Cybersecurity breaches may be correlated due to geography, similar infrastructure, or use of a common third-party contractor. We show how a logistic regression may be used to estimate the probability of an attack when breaches may be correlated among firms up and down the supply chain. We also show how a Poisson regression may be used to estimate the number of records breached. Losses arising from cybersecurity breaches have an unknown distribution. We propose the stock price reaction to a breach as an objective measure of the loss in wealth sustained by the firm due to a breach. This loss measure reflects the immediate and long-term effects of a breach, including reputational effects and other intangible impacts that are otherwise more difficult to quantify. We examine stock returns for 258 cybersecurity breach announcements over 2011-2016 in order to obtain the empirical loss distribution. We find a five-day abnormal return of -1.44%. Seventy-one percent of these 258 announcements result in a negative abnormal return, and a gamma distribution provides an excellent fit to these losses. In addition to introducing a predictive model for correlated losses, our study shows how insurers can use either the empirical stock return distribution of losses or the per-record cost of a breach in the pricing of cyberinsurance.
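The following is an added worked illustration of the loss measure and pricing steps described above; it is not code from the paper. It assumes a market-model event study for the expected return (the abstract does not state which expected-return model is used), a method-of-moments gamma fit, a breach probability supplied externally (for instance by the logistic model), and constructed five-day abnormal returns in place of the 258-event sample.

```python
from statistics import fmean, variance

# Constructed five-day cumulative abnormal returns (CARs) for ten breach
# announcements: illustrative values, not the paper's 258-event sample.
SAMPLE_CARS = [-0.031, -0.012, 0.004, -0.022, -0.008,
               0.015, -0.041, -0.005, -0.017, 0.002]


def market_model(firm_ret, mkt_ret):
    """OLS fit of R_firm = alpha + beta * R_mkt over an estimation window."""
    mx, my = fmean(mkt_ret), fmean(firm_ret)
    sxy = sum((x - mx) * (y - my) for x, y in zip(mkt_ret, firm_ret))
    sxx = sum((x - mx) ** 2 for x in mkt_ret)
    beta = sxy / sxx
    return my - beta * mx, beta


def cumulative_abnormal_return(firm_ret, mkt_ret, alpha, beta):
    """CAR over the event window: sum of actual minus model-expected returns."""
    return sum(r - (alpha + beta * m) for r, m in zip(firm_ret, mkt_ret))


def loss_distribution(cars):
    """Losses are the negative CARs expressed as positive fractions of firm
    value; also return the empirical share of announcements with a loss."""
    losses = [-c for c in cars if c < 0]
    return losses, len(losses) / len(cars)


def fit_gamma_mom(losses):
    """Method-of-moments gamma fit: shape k = mean^2 / var, scale = var / mean."""
    m, v = fmean(losses), variance(losses)
    return m * m / v, v / m


def pure_premium_from_returns(p_breach, cars, market_cap):
    """Expected dollar loss using the fitted gamma mean k * theta:
    P(breach) * P(loss | breach) * E[loss fraction] * market cap."""
    losses, p_loss = loss_distribution(cars)
    k, theta = fit_gamma_mom(losses)
    return p_breach * p_loss * k * theta * market_cap


def pure_premium_per_record(p_breach, expected_records, cost_per_record):
    """Alternative: expected records breached (e.g. a Poisson-model mean)
    times a per-record cost estimate."""
    return p_breach * expected_records * cost_per_record
```

The two premium functions are the two pricing routes the abstract names: the first draws on the empirical return-based loss distribution, the second on an expected record count and a per-record cost.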