Empirically Evaluating the Effect of Security Precautions on Cyber Incidents
Computers & Security, Volume 133, October 2023, 103380 https://doi.org/10.1016/j.cose.2023.103380
30 Pages. Posted: 19 Aug 2022. Last revised: 12 Sep 2023
Date Written: June 27, 2023
Abstract
Empirical evidence that connects firm investment in cybersecurity defenses to the likelihood of being attacked has been very hard to come by. The Israel National Cyber Directorate (INCD) and the Israeli Central Bureau of Statistics (CBS) recently surveyed Israeli firms about their ICT operations including cyber defenses and attacks. Using the survey, in this paper, we empirically examine whether security precautions adopted by firms do in fact reduce the chances of being attacked. We find that for ‘large’ firms with significant revenues using ecommerce and cloud services (the riskiest firms), employing 18 out of 20 security precautions (covered by the survey) rather than 13 security precautions reduces the probability of experiencing a cyber incident from 81% to 58%. Using an alternative measure for security, we find that for ‘large’ firms with significant revenues using ecommerce and cloud services, using all six basic security precautions reduces the probability of experiencing a cyber incident from 80% to 42%.
Keywords: cybersecurity, precautions, empirical
JEL Classification: B21, D22