Estimating the Contextual Risk of Data Breach: An Empirical Approach

Abstract

Data breach incidents are on the rise and have resulted in severe financial and legal consequences for the affected organizations. We apply the opportunity theory of crime, the institutional anomie theory, and institutional theory to identify factors that could increase or decrease the contextual risk of data breach. We investigate the risk of data breach in the context of an organization’s physical location, its primary industry, and the type of data breach that it may have suffered in the past. Given the location of an organization, the study finds support for applying the opportunity theory of crime and the institutional anomie theory to estimate the risk of data breach incidents within a state. In the context of the primary industry in which an organization operates, we find support for the institutional theory and the opportunity theory of crime in estimating the risk of data breach incidents within an industry. Interestingly, though, support for the opportunity theory of crime is only partial. We find that investment in information technology (IT) security corresponds to a higher risk of data breach incidents within both a state and an industry, a result contrary to the one predicted by the opportunity theory of crime. A possible explanation for this contradiction is that investments in IT security are not being spent on the right kind of data security controls, a finding supported by evidence from the industry. The work has theoretical and practical implications. Theories from criminology are used to identify the risk factors of data breach incidents and the magnitude of their impact on the risk of data breach. Insights from the study can help IT security practitioners assess the risk environment of their firm (in terms of data breaches) based on the firm’s location, its industry sector, and the kind of breaches to which the firm may typically be prone.
