(Under) Investment in Cyber Skills and Data Protection Enforcement: Evidence from Activity Logs of the UK Information Commissioner's Office

48 Pages Posted: 6 Aug 2022 Last revised: 24 Apr 2023

See all articles by Pantelis Koutroumpis

Pantelis Koutroumpis

Oxford Martin Programme of Technological and Economic Change; University of Oxford - Institute for New Economic Thinking at the Oxford Martin School; Imperial College Business School

Farshad Ravasan

University of Oxford - Oxford Martin School

Taheya Tarannum

University of Oxford - Oxford Martin School

Date Written: July 23, 2022

Abstract

Data breaches account for a significant share of cyber attacks. While they severely impact customers who lose valuable personal data, they often have a limited effect on the operations of the data-holding companies. This might lead firms to underinvest in cybersecurity. Do stronger data protection laws alleviate the effects of these misaligned incentives? Using the universe of online job postings from the UK, we answer this question by examining the link between firms’ cybersecurity hirings and stronger data protection laws and enforcement. We study two institutional changes that affect data protection enforcement by the Information Commissioner’s Office (ICO). The first change is the removal of the requirement to prove substantial damage and distress in 2015, which gave greater discretion to the ICO to issue monetary penalties. The second one is the enactment of the Data Protection Act 2018, which significantly raised the ceiling of monetary penalties. To study these changes, we assemble a novel dataset with more than 5,000 supervisory actions from ICO activity logs and measure industry-level exposure to ICO enforcement. Combining sectoral variation with the timing of the legal changes, we show that stronger data protection enforcement significantly increases the demand for cybersecurity skills by up to 52%. The effect is particularly strong among data-intensive firms, firms using cloud technologies, and firms with higher cash holdings. While regulation is effective in boosting investment in cybersecurity skills, we find that it slows down the firm dynamics, reducing the entry rate by up to 12%, and increasing the exit rate by up to 13%.

Keywords: Cybersecurity, Skill Acquisition, Data Protection, GDPR, Law Enforcement, Data Intensity, Cash Holding, Firm Dynamics

JEL Classification: G31, G38, J23, J24, K20, K24

Suggested Citation

Koutroumpis, Pantelis and Ravasan, Farshad and Tarannum, Taheya, (Under) Investment in Cyber Skills and Data Protection Enforcement: Evidence from Activity Logs of the UK Information Commissioner's Office (July 23, 2022). Available at SSRN: https://ssrn.com/abstract=4179601 or http://dx.doi.org/10.2139/ssrn.4179601

Pantelis Koutroumpis

Oxford Martin Programme of Technological and Economic Change ( email )

University of Oxford
34 Broad Street
Oxford, OX1 3BD
United Kingdom
01865610388 (Phone)
OX1 3BD (Fax)

University of Oxford - Institute for New Economic Thinking at the Oxford Martin School ( email )

Eagle House
Walton Well Road
Oxford, OX2 6ED
United Kingdom

Imperial College Business School ( email )

South Kensington Campus
Exhibition Road
London SW7 2AZ, SW7 2AZ
United Kingdom

Farshad Ravasan (Contact Author)

University of Oxford - Oxford Martin School ( email )

University of Oxford
34 Broad Street
Oxford, OX1 3BD
United Kingdom

Taheya Tarannum

University of Oxford - Oxford Martin School ( email )

University of Oxford
34 Broad Street
Oxford, OX1 3BD
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
226
Abstract Views
1,077
Rank
269,995
PlumX Metrics