Economics of Cybersecurity

Invited talks

Chair: Claudia BIANCOTTI

Short description

In the recent past, cybersecurity has attracted increasing attention from economists and financial regulators. Information gaps on the probability and cost of incidents, asymmetries between vendors and consumers of defensive tools, and negative externalities from cyber vulnerabilities yield textbook market failures – distorted incentives result in structural undersupply of cyber defense on the part of the private sector. The peculiar nature of cyber threats, which are sometimes part of broader hybrid warfare strategies, further complicates response on the part of economic agents. Economic research is trying to shed light on each of these aspects, as regulation attempts to provide effective remedies.

This workshop aims at giving a bird-eye’s view of the key challenges in understanding cybersecurity from an economist’s point of view, while also discussing how regulation in the financial sector is gearing up to address the issue.

Format

The workshop features two thematic sessions and a short presentation of a dataset. During each thematic session, two preliminary-stage papers will be presented (15min presentation + 5 mins discussion + 10 mins Q&A for each paper).

Participants

We welcome economists as well as cybersecurity experts with a technical background.

Agenda

10.00am – 11.00 am Session 1
What drives corporate investment in cyber security?

Paper 1:
Do Directors Drive Corporate Cybersecurity Awareness?

Gabriele Lattanzio, Monash Business School, Monash University
Jerome Taillard, Finance Department, Babson College

We use exogenous variation in the exposure of U.S. firms’ directors to the staggered passage of cybersecurity reforms in foreign countries to assess the role of the board of directors in defining corporate awareness to cybersecurity risk. By employing a staggered difference-in-difference approach, we document that the board has a strong impact on U.S. firms’ cybersecurity disclosure transparency and probability of suffering from future cyberattacks. We further document that cybersecurity improvements are larger for firms with lower financial risk and for firms operating in high-tech industries Finally, we show that firms exposed to foreign cybersecurity reforms experience greater subsequent stock market performance and reduced volatility.

Discussant: Davide Ferrari, University of Melbourne

Paper 2:
Reputational Risk, Cyber-Insurance and the Market Value of Breached Firms

Gabriele Lattanzio, Monash Business School, Monash University
Cristian Roner, Faculty of Economics and Management, Free University of Bozen-Bolzano

Cyber breaches often imply a damage of corporate reputation with ensuing costs, for instance financiers could modify their risk expectations and ask for higher equity remuneration to keep their investments in the breached company. Therefore, reputational risk is a component of cyber-risk. The availability of insurance policies covering reputational risk is still very scarce. However, insurance can influence reputation by affecting stakeholders’ expectation. This paper focuses on the effects of cyber-insurance on investors. The literature concerning the effect of cyber breaches on corporate market value, and the contributions that focus specifically on reputational risk, does not consider the role of cyber-insurance in shaping investors’ expectations. The paper fills this gap by setting forth the hypothesis that cyber-insurance influences corporate reputation and thus stock market valuation or, equivalently, that reputational costs from a cyber breach disclosure are different for a cyber-insured vis-à-vis a non-insured company.

11.00am – 11.15am
Break

11.15am – 12.15pm Session 2
Measuring the frequency and cost of cyber incidents

Paper 1:
Exponential Tilting for Zero-inflated Interval Regression with Applications to Cybersecurity Survey Data

Cristian Roner, Faculty of Economics and Management, Free University of Bozen-Bolzano
Claudia Di Caterina, School of Mathematics and Statistics, University of Melbourne
Davide Ferrari, Faculty of Economics and Management, Free University of Bozen-Bolzano, School of Mathematics and Statistics, University of Melbourne

Digital transformation of businesses exposes firms to higher risk of cyber breaches and even operational disruption. Cybersecurity has thus gained prominence for companies. However, there are only anecdotal indications or limited research on how cybersecurity budget impacts on the profitability of a firm. Moreover, cybersecurity breaches costs estimation based on survey data is likely biased because of the prevalence of observed zero costs (zero-inflation) and skewed distribution of the non-zero losses, with many reported small amounts and few outliers with very large losses. The econometric model we present in this paper studies the relationship between firm-level breach probability, the cost of cyber breaches and the investments in cyber defence. The model is estimated using a robust estimation method that handles typical problems affecting survey-based cybersecurity data, such as zero-inflation and non-standard distribution. We find that investments in countermeasures decrease the probability to suffer a non-zero cost from a cyber attack, while there is no evidence that the investments can reduce the amount of incurred loss.

Discussant: Claudia Biancotti, Bank of Italy

Paper 2:
The Economic Cost of State-Mandated Corporate Cyber Espionage

Gabriele Lattanzio, Monash Business School, Monash University
William L. Megginson, University of Oklahoma

Between 2015 and 2018, the Chinese government passed a set of historical cyber security reforms aiming at creating a comprehensive regulatory framework covering privacy, data ownership, and IP protection issues. These laws – namely the National Security Law of 2015, the Cybersecurity Law of 2016, and the Intelligence Law of 2017 – define the concept of cyberspace sovereignty, granting Beijing with an unprecedented access to foreign companies’ technologies and data. These reforms sparked a fierce foreign opposition, especially by US high-tech firms, as they provide the Chinese governments with a tool to engage in “legalized” forms of corporate cyber espionage. Yet, the international community failed at preventing the enactment of these reforms. In this study, we exploit the staggered adoption of these regulatory acts to analyze the cost of international state-mandated corporate espionage, and, namely, the cost of Chinese legalized corporate espionage on U.S. corporations. In particular, we document that U.S. corporations reacted negatively to the passage of all these relevant reforms, losing between 1.5% and 2% of their market value per event over a ten-day window. Our results further document that Chinese SOEs’ valuation increases following the passage of these laws, while no material effects can be identified for privately owned Chinese firms. These results provide compelling evidence supporting the argument that the Chinese Cybersecurity Reforms are imposing material financial costs on foreign corporations operating in China by legalizing forms of state mandated corporate espionage.

Discussant: Michele Savini Zangrandi, Bank of Italy

12.15pm – 12.30pm
Short presentation: The Bank of Italy’s dataset on cyber incidents in the Italian private sector

Claudia Biancotti, Bank of Italy, International Economics Directorate

The Bank of Italy was the first institution in Italy to run a survey on the frequency and cost of cyber incidents in the Italian non-financial private sector. The data is available for research. We present an overview of the dataset, explain the access criteria, and provide an update on recent unpublished evidence.

12.30pm – 12.45pm
Wrap-up and way forward