Discussion paper

DP14461 A New Approach to Quantifying, Reducing and Insuring Cyber Risk: Preliminary Analysis and Proposal for Further Research

Few would dispute that cyber risk is a very serious problem for the global economy and for society. But there is a “disconnect” between acknowledgement of the problem and action to address the problem. What is the relationship between vulnerabilities, preventive measures, and security incidents, like the leaking of sensitive data (say credit card information) to the web? To the best of our knowledge, little if anything is known about the relationship among these variables and no one has examined this issue empirically at the micro level, that is, at the level of the firm.

In this paper, we put together a remarkable and unique cross-sectional data set at the firm level that includes information on vulnerabilities, attempted email attacks, incidents (breaches), precautions (security measures.) and firm characteristics. The data set contains slightly under 1000 small and medium firms in the U.K. We empirically examine the data and show that there are meaningful correlations among incidents and the other variables. Finally, we estimate a reduced form model with incidents as the dependent variable to illustrate the potential from employing such data.

£6.00
Citation

Gandal, N, M Riordan and S Bublil (2020), ‘DP14461 A New Approach to Quantifying, Reducing and Insuring Cyber Risk: Preliminary Analysis and Proposal for Further Research‘, CEPR Discussion Paper No. 14461. CEPR Press, Paris & London. https://cepr.org/publications/dp14461