Shiori Shinoda, Kanta Matsuura
Institute of Industrial Science, The University of Tokyo, Tokyo, Japan.
DOI: 10.4236/jis.2016.72003   PDF    HTML   XML   2,324 Downloads   3,484 Views   Citations

Abstract

Loyalty program (LP) is a popular marketing activity of enterprises. As a result of firms’ effort to increase customers’ loyalty, point exchange or redemption services are now available worldwide. These services attract not only customers but also attackers. In pioneering research, which first focused on this LP security problem, an empirical analysis based on Japanese data is shown to see the effects of LP-point liquidity on damages caused by security incidents. We revisit the empirical models in which the choice of variables is inspired by the Gordon-Loeb formulation of security investment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it particularly captures the feature of LP networks. However, the actual proxy used in the former study is artificial. In this paper, we reconsider the liquidity definition based on a further observation of LP security incidents. By using newly defined proxies corresponding to the threat as well as other refined proxies, we test hypotheses to derive more implications that help LP operators to manage partnerships; the implications are consistent with recent changes in the LP network. Thus we can see the impacts of security investment models include a wider range of empirical studies.

Keywords

Loyalty Program, Security Investment, Gordon-Loeb Model, Liquidity, Information Security Economics

Share and Cite:

Received 26 December 2015; accepted 14 March 2016; published 17 March 2016

1. Introduction

Loyalty programs (LPs) are structured marketing efforts that reward, and therefore encourage, customers’ loyalty [1] . LPs have proliferated in recent years as companies seek to acquire and retain customers, increase customer spending, and encourage the purchase of additional products [2] . However, some studies such as [3] argued that since most firms now utilize LPs, they are no longer effective in contributing to competitive advantage. Consequently, many firms are attempting to redesign LPs to enhance their effectiveness. In particular, in order to increase customers’ loyalty, point exchange or redemption services have matured worldwide. For example, Points.com¹ is a major point exchange or redemption service in the U.S. In Japan, point exchange network is expanding, which enables customers to redeem points from one LP to another LP [4] . However, these services attract not only customers but also attackers whose aim is to obtain monetary benefits. In fact, there are an increasing number of LP incidents worldwide, as shown in Section 2.

When we consider security investment to reduce the damages caused by such incidents, we need to assess the features of LP network from the viewpoint of the efficacy of security investment. In order to answer to the above question, Jenjarrussakul and Matsuura [5] conducted an empirical study of LPs. Their study was performed inspired by the Gordon-Loeb model [6] - [8] of security investment; they considered damage, expense (or security investment), threat, and vulnerability as four fundamental factors when they developed their empirical analysis model. In particular, they provided security-liquidity implications by using the liquidity of an LP as a metric of threat. This analysis is possible because threat (defined as the probability of a threat occurring) and vulnerability (defined as the conditional probability that a threat once realized would be successful) are handled separately.

However, the definition of the liquidity itself is not deeply studied. The possibility of using other metrics is not well considered, either. In this paper, we investigate this threat metric more deeply by considering different metrics based on an observation of actual security incidents on LP systems.

Our work to be reported in the rest of this paper is inspired by this primary study [5] , but there are important differences as follows. First, the liquidity definition is reconsidered, and a more intuitively convincing one is introduced. Second, we observe actual security incidents more deeply and give more implications that help LP operators to manage partnerships; the implications are consistent with recent changes in the LP network. Minor changes over the proxies used to test hypotheses also help our empirical study.

The rest of this paper is organized as follows. In Section 2, we see major incidents on LPs, which occurred worldwide, and their characteristics. In Section 3, we describe related and previous works. In Section 4, the data used in our empirical analyses are shown. In Sections 5, 6 and 7, different threat metrics and liquidity definition are investigated. Lastly, Section 8 concludes the paper.

2. Incidents on Loyalty Programs

In the U.K., compromised credentials enabled the theft of users’ miles from the British Airways loyalty program in March 2015 [9] . In the U.S., Hilton Hotel rewards points were stolen in November 2014 [10] . This case happened because the login process was weak. Hackers can not only sell the stolen accounts or redeem the points but can also buy expensive items at Hilton shopping mall. About 10,000 accounts of American Airlines and United Airlines loyalty programs were compromised in December 2014 [11] . A March 2015 report [12] says “with Starbucks, hackers were somehow (still unclear) able to obtain customer usernames and passwords that opened up access to payment methods, which were used to refill gift card balances and transfer out gift card funds. Hackers can then sell these gift card balances to other people.” In these cases, hackers are said to have used ID-password lists for mimicking successful authentications.

There is an increasing number of LP security incidents in Japan as well [13] . Table 1 shows a list of major security incidents of LPs in Japan collected from web news articles that describe some characteristics of the attackers’ behaviors: they often 1) attempt to go through the web login authentication mechanisms, 2) make malicious attempts in one or two days, and 3) attempt to steal the compromised accounts’ points and redeem them into certain LP points. Regarding the third characteristic, it should be noted that Amazon Gift Card and iTunes Gift Code are often chosen as the redemption destinations by attackers. Their codes can be sold and eventually converted into real money. This is the first possible reason why attackers often choose those gifts. The second possible reason is that most attackers live outside Japan. Both Amazon and iTunes services are provided

internationally with their head offices outside Japan, so attackers can avoid investigations by Japanese police. As the third possible reason, it should be noted that Amazon and iTunes are not willing to publish the redemption algorithms; without their disclosure, we cannot trace and find who stole the points.

3. Related Works

3.1. Loyalty Programs

Effectiveness of LPs is well investigated in the management area [3] . Also, some research focuses on Japanese LPs. For example, the research has been conducted on the characteristics of Japanese LP network [38] , the factor which leads LP partnership [39] , LP network’s economic reliability [40] and the network’s impact on marketing performances [4] . These works do not consider LP security problems.

LP security issues were first economically researched by Jenjarrussakul and Matsuura in 2014 [5] . They show two implications: the impact of LP security incidents gets lower if stronger security requirements in web authentication process are satisfied, and it is higher if the liquidity of the LP points gets higher. Our work is inspired by this primary study, but there are some important differences as mentioned in Section 1.

3.2. Virtual Currency and Security

European Central Bank defined virtual currency as “a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community” and pointed out that LP points or miles can satisfy the definition [41] . Other representative virtual currencies include cryptocurrency and game currency. Regarding cryptocurrency, Bitcoin is the main research target [42] - [45] . Although these works handle security problems, they do not consider the relation between Bitcoin and LP systems. Massively multiplayer online games (MMOGs) currencies are also virtual currencies with security issues that have been researched without considering the relationship between the currencies and LP systems [46] - [50] .

4. Data Collection

We retrieved the LP network structure from Poitan.net, a portal site of Japanese LP networks where users can search possible routes of point redemption, find the market value of each LP point, and so on (see Appendix A.1). Each LP operator’s capital size was retrieved from each LP operator’s website. The data of the security investment, damage amount and security requirements are the same as those in [5] . Table 2 summarizes the data used in our study.

5. Point Liquidity and Number of Partners

5.1. Hypothesis Development

Reference [5] shows an important implication: an LP with higher liquidity suffers a bigger impact from incidents. However, the definition of the liquidity in [5] was not intuitively convincing as described in Appendix C.

It may be more convincing if liquidity is defined more simply as:

(1)

where is the number of partners into which one can redeem points from LP_i. In order to examine this definition, we set the following hypothesis:

H1. An LP with more outgoing partners suffers greater damage.

5.2. Model

In order to test H1, the following linear regression model is set:

(2)

where i is an index that indicates each LP, is the annual damage amount of the overall IT security

incidents of LP_i’s operator, is the capital size of LP_i’s operator, is the annual IT security expense of LP_i’s operator, is the security requirement level of the LP_i’s authentications, and is the model’s error term, assumed to be independent of the observed covariates. For more calculation details of these proxies, see Appendix B.3. Correlations between variables are shown in Table 3.

5.3. Results

To test H1, let the null hypothesis be in Equation (2). H1 is accepted if this null hypothesis is rejected.

The estimated result of Equation (2) is shown in Table 4. The coefficient of is significantly positive, so the null hypothesis is rejected, and H1 is accepted. Additionally, the coefficient of is significantly negative. This result is consistent with the results of [5] .

6. Does Time Required for Redemption Affect the Damage?

6.1. Hypothesis Development

A redemption request is not always approved quickly; it may take one week or longer. If the LP operators have more time to give approval, they may notice suspicious redemption applications and reject them with higher chances. Thus attackers may prefer quicker redemption to avoid the risk of being detected. In fact, the incidents surveyed in Section 2 suggest this preference. So let us consider the following hypothesis.

H2. If an LP has more outgoing partners with short redemption time, the damage from incidents is bigger.

6.2. Data and Descriptive Statistics

Figure 1 shows the histogram of the time required for redemptions of all the exchange routes of 274 LPs and Table 5 shows the descriptive statistics. Table 6 shows the descriptive statistics regarding the 82 selected LPs.

6.3. Model

To test H2, we set the linear regression model as follows:

(3)

^**Indicates significance at 5% level. ^***Indicates significance at 1% level.

where is the number of partners into which one can redeem points from LP_i within N days and the other variables are the same as those in Equation (2). Correlations between variables are shown in Table7.

6.4. Results and Discussion

The estimated results of Equation (3) for are shown in Table 8. When N is 0 or 5, is significantly positive, but does not show any significances. This means that if an LP suffers greater damage if it has more point-redeeming partners over the time threshold, 0 or 5 days. On the other hand, when N is 45 or 60, shows no significance but is significantly positive. This suggests that a LP suffers more damage when it has a larger number of point-redeeming partners under the time threshold, 45 or 60 days. When N is 10 or 30, no significances were provided.

These results suggest that the number of outgoing partners that require at least 45 days for redemption does not affect the liquidity. Although it is not supported if the threshold time is 5 days, H2 is supported if the threshold time is 45 days. It is shown that the damage gets bigger if the LP has more partnerships with shorter redemption times. Thus we find that redemption time has some effects on liquidity, and hence, on the threats to LPs.

7. Do Specific Partners Affect the Damage?

7.1. Hypothesis Development

Table 9 and Figure 2 show the number of LPs (out of the 82 selected LPs) from which one can redeem points

^*Indicates significance at 10% level. ^**Indicates significance at 5% level. ^***Indicates significance at 1% level.

into Amazon Gift Cards and iTunes Gift Codes with respect to the time required for redemption. As we mentioned in Section 2, attackers seem to prefer Amazon Gift Cards and iTunes Gift Codes for malicious redemptions. Taking alliances with specific partners might expose an LP to bigger threats. So we set the following hypothesis.

H3. An LP that takes partnership with Amazon or iTunes suffers greater damage.

7.2. Model

To test H3, we set the linear regression model as follows:

(4)

when, and

(5)

when, where is the binary value representing whether one can redeem points from LP_i to an Amazon Gift Card or iTunes Gift Code within days (1 if possible, 0 otherwise), and the other variables are the same as in Equation (2).

Correlations between the variables in Equation (4) and Equation (5) are shown in Table 10.

7.3. Results and Discussion

The estimated results for are shown in Table 11.

When, is significantly weakly positive at 10% level. When N is 10 or 45, does not show any significance. This means that H3 is weakly supported for the redemption time, 10, 45 and 90 days. Additionally, it suggests that availability of redemption into Amazon or iTunes does not affect the damage if one has to wait more than 45 days to complete the transaction. When N = 30 or N = 60, the p-values of are rather small, although it is insufficient for the 10%-level weak support. On the other hand, when N = 0 or N = 5, is significantly positive and is insignificant. This means if an LP has an outgoing partnership with Amazon or iTunes and the redemption takes more than 0 or 5 days, it suffers more damage, while we cannot see any relation between the damage and the availability of 0 or 5-day redemption. While it differs from the intuition, the same discussion as in Section 6.4 can be applied.

In Japan, some of the LP operators who experienced damages by malicious redemption into Amazon Gift Cards or iTunes Gift Codes introduced countermeasures; they either temporarily stopped their alliance with Amazon and iTunes or introduced phone authentication regarding the redemption into. This recent trend is supported by the above result of our empirical analysis.

8. Concluding Remarks

In this paper, we revisit the empirical models used in a former study [5] regarding the security of loyalty

^*Indicates significance at 10% level. ^**Indicates significance at 5% level. ^***Indicates significance at 1% level.

programs. In the models, the choice of variables is inspired by the Gordon-Loeb formulation of security investment: damage, investment, vulnerability, and threat. The liquidity of LP points corresponds to the threat in the formulation and plays an important role in the empirical study because it captures a particular feature of LP networks. However, the actual proxy used in the former study is artificial due to the fact that its original definition is not LP-wise but industry-wise. In this paper, we reconsidered the liquidity definition based on a further observation of LP security incidents. By using newly defined proxies corresponding to the threat as well as other refined proxies, we conducted hypothesis testing to derive more implications. We show the damage from LP incidents grows if partnerships with short redemption times or with Amazon or iTunes are accepted. These implications will help LP operators manage partnerships. In fact, these findings are consistent with recent trends in the LP network. Thus we can see the impacts of security investment models include a wider range of empirical studies in the economics of information security.

Acknowledgements

We thank the editors and the referees for their helpful comments. This work was partly supported by JSPS KAKENHI Grant Number 25280045 and 25240017. The authors express sincere appreciation to Mr. Takahito Kikuchi, the owner of Poitan.net, who provided the data and useful information for this study.

Appendix A. Poitan.net

Poitan (http://poitan.net) provides information on more than 200 LPs in Japan, such as estimated real-currency values of LP points, exchange/conversion rates between different LPs and how long the conversion would take. Suppose that a consumer would like to convert a certain amount of ANA (All Nippon Airways, a star alliance member) miles, say, 20,000 miles, into JAL (Japan Airlines, a one-world alliance member) miles. In response to this query, Poitan shows some possible conversion routes. For example, on December 25, 2015, Poitan said there were 87 possible routes. One of the possible routes with the best rate was as follows:

1) Convert 20,000 ANA miles (estimated value is 30,000 JPY (Japanese Yen)) into 20,000 JQ Card Points² points (estimated value is 20,000 JPY). This would take about 60 days.

2) Convert 20,000 JQ Card points into 20,000 Epos Card Points³ (estimated value is 20,000 JPY). This would take about 3 days.

3) Convert 20,000 Epos Card Points into 10,000 JAL miles (estimated value is 15,000 JPY). This would take about 60 days.

Appendix B. Data and Proxies for Empirical Analyses

B.1. 82 Selected LPs

Table A1 shows the 82 selected LPs. LP ID indicates the LP’s ID of Poitan.net. You can access the information of an LP via http://dir.poitan.net/(.*).html, where (.*) is its ID number.

B.2. Industry

Table A2 shows the nine industries which operate LPs in Japan.

B.3. Calculations of the Proxies

Our empirical studies were conducted based on the Gordon-Loeb security investment model [6] , which considers the following four parameters as fundamental parameters: expense―the amount of security investment, damage―the amount of damage when the attack occurred, threat―the probability that an attack occurs, and vulnerability―the conditional probability that a threat once realized would be successful. When we consider the security of LP systems, one possible interpretation of the four parameters is as follows: Expense is the expense on IT security countermeasures by the LP-operating company; Damage is the amount of damage from IT incidents; Threat is considered to be high if the LP points’ liquidity is high because higher liquidity implies more chances of achieving criminal benefits by malicious conversion of LP points or their redemption and it can be a main attractive factor; Vulnerability is considered to be lower if the online user authentication system of an LP is implemented in a more secure manner.

This appendix shows how we set and calculate each proxy based on this interpretation, other than threat.

B.3.1. Damage

As is shown in Table A3, METI’s numerical data of IT damage represent only the ranges because of its questionnaire design [52] . So we calculated the average damage size for every industry and every capital size level by using the middle value of the range (e.g. 0.75 million JPY for the range “0.5 million to 1 million”) with an exception at the edge (i.e. we use 200 million JPY for the range “over 100 million.” This method is also used by METI [51] .

Then, from each LP’s industry and capital size, we calculate its damage. We set this damage size as where indicates each respective LP. For example, if LP₁’s industry is “Information Service” and its capital size is “under 50 million JPY”, .

This proxy calculation differs from [5] in the following three points. 1) Reference [5] ignored firms which answered “did not suffer information security incidents,” but we consider them as zero because it is more accurate. 2) In [5] , they calculated the average damage considering only the industrial categorization, but we also considered the capital size for segmentation. 3) Reference [5] used as the proxy

of damage, where indicates LP_i’s belonging industry ID, is the average damage amount of its industry and indicates the LP’s ranking score at Poitan.net. However, this might be somewhat artificial.

B.3.2. Expense

The proxy of expense is also calculated from METI’s data by the same method used for the damage. Then, is set.

B.3.3. Vulnerability

The metric of vulnerability is the same as [5] used. We used six requirements in the registration process, the authentication (login) process, and the back-up authentication process of each LP. Table A4 shows these six requirements. They computed the security score, , of LP_i as the ratio of “the number of satisfied requirements in LP_i” to “the number of requirements about which we can obtain data regarding LP_i.”

represents how unsuccessful an attack is, so we can view as a metric for anti- vulnerability.

B.3.4. Normalization

Reference [5] did not normalize any parameters, but we normalize damage and expense with capital size as follows:

damage:,

expense:.

Each LP-operating company has a lot of IT systems, and an LP system is just one of them. Since the empirical data of expense and damage is for all the IT systems of the company, some normalization would be necessary when we measure the expense and expense on its LP system.

Appendix C. Liquidity Definition at the Previous Research

We briefly describe how Jenjarrussakul and Matsuura [5] defined liquidity and used this metric.

Before they conducted quantitative analysis, they first considered the LPs security issues by industry. They listed 204domestic LPs and classified them into 9 industries. They drew a graph of the Japanese LP partnership network where each node indicates an industry. Since they were interest in how each industry node is connected, they checked the edge types―one-directional, opposite one-directional, or bidirectional―between industries and the average number of connecting LPs of all the LPs belonging to each industry.

In order to quantitatively examine which industry is more willing to connect with other industries via LP, they introduced a metric liquidity as a multiplier of the number of edge types, x, and the average number of partners regarding the LPs in a node, y:

.

Then, using METI’s data, they discussed the relation between liquidity and damage or security investment in the industry-wise level.

After this industry based discussion, they entered upon a LP divided discussion and carried on quantitative empirical analysis with the same liquidity definition above. However, this definition does not seem suitable and intuitively convincing when we consider how easily attackers convert the points into actual monetary profit when we consider the LP-wise situation divided from the industry-wise cluster.

NOTES

¹https://www.points.com/.

²JQ Card Point is a reward program of a credit card provided by a Japanese railway company.

³Epos Card Point is a reward program of a credit card provided by one of the biggest department store in Japan, Marui.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1]	Sharp, B. and Sharp, A. (1997) Loyalty Programs and Their Impact on Repeat-Purchase Loyalty Patterns. International Journal of Research in Marketing, 14, 473-486. http://dx.doi.org/10.1016/S0167-8116(97)00022-0
[2]	PricewaterhouseCoopers LLP (2013) Loyalty Analytics Exposed: What Every Program Manager Needs to Know. http://www.pwc.com/en_US/us/insurance/publications/assets/pwc-loyalty-analytics-exposed.pdf
[3]	Zhang, J. and Breugelmans, E. (2012) The Impact of an Item-Based Loyalty Program on Consumer Purchase Behavior. Journal of Marketing Research, 49, 50-65. http://dx.doi.org/10.1509/jmr.09.0211
[4]	Katsumata, S. and Wakabayashi, T. (2014) Loyalty Program Point Exchange Networks and Their Impact on Marketing Performance. Faculty of Economics, Nagasaki University Discussion Paper Series, 2014, 1-19.
[5]	Jenjarrussakul, B. and Matsuura, K. (2014) Analysis of Japanese Loyalty Programs Considering Liquidity, Security Efforts, and Actual Security Levels. The 13th Workshop on the Economics of Information Security, Pennsylvania, 23-24 June 2014.
[6]	Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274
[7]	Willemson, J. (2006) On the Gordon & Loeb Model for Information Security Investment. The 5th Workshop on the Economics of Information Security, Cambridge, 26-28 June 2006.
[8]	Matsuura, K. (2008) Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model. The 7th Workshop on the Economics of Information Security, New Hampshire, 25-28 June 2008.
[9]	DarkReading.com (2015) British Airways the Latest Loyalty Program Breach Victim. http://www.darkreading.com/attacks-breaches/british-airways-the-latest-loyalty-program-breach-victim/d/d-id/1319683
[10]	Krebs on Security (2014) Thieves Cash out Rewards, Points Accounts. http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accounts/
[11]	The Dallas Morning News (2015) Cyberthieves Steal Miles from American, United Customers. http://www.dallasnews.com/business/airline-industry/20150112-american-united-airlines-targets-of-attempt-to-steal-customers-miles.ece
[12]	My Bank Tracker (2015) Lesson from Starbucks: Creative Ways That Hackers Can Steal from You. http://www.mybanktracker.com/news/lesson-starbucks-creative-ways-hackers-steal
[13]	TrendMicro (2014) TrendLabs 2Q 2014 Security Roundup in Japan. (In Japanese) http://www.trendmicro.co.jp/cloud-content/jp/pdfs/security-intelligence/threat-report/pdf-2014q2-20140819. pdf?cm_sp=threat-_-sr-2014q2-_-lp-txt
[14]	G-PLAN INC (2012) Correspondence to the Unauthorized Accesses to G-Point. (In Japanese) http://www.gpoint.co.jp/company/service/gplan20120418.pdf
[15]	ITmedia Enterprise (2013) Unauthorized Access to T-Point, 299 Accounts Were Compromised. (In Japanese) http://www.itmedia.co.jp/enterprise/articles/1304/07/news005.html
[16]	Record China (2013) Chinese Students Were Arrested. They Exchanged 250 Accounts Rakuten Points into Electric Money. (In Japanese) http://www.recordchina.co.jp/a80323.html
[17]	NTT Communications Online Marketing Solutions (2014) The Report of Unauthorized Access to Potora. (In Japanese) http://www.nttcoms.com/page.jsp?id=2409
[18]	ITpro (2014) Unauthorized Access to JAL Mileage Website, JAL Requested 27 Million People to Change Their Passwords. (In Japanese) http://itpro.nikkeibp.co.jp/article/NEWS/20140203/534282/
[19]	Nikkei (2014) Enormous Unauthorized Access Attempted to JR East. (In Japanese) http://itpro.nikkeibp.co.jp/atcl/news/14/081800465/
[20]	Hatena Co., Ltd. (2014) Please Confirm Your Password and Registration Information in Order to Prevent Unauthorized Access. (In Japanese) http://hatena.g.hatena.ne.jp/hatena/20140224/1393211701
[21]	ITpro (2014) 1.12 Million Miles of ANA Mileage Club Were Stolen, Personal Information Such as Addresses Might Be Browsed. (In Japanese) http://itpro.nikkeibp.co.jp/article/NEWS/20140311/542563/
[22]	Poitan News (2014) Unauthorized Access to My JCB and Redeemed to T-Point. (In Japanese) http://www.poitan.jp/archives/3138
[23]	Sony Marketing (Japan) Inc. (2014) The Report of Unauthorized Access to Sony Point Service and a Request for Changing Passwords. (In Japanese) https://www.sony.jp/info/pw_management2.html
[24]	Security NEXT (2014) 0.22 Million Unauthorized Accesses to Niconico Video, 0.17 Million Yen Loss. (In Japanese) http://www.security-next.com/049575
[25]	Security NEXT (2014) Unauthorized Access to Hatena, Redemption to Amazon Gift Code Was Failed in Attempts. (In Japanese) http://www.security-next.com/049827
[26]	Security NEXT (2014) 11502 Unauthorized Accesses to a Questionnaire Website and Some Points Were Stolen. (In Japanese) http://www.security-next.com/049982
[27]	Scan Net Security (2014) A Questionnaire Website, Anpara, Was Attacked and Some Points Were Stolen. (In Japanese) http://scan.netsecurity.ne.jp/article/2014/07/08/34495.html
[28]	NTT Communications Corporation (2014) Unauthorized Access to Poin-Talk and Goo-Points. (In Japanese) http://www.ntt.com/release/monthNEWS/detail/20140730.html
[29]	ITpro (2014) Enormous Number of Accesses to Suica Point Club, Unauthorized Access to Some Acounts. (In Japanese) http://itpro.nikkeibp.co.jp/atcl/news/14/081800465/
[30]	D Style Web (2014) Information of Unauthorized Access and Unauthorized Point Redemption. (In Japanese) http://www.dstyleweb.com/20141028/
[31]	Security NEXT (2014) Unauthorized Access to a Research Service of Kyushu Electric Power, Which Was Detected When the Operator Found the Number of Exchanges Is 10 Times as Many as Usual. (In Japanese) http://www.security-next.com/054803
[32]	Mixi, Inc. (2015) The Report of Unauthorized Accesses to Morappo and Mixi Questionnaire Using the Passwords Which Were Leaked at the Third Party. (In Japanese) http://mixi.co.jp/press/2015/0109/15881/
[33]	AIP Corporation (2015) Unauthorized Access, Point Redemption and Personal Information Browsing. (In Japanese) http://www.aip-global.com/JP/corporate/releases/20150701.html
[34]	Lifemedia, Inc. (2015) The Report of Unauthorized Access to Lifemedia. (In Japanese) http://lifemedia.jp/utilization/info_d20150713.html
[35]	Orient Corporation (2015) Unauthorized Access to Customer Web Services. (In Japanese) http://www.orico.co.jp/information/20150727.html
[36]	PrizePrize (2015) The Report of Unauthorized Point Redemptions and Our Request for Changing Your Passwords. (In Japanese) http://www.moneyforall.net/rss/single.php?id=121
[37]	Washington Hotel (2015) The Report of Unauthorized Access to Lodging Net Point and Our Request for Changing Your Password. (In Japanese) http://www.washingtonhotel.co.jp/pdf/info20150805.pdf
[38]	Wakabayashi, T. (2008) Structure and Formation of the Exchange Market of Point Programs and Electronic Moneys. (In Japanese) Organizational Science, 42, 47-60.
[39]	Wakabayashi, T. and Katsumata, S. (2013) Which Factor Matters to the Formation of Strategic Alliance Network: Industry, Firm or Network? (In Japanese) Oganizational Science, 47, 69-79.
[40]	Yuhashi, H. and Gotou, H. (2010) The Reliability of the New Economic Platform: Mobile Value Exchange Alliance Network. 18th Biennial ITS Conference, Tokyo, 27-30 June 2010.
[41]	European Central Bank (2012) Virtual Currency Schemes. http://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf
[42]	Moore, T. and Christin, N. (2013) Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk. Financial Cryptography and Data Security, 7859, 25-33. http://dx.doi.org/10.1007/978-3-642-39884-1_3
[43]	Vasek, M., Thornton, M. and Moore, T. (2014) Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem. Financial Cryptography and Data Security, 8438, 57-71. http://dx.doi.org/10.1007/978-3-662-44774-1_5
[44]	Johnson, B., Laszka, A., Grossklags, J., Vasek, M. and Moore, T. (2014) Game-Theoretic Analysis of DDoS Attacks against Bitcoin Mining Pools. Financial Cryptography and Data Security, 8438, 72-86. http://dx.doi.org/10.1007/978-3-662-44774-1_6
[45]	Kroll, J.A., Davey, I.C. and Felten, E.W. (2013) The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries. The 12th Workshop on the Economics of Information Security, Washington DC, 11-12 June 2013.
[46]	Hu, J. and Zambetta, F. (2008) Security Issues in Massive Online Games. Security and Communication Networks, 1, 83-92. http://dx.doi.org/10.1002/sec.5
[47]	Ku, Y., Chen, Y., Wu, K. and Chiu, C. (2007) An Empirical Analysis of Online Gaming Crime Characteristics from 2002 to 2004. Intelligence and Security Informatics, 4430, 34-45. http://dx.doi.org/10.1007/978-3-540-71549-8_3
[48]	Bardzell, J., Jakobsson, M., Bardzell, S., Pace, T., Odom, W. and Houssian, A. (2007) Virtual Worlds and Fraud: Approaching Cybersecurity in Massively Multiplayer Online Games. Proceedings of DiGRA 2007 Conference, Tokyo, 24-28 September 2007, 451-742.
[49]	Kiondo, C., Kowalski, S. and Yngstrom, L. (2011) Exploring Security Risks in Virtual Economies. 1st International Conference on Social Eco-Informatics, Barcelona, 23-29 October 2011.
[50]	Irwin, A.S.M. and Slay, J. (2010) Detecting Money Laundering and Terrorism Financing Activity in Second Life and World of Warcraft. Proceedings of the 1st International Cyber Resilience Conference, Perth, 23-24 August 2010, 41-50.
[51]	Ministry of Economy, Trade and Industry (2013) Survey on Information Processing in 2012: Result Detail Part 3— Information Security. (In Japanese) http://www.meti.go.jp/statistics/zyo/zyouhou/result-2/h24jyojitsu.html
[52]	Ministry of Economy, Trade and Industry (2012) Survey on Information Processing in 2012: Questionnaire. (In Japanese) http://www.meti.go.jp/statistics/zyo/zyouhou/result-2/pdf/03_H24chousahyo.pdf