More Security, less Harm? Exploring the Link between Security Measures and Direct Costs of Cyber Incidents within Firms using PLS-PM

Abstract

As one of the first articles to empirically explore the direct costs of cyber incidents, our research provides novel and significant insights into the structural links between cyber incidents, exposure, and security within firms, as well as the related technical consequences. We employ an explorative approach, which is based on the causal information/cyber risk models proposed by Cohen et al. and Woods & Böhme, as well as PLS-modeling to analyze data from 493 firms that have incurred direct costs from their most severe cyber incident in the last 12 months. These data are part of a larger dataset, based on a representative and stratified random sample of 5,000 organizations that participated in a survey in 2018/19. Based on our model, we discuss the results and derive implications that are highly relevant to the alignment of IT (security) strategy and management. Furthermore, we identify gaps to be assessed in future research. © 2022 17th International Conference on Wirtschaftsinformatik, WI 2022. All rights reserved.