前入侵企业网络风险：来自互联网协议网络的证据

IF 0.4 4区经济学 Q4 BUSINESS, FINANCE Journal of Operational Risk Pub Date : 2021-09-22 DOI:10.21314/jop.2021.007

Bill Francis, Wenyao Hu, Thomas D. Shohfi

{"title":"前入侵企业网络风险：来自互联网协议网络的证据","authors":"Bill Francis, Wenyao Hu, Thomas D. Shohfi","doi":"10.21314/jop.2021.007","DOIUrl":null,"url":null,"abstract":"Previous event studies of corporate cyber-risk have been limited to successful attacks on public firms but are biased samples constructed based on the economic magnitude of equity losses. To address this selection bias, we construct a larger and more representative sample of cyber intrusions only to find diminished negative equity (and insignificant corporate bond) market reactions compared to these prior studies. To identify cyber-risk irrespective of observing successful attacks, we match public firms to Internet protocol (IP) network data from the American Registry for Internet Numbers (ARIN) from 1991 to 2017. We find that both stockholders and creditors incorporate external IP network size into firm value. Further, debt and equity market reactions to cyberattacks are mitigated for firms with registered IP networks and that have larger network deployments. Overall, our study demonstrates an important public data source that can help institutions proxy for and more accurately price firm cybersecurity risk.","PeriodicalId":54030,"journal":{"name":"Journal of Operational Risk","volume":"1 1","pages":""},"PeriodicalIF":0.4000,"publicationDate":"2021-09-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Ex-intrusion corporate cyber risk: evidence from internet protocol networks\",\"authors\":\"Bill Francis, Wenyao Hu, Thomas D. Shohfi\",\"doi\":\"10.21314/jop.2021.007\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Previous event studies of corporate cyber-risk have been limited to successful attacks on public firms but are biased samples constructed based on the economic magnitude of equity losses. To address this selection bias, we construct a larger and more representative sample of cyber intrusions only to find diminished negative equity (and insignificant corporate bond) market reactions compared to these prior studies. To identify cyber-risk irrespective of observing successful attacks, we match public firms to Internet protocol (IP) network data from the American Registry for Internet Numbers (ARIN) from 1991 to 2017. We find that both stockholders and creditors incorporate external IP network size into firm value. Further, debt and equity market reactions to cyberattacks are mitigated for firms with registered IP networks and that have larger network deployments. Overall, our study demonstrates an important public data source that can help institutions proxy for and more accurately price firm cybersecurity risk.\",\"PeriodicalId\":54030,\"journal\":{\"name\":\"Journal of Operational Risk\",\"volume\":\"1 1\",\"pages\":\"\"},\"PeriodicalIF\":0.4000,\"publicationDate\":\"2021-09-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Operational Risk\",\"FirstCategoryId\":\"96\",\"ListUrlMain\":\"https://doi.org/10.21314/jop.2021.007\",\"RegionNum\":4,\"RegionCategory\":\"经济学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"BUSINESS, FINANCE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Operational Risk","FirstCategoryId":"96","ListUrlMain":"https://doi.org/10.21314/jop.2021.007","RegionNum":4,"RegionCategory":"经济学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"BUSINESS, FINANCE","Score":null,"Total":0}

引用次数: 1

摘要

以前对企业网络风险的事件研究仅限于对上市公司的成功攻击，而且是基于股权损失的经济规模构建的有偏见的样本。为了解决这种选择偏差，我们构建了一个更大、更有代表性的网络入侵样本，结果发现与之前的研究相比，负资产(和微不足道的公司债券)市场反应有所减少。为了识别网络风险，无论是否观察到成功的攻击，我们将上市公司与1991年至2017年美国互联网号码注册局(ARIN)的互联网协议(IP)网络数据进行了匹配。我们发现股东和债权人都将外部IP网络规模纳入公司价值。此外，对于拥有注册IP网络和拥有更大网络部署的公司来说，债务和股票市场对网络攻击的反应会有所缓解。总的来说，我们的研究展示了一个重要的公共数据源，可以帮助机构代理和更准确地定价企业网络安全风险。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Ex-intrusion corporate cyber risk: evidence from internet protocol networks

Previous event studies of corporate cyber-risk have been limited to successful attacks on public firms but are biased samples constructed based on the economic magnitude of equity losses. To address this selection bias, we construct a larger and more representative sample of cyber intrusions only to find diminished negative equity (and insignificant corporate bond) market reactions compared to these prior studies. To identify cyber-risk irrespective of observing successful attacks, we match public firms to Internet protocol (IP) network data from the American Registry for Internet Numbers (ARIN) from 1991 to 2017. We find that both stockholders and creditors incorporate external IP network size into firm value. Further, debt and equity market reactions to cyberattacks are mitigated for firms with registered IP networks and that have larger network deployments. Overall, our study demonstrates an important public data source that can help institutions proxy for and more accurately price firm cybersecurity risk.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Operational Risk BUSINESS, FINANCE-

CiteScore

1.00

自引率

40.00%

发文量

期刊介绍： In December 2017, the Basel Committee published the final version of its standardized measurement approach (SMA) methodology, which will replace the approaches set out in Basel II (ie, the simpler standardized approaches and advanced measurement approach (AMA) that allowed use of internal models) from January 1, 2022. Independently of the Basel III rules, in order to manage and mitigate risks, they still need to be measurable by anyone. The operational risk industry needs to keep that in mind. While the purpose of the now defunct AMA was to find out the level of regulatory capital to protect a firm against operational risks, we still can – and should – use models to estimate operational risk economic capital. Without these, the task of managing and mitigating capital would be incredibly difficult. These internal models are now unshackled from regulatory requirements and can be optimized for managing the daily risks to which financial institutions are exposed. In addition, operational risk models can and should be used for stress tests and Comprehensive Capital Analysis and Review (CCAR). The Journal of Operational Risk also welcomes papers on nonfinancial risks as well as topics including, but not limited to, the following. The modeling and management of operational risk. Recent advances in techniques used to model operational risk, eg, copulas, correlation, aggregate loss distributions, Bayesian methods and extreme value theory. The pricing and hedging of operational risk and/or any risk transfer techniques. Data modeling external loss data, business control factors and scenario analysis. Models used to aggregate different types of data. Causal models that link key risk indicators and macroeconomic factors to operational losses. Regulatory issues, such as Basel II or any other local regulatory issue. Enterprise risk management. Cyber risk. Big data.