Prioritizing Investments in Cybersecurity: Empirical Evidence from an Event Study on the Determinants of Cyberattack Costs
Détails
Télécharger: Celeny-et-al-WEIS-2024-e1141bd52ac52852.pdf (1032.43 [Ko])
Etat: Public
Version: Final published version
Licence: Non spécifiée
Etat: Public
Version: Final published version
Licence: Non spécifiée
ID Serval
serval:BIB_86F8470FCBDD
Type
Actes de conférence (partie): contribution originale à la littérature scientifique, publiée à l'occasion de conférences scientifiques, dans un ouvrage de compte-rendu (proceedings), ou dans l'édition spéciale d'un journal reconnu (conference proceedings).
Collection
Publications
Institution
Titre
Prioritizing Investments in Cybersecurity: Empirical Evidence from an Event Study on the Determinants of Cyberattack Costs
Titre de la conférence
23rd Workshop on the Economics of Information Security
Statut éditorial
Publié
Date de publication
04/2024
Peer-reviewed
Oui
Langue
anglais
Résumé
Along with the increasing frequency and severity of cyber incidents, understanding their economic implications is paramount. In this context, listed firms’ reactions to cyber incidents are compelling to study since they (i) are a good proxy to estimate the costs borne by other organizations, (ii) have a critical position in the economy, and (iii) have their financial information publicly available. We extract listed firms’ cyber incident dates and characteristics from newswire headlines. We use an event study over 2012–2022, using a three-day window around events and standard benchmarks. We find that the magnitude of abnormal returns around cyber incidents is on par with previous studies using newswire or alternative data to identify cyber incidents. Conversely, as we adjust the standard errors accounting for event-induced variance and residual cross-correlation, we find that the previously claimed significance of abnormal returns vanishes. Given these results, we run a horse race of specifications, in which we test for the marginal effects of type of cyber incidents, target firm sector, periods, and their interactions. Data breaches are the most detrimental incident type with an average loss of -1.3% or (USD -1.9 billion) over the last decade. The health sector is the most sensitive to cyber incidents, with an average loss of -5.21% (or USD -1.2 billion), and even more so when these are data breaches. Instead, we cannot show any time-varying effect of cyber incidents or a specific effect of the type of news as had previously been advocated.
Création de la notice
11/04/2024 10:00
Dernière modification de la notice
23/04/2024 5:59