Empirically evaluating the effect of security precautions on cyber incidents

Neil Gandal, Tyler Moore*, Michael Riordan, Noa Barnir

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

Original languageEnglish
Article number103380
JournalComputers and Security
StatePublished - Oct 2023


FundersFunder number
Economics of Information Security
National Science Foundation2147505
Bloom's Syndrome Foundation2021711, 2016622
United States - Israel Binational Science Foundation
Israel National Cyber Directorate


    • Cyber incidents
    • Cybersecurity
    • Empirical study
    • Precautions


    Dive into the research topics of 'Empirically evaluating the effect of security precautions on cyber incidents'. Together they form a unique fingerprint.

    Cite this