Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.
- Cyber incidents
- Empirical study