Empirical Investigation of Threats to Loyalty Programs by Using Models Inspired by the Gordon-Loeb Formulation of Security Investment

A loyalty program (LP) is a popular marketing activity of enterprises. As a result of firms' efforts to increase customer loyalty, point exchange and redemption services are now available worldwide. These services attract not only customers but also attackers. A pioneering study, the first to focus on this LP security problem, presented an empirical analysis based on Japanese data to examine the effects of LP-point liquidity on the damage caused by security incidents. We revisit the empirical models, in which the choice of variables is inspired by the Gordon-Loeb formulation of security investment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it captures a particular feature of LP networks. However, the actual proxy used in the former study is artificial. In this paper, we reconsider the liquidity definition based on a further observation of LP security incidents. Using newly defined proxies corresponding to the threat, as well as other refined proxies, we test hypotheses to derive more implications that help LP operators manage partnerships; the implications are consistent with recent changes in the LP network. Thus the impact of security investment models extends to a wider range of empirical studies.


Introduction
Loyalty programs (LPs) are structured marketing efforts that reward, and therefore encourage, customers' loyalty [1]. LPs have proliferated in recent years as companies seek to acquire and retain customers, increase customer spending, and encourage the purchase of additional products [2]. However, some studies, such as [3], argue that since most firms now utilize LPs, they no longer contribute to competitive advantage. Consequently, many firms are attempting to redesign LPs to enhance their effectiveness. In particular, in order to increase customers' loyalty, point exchange and redemption services have matured worldwide. For example, Points.com is a major point exchange and redemption service in the U.S. In Japan, the point exchange network is expanding, which enables customers to redeem points from one LP into another [4]. However, these services attract not only customers but also attackers whose aim is to obtain monetary benefits. In fact, the number of LP incidents worldwide is increasing, as shown in Section 2.
When we consider security investment to reduce the damage caused by such incidents, we need to assess the features of the LP network from the viewpoint of the efficacy of security investment. To address this question, Jenjarrussakul and Matsuura [5] conducted an empirical study of LPs. Their study was inspired by the Gordon-Loeb model [6]-[8] of security investment; they considered damage, expense (or security investment), threat, and vulnerability as the four fundamental factors when they developed their empirical analysis model. In particular, they derived security-liquidity implications by using the liquidity of an LP as a metric of threat. This analysis is possible because threat (defined as the probability of a threat occurring) and vulnerability (defined as the conditional probability that a threat, once realized, would be successful) are handled separately.
However, the definition of liquidity itself has not been studied in depth, and the possibility of using other metrics has not been well considered either. In this paper, we investigate this threat metric more deeply by considering different metrics based on an observation of actual security incidents in LP systems.
Our work, reported in the rest of this paper, is inspired by this primary study [5], but there are important differences. First, the liquidity definition is reconsidered, and a more intuitively convincing one is introduced. Second, we observe actual security incidents more deeply and derive more implications that help LP operators manage partnerships; the implications are consistent with recent changes in the LP network. Minor changes to the proxies used to test hypotheses also improve our empirical study.
The rest of this paper is organized as follows. In Section 2, we survey major incidents on LPs that occurred worldwide and their characteristics. In Section 3, we describe related and previous work. In Section 4, the data used in our empirical analyses are shown. In Sections 5, 6 and 7, different threat metrics and liquidity definitions are investigated. Lastly, Section 8 concludes the paper.

Incidents on Loyalty Programs
In the U.K., compromised credentials enabled the theft of users' miles from the British Airways loyalty program in March 2015 [9]. In the U.S., Hilton Hotel rewards points were stolen in November 2014 [10]. This case happened because the login process was weak. Hackers could not only sell the stolen accounts or redeem the points but also buy expensive items at the Hilton shopping mall. About 10,000 accounts of American Airlines and United Airlines loyalty programs were compromised in December 2014 [11]. A March 2015 report [12] says "with Starbucks, hackers were somehow (still unclear) able to obtain customer usernames and passwords that opened up access to payment methods, which were used to refill gift card balances and transfer out gift card funds. Hackers can then sell these gift card balances to other people." In these cases, hackers are said to have used ID-password lists to mimic successful authentications.
There is an increasing number of LP security incidents in Japan as well [13]. Table 1 lists major security incidents of LPs in Japan collected from web news articles. They reveal some characteristics of the attackers' behavior: attackers often 1) attempt to pass the web login authentication mechanisms, 2) make their malicious attempts within one or two days, and 3) attempt to steal the compromised accounts' points and redeem them into certain LP points. Regarding the third characteristic, it should be noted that Amazon Gift Cards and iTunes Gift Codes are often chosen by attackers as the redemption destinations. Their codes can be sold and eventually converted into real money. This is the first possible reason why attackers often choose those gifts. The second possible reason is that most attackers live outside Japan. Both Amazon and iTunes services are provided internationally [37], with their head offices outside Japan, so attackers can avoid investigation by the Japanese police. As the third possible reason, it should be noted that Amazon and iTunes are not willing to publish their redemption algorithms; without that disclosure, we cannot trace and find who stole the points.

Loyalty Programs
The effectiveness of LPs is well investigated in the management area [3]. Some research also focuses on Japanese LPs: for example, on the characteristics of the Japanese LP network [38], the factors that lead to LP partnerships [39], the LP network's economic reliability [40], and the network's impact on marketing performance [4]. These works do not consider LP security problems. LP security issues were first researched economically by Jenjarrussakul and Matsuura in 2014 [5]. They show two implications: the impact of LP security incidents decreases if stronger security requirements in the web authentication process are satisfied, and it increases if the liquidity of the LP points is higher. Our work is inspired by this primary study, but there are some important differences, as mentioned in Section 1.

Virtual Currency and Security
The European Central Bank defined virtual currency as "a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community" and pointed out that LP points or miles can satisfy the definition [41]. Other representative virtual currencies include cryptocurrency and game currency. Regarding cryptocurrency, Bitcoin is the main research target [42]-[45]. Although these works handle security problems, they do not consider the relation between Bitcoin and LP systems. Massively multiplayer online game (MMOG) currencies are also virtual currencies with security issues; they have been researched without considering the relationship between the currencies and LP systems [46]-[50].

Data Collection
We retrieved the LP network structure from Poitan.net, a portal site of Japanese LP networks where users can search possible routes of point redemption, find the market value of each LP point, and so on (see Appendix A.1). Each LP operator's capital size was retrieved from the operator's website. The data on security investment, damage amount and security requirements are the same as those in [5]. Table 2 summarizes the data used in our study.

Hypothesis Development
Reference [5] shows an important implication: an LP with higher liquidity suffers a bigger impact from incidents. However, the definition of liquidity in [5] was not intuitively convincing, as described in Appendix C. It may be more convincing if liquidity is defined more simply in terms of $GoPartner_i$, the number of partners into which one can redeem points from LP $i$. In order to examine this definition, we set the following hypothesis:
H1. An LP with more outgoing partners suffers greater damage.

Model
In order to test H1, the linear regression model of Equation (2) is set, where $i$ is an index that indicates each LP, $damage_i$ is the annual damage amount of the overall IT security incidents of LP $i$'s operator, $capital_i$ is the capital size of LP $i$'s operator, $expense_i$ is the annual IT security expense of LP $i$'s operator, $sec\_score_i$ is the security requirement level of LP $i$'s authentications, and $u_i$ is the model's error term, assumed to be independent of the observed covariates. For more details on the calculation of these proxies, see Appendix B.3. Correlations between variables are shown in Table 3.

Table 2. Data used in our study.
- Security investment and damage amount of security incidents: retrieved from the Information Processing Census (2012), the statistical data by METI (Ministry of Economics, Technology and Industries) of Japan [51].
- Exchange network: retrieved from Poitan.net in Dec. 2014.
- Security requirement: retrieved by Jenjarrussakul and Matsuura [5].

Results
To test H1, let the null hypothesis be $\beta_2 = 0$ in Equation (2). H1 is accepted if this null hypothesis is rejected.
The estimated result of Equation (2) is shown in Table 4. The coefficient of $GoPartner_i$ is significantly positive, so the null hypothesis $\beta_2 = 0$ is rejected, and H1 is accepted. Additionally, the coefficient of $sec\_score_i$ is significantly negative. This result is consistent with the results of [5].
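As an added worked example (not code from this paper or from [5]), the following Python script fits the H1 regression on a small constructed sample and tests the null hypothesis $\beta_2 = 0$ with a t-statistic. Because Equation (2) is not reproduced above, the regressors are assumed from the Table 3 notation: a constant, $\log(capital_i)$, $\log(expense_i)$, $GoPartner_i$ and $sec\_score_i$, with $\log(damage_i)$ as the dependent variable; the coefficient ordering, the 12 LPs, their values, and the coefficients used to synthesize the damage figures are all the script's own assumptions. The critical value 2.365 is the two-sided 5% t critical value for the 7 degrees of freedom this sample leaves.

```python
import math

# Constructed sample of 12 hypothetical LPs (NOT the paper's 82 LPs):
# (GoPartner_i, capital_i in yen, expense_i in yen, sec_score_i)
SAMPLE_LPS = [
    (1, 500e6, 4.0e6, 0.50), (2, 100e6, 1.3e6, 1.00), (3, 1.3e9, 9.0e6, 0.33),
    (4, 180e6, 2.7e6, 0.83), (5, 3.5e9, 8.0e6, 0.67), (6, 65e6, 1.1e6, 0.17),
    (7, 800e6, 5.4e6, 1.00), (8, 2.2e9, 1.2e7, 0.50), (9, 300e6, 2.0e6, 0.83),
    (10, 6.0e9, 2.0e7, 0.33), (11, 80e6, 1.2e6, 0.67), (12, 1.1e9, 6.6e6, 0.17),
]
REGRESSORS = ["const", "lcap", "lex", "GoPartner", "sec_score"]
# Assumed coefficients used only to synthesize log(damage_i) for the sample,
# plus small deterministic noise, so that OLS can be seen to recover them.
TRUE_BETA = {"const": 1.0, "lcap": 0.4, "lex": 0.2, "GoPartner": 0.30, "sec_score": -1.5}
NOISE = [0.04, -0.03, 0.05, -0.05, 0.02, -0.01, -0.04, 0.03, -0.02, 0.05, -0.05, 0.01]
T_CRIT_5PCT_DF7 = 2.365  # two-sided 5% critical value of Student's t, 7 d.f.


def design_matrix(lps):
    """Rows of [1, log(capital), log(expense), GoPartner, sec_score]."""
    return [[1.0, math.log(cap), math.log(exp_), float(go), sec] for go, cap, exp_, sec in lps]


def synthetic_log_damage(lps, noise=NOISE):
    """Constructed dependent variable log(damage_i) = X beta_true + noise."""
    coef = [TRUE_BETA[k] for k in REGRESSORS]
    return [sum(b * x for b, x in zip(coef, row)) + e
            for row, e in zip(design_matrix(lps), noise)]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting (fine for a 5x5 matrix)."""
    n = len(m)
    a = [list(map(float, m[i])) + [1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix (collinear regressors)")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def ols(X, y):
    """Ordinary least squares: coefficients, standard errors, degrees of freedom."""
    n, k = len(X), len(X[0])
    xtx = [[sum(row[i] * row[j] for row in X) for j in range(k)] for i in range(k)]
    xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(k)]
    inv = invert(xtx)
    beta = [sum(inv[i][j] * xty[j] for j in range(k)) for i in range(k)]
    resid = [yi - sum(b * x for b, x in zip(beta, row)) for row, yi in zip(X, y)]
    df = n - k
    sigma2 = sum(e * e for e in resid) / df  # residual variance estimate
    se = [math.sqrt(sigma2 * inv[i][i]) for i in range(k)]
    return beta, se, df


def fit_h1_model(lps, log_damage=None):
    """Fit log(damage) on the H1 regressors; returns coefficients, SEs and t-stats by name."""
    X = design_matrix(lps)
    y = synthetic_log_damage(lps) if log_damage is None else log_damage
    beta, se, df = ols(X, y)
    t = [b / s if s > 0 else float("inf") for b, s in zip(beta, se)]
    return {"beta": dict(zip(REGRESSORS, beta)), "se": dict(zip(REGRESSORS, se)),
            "t": dict(zip(REGRESSORS, t)), "df": df}


def h1_accepted(result, crit=T_CRIT_5PCT_DF7):
    """H1 holds if the null beta_GoPartner = 0 is rejected with a positive sign."""
    return abs(result["t"]["GoPartner"]) > crit and result["beta"]["GoPartner"] > 0


if __name__ == "__main__":
    res = fit_h1_model(SAMPLE_LPS)
    for name in REGRESSORS:
        print(f"{name:10s} beta={res['beta'][name]:+.3f} se={res['se'][name]:.3f} t={res['t'][name]:+.1f}")
    print("H1 accepted:", h1_accepted(res), f"(df={res['df']})")
```

Swapping the synthetic `log_damage` for the real proxies of Appendix B.3 turns this into the actual H1 test; with a different sample size the critical value must be taken for the new degrees of freedom.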

Hypothesis Development
A redemption request is not always approved quickly; it may take one week or longer. If LP operators have more time to give approval, they have a higher chance of noticing suspicious redemption applications and rejecting them. Thus attackers may prefer quicker redemption to avoid the risk of being detected. In fact, the incidents surveyed in Section 2 suggest this preference. So let us consider the following hypothesis.
H2. If an LP has more outgoing partners with short redemption times, the damage from incidents is bigger.

Data and Descriptive Statistics
Figure 1 shows the histogram of the time required for redemption over all the exchange routes of the 274 LPs, and Table 5 shows the descriptive statistics. Table 6 shows the descriptive statistics for the 82 selected LPs.

Model
To test H2, we set the linear regression model of Equation (3), where $GoPartner_{i,N}$ is the number of partners into which one can redeem points from LP $i$ within $N$ days and the other variables are the same as those in Equation (2). Correlations between variables are shown in Table 7.

Results and Discussion
The estimated results of Equation (3) for $N = 0, 5, 10, 30, 45, 60$ are shown in Table 8. When $N$ is 0 or 5, $\beta_3$ is significantly positive, but $\beta_2$ shows no significance. This means that an LP suffers greater damage if it has more point-redeeming partners over the time threshold of 0 or 5 days. On the other hand, when $N$ is 45 or 60, $\beta_3$ shows no significance but $\beta_2$ is significantly positive. This suggests that an LP suffers more damage when it has a larger number of point-redeeming partners under the time threshold of 45 or 60 days. When $N$ is 10 or 30, no significance was found. These results suggest that the number of outgoing partners that require at least 45 days for redemption does not affect the liquidity. Although H2 is not supported if the threshold time is 5 days, it is supported if the threshold time is 45 days. It is shown that the damage gets bigger if the LP has more partnerships with shorter redemption times. Thus we find that redemption time has some effect on liquidity, and hence on the threats to LPs.

Table 9 and Figure 2 show the number of LPs (out of the 82 selected LPs) from which one can redeem points into Amazon Gift Cards and iTunes Gift Codes with respect to the time required for redemption. As we mentioned in Section 2, attackers seem to prefer Amazon Gift Cards and iTunes Gift Codes for malicious redemptions. Taking alliances with specific partners might expose an LP to bigger threats. So we set the following hypothesis.

Hypothesis Development
H3.An LP that takes partnership with Amazon or iTunes suffers greater damage.

Model
To test H3, we set the linear regression models of Equations (4) and (5), where $GoToAorI_{i,N}$ is the binary value representing whether one can redeem points from LP $i$ into an Amazon Gift Card or iTunes Gift Code within $N$ days (1 if possible, 0 otherwise), and the other variables are the same as in Equation (2).
Correlations between the variables in Equations (4) and (5) are shown in Table 10.
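To make the three threat proxies concrete, here is an added Python example (not the paper's code; the Poitan.net data are replaced by a constructed route table) that computes $GoPartner_i$ from Section 5, $GoPartner_{i,N}$ from Section 6 and $GoToAorI_{i,N}$ from this section, together with the $sec\_score_i$ ratio of Appendix B.3.3 with N/A requirements excluded from the denominator. It assumes that "within $N$ days" means a redemption time of at most $N$ days, that a partner reachable by several routes counts once with its fastest route, and that the two gift-card destinations are labelled exactly as in the table below.

```python
from collections import defaultdict

# Constructed redemption-route table (NOT data from Poitan.net or the paper):
# (source LP, destination partner, days required for the redemption to complete).
# Two rows with the same source and destination model two alternative routes.
SAMPLE_ROUTES = [
    ("LP-A", "LP-B", 0),
    ("LP-A", "LP-C", 7),
    ("LP-A", "LP-C", 30),
    ("LP-A", "Amazon Gift Card", 3),
    ("LP-A", "LP-D", 60),
    ("LP-B", "LP-A", 14),
    ("LP-B", "iTunes Gift Code", 45),
    ("LP-C", "LP-A", 0),
    ("LP-D", "LP-B", 30),
]

# Destination labels treated as "Amazon or iTunes" for GoToAorI (assumed labels).
AMAZON_OR_ITUNES = {"Amazon Gift Card", "iTunes Gift Code"}


def fastest_routes(routes):
    """Map each source LP to {destination: shortest redemption time in days}."""
    fastest = defaultdict(dict)
    for src, dst, days in routes:
        if days < 0:
            raise ValueError(f"negative redemption time for {src} -> {dst}")
        best = fastest[src].get(dst)
        if best is None or days < best:
            fastest[src][dst] = days
    return fastest


def go_partner(routes, lp):
    """GoPartner_i: distinct partners into which LP i can redeem points (any time)."""
    return len(fastest_routes(routes).get(lp, {}))


def go_partner_within(routes, lp, n_days):
    """GoPartner_{i,N}: partners reachable with redemption time <= N days
    (assumption: 'within N days' is read as at most N days)."""
    return sum(1 for d in fastest_routes(routes).get(lp, {}).values() if d <= n_days)


def go_to_a_or_i(routes, lp, n_days):
    """GoToAorI_{i,N}: 1 if LP i can redeem into Amazon or iTunes within N days, else 0."""
    fastest = fastest_routes(routes).get(lp, {})
    return int(any(fastest.get(d, float("inf")) <= n_days for d in AMAZON_OR_ITUNES))


def go_partner_profile(routes, lp, thresholds=(0, 5, 10, 30, 45, 60, 90)):
    """GoPartner_{i,N} for each threshold N used in the paper (a Table 6 style row)."""
    return {n: go_partner_within(routes, lp, n) for n in thresholds}


def security_score(requirements):
    """sec_score_i: satisfied requirements / requirements for which data exist.
    Values: True (satisfied), False (not satisfied), None (N/A, excluded)."""
    known = [v for v in requirements.values() if v is not None]
    if not known:
        return None  # no data at all: the score is undefined (N/A as in Table A1)
    return sum(1 for v in known if v) / len(known)


if __name__ == "__main__":
    for lp in ("LP-A", "LP-B", "LP-C", "LP-D"):
        print(lp, "GoPartner =", go_partner(SAMPLE_ROUTES, lp),
              "profile =", go_partner_profile(SAMPLE_ROUTES, lp),
              "GoToAorI_45 =", go_to_a_or_i(SAMPLE_ROUTES, lp, 45))
    # Constructed requirement data: six requirements, one of them unavailable.
    print("sec_score =", security_score(
        {"r1": True, "r2": False, "r3": None, "r4": True, "r5": True, "r6": False}))
```

Applying `go_partner_profile` to every LP in the route table yields the Go N columns of Table 6, and `go_to_a_or_i` over all LPs for each N gives the counts of Figure 2; the N/A handling in `security_score` mirrors Table A1, where the score is undefined when no requirement data are available.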

Results and Discussion
The estimated results for $N = 0, 5, 10, 30, 45, 60, 90$ are shown in $\beta$ is significantly weakly positive at the 10% level. When $N$ is 10 or 45, $\beta_3$ does not show any significance. This means that H3 is weakly supported for the redemption times of 10, 45 and 90 days. Additionally, it suggests that the availability of redemption into Amazon or iTunes does not affect the damage if one has to wait more than 45 days to complete the transaction. When $N = 30$ or $N = 60$, the p-values of $\beta_2$ are rather small, although insufficient for weak support at the 10% level. On the other hand, when $N = 0$ or $N = 5$, $\beta_3$ is significantly positive and $\beta_2$ is insignificant. This means that if an LP has an outgoing partnership with Amazon or iTunes and the redemption takes more than 0 or 5 days, it suffers more damage, while we cannot see any relation between the damage and the availability of 0- or 5-day redemption. While this differs from intuition, the same discussion as in Section 6.4 can be applied.
In Japan, some of the LP operators that suffered damage from malicious redemption into Amazon Gift Cards or iTunes Gift Codes introduced countermeasures: they either temporarily stopped their alliance with Amazon and iTunes or introduced phone authentication for redemption into them. This recent trend is supported by the above result of our empirical analysis.

Concluding Remarks
In this paper, we revisit the empirical models used in a former study [5] regarding the security of loyalty programs. In the models, the choice of variables is inspired by the Gordon-Loeb formulation of security investment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it captures a particular feature of LP networks. However, the actual proxy used in the former study is artificial, because its original definition is not LP-wise but industry-wise. In this paper, we reconsidered the liquidity definition based on a further observation of LP security incidents. Using newly defined proxies corresponding to the threat, as well as other refined proxies, we conducted hypothesis testing to derive more implications. We show that the damage from LP incidents grows if partnerships with short redemption times, or with Amazon or iTunes, are accepted. These implications will help LP operators manage partnerships. In fact, these findings are consistent with recent trends in the LP network. Thus we can see that the impact of security investment models extends to a wider range of empirical studies in the economics of information security.

Table: Equations (4) and (5) for N = 0, 5, 10, 30, 45, 60, 90. The notations are the same as in Table 10.

B.3.1. Damage
$damage_i$ is the average damage amount of its industry and $rank_i$ indicates the LP's ranking score at Poitan.net. However, this might be somewhat artificial.

B.3.2. Expense
The proxy of expense is also calculated from METI's data by the same method used for the damage.

B.3.3. Vulnerability
The metric of vulnerability is the same as that used in [5]. We used six requirements in the registration process, the authentication (login) process, and the back-up authentication process of each LP. Table A4 shows these six requirements. They computed the security score, $sec\_score_i$, of LP $i$ as the ratio of "the number of satisfied requirements in LP $i$" to "the number of requirements about which we can obtain data regarding LP $i$." $sec\_score_i$ represents how unsuccessful an attack is, so we can view $sec\_score_i$ as a metric for anti-vulnerability.

Table A4. Security requirements in web authentications used for the calculation of sec_score [5].

Each LP-operating company has a lot of IT systems, and an LP system is just one of them. Since the empirical data on expense and damage cover all the IT systems of the company, some normalization is necessary when we measure the expense and damage on its LP system.

Figure 1. Histogram of the time required for redemption in December 2014.

Figure 2. Number of LPs (of the 82 selected LPs) from which one can redeem into Amazon Gift Card or iTunes Gift Code within N days.

Table 1. Major LP security incidents in Japan.

Table 2. Data used in our study.

Table 3. Correlations between the variables in Equation (2). To save space, the following notation is used: ldam is $\log(damage_i)$, lcap is $\log(capital_i)$, lex is $\log(expense_i)$, GoPartner is $GoPartner_i$, and SecScore is $sec\_score_i$.

Table 4. Results of the linear regression by Equation (2). The notations are the same as in Table 3.

Table 5. Descriptive statistics of the time required for redemption.

Table 6. Descriptive statistics of the number of outgoing partners regarding the 82 selected LPs. $Go_N$ represents the number of partners into which one can redeem points from each LP within $N$ days.


Table 7. Correlations between the variables in Equation (3) for different values of $N$. $Go_N$ represents $GoPartner_{i,N}$ and the other notations are the same as in Table 3.

Table 10. Correlations between the variables in Equations (4) and (5) for different values of $N$. $GoAI_N$ represents $GoToAorI_{i,N}$ and the other notations are the same as in Table 3.

Table A1. List of the 82 selected LPs (Part 1). LP ID indicates the registered ID at Poitan, Industry ID indicates each industry (details are in Appendix B.2), and Capital size is each LP operator's capital size. Security score shows the security requirement level calculated by the method described in Appendix B.3.3. N/A means that we cannot access the corresponding information.

Table A2. The industries which operate LPs in Japan. Each industry ID is the same as in [5]. $IND_i$ indicates the industry ID to which LP $i$ belongs.

Table A4 (recovered rows).
- Trusted information (e.g. certified information, security code, information which is matched to a certifiable document).
- Necessity of physical card or account.
- Implementation of additional security techniques (e.g. CAPTCHA, secret question).
Authentication (login):
- Data which increases the difficulty of logging into the account (e.g. mobile number, physical card number, system-generated ID).

The former study [5] did not normalize any parameters, but we normalize damage and expense with capital size as follows: