Empirically evaluating the effect of security precautions on cyber incidents

Neil Gandal, Tyler Moore*, Michael Riordan, Noa Barnir

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

Original languageEnglish
Article number103380
JournalComputers and Security
Volume133
DOIs
StatePublished - Oct 2023

Funding

FundersFunder number
Economics of Information Security
WEIS
National Science Foundation2147505
Bloom's Syndrome Foundation2021711, 2016622
United States - Israel Binational Science Foundation
Israel National Cyber Directorate

    Keywords

    • Cyber incidents
    • Cybersecurity
    • Empirical study
    • Precautions

    Fingerprint

    Dive into the research topics of 'Empirically evaluating the effect of security precautions on cyber incidents'. Together they form a unique fingerprint.

    Cite this