JIS Vol.7 No.2, March 2016
Empirical Investigation of Threats to Loyalty Programs by Using Models Inspired by the Gordon-Loeb Formulation of Security Investment
Abstract: Loyalty programs (LPs) are a popular marketing activity of enterprises. As a result of firms’ efforts to increase customers’ loyalty, point exchange or redemption services are now available worldwide. These services attract not only customers but also attackers. Pioneering research, which first focused on this LP security problem, presented an empirical analysis based on Japanese data to examine the effects of LP-point liquidity on the damage caused by security incidents. We revisit the empirical models, in which the choice of variables is inspired by the Gordon-Loeb formulation of security investment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it specifically captures the features of LP networks. However, the actual proxy used in the former study is artificial. In this paper, we reconsider the definition of liquidity based on further observation of LP security incidents. Using newly defined proxies corresponding to the threat, as well as other refined proxies, we test hypotheses to derive further implications that help LP operators manage partnerships; the implications are consistent with recent changes in the LP network. Thus we can see that the impact of security investment models extends to a wider range of empirical studies.
Cite this paper: Shinoda, S. and Matsuura, K. (2016) Empirical Investigation of Threats to Loyalty Programs by Using Models Inspired by the Gordon-Loeb Formulation of Security Investment. Journal of Information Security, 7, 29-48. doi: 10.4236/jis.2016.72003.
