative of the true
underlying distributions, thus biasing the model.
More recently, Kumar et al. [37] proposed an approach where they learn empirical
distributions corresponding to several features from the data, and then use these
distributions within a classifier, thus making the classifier more robust to noise and
one that has better generalization. However, a major shortcoming of their proposed
approach is that it requires the data to be labeled (with spam/no-spam labels). In
general, it is quite difficult to obtain labeled data, especially for review spam
detection [63]. In this work, we extend Kumar et al.’s [37] approach to develop
a fully unsupervised model to identify review spam. Specifically, as in Kumar et al.
[37], we learn independent probability distributions corresponding to univariate and
multivariate features related to reviewing behavior. Once we obtain the empirical
probability distributions, however, we develop a fully unsupervised method to com-
bine the distributions into a unified anomaly detection model. Specifically, we
develop a finite mixture model, where we combine the individual distributions that
we learn corresponding to different features. We then learn the full mixture model by
maximizing the overall log-likelihood of the data using an Expectation Maximization
(EM) approach. Although we specifically consider the problem of detecting anom-
alous reviewers in the context of reviews, our general technique can be applied to
other anomaly detection tasks quite easily. Note that the goal of this study is to detect
fake reviewers rather than fake reviews.
To summarize, our main contributions are as follows:
1. We develop a novel probabilistic approach to detect anomalous reviewers in
a fully unsupervised manner by learning a finite mixture model over derived
feature distributions. Our approach is general in the sense that it can be
regarded as a method to combine several heterogeneous distributions (both
univariate and multivariate) into a unified model that represents overall
behavior of a reviewer.
2. We perform a comprehensive experimental evaluation of our approach on
real-world restaurant reviews taken from Yelp.com. Specifically, for our
evaluation, we develop four baseline unsupervised methods for detecting
anomalous reviews, namely Gaussian Mixture Models (GMM), Non-
parametric Gaussian Mixtures, One-Class Support Vector Machines
(SVMs), and Stacking (STK) with uniform weights. We compare our
approach with each of these baselines on real-world data as well as synthetic
data where we injected distributional anomalies. Furthermore, we compare
our approach with two state-of-the-art unsupervised systems that have been
1316 KUMAR ET AL.
evaluated for Yelp reviews, namely FraudEagle by Akoglu et al. [1] and
SpEagle by Rayana and Akoglu [70]. We clearly show in our evaluation that
our system outperforms all the baseline methods as well as FraudEagle and
SpEagle in terms of accuracy.
In terms of practical implementation of our method, we need to consider the
dynamic nature of online platforms. On Yelp and Amazon, an enormous amount of
online reviews is posted every hour or even every minute. Our approach can be
viewed as a generic method to unify complex distributional characteristics into
a unified probabilistic model. In practice, the distribution of the features can be
updated regularly depending on the computational burden of the platform. In
addition, although the high-level methodology can be the same, the features used
in the systems should depend on the practical contexts. (For example, restaurant
review platforms, such as Yelp, could be different from product review platforms,
such as Amazon.)
In our current research, we primarily focus on detecting online spammers in
online platforms such as Yelp. However, our modeling and evaluation framework
can be extended to the cases of detecting social media bots in large online social
networks. “A social bot is a computer algorithm that automatically produces
content and interacts with humans on social media.” [22]. In Computer Science
literature, a number of studies have focused on the design of advanced methods to
automatically detect social bots. In general, there are three approaches in the
literature: (i) Graph-based social bot detection, (ii) crowdsourcing social bot detec-
tion, and (iii) feature-based social bot detection. The first approach relies on
studying the network structure of a social graph. The second approach makes use
of human detection and crowdsources detection work to human workers. The last
approach adopts machine-learning techniques to learn behavioral patterns. Our
method of detecting online spammers belongs to the third approach and can be
generalized to the context of detecting social bots.
The rest of this paper is organized as follows. We first review related work and
our dataset. Next, we present analysis of univariate and multivariate features
associated with reviewer behavior. We then describe our mixture model that
combines feature distributions. Finally, we present our baseline methods for anom-
aly detection and conclude with our experimental evaluation and discussion.
Review manipulation on digital platforms is a widely studied topic [23, 28, 30, 39, 40,
43, 67]. Luca and Zervas [47] analyze the correlation between reviews and competi-
tion. Mayzlin [51] applies game theory to analyze review manipulation by firms.
Mayzlin et al. [52] explore relationships between reviews and hotel characteristics.
However, online deception detection is still an open research area [60, 69], motivating
us to study and develop more sophisticated methods.
DETECTING ANOMALOUS ONLINE REVIEWERS USING UNSUPERVISED LEARNING 1317
Machine learning is the predominant approach to automatically detect manipulation
in reviews and/or other forms of social media communication [77, 95]. The
vast majority of existing approaches are supervised machine-learning methods that
require the training data to be labeled as spam or not spam. Jindal and Liu [35]
detect fake online product reviews using a supervised learning approach to recog-
nize several key features unique to the behavior of review spammers. Following
this, over the last few years, other approaches have been proposed to detect fake
reviews as well as fake reviewers [1, 44, 45, 57].
Ludwig et al. [48] develop a multilevel regression model to detect deception in
e-mails. Benjamin et al. [4] investigate cybercriminal communities to identify
potential long-term and key participants. Lim et al. [45] use abnormalities in ratings
to detect spammers in product reviews using a supervised model and evaluate their
approach on reviews taken from amazon.com. Mukherjee et al. [57] develop
a Bayesian inference framework using similar features to Jindal et al. [36], but
unlike Jindal et al. they use unsupervised learning. Wang et al. [87] propose an
approach to detect review spammers based on graphs constructed from reviews. Xie
et al. [89] propose an approach where they discover temporal pattern distortions to
detect spammers. Fei et al. [19] develop an approach to detect spammers who
operate in bursts. Specifically, they model the interdependencies between reviewers
as a graph and use supervised graph propagation methods to label spammers. Li
et al. [44] create a dataset that includes reviews for different products/services such
as hotels, restaurants, and healthcare, and they build a classification framework
using a Sparse Additive Generative Model. Abnormal network footprints are used
by Ye and Akoglu [91] to uncover coordinated groups of online review spammers.
Similarly, Mukherjee et al. [58] and Xu and Zhang [90] develop methods to detect
spammer groups, namely spammers who collude with each other. More recently, Ye
et al. [92] use temporal analysis to signal opinion spam. Specifically, they model
reviews as time series data and detect deviations in this model as potential signals
of opinion spammers.
The problem of opinion spam and related topics has also been studied by the
Natural Language Processing community. Several methods have been proposed that
use linguistics to detect fake/manipulative reviews. Ott et al. [62, 63] develop
a supervised learning model using linguistic features that detected deception in
reviews. Banerjee and Chua [3] conduct a linguistic analysis to identify key features
and use Logistic Regression to build a supervised classifier. Similarly, Newman
et al. [61] look into possible linguistic cues to identify deception in language. Hu
et al. [31] develop a statistical method to examine the review text and style to
determine if online products are subject to review manipulation. Zhou et al. [97]
build a model to detect deception in online communication using statistical lan-
guage models that take advantage of dependencies between words. Feng et al. [20]
analyze deep syntactic structure in sentences to infer deception in reviews. They
evaluate their approach on several benchmarks including tripadvisor.com and yelp.
com reviews.
Our work builds upon previous studies that have tried to analyze reviewing
behavior with standard probability distributions. For instance, Hu et al. [32] analyze
review ratings from Amazon and showed that typically all product ratings had
a J-shaped or bimodal distribution. Similar results have been observed in earlier
work [10, 16] that shows asymmetry and skewness as typical characteristics of
reviews in general. Dalvi et al. [15] analyze ratings in three distinct domains,
namely products, movies, and restaurants, and they conclude that selection bias
contributes to heavily skewed rating distributions in these domains. Unlike previous
studies that focus mainly on analyzing distributional characteristics for rating
scores, our work more generally analyzes distributions for varied and complex
features of reviewer behavior.
Also, when we consider the general area of anomaly detection, several probabilistic
models have been proposed (e.g., Chandola et al. [9]). In the context of anomaly
detection specific to online reviews, there have been prior approaches that use
probabilistic methods or models to detect spammers. Notably, Jindal et al. [36] define
the problem as computing a measure of unexpectedness of rules regarding reviewer
behavior. Mukherjee et al. [57] take a Bayesian approach and develop an unsuper-
vised model for anomaly detection. Akoglu et al. [1] model the network structure
between products and reviewers as a probabilistic graphical model, and use belief
propagation [93] to label spammers. Rayana and Akoglu [70] extend this approach
with SpEagle, where they examine behavioral features using meta-data and language
as priors in the graphical model.
We have further reviewed the prior Information Systems (IS) literature to identify
studies that use unsupervised learning approaches in general and for anomalous
users’ detection in particular. There are numerous studies that have used unsuper-
vised learning techniques in general. A few notable ones include Zheng et al. [96],
Bockstedt and Goh [7], Visa et al. [85], Churilov et al. [12], Guo et al. [26], and
Ivanova and Scholz [34]. Zheng et al. [96] use a semi-supervised ensemble learning
embedded with independent component analysis to identify highly influential
reviewers. Bockstedt and Goh [7] use unsupervised learning techniques to identify
common seller strategies for the use of discretionary auction attributes. Churilov
et al. [12] use undirected knowledge discovery (unsupervised learning methods) to
group the patients. Guo et al. [26] explore unsupervised deep learning for perso-
nalized point-of-interest recommendation. Visa et al. [85] use an unsupervised learning
method in content-based information retrieval.
Based on further investigation, we have observed that IS literature for detecting
anomalous users using unsupervised learning techniques is limited in nature. To the
best of our knowledge, there are only a few studies in the IS domain that have used
unsupervised learning techniques to detect anomalous reviewers or reviews in
particular. For example, Ivanova and Scholz [34] develop an unsupervised learning
approach to dynamically aggregate online ratings. We believe that our approach is
the first one to consider the heterogeneity of distributions that characterize reviewer
behavior in an unsupervised manner. In particular, we propose a generic method to
unify these heterogeneous distributions (both univariate as well as multivariate) and
use unsupervised learning methods in a principled manner, to yield a unified
anomaly detection model.
We use the dataset of restaurant reviews taken from Yelp.com shared by Rayana and
Akoglu that was previously used in their study on opinion spam [70]. This dataset
contains a subset of the information in Yelp reviews. Specifically, it contains the rating
scores, the review text, the date when the review was posted, the user (anonymized)
who posted the review, and the restaurant for which the review was posted.
A high-level description of the attributes of this dataset is shown in Table 1. The
number of spammers indicated in Table 1 is based on the label provided by Yelp.
com’s proprietary filtering algorithm. Plotting the histogram for the rating scores in
this dataset yields the unimodal skewed (left) distribution as shown in Figure 1.
Based on the distribution analysis of filtered reviews per year (please refer to
Online Supplemental Appendix A for details), we observe that the filtered reviews
are on the rise every year, which confirms that the presence of anomalous reviews
and reviewers on the social media platform is a serious issue.
In this section, we describe our main contribution, that is, a fully unsupervised method
for detecting fake reviewers using a hierarchical approach. Specifically, we first
consider several features that are commonly used indicators of reviewer behavior
[35, 45] and empirically derive univariate distributions that can best generalize these
features. Prior literature has mainly focused on using features to detect online spam-
mers. These approaches do not fully exploit univariate and multivariate distributions
associated with reviewers (and reviews) when detecting anomalies. Our model con-
tributes to the literature by deriving distributions for key features and combining these
distributions into a finite mixture model. Next, we model the joint distribution between
users and restaurants as a Dirichlet-multinomial distribution. A Dirichlet-multinomial
distribution is a compound distribution where the compounding is a Polya urn scheme,
which in our case models the process where positive (negative) reviews about
a restaurant generate more positive (negative) reviews from users. Finally, we combine
the heterogeneous distributions by stacking them together to obtain an overall model
representing reviewer behavior, and we use this model to detect anomalous reviewers.

Table 1. Data Description

Variable                   Value
Number of Users            260277
Number of Restaurants      5044
Range of Summary Ratings   1-5
Range of Dates             7/17/10 – 11/16/14
Number of Spammers         62228

Our underlying assumption is that even though fake reviewers may look genuine when
we analyze them with respect to a single distribution, since a fake reviewer’s end goal
is to bias opinions falsely, such users will show up as anomalies when we view their
behavior across multiple distributions. For instance, a user who assigns a 1-star rating
to a restaurant that most other users have also rated as poor seems like a genuine user if
we model that restaurant’s review pattern. However, if the same user repeatedly
underrates every restaurant he/she reviews, then it might signal that the user is an
anomaly using a model of a user’s review pattern.
In the remainder of this section, we first derive distributions for univariate
reviewer features. Then, we model joint dependencies between reviewers and
restaurants using a Dirichlet-multinomial distribution, and finally stack all the
distributions using a mixture model.
Modeling Univariate Features
Several features have been proposed in previous approaches for identifying opinion
spammers [19, 35, 43, 45, 57, 59, 70]. Here, we do not develop new features, but
instead, for statistics related to existing features, we empirically derive the best
fitting distribution family for that statistic.
Figure 1. Histogram of Review Ratings in our Dataset
Specifically, given data $D$ corresponding to a feature $f$, the task is to find
a distribution family that best fits D. For this, we fit a set of standard distribution
families, P, by maximizing the likelihood of each distribution in P over D.
However, in practice, it has been observed that several statistics related to reviews
have highly skewed distributions [35]. To handle such cases, we use a data trans-
formation technique that is often used to obtain a better fitting model for distribu-
tions with extreme-skewness. Specifically, we employ two well-known
transformations, the log-log and the log-linear transform. In the log-log transform,
we transform the values of the features in each instance of D to their log values, and
in the log-linear transform, we only transform the feature’s value to its log value.
Following Kumar et al. [37], we apply log transformation because in many cases
(as we see in our experiments), the data is highly skewed and regular distributions
do not fit it very well. In such cases, transforming the frequency helps us ensure
a better fit, since in general a linear fit would be more preferable to a nonlinear fit
(since it has a simpler form) when it comes to generalization performance [37].
We then fit a Normal error regression model on the transformed data.
Specifically, given the transformed data $D' = \{(X_i, Y_i)\}_{i=1}^{M}$, we assume that
$$Y_i = \beta_0 + \beta_1 X_i + \varepsilon_i, \qquad \varepsilon_i \sim N(0, \sigma^2),$$
and each error term is uncorrelated with all the other error terms. The distribution
associated with the feature variable is given by $Y_i \sim N(\beta_0 + \beta_1 X_i, \sigma^2)$.
We compute the parameters for the model, $\beta_0$ and $\beta_1$, using maximum-likelihood
estimation. To obtain the distribution family for $f$, we compare the likelihood scores
for each of the standard distribution families in $P$ and the Normal error regression
models (with parameters $\beta_0$, $\beta_1$) using the log-log and the log-linear transformed
data. We choose the model that has the highest likelihood score as the distribution
family that best generalizes $f$.
Next, we describe the feature statistics that we used and the type of distribution
family that we choose for each feature. For the set, P, we use a large set of standard
distributions such as lognormal, beta, exponential, weibull, gamma, and so forth.
Several of these distribution families can fit skewed distributions and J-shaped
distributions, both of which are commonly encountered when analyzing review data
[15, 32]. For readability in the subsequent figures, we only show the distribution for
which we obtained the best likelihood score and also scale the feature values to
a common range. Please note that we are approximating discrete frequency mea-
sures (that are observed in the data) with a continuous distribution. Therefore, the
y-axis in the figures is a probability measure that fits the observed data based on the
approximation with the continuous distribution. Of course, one could argue that we
can simply use the discrete frequency measures (observed in the training data) and
apply “nearest-neighbor” type of methods to approximate the frequencies in the test
data. However, to reduce over-fitting, following Kumar et al. [37], we are general-
izing the discrete measures with a continuous approximation based on standard
distributions or transforms.
Review Count
The number of reviews posted by a user is a useful feature to distinguish between
a genuine and fake user. Specifically, paid reviewers may write many more or very few
reviews compared to a regular user to avoid detection. Therefore, we derive the
distribution of the number of reviews written by a user. The best fit for this distribution
was the regression model with log-log transformed data. This is shown in Figure 2.
Review Gap
The gap between messages is a useful statistic to distinguish between users who
post messages in bursts as opposed to users who have a more uniform interval
between messages. Fake reviewers in some cases may show the former tendency
since genuine users typically write reviews when they visit restaurants, an activity
that does not usually occur in bursts and is more uniform. The gap between the two
successive reviews written by the same user is represented as follows:
$$RG_i = R_{i,j} - R_{i,j-1},$$
where $RG_i$ corresponds to the review gap for the $i$-th user, $R_{i,j}$ corresponds to the
timestamp of the $j$-th review for user $i$, and $R_{i,j-1}$ corresponds to the timestamp of
the $(j-1)$-th review for user $i$.
We consider the average and standard deviation statistics of review gaps for
a user. For the average statistic, the log-log transformed fit is the best fitting
distribution as shown in Figure 3a. For the standard deviation, the best fitting
distribution is again the regression model with a log-log transformation as shown
in Figure 3b.
Figure 2. Distribution for Review Count
Rating Entropy
The genuine reviewer tends to write more balanced reviews, that is, equally critical
or noncritical in nature. Therefore, the reviews may be distributed evenly across
different ratings. By contrast, fake reviewers typically post uniform (extreme)
reviews since their goal is either to artificially improve a restaurant’s quality rating
or wrongly damage competitors. Therefore, their reviews tend to have smaller
entropy. To assess randomness of the reviews, the entropy of the rating scores is
computed as follows:
$$EN_i = -\sum_{j=1}^{N} p_{i,j} \log p_{i,j},$$
where $EN_i$ is the entropy of a given user's ratings, $p_{i,j}$ is the probability of user
$i$ assigning a rating score $j$, and $N$ is the number of rating scores that can be given
by a user. For the entropy distribution, the best fit is obtained using the lognormal
distribution as shown in Figure 4.
Figure 3. Distributions for Gaps between Reviews
Rating Deviation
Consider a reviewer whose pattern is to simply assign a low rating to each
restaurant he/she reviews irrespective of the ratings given by others. To detect
such reviewers, how their ratings deviate from the average restaurant ratings must
be calculated. If the number of genuine reviewers is greater than the number of fake
reviewers, it is possible to identify instances where a rating is significantly different
from other reviews. We compute this measure as the absolute difference between
the rating score assigned by a user to a restaurant and the average score received by
the restaurant:
$$RD_i = \left| R_{i,j} - \mu_{H(j)} \right|,$$
where $RD_i$ corresponds to the rating deviation of the $i$-th user, $R_{i,j}$ is the rating score
given by the $i$-th reviewer for the $j$-th review which corresponds to restaurant $H(j)$,
and $\mu_{H(j)}$ is the mean rating for this restaurant. The distributions associated with the
rating deviation of users are shown in Figure 5. For the average and standard
deviation of this feature, the best fit is obtained using the lognormal distribution
and the beta distribution respectively, as shown in Figures 5a and 5b.
Figure 4. Distribution for Rating Entropy
Figure 5. Distributions for Rating Deviation
Time of Review
Fake reviewers sometimes act very early (first reviews for a restaurant) in order to
extend their influence over other reviews. Thus, if we notice a user who always
reviews restaurants before any other user, then that might signal suspicious
behavior. We model this using the difference (in days) between the time a reviewer
reviews a restaurant and the first review posted for that restaurant. Time of Review
$TR_i$ for the $i$-th user is represented as follows:
$$TR_i = T_{i,j} - D_{H(j)},$$
where $T_{i,j}$ is the timestamp for the $j$-th review written by the $i$-th user, $H(j)$ is the
restaurant corresponding to the $j$-th review, and $D_{H(j)}$ is the timestamp for the initial
review for this restaurant. Figure 6 shows the distribution of the average and
standard deviation of the time deviations across users. The lognormal and the
beta distribution yield the best fit for the average and standard deviation,
respectively.
Rating Scores
Figure 7 shows the distribution of the mean ratings and the standard deviation over
ratings. Fake reviewers may tend to give out more extreme rating scores (e.g. rating
5 or rating 1) to influence other users, which can be captured by this feature. In this
case, the beta distribution is the best fit for both the average and standard deviation
of rating scores across all users.
Text Length
We consider the number of words used in the review since fake reviewers may
write reviews without too much information as opposed to genuine reviewers who
write more detailed reviews. Specifically, we consider unigrams in the review text
and pre-process the text by removing the stop words, performing word stemming
(using Porter-stemmer) and lemmatization. We then count the total number of
unique words after the pre-processing step. Figure 8 shows the distribution of
users with respect to the average and standard deviations over word-counts. The
lognormal and the beta distributions are the best fit distributions for the average and
standard deviation statistics for this feature, respectively.
Figure 6. Distributions for Time Deviation
Table 2 represents the log-likelihood values obtained for each feature of the data
using different distributions. We empirically chose the best fitting distribution for
each feature based on the values obtained. Specifically, we choose the distributions
with the maximum likelihood scores highlighted in bold. Our full list of features
along with their summary statistics is shown in Table 3.
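The per-reviewer statistics defined in this subsection (review count, review gap, rating entropy, rating deviation, time of review, rating scores and text length), computed over a few constructed reviews. This is an added example, not the paper's code; the whitespace tokenizer standing in for stop-word removal and Porter stemming, the natural logarithm in the entropy, and the population standard deviation are its own assumptions.

```python
import math
from collections import defaultdict
from datetime import date

# Constructed sample reviews (not Yelp data): (user, restaurant, rating, date, text)
REVIEWS = [
    ("u1", "r1", 5, date(2012, 3, 1), "great food friendly staff lovely patio"),
    ("u1", "r2", 4, date(2012, 3, 20), "tasty noodles but slow service"),
    ("u1", "r3", 2, date(2012, 5, 2), "cold soup and a noisy room"),
    ("u2", "r1", 5, date(2012, 3, 3), "best ever"),
    ("u2", "r2", 5, date(2012, 3, 3), "best ever"),
    ("u2", "r3", 5, date(2012, 3, 3), "amazing"),
    ("u3", "r1", 1, date(2012, 2, 1), "terrible"),
    ("u3", "r2", 1, date(2012, 4, 1), "terrible place"),
]


def mean_sd(xs):
    """Mean and population standard deviation (assumption: population, not sample)."""
    m = sum(xs) / len(xs)
    return m, math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def rating_entropy(ratings):
    """EN_i = -sum_j p_ij log p_ij over the rating levels the user actually used
    (levels with p_ij = 0 contribute nothing). Natural log is an assumption."""
    n = len(ratings)
    counts = defaultdict(int)
    for r in ratings:
        counts[r] += 1
    return -sum((c / n) * math.log(c / n) for c in counts.values())


def unique_word_count(text):
    """Stand-in for the page's stop-word removal, stemming and lemmatization:
    number of distinct lower-cased whitespace tokens (assumption)."""
    return len(set(text.lower().split()))


def reviewer_features(reviews):
    """Per-user statistics of the 'Modeling Univariate Features' subsection."""
    by_user, by_rest = defaultdict(list), defaultdict(list)
    for rec in reviews:
        by_user[rec[0]].append(rec)
        by_rest[rec[1]].append(rec)
    # mu_H(j): mean rating of each restaurant; D_H(j): date of its first review
    rest_mean = {h: sum(r[2] for r in rs) / len(rs) for h, rs in by_rest.items()}
    rest_first = {h: min(r[3] for r in rs) for h, rs in by_rest.items()}

    feats = {}
    for user, rs in by_user.items():
        rs = sorted(rs, key=lambda r: r[3])
        if len(rs) < 2:          # a review gap needs two reviews (Table 3: min count 2)
            continue
        ratings = [r[2] for r in rs]
        gaps = [(rs[j][3] - rs[j - 1][3]).days for j in range(1, len(rs))]  # RG_i
        rdev = [abs(r[2] - rest_mean[r[1]]) for r in rs]                     # RD_i
        tor = [(r[3] - rest_first[r[1]]).days for r in rs]                   # TR_i
        lens = [unique_word_count(r[4]) for r in rs]
        f = {"review_count": len(rs), "rating_entropy": rating_entropy(ratings)}
        for name, xs in (("review_gap", gaps), ("rating_dev", rdev),
                         ("time_of_review", tor), ("rating_score", ratings),
                         ("text_length", lens)):
            f[name + "_avg"], f[name + "_sd"] = mean_sd(xs)
        feats[user] = f
    return feats


if __name__ == "__main__":
    for user, f in reviewer_features(REVIEWS).items():
        print(user, {k: round(v, 3) for k, v in f.items()})
```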
Modeling Multivariate Features
Using univariate distributions to model individual review features has limitations for
identifying bogus or deceptive reviews. Another factor to be considered is the mutual
dependency between reviewers and restaurants. For example, consider a scenario
where user ratings of a specific restaurant can be biased by the types of reviews the
restaurant has received from other users. Specifically, some positive reviews could
help generate more positive reviews, and some negative reviews could help generate
more negative reviews. To model such interdependencies, we develop a joint model
between reviewers and restaurants using a Dirichlet-multinomial distribution, which
is also known as the multivariate Polya distribution.
Figure 7. Distributions for Rating Scores
Figure 8. Distributions for Text Length
The Dirichlet-multinomial distribution, well known as a conjugate prior for multi-
nomial distributions, is widely used for modeling multivariate count data and has
several applications such as document clustering [17], genomics [29], topic modeling
[54], and so forth. The Dirichlet-multinomial distribution is a compound distribution
where we assume that the observed data is generated from a distribution p, which is
itself drawn from a Dirichlet distribution. The compounding follows a Polya Urn
scheme which is particularly useful to model processes that typically have the
“rich-get-richer” effect [49]. Therefore, this is well suited in our case to model the
interdependency between reviewer ratings and restaurant ratings where initial reviews
typically have an influence on subsequent reviews [65]. Note that the Dirichlet
distribution is one of the components in the mixture model. Thus, our mixture
model can seamlessly integrate different types of distributions (univariate and multi-
variate) into a unified model. We next describe how we learn the Dirichlet-
multinomial distribution from our data.

Table 2. Performance Evaluation of Spammer Feature Distributions (log-likelihood; best score per row marked with *)

Feature               loglog   loglin   norm     lognorm  beta     Rayleigh  weibull-min
Review Count          -7.47*   -9.54    -94.89   -11.62   -28.82   -78.92    -13.18
Review Gap (avg)      -7.51*   -14.62   -97.18   -9.71    -59.65   -76.92    -10.22
Review Gap (sd)       -6.53*   -13.22   -24.67   -7.85    -11.17   -20.29    -7.16
Rating Entropy        -15.59   -13.62   -9.56    -7.15*   -7.78    -7.28     -7.26
Rating Dev (avg)      -16.32   -13.28   -22.38   -10.36*  -11.93   -12.17    -18.29
Rating Dev (sd)       -15.71   -13.26   -11.4    -8.21    -8.05*   -9.96     -9.22
Time of Review (avg)  -15.37   -14.17   -8.12    -7.24*   -7.28    -8.03     -8.47
Time of Review (sd)   -15.38   -13.71   -7.29    -7.21    -5.74*   -7.86     -7.1
Rating Scores (avg)   -15.76   -18.44   -5.78    -5.77    -3.83*   -4.86     -7.02
Rating Scores (sd)    -15.39   -15.15   -6.73    -6.82    -6.43*   -7.82     -6.94
Text Length (avg)     -16.74   -13.27   -35.74   -8.17*   -12.67   -25.6     -10.52
Text Length (sd)      -16.4    -12.95   -23.03   -8.58    -7.91*   -17.92    -8.39
Multivariate Feature  -0.015 (dirichlet distribution)

Table 3. Feature Statistics for Yelp Dataset

Feature                          Mean     Std      Min    Max
Review Count                     4.86     20.59    2      205
Review Gap (Avg)                 163.4    260.4    0      3046
Review Gap (Std)                 69.6     126.5    0      1488
Rating Entropy                   1.20     0.69     0.45   5.25
Rating Deviation (Avg)           0.82     0.44     0      3.34
Rating Deviation (Std)           0.41     0.28     0      1.77
Time from Initial Review (Avg)   1477     661.6    0      3602
Time from Initial Review (Std)   590.50   362.42   0      1798.50
Rating Scores (Avg)              3.60     0.74     1      5
Rating Scores (Std)              0.66     0.50     0      2
Text Length (Avg)                53.59    38.48    0      480
Text Length (Std)                20.85    20.59    0      205

Consider a user $u_i$ (where $i$ is the index for the users) who has rated $m$ restaurants.
We consider the joint distribution between the ratings given by $u_i$ and the types of
restaurants he/she has reviewed. Specifically, this is represented as a sequence of
$2m$ variables, $x_1, \ldots, x_m, y_1, \ldots, y_m$, where $x_1, \ldots, x_m$ are the rating scores given by
$u_i$, and $y_1, \ldots, y_m$ are the average rating scores for each restaurant that the user has
reviewed, respectively. We now define the Polya distribution over $2C$ count variables
for $u_i$, where $C$ is the total number of rating-bins. In our case, we have 5 bins,
corresponding to rating scores $\le 1$, rating scores $>1$ and $\le 2$, rating scores
$>2$ and $\le 3$, rating scores $>3$ and $\le 4$, and rating scores $>4$. Thus, user $u_i$ is
represented by a count vector $\langle n_{i1}, n_{i2}, \ldots, n_{i,2C} \rangle$, where for the first $C$ dimensions
in the vector, $n_{ik}$ corresponds to the number of reviews $u_i$ has written corresponding
to rating-bin $k$, and for the last $C$ dimensions of the vector, $n_{ik}$ corresponds to the
number of restaurants reviewed by $u_i$ with an average rating in rating-bin $k$. For
example, if a user has rated three restaurants with scores 2, 3, and 5, respectively,
and the average ratings for those restaurants are 3.5, 3.25, and 4.4, respectively, the
count vector for this user is given by $\langle 0, 1, 1, 0, 1, 0, 0, 0, 2, 1 \rangle$. Note that
$y$ ($y_1, \ldots, y_m$), for example, represents the average rating scores of restaurants
reviewed by a specific user. More specifically, we have used the scores at the
time the user submits his/her rating, not at the time of data collection. Also, we
have not considered the time of review in this formulation. Given a count vector for
any user, represented generally by $\bar{u}$, the Polya distribution is given by
$$P(\bar{u} \mid \alpha) = \frac{\Gamma\!\left(\sum_k \alpha_k\right)}{\Gamma\!\left(\sum_k n_k + \alpha_k\right)} \prod_k \frac{\Gamma(n_k + \alpha_k)}{\Gamma(\alpha_k)} \qquad (1)$$
where $\alpha = (\alpha_1, \ldots, \alpha_k)$ are called concentration parameters of the Dirichlet distribu-
tion from which the distribution that generated the count vector for user $\bar{u}$ was
drawn.
We now estimate $\alpha$ using $D = \{\bar{d}_i\}_{i=1}^{M}$, where $\bar{d}_i$ is the count vector for user $\bar{u}_i$.
Let $n_{ik}$ be the $k$-th dimension of $\bar{d}_i$. The log-likelihood of $D$ is given by
$$\log P(D \mid \alpha) = \sum_i \log P(\bar{u}_i \mid \alpha)
= \sum_i \left[ \log\Gamma\Big(\sum_k \alpha_k\Big) - \log\Gamma\Big(n_i + \sum_k \alpha_k\Big) + \sum_k \Big( \log\Gamma(n_{ik} + \alpha_k) - \log\Gamma(\alpha_k) \Big) \right] \qquad (2)$$
where $n_i = \sum_k n_{ik}$.
We can now compute the concentration parameters $\alpha$ that maximize the likelihood
function in Equation (2). Since the likelihood function in this case is convex,
we can reach the global optimum through gradient ascent. Specifically, we randomly
initialize parameters $\alpha$ and update them in each iteration using the following update
equation until we converge to a fixed point (see Minka [55] for the derivation):
$$\alpha_k^{t+1} = \alpha_k^t \, \frac{\sum_i \left[ \Psi(n_{ik} + \alpha_k^t) - \Psi(\alpha_k^t) \right]}{\sum_i \left[ \Psi\!\Big(n_i + \sum_k \alpha_k^t\Big) - \Psi\!\Big(\sum_k \alpha_k^t\Big) \right]} \qquad (3)$$
where $\Psi$ is the digamma function and $\alpha_k^t$ is the value of parameter $\alpha_k$ in
iteration $t$. In our experiments, we initialized $\alpha_k^0$ using the moment matching
estimate method [55].
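Equations (1) to (3) carried out on constructed count vectors, as an added example that is not the paper's code: the rating bins and $2C$-dimensional count vectors defined above, the Polya log-likelihood, and the fixed-point update of Minka [55]. The digamma routine, the uniform initialization of $\alpha$ (the paper initializes by moment matching) and the small floor that keeps a count-free bin away from zero are this example's own choices.

```python
import math

C = 5  # number of rating bins: <=1, (1,2], (2,3], (3,4], >4


def rating_bin(score):
    """Index 0..C-1 of the bin a rating (or a restaurant's average) falls in."""
    return min(max(math.ceil(score) - 1, 0), C - 1)


def count_vector(user_ratings, restaurant_avgs):
    """2C-dimensional vector: the first C entries count the user's own ratings per
    bin, the last C the average ratings of the restaurants the user reviewed."""
    n = [0] * (2 * C)
    for r in user_ratings:
        n[rating_bin(r)] += 1
    for a in restaurant_avgs:
        n[C + rating_bin(a)] += 1
    return n


def digamma(x):
    """Psi(x) for x > 0: recurrence up to x >= 6, then the asymptotic series
    (this example's own implementation, accurate to about 1e-10)."""
    if x <= 0:
        raise ValueError("digamma needs x > 0")
    acc = 0.0
    while x < 6.0:
        acc -= 1.0 / x
        x += 1.0
    inv, inv2 = 1.0 / x, 1.0 / (x * x)
    series = inv2 * (1.0 / 12 - inv2 * (1.0 / 120 - inv2 * (1.0 / 252 - inv2 / 240)))
    return acc + math.log(x) - 0.5 * inv - series


def polya_loglik(n, alpha):
    """log P(n | alpha), equation (1), via log-gamma to avoid overflow."""
    a_sum, n_sum = sum(alpha), sum(n)
    ll = math.lgamma(a_sum) - math.lgamma(n_sum + a_sum)
    for nk, ak in zip(n, alpha):
        ll += math.lgamma(nk + ak) - math.lgamma(ak)
    return ll


def data_loglik(counts, alpha):
    """log P(D | alpha), equation (2): sum over the users' count vectors."""
    return sum(polya_loglik(n, alpha) for n in counts)


def minka_update(counts, alpha, floor=1e-6):
    """One fixed-point step, equation (3). A bin with no counts in any user would
    be driven to exactly 0, so the result is floored (example's own choice)."""
    a_sum = sum(alpha)
    denom = sum(digamma(sum(n) + a_sum) - digamma(a_sum) for n in counts)
    new = []
    for k, ak in enumerate(alpha):
        num = sum(digamma(n[k] + ak) - digamma(ak) for n in counts)
        new.append(max(ak * num / denom, floor))
    return new


def fit_alpha(counts, iters=500, tol=1e-9):
    """Iterate equation (3) from alpha = 1 until the change is below tol."""
    alpha = [1.0] * len(counts[0])
    for _ in range(iters):
        new = minka_update(counts, alpha)
        done = max(abs(a - b) for a, b in zip(new, alpha)) < tol
        alpha = new
        if done:
            break
    return alpha


# Constructed count vectors; the first one is the page's worked example
SAMPLE_COUNTS = [
    count_vector([2, 3, 5], [3.5, 3.25, 4.4]),
    count_vector([5, 5, 5], [4.2, 4.6, 3.9]),
    count_vector([1, 1, 2], [3.8, 4.1, 1.0]),
    count_vector([4, 3, 4, 2], [3.7, 3.1, 4.3, 2.9]),
    count_vector([1, 2, 3], [1.5, 1.9, 2.4]),
]

if __name__ == "__main__":
    alpha = fit_alpha(SAMPLE_COUNTS)
    print("alpha:", [round(a, 3) for a in alpha])
    for n in SAMPLE_COUNTS:
        print(n, round(polya_loglik(n, alpha), 3))
```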
Mixture Model
Each of the distributions specified in the previous two subsections models
a specific univariate/multivariate feature. We now combine these distributions
into a unified model that intuitively provides a more “global” view of reviewer
behavior. Combining models into a more powerful ensemble model is a well-
known supervised machine-learning method used in algorithms such as
Bagging [8] and Boosting [24]. In both these approaches, the idea is to train
a classification algorithm on sampled portions of the training data to yield
multiple models and finally average all the models to reduce variance and/or
bias in the overall classifier. Along similar lines, Wolpert proposes a method
called stacking [88] that can be used to combine heterogeneous classifiers into
a unified classifier. Furthermore, Smyth and Wolpert [78, 79] extend the
stacking approach to probability density estimation by combining heteroge-
neous probability distributions together. Here, based on this approach, we
learn a finite mixture model, where the individual components of the mixture
model are the probability distributions corresponding to the univariate/multi-
variate features, which we refer to as base distributions. The main idea in
learning the mixture model is to first compute the cross-validated likelihood
scores for each training instance w.r.t each base distribution, and then estimate
the coefficients of the mixture model to maximize the combined likelihood.
Formally, let $P_1, \ldots, P_K$ be the base distributions for our model. Our stacked model is a $K$-component mixture model $\{\phi_1, \ldots, \phi_K; P_1, \ldots, P_K\}$, where $\phi_1, \ldots, \phi_K$ are the mixture coefficients. The mixture coefficient $\phi_j$ represents the probability that a randomly chosen reviewer from the data was generated from the $j$-th component of the mixture model. Thus, the mixture coefficients specify a distribution, i.e., $\sum_k \phi_k = 1$. For computing the test likelihood for each instance, we divide the set of users $D$ into $N$ roughly equal folds. We learn the parameters for each base distribution from $N-1$ folds and compute the probability density values for all the instances in the remaining fold from the learned base distributions. Note that for each base distribution, we assume that the distribution family is always fixed as given in the previous section. We only re-compute the parameters of each distribution from the $N-1$ folds. Thus, we have an $M \times K$ matrix whose $(i, j)$-th entry is equal to $P_j(\bar{u}_i)$, the out-of-sample likelihood of $\bar{u}_i$ with respect to the $j$-th base distribution. That is, the likelihood is computed from a distribution whose parameters are learned from training data that does not include $\bar{u}_i$.
We now search for the values of the mixture coefficients that maximize the overall out-of-sample log-likelihood. Specifically, the optimization problem is
$$\max_{\phi_1, \ldots, \phi_K} \sum_{i=1}^{M} \log \sum_{j=1}^{K} \phi_j P_j(\bar{u}_i). \qquad (4)$$
It is difficult to obtain a closed-form optimal solution for this optimization problem. Therefore, we use the EM (Expectation-Maximization) approach to optimize Equation (4). Specifically, let $W$ be an $M \times K$ matrix of weights that determine the relative importance of each mixture component. The $(i, j)$-th entry of $W$ represents the weight for the $i$-th user being generated by the $j$-th mixture component, and is given by
$$w_{ij} = \frac{\phi_j P_j(\bar{u}_i)}{\sum_{k=1}^{K} \phi_k P_k(\bar{u}_i)}. \qquad (5)$$
We start by initializing the mixture coefficients to random initial values, $\phi_1^{(0)}, \ldots, \phi_K^{(0)}$. In each subsequent step, we re-compute each mixture coefficient as
$$\phi_k^{(t+1)} = \frac{1}{M} \sum_{i=1}^{M} w_{ik}. \qquad (6)$$
Note that in the typical use of EM algorithms for learning mixture models, such as the Gaussian Mixture Model, in each step the parameters of the mixture components (namely the Gaussian distributions) are re-estimated based on the updated mixture coefficients. However, in the stacking approach, we fix the parameters of the mixture components and only re-estimate the mixture coefficients in each step. We terminate the algorithm once the coefficients converge to a fixed point. In our experiments, we use the stopping criterion $\max_i \big| \phi_i^{(t)} - \phi_i^{(t-1)} \big| \le 0.0001$. To guard against local optima, we run the learning algorithm from several initial random points and average the converged coefficient values across these runs.
Finally, we use all of the training data to re-estimate the parameters for each base distribution. Our final mixture distribution weighs each base distribution (with the re-learned parameters) by the learned mixture coefficients and is given by
$$P(\bar{u}) = \sum_{j=1}^{K} \phi_j P_j(\bar{u}). \qquad (7)$$
Algorithm 1 summarizes our two-stage method for learning the mixture model.
As shown here, in the first stage, we learn the parameters for the distributions
corresponding to each feature. We then compute the weight matrix using the out-of-
sample likelihood values for each user with respect to each of the learned distribu-
tions. Next, we compute the mixture coefficients that maximize the likelihood of
the mixture model that combines the distributions. An anomalous user is likely to
have a smaller probability with respect to the mixture distribution in Equation (7) as
compared to a nonanomalous user.
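The two-stage procedure of Algorithm 1 and Equations (4) to (7), as an added example in Python; this is example code, not the authors' implementation. It assumes three made-up discrete per-reviewer features (reviews per active day, star rating, days between consecutive reviews) with Poisson, categorical and geometric base distributions, and it constructs its own data, injecting anomalies the way the Datasets section below describes (each feature of an anomalous user is natural with probability 0.25, otherwise uniform). The names `FAMILIES`, `out_of_sample_loglik`, `em_mixture_weights`, `fit_stacked_model`, `log_score` and `make_users` are this example's own; a multivariate Dirichlet-multinomial component would plug in as one more (fit, logp) pair.

```python
"""Added example, not the authors' code: the stacked mixture of Algorithm 1 and
Eqs. (4)-(7) over three assumed, made-up discrete reviewer features (reviews per
active day ~ Poisson, star rating ~ categorical on 1..5, days between reviews
~ geometric), with Eskin-style anomalies injected for the demo."""
import math
import random

# Base distributions as (fit(values) -> params, logp(x, params)) pairs.
def fit_poisson(xs): return max(sum(xs) / len(xs), 1e-6)
def logp_poisson(x, lam): return x * math.log(lam) - lam - math.lgamma(x + 1)
def fit_categorical(xs):  # add-one smoothing keeps every rating's pmf > 0
    counts = [1 + xs.count(r) for r in range(1, 6)]
    return [c / sum(counts) for c in counts]
def logp_categorical(x, probs): return math.log(probs[x - 1])
def fit_geometric(xs): return 1.0 / (1.0 + sum(xs) / len(xs))  # P(x) = p(1-p)^x
def logp_geometric(x, p): return math.log(p) + x * math.log1p(-p)
FAMILIES = [(fit_poisson, logp_poisson), (fit_categorical, logp_categorical),
            (fit_geometric, logp_geometric)]

def logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def out_of_sample_loglik(users, families=FAMILIES, n_folds=5, seed=0):
    """Stage one of Algorithm 1: score every user with base distributions fitted
    on the other folds. Returns the M x K matrix of log P_j(u_i)."""
    order = list(range(len(users)))
    random.Random(seed).shuffle(order)
    fold_of = {idx: pos % n_folds for pos, idx in enumerate(order)}
    L = [None] * len(users)
    for f in range(n_folds):
        train = [u for i, u in enumerate(users) if fold_of[i] != f]
        params = [fit([u[j] for u in train]) for j, (fit, _) in enumerate(families)]
        for i, u in enumerate(users):
            if fold_of[i] == f:
                L[i] = [logp(u[j], params[j]) for j, (_, logp) in enumerate(families)]
    return L

def em_mixture_weights(L, n_restarts=3, tol=1e-4, max_iter=1000, seed=1):
    """Stage two: EM on Eqs. (5)-(6) with the base distributions frozen, so only
    the coefficients phi move; the converged restarts are averaged."""
    rng = random.Random(seed)
    M, K, runs = len(L), len(L[0]), []
    for _ in range(n_restarts):
        raw = [rng.random() for _ in range(K)]
        phi = [r / sum(raw) for r in raw]
        for _ in range(max_iter):
            acc = [0.0] * K
            for row in L:  # E-step, Eq. (5), in log space for safety
                logs = [math.log(max(phi[j], 1e-300)) + row[j] for j in range(K)]
                z = logsumexp(logs)
                for j in range(K):
                    acc[j] += math.exp(logs[j] - z)
            new_phi = [a / M for a in acc]  # M-step, Eq. (6)
            step = max(abs(a - b) for a, b in zip(phi, new_phi))
            phi = new_phi
            if step <= tol:
                break
        runs.append(phi)
    return [sum(r[j] for r in runs) / n_restarts for j in range(K)]

def fit_stacked_model(users, families=FAMILIES):
    """Both stages, then every base distribution is refitted on all users."""
    phi = em_mixture_weights(out_of_sample_loglik(users, families))
    params = [fit([u[j] for u in users]) for j, (fit, _) in enumerate(families)]
    return phi, params

def log_score(user, phi, params, families=FAMILIES):
    """Eq. (7) as log P(u): the lower it is, the more anomalous the reviewer."""
    return logsumexp([math.log(max(phi[j], 1e-300)) + logp(user[j], params[j])
                      for j, (_, logp) in enumerate(families)])

# Constructed data (not from the paper): natural users plus Eskin-style anomalies.
def poisson_draw(lam, rng):
    k, p, bound = 0, rng.random(), math.exp(-lam)
    while p > bound:
        k, p = k + 1, p * rng.random()
    return k

def make_users(n_normal, n_anomalous, alpha=0.25, seed=3):
    """Each feature of an anomalous user is natural w.p. alpha, else uniform."""
    rng = random.Random(seed)
    natural = lambda: [poisson_draw(2.0, rng),
                       rng.choices(range(1, 6), [5, 5, 15, 35, 40])[0],
                       int(math.log(1 - rng.random()) / math.log(1 - 1 / 11))]
    uniform = lambda: [rng.randint(0, 30), rng.randint(1, 5), rng.randint(0, 365)]
    users = [natural() for _ in range(n_normal)]
    for _ in range(n_anomalous):
        nat, uni = natural(), uniform()
        users.append([nat[j] if rng.random() < alpha else uni[j] for j in range(3)])
    return users, [0] * n_normal + [1] * n_anomalous

def demo():
    users, labels = make_users(1000, 100)
    phi, params = fit_stacked_model(users)
    scores = [log_score(u, phi, params) for u in users]
    mean = lambda xs: sum(xs) / len(xs)
    return (phi, mean([s for s, y in zip(scores, labels) if y == 0]),
            mean([s for s, y in zip(scores, labels) if y == 1]))
```

Two caveats before reusing this on real features. With the base distributions frozen, the objective in Equation (4) is a sum of logarithms of functions that are linear in $\phi$, hence concave, so the random restarts guard against slow convergence rather than genuinely different optima. And the mixture is an OR over features: one feature with a high density is enough for a high score, and features whose densities live on a smaller scale (for example continuous features measured in wide units) receive small coefficients. That is precisely what separates STK from the uniform-weight baseline, and it is worth inspecting the learned $\phi$ before trusting the ranking.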
To evaluate the performance of our stacked model in anomaly detection, we
develop the following four unsupervised anomaly detection systems and use them
as baselines in our experiments.
1. Gaussian Mixture Models based anomaly detection: Here, we model the joint
distribution over users by a finite mixture of multivariate Gaussian distribu-
tions. This approach is similar to the general anomaly detection approach
proposed in Song et al. [80]. This baseline model constitutes the case where
we do not consider the natural distribution shapes of individual features when
modeling the overall joint distribution. In other words, we assume that the
joint distribution over reviewers can be modeled as a mixture of Gaussians. To
learn this model, we use the EM algorithm for Gaussian mixtures.
Algorithm 1: Mixture Model Learning
Input: the dataset D of users and a set of distribution types D_1 ... D_K, where each D_j is the distribution family of one univariate/multivariate feature
Output: Mixture distribution P(u)
// Learn the base distributions and the out-of-sample likelihoods
1  Divide D into 5 folds
2  for each fold F do
3      Estimate the parameters of D_1 ... D_K using the remaining 4 folds
4      P_1 ... P_K = the estimated distributions for the features
5      for each user u_i in F do
6          Compute P_1(u_i) ... P_K(u_i)
// Learn the mixture coefficients
7  Initialize the coefficients ϕ_1 ... ϕ_K randomly
8  while ϕ_1 ... ϕ_K have not converged do
9      Compute w_ij for all i and 1 <= j <= K using Eq. (5)
10     Update ϕ_1 ... ϕ_K using Eq. (6)
11 Re-estimate the parameters of D_1 ... D_K on all of D, giving the final P_1 ... P_K
12 Return P(u) = Σ_{j=1}^{K} ϕ_j P_j(u)
2. Nonparametric Gaussian Mixture Models based anomaly detection: This model
is similar to GMM except that we do not fix the number of mixture components
a priori. We learn the optimal number of mixture components using a Bayesian
approach. That is, we assume that the components are generated from
a Dirichlet process-distributed distribution. Thus, this baseline is a fully non-
parametric approach for anomaly detection. We use the EM algorithm for finite
Gaussian mixtures to learn the parameters of this model.
3. One-Class SVM based anomaly detection: One-Class SVMs are a state-
of-the-art approach for outlier detection [75, 76]. Unlike traditional
SVMs which are used for classification, in One-Class SVMs all the
examples in the training data are considered as belonging to a single
(positive) class. Thus, the SVM model is only learned over one class
and examples that are classified as out-of-class are considered outliers.
During training, a tunable parameter bounds the number of data points
in data that are to be regarded as outliers (or out-of-class examples).
Similar to standard SVMs, several different kernels, such as the linear
kernel, Radial Basis Function (RBF) kernel, or the sigmoid kernel, can
be used within One-Class SVMs. One-Class SVMs have been used for
anomaly detection in various studies [2, 27, 81]. We construct features
for our One-Class SVM based anomaly detector as follows. We use all
the univariate features that we use in the stacking-based model, but we
use their raw values instead of converting them to their probability
values. For the multivariate feature, we use the raw counts to learn
the Dirichlet-multinomial. We standardize all the feature values by
subtracting the mean and dividing by the standard deviation of the
feature. This baseline models the case where we do not
explicitly consider the probability distributions that generate the feature
values for anomaly detection.
4. Uniform Stacking based anomaly detection: In this model, similar to our
stacking model, we combine the learned base distributions into a mixture
model. However, we do not learn the mixture component weights, as in the
stacked model. Instead, we weigh each component equally. That is, given individual distributions $P_1, \ldots, P_K$, we combine them into a single mixture distribution as
$$P(\bar{u}) = \sum_{j=1}^{K} \frac{1}{K} P_j(\bar{u}).$$
Using this baseline, we wish to evaluate the case where we consider the
underlying distributional characteristics of each feature, but we simply give
each base distribution equal importance in the overall mixture model.
Datasets
We use two datasets in our experiments. The first is a synthetic dataset into which we inject anomalies, and the second is the real-world Yelp.com dataset described in the earlier section. We generate the synthetic dataset as follows. The nonanomalous instances are generated by sampling each feature from its corresponding distribution (derived in the earlier section). For the anomalous instances, we follow the sampling strategy of Eskin [18]: for each feature, with probability $\alpha$ the feature value is sampled from its corresponding distribution, and with probability $1-\alpha$ it is sampled from a uniform distribution, since we do not know a priori the distribution of the anomalous features. Thus, in an anomalous instance some features may look anomalous with respect to the feature's natural distribution while others look nonanomalous. Following past studies, we set $\alpha = 0.25$ in our experiments (this $\alpha$ is the mixing probability and is unrelated to the Dirichlet concentration parameters above). We generate 10,000 nonanomalous users and vary the percentage of anomalous users in the dataset in our experiments.
Evaluation Setup
Evaluating the performance of our system is a challenging problem by itself. The main
issue is the lack of annotated or gold standard data since labeling the data is quite
challenging. To get around this problem, some earlier studies have used crowdsourcing
to write known deceptive reviews. For instance, in Ott et al. [62, 63], the authors used
Amazon Mechanical Turk to have paid reviewers write false reviews for TripAdvisor,
thus creating a labeled dataset with known anomalies. For the Yelp dataset that we
used, it turns out that yelp.com generates its own classification of spam, also called
“filtered reviews,” which are available to us as labels of anomalies. Unfortunately, the
method used by yelp.com for their classification is proprietary. Therefore, it is quite
hard to verify what these labels signify and to determine what anomalous behaviors of
spammers are considered in Yelp’s classification. However, Mukherjee et al. [59]
empirically studied the Yelp filtering algorithm in detail and were quite positive in
their analysis regarding the performance of the filtering system in identifying opinion
spammers. Therefore, even though it is not an ideal gold standard, for the purpose of
our evaluation, we choose to use Yelp’s labels to signal anomalies in our dataset.
Specifically, we label a reviewer as anomalous if he/she has even one review that has
been filtered out by Yelp’s filtering algorithm. This assumption is similar to the
assumptions made in previous work [70] and is consistent with our observations in
the dataset. Specifically, in our Yelp dataset, 62,228 reviewers have written at least one
filtered review, and out of these reviewers, 60,107 of them have all their reviews
marked as filtered reviews.
In our evaluation, we use standard metrics for comparing performance. For
comparing accuracy, we use the ROC-AUC (area under the ROC curve) scores.
For measuring relevance, we use precision@K, a measure commonly used to evaluate information retrieval systems [50], where relevant results at the top of the ranking matter far more than relevant results returned further down. In our case, precision@K is the fraction of spammers among the first K users ranked by the anomaly detector. Thus, a more effective anomaly detection method will place more anomalous reviewers at the top of its ranking.
Finally, to evaluate how well a model fits the data, we use its test log-likelihood
score. Specifically, we run k-fold cross validation and we learn the parameters of
the model on the training folds and compute log-likelihood of the data in the test
fold using the learned parameters. We repeat this process for all k folds and report
the average log-likelihood over the folds.
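The two ranking metrics of this evaluation, as an added example (not the paper's code): ROC-AUC in its rank-sum form with explicit tie handling, the ROC curve points, and precision@K. It assumes the convention that a higher score means more anomalous, so a mixture log-probability from Equation (7) is negated before ranking; `demo()` runs the metrics on constructed scores and labels, and all function names are this example's own.

```python
"""Added example, not the paper's code: the two ranking metrics used in the
evaluation, ROC-AUC and precision@K, plus the ROC curve itself, written out so
the tie-handling is explicit. Convention assumed here: a higher score means
more anomalous, so a mixture log-probability from Eq. (7) is negated first."""


def ranked(scores):
    """Indices in decreasing score order; ties keep input order (stable sort)."""
    return sorted(range(len(scores)), key=lambda i: -scores[i])


def precision_at_k(scores, labels, k):
    """Fraction of labelled anomalies among the k highest-scoring users."""
    return sum(labels[i] for i in ranked(scores)[:k]) / k


def roc_auc(scores, labels):
    """Rank-sum (Mann-Whitney) AUC in O(M log M): the probability that a random
    anomaly outscores a random normal user, with tied scores counting one half."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks = [0.0] * len(scores)
    i = 0
    while i < len(order):                      # assign average ranks to ties
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1  # 1-based average rank
        i = j + 1
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    if n_pos == 0 or n_neg == 0:
        raise ValueError("ROC-AUC needs both anomalous and normal users")
    rank_sum = sum(r for r, y in zip(ranks, labels) if y == 1)
    return (rank_sum - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


def roc_curve(scores, labels):
    """(FPR, TPR) points from sweeping the threshold down the ranking; a point
    is emitted only after a whole run of tied scores, so ties form a diagonal."""
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    order = ranked(scores)
    points, tp, fp = [(0.0, 0.0)], 0, 0
    for pos, i in enumerate(order):
        tp += labels[i]
        fp += 1 - labels[i]
        if pos + 1 == len(order) or scores[order[pos + 1]] != scores[i]:
            points.append((fp / n_neg, tp / n_pos))
    return points


def trapezoid_area(points):
    """Area under a piecewise-linear curve; equals roc_auc() for roc_curve()."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def demo():
    """Constructed mixture log-probabilities for eight users with Yelp-style
    filtered/not-filtered labels (1 = at least one filtered review)."""
    log_p = [-1.2, -0.9, -7.5, -1.1, -4.8, -1.0, -6.1, -1.3]
    labels = [0, 0, 1, 0, 1, 0, 1, 0]
    scores = [-lp for lp in log_p]             # higher = more anomalous
    return roc_auc(scores, labels), precision_at_k(scores, labels, 3)


if __name__ == "__main__":
    print(demo())
```

The rank-sum form matters at Yelp scale: a pairwise count over 62,228 flagged reviewers against the rest is quadratic, while the sort is not. Tied scores are common when a detector quantizes its output, and silently breaking ties by input order inflates precision@K if the flagged users happen to come first in the file, which is why `ranked` is stable and the curve only emits a point after a whole tie group.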
While describing our results in the following section, we abbreviate our
approaches as: Stacking (STK), Gaussian Mixture Model (GMM), non-parametric
Dirichlet Process Gaussian Mixture Model (DPGMM), One-Class SVMs (OSVM)
and Uniform Stacking (UM).
Results on Synthetic Data
Figure 9 illustrates the ROC curves obtained using different competing methods for
varying amount of anomalies in the data (controlled by parameter p). Table 4 shows
the corresponding ROC-AUC scores obtained for the ROC curves. We report the
average ROC-AUC scores over the scores obtained using five-fold cross-validation.
Here, OSVM-L, OSVM-R and OSVM-S denote the linear, RBF, and sigmoid
kernels used within OSVM, respectively. Note that we have included only the
best performing OSVM in Figure 9 for readability purpose.
As seen from our results, STK obtained the best score for all values of p as compared
to the other baseline methods. In general, as the number of anomalous reviewers
increases in the dataset, the accuracy of the anomaly detector goes down slightly,
since anomalies distort the distributions learned for the features to a greater extent.
Figure 10 compares the log-likelihood scores for the different probabilistic
methods for varying amounts of anomalies in the data. As seen here, for all values
of p, the log-likelihood score for STK is higher than all the other baseline methods.
UM has the next highest score, which is significantly higher than the scores
obtained using GMM and DPGMM. This illustrates that our stacking-based mixture
models fit the data better when features are derived from multiple heterogeneous
distributions as compared to methods that make assumptions about the underlying
distribution (e.g., GMM and DPGMM assume that the data is generated from
a mixture of multivariate Gaussian distributions).
Figure 9. ROC Curves (Synthetic Data) for Varying Percentage of Anomalies (denoted by p); panels (a) p = 0.01, (b) p = 0.05, (c) p = 0.10, (d) p = 0.15, (e) p = 0.20, (f) p = 0.25
Table 4. ROC-AUC Scores (Synthetic Data) for Varying Percentage of Anomalies (p)
p GMM DPGMM OSVM-L OSVM-R OSVM-S UM STK
0.01 0.45 0.46 0.84 0.81 0.82 0.69 0.93
0.05 0.45 0.45 0.83 0.79 0.80 0.68 0.89
0.10 0.45 0.44 0.83 0.78 0.81 0.68 0.89
0.15 0.45 0.45 0.82 0.81 0.82 0.68 0.89
0.20 0.45 0.44 0.81 0.81 0.82 0.67 0.87
0.25 0.45 0.44 0.80 0.80 0.80 0.68 0.85
Results on Real-World Data
Figure 11 shows the ROC curves for STK and the other baseline algorithms. As
seen from our results, our approach performs much better than the OSVM based
approaches as well as the Gaussian Mixture Models based methods. UM is the best
performing algorithm among the baseline anomaly detectors.
We next compare the accuracy of our approaches with two state-of-the-art
unsupervised approaches, FraudEagle [1] and SpEagle [70]. Both these approaches
model the joint distribution using a Markov Random Field (MRF). Computing
exact probabilities from the MRF is a computationally hard problem. Therefore, FraudEagle and SpEagle use a well-known approximate inference method known as Loopy Belief Propagation [66, 93]. The results for both these methods are available for the same Yelp dataset [70]. Table 5 compares the ROC-AUC scores for our method with the corresponding scores obtained for the baselines as well as FraudEagle and SpEagle. As seen here, our approach performs better than all the other approaches. It improves over the ROC-AUC score obtained by SpEagle by around 3 points. It performs significantly better than GMM, DPGMM, and OSVM. UM is the best performing baseline algorithm, which also performs slightly better than FraudEagle but worse than SpEagle.
Figure 10. Comparison of Log-Likelihood Scores (Synthetic Data)
Figure 11. Comparison of ROC Curves (Yelp Data)
Table 6 shows the results for precision@K, that is, the fraction of spammers in the top K positions when we rank users in the dataset. As we see here, STK outperforms all the baseline anomaly detectors by a significant margin for each value of K. It also performs better than SpEagle for several smaller values of K. For slightly larger values of K, STK and SpEagle achieve comparable scores. This means that STK is quite precise in its top rankings of anomalies. The best performing baseline method is UM, which outperforms the OSVM based methods as well as GMM and DPGMM. Note that the results for FraudEagle precision@K were unavailable to us, and therefore we do not report them here.
Table 5. Comparison of ROC-AUC Scores (Yelp Data)
Algorithm    AUC-Score
GMM          0.52
DPGMM        0.53
OSVM-L       0.49
OSVM-R       0.49
OSVM-S       0.49
UM           0.62
FraudEagle   0.61
SpEagle      0.67
STK          0.70
Table 6. Comparison of precision@K (Yelp Data)
K      GMM   DPGMM  OSVM-L  OSVM-R  OSVM-S  UM    SpEagle  STK
100    0.13  0.13   0.38    0.10    0.38    0.32  0.44     0.57
200    0.13  0.14   0.20    0.28    0.20    0.30  0.53     0.54
300    0.14  0.13   0.14    0.19    0.14    0.26  0.50     0.54
400    0.12  0.13   0.12    0.14    0.12    0.26  0.54     0.54
500    0.12  0.12   0.12    0.13    0.12    0.25  0.52     0.50
600    0.13  0.13   0.11    0.13    0.11    0.24  0.51     0.50
700    0.13  0.12   0.10    0.12    0.10    0.25  0.50     0.48
800    0.13  0.12   0.11    0.11    0.11    0.25  0.50     0.48
900    0.13  0.13   0.11    0.11    0.11    0.25  0.49     0.48
1000   0.13  0.13   0.10    0.11    0.10    0.25  0.50     0.48
In our final experiment, we compare the log-likelihood scores for the four prob-
abilistic methods namely, GMM, DPGMM, UM, and STK, for the Yelp dataset.
Table 7 shows our results, from which it can be seen that STK fits the data much
better than the competing approaches. GMM and DPGMM have significantly smaller
log-likelihood scores, which indicate that leveraging the distributional shapes of the
behavioral features is important to design a robust probabilistic model of a user’s
online behavior. UM performs much better than GMM and DPGMM but worse than
STK. This indicates that it is important to consider the importance of specific features
in the mixture model in order to obtain a better fit for the data.
Note that in our study, we adopt a measure (the log-likelihood score) that is widely used in the computer science literature [72, 46, 11, 25, 74]. The purpose of reporting log-likelihood scores (apart from ROC-AUC) is to compare how well each probabilistic model fits the data. The number of parameters is comparable across models: GMM, DPGMM, UM, and STK are all mixture models, each mixing several component distributions. UM and STK use the same number of components (one per feature). GMM uses the same number of components as UM and STK but still does not fit the data well, because it assumes that the component distributions are Gaussian. DPGMM uses even more components, since the number of components is not pre-specified but learned with a Bayesian approach, and it still does not fit well for the same reason. Thus, all the models are comparable in terms of parameters, and the quality of fit reflects how well the underlying distribution is modeled by the mixture. The log-likelihood experiments illustrate this and thereby complement the ROC-AUC scores. In addition, we have used AIC and BIC as performance metrics; the results are presented in Table 8. We observe that the STK model outperforms the competing approaches (lower AIC and BIC are better).
Our model for predicting or classifying a new user is very fast. Specifically, for around 18K users, it takes only 0.09 seconds to classify whether each of them is a real or fake reviewer. We measured these times on an Intel Core i7 3.1 GHz processor system with 16 GB memory. The implementation of our entire system was done using Python from the Anaconda distribution.
Table 7. Comparison of Log-Likelihood Scores (Yelp Data)
GMM     DPGMM   UM      STK
-64.50  -65.52  -10.40  -2.12
Table 8. Performance Comparison using AIC and BIC Scores
       GMM      DPGMM    UM      STK
AIC    2316980  2991243  111498  110952
BIC    2324163  2998427  112074  111528
As part of the robustness test, we have used several methods to show general-
izability of our approach. First, we have used a new test dataset and the results are
presented in Online Supplemental Appendix B. Second, we have rerun our experi-
ments using a stricter definition of filtered reviewers, i.e., reviewers who have all
their reviews marked as filtered reviews. The results are presented and discussed in
Online Supplemental Appendix C. Third, we have used two additional outlier detec-
tion methods: Local Outlier Factors (LOF) and Elliptic Envelopes (E-Env). The
results are robust and are presented in Online Supplemental Appendix D.
Detecting fake reviewers in online forums is known to be a challenging task. Even
though several approaches have been proposed to detect such reviewers, they do not
fully exploit the underlying distributional characteristics of reviewing behavior. In this
work, we propose a novel method for unsupervised identification of anomalous
reviewers. The key idea in our approach is to combine several heterogeneous distribu-
tions that describe different facets of reviewing behavior into a unified model for
anomaly detection. Specifically, we derive (1) univariate distributions of features
commonly used to characterize reviewing habits, and (2) a Dirichlet-multinomial
distribution that models the interdependent features. Furthermore, we stack these
distributions into a single mixture model and learn the parameters of the model in an
unsupervised manner using the EM algorithm. We perform a comprehensive experi-
mental study in which we develop four baseline algorithms for anomaly detection
based on Gaussian mixture models and One-Class SVMs. Using both synthetic data as
well as real-world restaurant reviews from yelp.com, we compare our approach with
the baseline algorithms and state-of-the-art unsupervised methods for spammer detec-
tion, and show that our approach outperforms all these methods.
Our research has important managerial implications for social media platforms.
New social media technologies have facilitated information sharing and shaped the
information to which individuals were exposed [68, 83, 84]. Meanwhile, these
technologies enable misinformation to spread rapidly through online media, which
suggests that social media platforms are vulnerable to manipulation [42]. For instance, false information on Twitter is retweeted by many more users, and far more rapidly, than true information [86]. In one case, a false tweet claiming that Barack Obama had been injured in an explosion caused a $130 billion loss in stock value [86]. Our proposed method offers a useful platform-based detection and intervention tool against the biases that make social media platforms vulnerable to misinformation. As social media platforms have become the primary conduits of fake news, social bots (automated social media accounts) can magnify the spread of fake news by liking and sharing information. According to a recent estimate, 9-15 percent of active Twitter accounts are social bots [41]. Our hierarchical unsupervised-learning approach to detecting online spammers can be generalized to identify social bots. Social media platforms can use our method to redesign their systems and curb the automated spread of news content by social bots.
With a surge in fake reviewers on social media platforms, the issue of detecting fake
reviewers is of increasing importance to firms and their customers. Our research study
is very timely since there is a great interest in deploying fake reviewers’ detection
models in production by social media platforms. Detecting fake reviewers in a real-
world production setting is a very complex task. Even after the development of one of
the best performing machine-learning algorithms, deployment and maintenance of
fake reviewers’ detection models into production on social media platforms can pose
a challenge. The ongoing monitoring and review of a model’s success in detecting real
fake reviewers is a critical component. If supervised models trained on historical
labeled data are allowed to continue running on a social media platform, there is
substantial risk of losing credibility because fake reviewers continuously come up
with new tricks to game the system. The supervised learning models can lose their
effectiveness and produce false signals when fake reviewers dynamically change
behaviors. Social media platforms may not have access to the most up-to-date labeled
dataset. In other situations, the high effort and costs associated with periodically
(manually) labeling large amounts of data becomes a prohibitive factor when using
supervised learning techniques. Even if we disregard all these challenges for a moment, the overhead of continuously updating model parameters with a new labeled dataset significantly adds to the model deployment costs. In these situations,
using unsupervised learning techniques that do not rely on the labeled data is more
cost effective, and easier to deploy and maintain in a production environment.
Moreover, when using unsupervised models, the social media platforms do not have
to deal with the cumbersome task of labeling data at a regular time interval. Given the
merits of the proposed unsupervised learning-based mixture models, deploying these
models in the production environment does not pose a serious challenge. In addition,
a plethora of open source deployment tools and libraries are available these days that
support the methodology proposed in this paper.
Our approach can also be viewed as a generic method to unify complex distribu-
tional characteristics into a unified probabilistic model and is thus applicable across
several domains. Future work includes applying our general approach to detect
spammer groups [57, 90] by modeling them as multivariate distributions. We would
also like to develop adaptive versions of our method [33] and integrate advanced
linguistics into our model such as models that detect deceptive writing [63] and
models for sentiment analysis [64].
NOTES
1. See http://www.huffingtonpost.com/2013/09/25/fake-yelp-reviews_n_3983564.html,
retrieved on March 19, 2019.
2. See http://www.nytimes.com/2011/08/20/technology/finding-fake-reviews-online.html,
retrieved on March 19, 2019.
Supplemental data for this article can be accessed on the publisher’s website.
ORCID
Liangfei Qiu http://orcid.org/0000-0002-8771-9389
REFERENCES
1. Akoglu, L.; Chandy, R.; and Faloutsos, C. Opinion fraud detection in online reviews
by network effects. Proceedings of the International AAAI Conference on Weblogs and
Social Media, 7, (2013), 2–11.
2. Amer, M.; Goldstein, M.; and Abdennadher, S. Enhancing one-class support
vector machines for unsupervised anomaly detection. In Proceedings of the ACM
SIGKDD Workshop on Outlier Detection and Description. New York, NY: ACM,
2013, pp. 8–15.
3. Banerjee, S.; and Chua, A.Y.K. A study of manipulative and authentic negative
reviews. Proceedings of the International Conference on Ubiquitous Information
Management and Communication, 8, (2014), 76:1-76:6.
4. Benjamin, V.; Zhang, B.; Nunamaker Jr, J.F.; and Chen, H. Examining hacker parti-
cipation length in cybercriminal Internet-relay-chat communities. Journal of Management
Information Systems, 33, 2 (2016), 482–510.
5. Bhattarai, A.; Rus, V.; and Dasgupta, D. Characterizing comment spam in the blogo-
sphere through content analysis. Proceedings of IEEE Symposium on Computational
Intelligence in Cyber Security, 1, (2009), 37–44.
6. Blanding, M. The yelp factor: Are consumer reviews good for business? Harvard
Business School, 2011. https://hbswk.hbs.edu/item/the-yelp-factor-are-consumer-reviews-
good-for-business (accessed on July 4, 2018).
7. Bockstedt, J.; and Goh, K. H. Seller strategies for differentiation in highly compe-
titive online auction markets. Journal of Management Information Systems, 28, 3 (2011),
235–268.
8. Breiman, L. Bagging predictors. Machine Learning, 24, 2 (1996), 123–140.
9. Chandola, V.; Banerjee, A.; and Kumar, V. Anomaly detection: A survey. ACM
Computing Surveys, 41, 3 (2009), 15:1-15:58.
10. Chevalier, J.A.; and Mayzlin, D. The effect of word of mouth on sales: Online book
reviews. Journal of Marketing Research, 43, 3 (2006), 345–354.
11. Chou, L.; Sarkhel, S.; Ruozzi, N.; and Gogate, V. On parameter tying by quantization.
In Proceedings of the Thirtieth AAAI Conference on Artificial Intelligence, 2016, pp.
3241–3247.
12. Churilov, L.; Bagirov, A.; Schwartz, D.; Smith, K.; and Dally, M. Data mining with
combined use of optimization techniques and self-organizing maps for improving risk
grouping rules: application to prostate cancer patients. Journal of Management Information
Systems, 21, 4 (2005), 85–100.
13. ClearMyMail. Viagra spam e-mails. http://www.clearmymail.com/guides/viagra_spam_emails.aspx (accessed on July 4, 2018).
14. Cormack, G.V. Email spam filtering: A systematic review. Foundations and Trends in
Information Retrieval, 1, 4 (2008), 335–455.
15. Dalvi, N.N.; Kumar, R.; and Pang, B. Para ’normal’ activity: On the distribution of
average ratings. Proceedings of the International AAAI Conference on Weblogs and Social
Media, 7, (2013), 110–119.
16. Eliashberg, J.; and Shugan, S.M. Film critics: Influencers or predictors? Journal of
Marketing, 61, 2 (1997), 68–78.
17. Elkan, C. Clustering documents with an exponential-family approximation of the
dirichlet compound multinomial distribution. In Proceedings of the 23rd International
Conference on Machine Learning. New York, NY: ACM, 2006, pp. 289–296.
18. Eskin, E. Anomaly detection over noisy data using learned probability distributions. In
Proceedings of the Seventeenth International Conference on Machine Learning. San
Francisco, CA: Morgan Kaufmann, 2000, pp. 255–262.
19. Fei, G.; Mukherjee, A.; Liu, B.; Hsu, M.; Castellanos, M.; and Ghosh, R. Exploiting
burstiness in reviews for review spammer detection. Proceedings of the International AAAI
Conference on Weblogs and Social Media, 7, (2013), 175–184.
20. Feng, S.; Banerjee, R.; and Choi, Y. Syntactic stylometry for deception detection.
Proceedings of the Annual Meeting of the Association for Computational Linguistics, 50,
(2012), 171–175.
21. Feng, S.; Xing, L.; Gogar, A.; and Choi, Y. Distributional footprints of deceptive
product reviews. Proceedings of the International AAAI Conference on Weblogs and Social
Media, 6, (2012), 98–105.
22. Ferrara, E.; Varol, O.; Davis, C.; Menczer, F.; and Flammini, A. The rise of social bots.
Communications of the ACM, 59, 7 (2016), 96–104.
23. Forman, C.; Ghose, A.; and Wiesenfeld, B. Examining the relationship between
reviews and sales: the role of reviewer identity disclosure in electronic markets.
Information Systems Research, 19, 3 (2008), 291–313.
24. Freund, Y.; and Schapire, R.E. Experiments with a new boosting algorithm. In
Proceedings of the Thirteenth International Conference on Machine Learning. San
Francisco, CA: Morgan Kaufmann, 1996, pp. 148–156.
25. Gogate, V.; Webb, W.; and Domingos, P. Learning efficient markov networks. In
Advances in Neural Information Processing Systems, 2010, pp. 748–756.
26. Guo, J.; Zhang, W.; Fan, W.; and Li, W. Combining geographical and social influences
with deep learning for personalized point-of-interest recommendation. Journal of
Management Information Systems, 35, 4 (2018), 1121–1153.
27. Heller, K.A.; Svore, K.M.; Keromytis, A.D.; and Stolfo, S.J. One class support vector
machines for detecting anomalous windows registry accesses. In Proceedings of the work-
shop on Data Mining for Computer Security, 2003.
28. Ho, S.M.; Hancock, J.T.; Booth, C.; and Liu, X. Computer-mediated deception:
strategies revealed by language-action cues in spontaneous communication. Journal of
Management Information Systems, 33, 2 (2016), 393–420.
29. Holmes, I.; Harris, K.; and Quince, C. Dirichlet multinomial mixtures: Generative
models for microbial metagenomics. PLoS ONE, 7, 2 (2012), 1–15.
30. Hu, N.; Bose, I.; Gao, Y.; and Liu, L. Manipulation in digital word-of-mouth: a reality
check for book reviews. Decision Support Systems, 50, 3 (2011), 627–635.
31. Hu, N.; Bose, I.; Koh, N.S.; and Liu, L. Manipulation of online reviews: An analysis of
ratings, readability, and sentiments. Decision Support Systems, 52, 3 (2012), 674–684.
32. Hu, N.; Zhang, J.; and Pavlou, P.A. Overcoming the j-shaped distribution of product
reviews. Communications of the ACM, 52, 10 (2009), 144–147.
33. Hulten, G.; Spencer, L.; and Domingos, P. Mining time-changing data streams. In
Proceedings of the Seventh ACM SIGKDD International Conference on Knowledge
Discovery and Data Mining. New York, NY: ACM, 2001, pp. 97–106.
34. Ivanova, O.; and Scholz, M. How can online marketplaces reduce rating manipulation?
A new approach on dynamic aggregation of online ratings. Decision Support Systems, 104, 4
(2017), 64–78.
DETECTING ANOMALOUS ONLINE REVIEWERS USING UNSUPERVISED LEARNING 1343
1344 KUMAR ET AL.
Copyright of Journal of Management Information Systems is the property of Taylor & Francis
Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder’s express written permission. However, users may print,
download, or email articles for individual use.