Prioritizing Investments in Cybersecurity: Empirical Evidence from an Event Study on the Determinants of Cyberattack Costs

Daniel Celeny, Loïc Maréchal, Evgueni Rousselot, Alain Mermoud, Mathias Humbert
{"title":"Prioritizing Investments in Cybersecurity: Empirical Evidence from an Event Study on the Determinants of Cyberattack Costs","authors":"Daniel Celeny, Loïc Maréchal, Evgueni Rousselot, Alain Mermoud, Mathias Humbert","doi":"arxiv-2402.04773","DOIUrl":null,"url":null,"abstract":"Along with the increasing frequency and severity of cyber incidents,\nunderstanding their economic implications is paramount. In this context, listed\nfirms' reactions to cyber incidents are compelling to study since they (i) are\na good proxy to estimate the costs borne by other organizations, (ii) have a\ncritical position in the economy, and (iii) have their financial information\npublicly available. We extract listed firms' cyber incident dates and\ncharacteristics from newswire headlines. We use an event study over 2012--2022,\nusing a three-day window around events and standard benchmarks. We find that\nthe magnitude of abnormal returns around cyber incidents is on par with\nprevious studies using newswire or alternative data to identify cyber\nincidents. Conversely, as we adjust the standard errors accounting for\nevent-induced variance and residual cross-correlation, we find that the\npreviously claimed significance of abnormal returns vanishes. Given these\nresults, we run a horse race of specifications, in which we test for the\nmarginal effects of type of cyber incidents, target firm sector, periods, and\ntheir interactions. Data breaches are the most detrimental incident type with\nan average loss of -1.3\\% or (USD -1.9 billion) over the last decade. The\nhealth sector is the most sensitive to cyber incidents, with an average loss of\n-5.21\\% (or USD -1.2 billion), and even more so when these are data breaches.\nInstead, we cannot show any time-varying effect of cyber incidents or a\nspecific effect of the type of news as had previously been advocated.","PeriodicalId":501372,"journal":{"name":"arXiv - QuantFin - General Finance","volume":"16 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - QuantFin - General Finance","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2402.04773","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Along with the increasing frequency and severity of cyber incidents, understanding their economic implications is paramount. In this context, listed firms' reactions to cyber incidents are compelling to study since they (i) are a good proxy to estimate the costs borne by other organizations, (ii) have a critical position in the economy, and (iii) have their financial information publicly available. We extract listed firms' cyber incident dates and characteristics from newswire headlines. We use an event study over 2012--2022, using a three-day window around events and standard benchmarks. We find that the magnitude of abnormal returns around cyber incidents is on par with previous studies using newswire or alternative data to identify cyber incidents. Conversely, as we adjust the standard errors accounting for event-induced variance and residual cross-correlation, we find that the previously claimed significance of abnormal returns vanishes. Given these results, we run a horse race of specifications, in which we test for the marginal effects of type of cyber incidents, target firm sector, periods, and their interactions. Data breaches are the most detrimental incident type with an average loss of -1.3\% or (USD -1.9 billion) over the last decade. The health sector is the most sensitive to cyber incidents, with an average loss of -5.21\% (or USD -1.2 billion), and even more so when these are data breaches. Instead, we cannot show any time-varying effect of cyber incidents or a specific effect of the type of news as had previously been advocated.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
确定网络安全投资的优先次序:网络攻击成本决定因素事件研究的经验证据
随着网络事件日益频繁和严重,了解其对经济的影响至关重要。在此背景下,上市公司对网络事件的反应值得研究,因为它们(i)是估算其他组织所承担的成本的良好替代品,(ii)在经济中处于关键地位,(iii)其财务信息是公开的。我们从新闻通稿中提取上市公司的网络事件日期和特征。我们对 2012-2022 年期间的事件进行了研究,使用了事件前后三天的窗口和标准基准。我们发现,网络事件前后的异常回报幅度与之前使用新闻电讯或其他数据识别网络事件的研究结果相当。相反,当我们对标准误差进行调整,并考虑到事件引起的方差和残差交叉相关性时,我们发现之前声称的异常回报的重要性消失了。鉴于上述结果,我们进行了一次规格竞赛,检验网络事件类型、目标公司行业、时期及其交互作用的边际效应。数据泄露是危害最大的事件类型,过去十年的平均损失为-1.3%或(19 亿美元)。医疗行业对网络事件最为敏感,平均损失为-5.21%(或-12 亿美元),如果是数据泄露,损失会更大。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Information Asymmetry Index: The View of Market Analysts Market Failures of Carbon Trading Hydrogen Development in China and the EU: A Recommended Tian Ji's Horse Racing Strategy Applying the Nash Bargaining Solution for a Reasonable Royalty II Auction theory and demography
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1