• Corpus ID: 3341362

Estimating the size of the iceberg from its tip : An investigation into unreported data breach notifications

  title={Estimating the size of the iceberg from its tip : An investigation into unreported data breach notifications},
  author={Fabio Bisogni and Hadi Asghari and Michel van Eeten},
Introduction A decade has passed since the enactment of data breach notification laws (DBNLs) in numerous U.S. states. These laws mandate companies that have suffered a data breach to inform the customers whose data might have been exposed. The intent of DBNLs can perhaps be best summed up in the phrase: “sunlight is the best disinfectant”. Whether the goal of incentivizing better security practices has been realized is the subject of an ongoing debate (e.g., Romanosky et al. 2011, Bisogni 2016… 

A Framework for Predicting Data Breach Risk: Leveraging Dependence to Cope With Sparsity

An innovative statistical framework to leverage the dependence between multiple time series is proposed and applied to a dataset of enterprise-level breach incidents, showing effectiveness in modeling and predicting enterprise- level breach incidents.

Statistical Modeling of Data Breach Risks: Time to Identification and Notification

A novel approach to imputing the missing data is proposed, and a dependence model is developed to capture the complex pattern exhibited by those two metrics, which are two important components in determining the cost of a cyber incident.

An analysis of cybersecurity in Dutch annual reports of listed companies

The results of this study show that although there is no strict legal obligation to do so, 87% of the companies mention cybersecurity or similar words in their annual report in 2018, however, only 4 out of 75 companies disclosed more than six specific cybersecurity measures, while openness would generate the highest surplus for society from a social welfare perspective.

Modeling and Predicting Cyber Hacking Breaches

It is shown that, in contrast to the findings reported in the literature, both hacking breach incident inter-arrival times and breach sizes should be modeled by stochastic processes, rather than by distributions because they exhibit autocorrelations.

Underlying and Consequential Costs of Cyber Security Breaches: Changes in Systematic Risk

An analysis of security breach-induced changes in regular, downside, and upside betas that contribute to increases in cost of equity finds that severe security breaches are associated with significantly positive increases of systematic risk and systematic downside risk in terms of regular and downside beta.

Mind the denominator: towards a more effective measurement system for cybersecurity

Crime statistics in the physical world are routinely normalised around the population of a city or country, as they provide both a propensity-based perspective on crime and an empirical basis for criminal justice policy.

More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws

This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling), and shows that the correlation is driven by the size of a state.

Measuring the Economic Effects of Data Breaches on Firm Outcomes: Challenges and Opportunities

We estimate the association between data breaches and firm-level outcomes using newly assembled data on the universe of reported data breaches between 2005 and 2016. First, we document several new

Cyber Risk Information Sharing with Authorities



Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

  • F. Bisogni
  • Business
    Journal of Information Policy
  • 2016
This article investigates the adequateness of data breach notification laws and the possible impact of a federal law in the United States. Based on the analysis of 445 notifications issued in 2014,

Empirical Analysis of Data Breach Litigation

Using a unique and manually collected database, this work analyzes court dockets for more than 230 federal data breach lawsuits from 2000 to 2010 to provide the first comprehensive empirical analysis of data breach litigation.

Is There a Cost to Privacy Breaches? An Event Study

It is shown that there exists a negative and statistically significant impact of data breaches on a company’s market value on the announcement day for the breach, and the cumulative effect increases in magnitudes over the day following the breach announcement, but then decreases and loses statistical significance.

Notification of Data Security Breaches

This Article advocates creation of a coordinated response architecture and develops the elements of such an approach and proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals.

Do Data Breaches Disclosure Laws Reduce Identity Theft?

It is found that adoption of data breach disclosure laws reduce identity theft caused by data breaches, on average, by 6.1 percent from 2002 to 2009.

The Market Effect of Healthcare Security: Do Patients Care about Data Breaches?

This paper investigates consumer reaction to data breaches by examining changes in patient visits consequent to breaches, and provides policy insights on effective security programs that induce providers to invest in security as they would for other market-based, brand-building initiatives.

Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information

Although spending on cybersecurity continues to grow, companies, government agencies, and nonprofit organizations are still being breached, and sensitive personal, financial, and health information

The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market

Stock market participants appear to discriminate across types of breaches when assessing their economic impact on affected firms, consistent with the argument that the economic consequences of information security breaches vary according to the nature of the underlying assets affected by the breach.

Identifying How Firms Manage Cybersecurity Investment

The purpose of the interviews was to learn more about how organizations make cybersecurity investment decisions: how much support they receive to execute their mission, how they prioritize which threats to defend against, and how they choose between competing security controls.

The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm, and the cost of poor security is very high for investors.