DP17605 Empirically Evaluating the Effect of Security Precautions on Cyber Incidents
To the best of our knowledge, there is no econometric evidence to show that firm investment in cybersecurity defenses reduces the likelihood of a cyber incident. Instead, the available data often exhibits a positive correlation between investment in security precautions and incidents. This is because many
such investments are made ex post, i.e., after a firm has suffered a cyber incident. The Israel National Cyber Directorate (INCD) and the Israeli Central Bureau of Statistics (CBS) recently surveyed Israeli firms about their ICT operations including cyber defenses and cyber incidents. We overcome the endogeneity “obstacle” using an instrumental variable drawn from questions about a cybersecurity directive. The resulting regressions enable us to examine the causal relationship between security precautions potentially undertaken by enterprises and the likelihood of experiencing a cyber incident. Once suitably instrumented, we find robust evidence that increased adoption of security controls does in fact reduce the likelihood of experiencing a cyber incident or breach.