Empirically evaluating the effect of security precautions on cyber incidents

Neil Gandal, Tyler Moore, Michael Riordan, Noa Barnir

Research output: Contribution to journalArticlepeer-review

Abstract

Available data on firm cybersecurity often exhibits a positive correlation between investment in security precautions and cyber attacks since investments are often made after a firm has been breached. Using survey data from Israeli firms about their cyber defenses, we overcome the endogeneity obstacle using an instrumental variable (IV) drawn from questions about a cybersecurity directive. The resulting regressions examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented and controlling for characteristics that make some firms more attractive attack targets than others, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of being breached.

Original languageEnglish
Article number103380
JournalComputers and Security
Volume133
DOIs
StatePublished - Oct 2023

Keywords

  • Cyber incidents
  • Cybersecurity
  • Empirical study
  • Precautions

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Law

Fingerprint

Dive into the research topics of 'Empirically evaluating the effect of security precautions on cyber incidents'. Together they form a unique fingerprint.

Cite this