Empirically Evaluating the Effect of Security Precautions on Cyber Incidents

Working Paper: CEPR ID: DP17605

Authors: Neil Gandal; Tyler Moore; Michael Riordan; Noa Barnir

Abstract: To the best of our knowledge, there is no econometric evidence to show that firm investment in cybersecurity defenses reduces the likelihood of a cyber incident. Instead, the available data often exhibits a positive correlation between investment in security precautions and incidents. This is because many such investments are made ex post, i.e., after a firm has suffered a cyber incident. The Israel National Cyber Directorate (INCD) and the Israeli Central Bureau of Statistics (CBS) recently surveyed Israeli firms about their ICT operations including cyber defenses and cyber incidents. We overcome the endogeneity “obstacle” using an instrumental variable drawn from questions about a cybersecurity directive. The resulting regressions enable us to examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of experiencing a cyber incident or breach.

Keywords: empirical

JEL Codes: D22


Causal Claims Network Graph

Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.


Causal Claims

Cause | Effect
Increased adoption of security controls (K24) | Reduced probability of a cyber incident (K24)
Implementation of cybersecurity directives (K24) | Lower likelihood of incidents (G52)
Employing more than 15 security precautions (Y50) | Lower incidence rate (I12)
Employing all six basic security precautions (H56) | Lower incidence rate (I12)
