Empirically evaluating the effect of security precautions on cyber incidents

Neil Gandal; Tyler Moore; Michael Riordan; Noa Barnir

doi:10.1016/j.cose.2023.103380

Empirically evaluating the effect of security precautions on cyber incidents

Neil Gandal, Tyler Moore^*, Michael Riordan, Noa Barnir

^*Corresponding author for this work

School of Economics

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

Original language	English
Article number	103380
Journal	Computers and Security
Volume	133
DOIs	https://doi.org/10.1016/j.cose.2023.103380
State	Published - Oct 2023

Funding

Funders	Funder number
Economics of Information Security
WEIS
National Science Foundation	2147505
Bloom's Syndrome Foundation	2021711, 2016622
United States - Israel Binational Science Foundation
Israel National Cyber Directorate

Keywords

Cyber incidents
Cybersecurity
Empirical study
Precautions

Access to Document

10.1016/j.cose.2023.103380

Cite this

@article{778964da11584b16abcf8f96c0b60cb1,

title = "Empirically evaluating the effect of security precautions on cyber incidents",

abstract = "Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.",

keywords = "Cyber incidents, Cybersecurity, Empirical study, Precautions",

author = "Neil Gandal and Tyler Moore and Michael Riordan and Noa Barnir",

note = "Publisher Copyright: {\textcopyright} 2023 Elsevier Ltd",

year = "2023",

month = oct,

doi = "10.1016/j.cose.2023.103380",

language = "אנגלית",

volume = "133",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Ltd.",

}

TY - JOUR

T1 - Empirically evaluating the effect of security precautions on cyber incidents

AU - Gandal, Neil

AU - Moore, Tyler

AU - Riordan, Michael

AU - Barnir, Noa

PY - 2023/10

Y1 - 2023/10

N2 - Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

AB - Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

KW - Cyber incidents

KW - Cybersecurity

KW - Empirical study

KW - Precautions

UR - http://www.scopus.com/inward/record.url?scp=85165230945&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2023.103380

DO - 10.1016/j.cose.2023.103380

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:85165230945

SN - 0167-4048

VL - 133

JO - Computers and Security

JF - Computers and Security

M1 - 103380

ER -

Empirically evaluating the effect of security precautions on cyber incidents

Abstract

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this