Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper reports the results of a survey designed to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting purposes serves as a driver for private sector firms to invest in cybersecurity activities. The findings, in this regard, are significantly positive. The study also shows that a firm’s concern over the risk of incurring a large loss due to a cybersecurity breach and the degree the firm treats cybersecurity investments as generating a competitive advantage are drivers of the level of private sector investment in cybersecurity activities. The implications of the empirical results for designing public policies to mitigate the tendency of private sector firms to underinvest in cybersecurity are also explored.
Cybersecurity is a national priority in countries throughout the world (e.g., see [
… The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties ( [
One of the key aspects of President Obama’s EO 13636 [
Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order ( [
Although cybersecurity is considered a national priority, firms in the private sector tend to underinvest in cybersecurity activities relative to what is optimal [
Unfortunately, there is limited research that focuses on ways to rectify the underinvestment in cybersecurity activities by private sector firms. The research that does exist in this area points out that compliance with government requirements is clearly associated with cybersecurity investments (e.g., see [
SOX and the SEC Disclosure Guidance are both concerned with the reliability and transparency of financial reports filed by private sector firms that are publicly traded on U.S. stock exchanges. As pointed out by Gordon [
The primary objective of the study reported in this paper is to empirically assess whether the importance a firm attaches to cybersecurity as a component of its internal control over financial reporting is a driver of the amount of investment by a firm on cybersecurity activities. To our knowledge, this is the first empirical study to examine this issue. Given the SEC’s concern with cybersecurity risks being disclosed, the current study will also consider the empirical association between cybersecurity investments and the risk of incurring a large loss due to a cybersecurity breach. In addition, the current study will consider the association between cybersecurity investments and the potential for gaining a competitive advantage due to improved cybersecurity.
The primary findings from the current study indicate that there is a significant positive association between firms’ spending on cybersecurity activities and their treatment of cybersecurity as an important component of the firm’s internal controls over financial reporting. The current study also found that the risk of incurring a large loss from a potential cybersecurity breach is positively associated with the level of spending on cybersecurity activities. In addition, the current study found a positive association between a firm’s spending on cybersecurity activities and whether or not the firm takes into consideration the potential competitive advantage derived from such spending.
The remainder of this paper proceeds as follows: In the next (second) section of the paper, we review the literature related to the impediments to cybersecurity investments in private sector firms and the determinants of cybersecurity investments by these firms; The second section of the paper also discusses the role of various firm-related characteristics (e.g., size, industry); The third section of the paper briefly discusses the Gordon-Loeb Model for Cybersecurity Investments, so as to provide some theoretical underpinnings of cybersecurity investments; The fourth section develops specific hypotheses concerning the determinants (or drivers) of cybersecurity investments; The fifth section of the paper discusses the empirical study, with a focus on the study’s research design, measurement of variables, and sample used to test the hypotheses developed in the fourth section; The sixth section of the paper discusses the results of the empirical study; The seventh section of the paper discusses implications of the study’s results; The eighth, and final, section of the paper provides some concluding comments, as well as directions for future research.
Investments in cybersecurity activities compete for funds (i.e., resources) that could be used for other organizational activities. Indeed, there are always competing uses for finite organizational funds. Unfortunately, cybersecurity investments are generally at a disadvantage when competing for funds with many, if not most, other organizational investment opportunities. This point is especially true of cybersecurity investments in private sector firms. This situation has led private sector firms to underinvest in cybersecurity activities.
One key reason that firms in the private sector underinvest in cybersecurity activities is the fact that cybersecurity investments are viewed primarily as cost savings (sometimes called cost avoidance) investments, because the major benefit from such investments is usually derived from avoiding or reducing the costs associated with cybersecurity breaches. In private sector firms, cost savings investments are generally more difficult to justify than revenue generating investments (e.g., an investment in a new product line) due to the emphasis that private sector firms place on revenue growth (see [
An additional impediment to private sector investments in cybersecurity activities is that the cost savings that derive from the prevention of cybersecurity breaches are not explicitly observable. In other words, even when cybersecurity breaches are prevented or reduced due to cybersecurity investments, there are no cost savings to observe (i.e., the costs associated with the potential breaches do not materialize and, therefore, cannot be observed). Thus, the expected cost savings from cybersecurity expenditures need to be estimated based on the difference between what the costs of breaches would have been in the absence of the cybersecurity investments as compared to the cost of breaches that actually occurred with the cybersecurity investments. As a result of the non-observability of the cost savings associated with cybersecurity investments, these investments are among the most difficult to justify on economic grounds to those in charge of a firm’s resource allocation decisions (e.g., a firm’s CFO).
The inability to explicitly observe the cost savings from cybersecurity investments means that developing reliable probabilistic models to predict the ex-ante benefits from investments in cybersecurity is generally significantly more difficult than developing reliable probabilistic estimates of the ex-ante benefits from many other types of organizational investment opportunities. In fact, convincing a firm’s senior manager (e.g., the CFO) to increase the budget for cybersecurity activities often becomes more of an art than a science. Consequently, many firms defer a portion of their cybersecurity investments until a major cyber incident occurs or the potential for a major cybersecurity breach clearly surfaces. In fact, it is often economically rational (from a real options perspective) for firms to take a wait-and-see approach to a portion of their cybersecurity investments (e.g., see [
Another impediment to cybersecurity investments, compared to other organizational investment opportunities, relates to the fact that a large portion of the costs of cybersecurity breaches are not borne by the private sector firms incurring the breaches. Indeed, firms other than the one incurring a breach (e.g., business partners), as well as individuals (e.g., customers), often end up absorbing a large share of the costs associated with a cybersecurity breach. This spill-over effect is what economists call externalities. In other words, when a firm experiences a cybersecurity breach, there are private costs (i.e., those costs borne by the firm incurring the cybersecurity breach) and externalities (i.e., those costs borne by firms and individuals external to the firm incurring the cybersecurity breach, such as the costs to customers that have their identity stolen). However, since private sector firms focus on profits, it is well known that there is a tendency among these firms to either ignore, or only pay scant attention to, the externalities associated with cybersecurity breaches [
Despite the above impediments to cybersecurity investments, private sector firms do make a substantial investment in cybersecurity activities. In fact, estimates clearly point out that firms spend a substantial amount on cybersecurity activities and the level of spending is increasing (e.g., see [
Calls for increases in cybersecurity spending by private sector firms are often accompanied by calls for new government incentives to spur such spending. However, as pointed out by Gordon et al. [
There are several models that could be used to derive the appropriate level of cybersecurity investments. One of the models, which has received wide-scale acceptance among academicians and practitioners, is referred to in the literature as the Gordon-Loeb Model (hereafter referred to as the GL Model). The GL Model is based on the fundamental economic principle of cost-benefit analysis and is grounded in mathematics [
The economics underlying the GL Model is based on the assumptions that the benefit from investments in cybersecurity activities is increasing at a decreasing rate and that 100% security is not achievable. As demonstrated in the paper by Gordon and Loeb [
Step 1: Estimate the value, which in turn is the potential loss, associated with each segmented information set in the organization.
Step 2: Estimate the probability that an information set will be breached based on the vulnerability/threat associated with each information set.
Step 3: Create a grid of all combinations of Steps (1) and (2) above. The values in the cells in this grid provide the expected losses from a cybersecurity breach to the information sets. These values also represent the potential benefits from additional cybersecurity investments (i.e., the potential benefits are derived from preventing the expected losses).
Step 4: Derive the total level of cybersecurity investment by allocating additional funds to protect the information sets, subject to the constraint that the incremental benefit from an additional investment in cybersecurity exceeds (or at least equals) the incremental cost associated with the additional investment. An additional investment to protect an information set essentially reduces the probability (i.e., vulnerability/threat) of a cybersecurity breach to that information set, and in turn reduces the expected loss from a cybersecurity breach to that information set.
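The four steps above describe an allocation procedure rather than a formula, so the following is an added worked example (written for this page; it is not code from the paper or from the Gordon-Loeb work it cites) that runs the procedure end to end on constructed numbers. The paper does not state how an additional dollar of investment lowers the breach probability; the example assumes the class-I Gordon-Loeb form S(z, v) = v / (a·z + 1)^b, because it satisfies the two stated assumptions (security improves at a decreasing rate in z and never reaches 100%). The three information sets, their losses and vulnerabilities, and the constants a and b are all illustrative. Step 4 is carried out as a greedy loop that keeps adding one increment to whichever set recovers the most expected loss, stopping when no increment recovers at least its own cost; for b = 1 the closed-form optimum is also computed so the greedy result can be checked against it.

```python
"""Added example: the four-step GL allocation procedure on constructed inputs.
Not the paper's code; the breach-probability form and all numbers are assumptions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoSet:
    """One segmented information set (Steps 1 and 2)."""
    name: str
    loss: float   # Step 1: potential loss (value) if this set is breached
    vuln: float   # Step 2: breach probability with no additional investment


# ASSUMPTION: the paper gives no functional form. The class-I Gordon-Loeb form
# S(z, v) = v / (a*z + 1)^b is used: it falls in z at a decreasing rate and
# stays strictly positive, i.e. 100% security is never reached.
A, B = 0.001, 1.0   # illustrative constants; A scales "dollars of investment"


def breach_prob(vuln: float, z: float) -> float:
    return vuln / (A * z + 1.0) ** B


def expected_loss(s: InfoSet, z: float) -> float:
    return s.loss * breach_prob(s.vuln, z)


def expected_loss_grid(sets):
    """Step 3: expected loss per set at zero additional investment. This is the
    most that further investment in that set could ever recover."""
    return {s.name: expected_loss(s, 0.0) for s in sets}


def allocate(sets, step: float):
    """Step 4: spend `step` dollars on the set whose next increment recovers the
    most expected loss, provided the recovery is at least the increment's cost.
    Because each set's marginal gain is decreasing, this stops at the point
    where incremental benefit first falls below incremental cost."""
    z = {s.name: 0.0 for s in sets}
    while True:
        best, best_gain = None, 0.0
        for s in sets:
            gain = expected_loss(s, z[s.name]) - expected_loss(s, z[s.name] + step)
            if gain >= step and gain > best_gain:
                best, best_gain = s, gain
        if best is None:
            return z
        z[best.name] += step


def optimal_investment(s: InfoSet) -> float:
    """Closed form for B == 1: marginal benefit loss*vuln*A/(A*z+1)^2 equals the
    marginal cost of one dollar per dollar invested. Zero if even the first
    dollar does not pay for itself."""
    root = math.sqrt(s.loss * s.vuln * A)
    return max(0.0, (root - 1.0) / A)


def within_gl_bound(z, sets) -> bool:
    """Check against the GL result that optimal spending never exceeds 1/e
    (about 37%) of the expected loss being protected against."""
    return sum(z.values()) <= sum(expected_loss_grid(sets).values()) / math.e


# Constructed inputs (not survey data from the paper).
SETS = [
    InfoSet("customer PII database", loss=1_000_000, vuln=0.40),
    InfoSet("public web content", loss=20_000, vuln=0.90),
    InfoSet("marketing drafts", loss=5_000, vuln=0.10),
]


def run(sets=SETS, step: float = 100.0):
    grid = expected_loss_grid(sets)
    z = allocate(sets, step)
    residual = sum(expected_loss(s, z[s.name]) for s in sets)
    return {"baseline": grid, "investment": z,
            "total": sum(z.values()), "residual": residual}


if __name__ == "__main__":
    r = run()
    for s in SETS:
        print(f"{s.name:24s} expected loss {r['baseline'][s.name]:>10,.0f}"
              f"  invest {r['investment'][s.name]:>8,.0f}"
              f"  closed form {optimal_investment(s):>10,.1f}")
    print(f"total investment {r['total']:,.0f}; residual expected loss "
          f"{r['residual']:,.0f}; within 1/e bound: {within_gl_bound(r['investment'], SETS)}")
```

With these inputs the procedure puts 19,000 into the PII database, 3,200 into the web content, and nothing into the low-value drafts, for which even the first increment does not recover its cost; the step size of 100 is why the web figure lands slightly below its closed-form optimum of about 3,243. Total spending stays well under the 1/e bound on the roughly 418,500 of baseline expected loss, which is the kind of sanity check a practitioner should apply to any GL-style budget.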
The GL Model highlights the importance of reducing the probability (i.e., vulnerability/threat) of a security breach in order to manage cybersecurity risk. A fundamental way a firm can reduce the probability of a cybersecurity breach is through its internal control system. In fact, a strong internal control system plays, or at least could play, an important role in reducing a firm’s ex ante probability of incurring a cybersecurity breach (or breaches) due to its focus on the effective/efficient operations of an organization and its focus on having an organization comply with relevant laws, regulations, and policies. Accordingly, given that publicly traded firms listed on U.S. stock exchanges are already required to report on their internal controls for financial reporting purposes under sections 302 and 404 of [
The above discussion of the GL Model pointed out that treating cybersecurity as an explicit part of a firm’s internal control system for financial reporting could help a firm better understand and identify the ex ante probability that it will incur a cybersecurity breach. As a result, the firm should be in a better position to determine the appropriate, and possibly higher, level of investment in cybersecurity activities. More to the point, a private sector firm’s internal control system, with its emphasis on operational effectiveness/efficiency and compliance with laws, regulations and policies, could play an important role in helping the firm to offset the tendency to underinvest in cybersecurity activities discussed in the previous sections of this paper. The above point was also made by Gordon et al. [
If a firm were to explicitly treat cybersecurity risks and cyber incidents as an important component of its internal control system for financial reporting purposes, the Sarbanes-Oxley Act of 2002 [
In sum, explicitly considering cybersecurity as an important component of a private sector firm’s internal control system is likely to encourage a firm to invest more into cybersecurity related activities than otherwise would be the case. Of course, this is an empirical issue, which leads us to our first hypothesis that will be tested based on the below null hypothesis.
H01: There is no association between the level of investment in cybersecurity activities and the degree to which a firm considers cybersecurity an important component of its internal controls for financial reporting.
As mentioned earlier in this paper, even though private sector firms tend to underinvest in cybersecurity activities, we know that firms make significant cybersecurity related investments in an effort to avoid experiencing cybersecurity breaches. In this regard, during the Congressional Hearing on February 4, 2014 [
The above noted Congressional Hearings make it clear that organizations recognize the fact that cybersecurity breaches represent a critical potential risk factor for firms. In fact, it is increasingly common for executives to think of cybersecurity risk management as a critical component of their firms’ overall enterprise risk management. Evidence attesting to this latter claim can be found in the 10-K Reports filed with the SEC by firms since the SEC issued its 2011 Disclosure Guidance on cybersecurity risks and cyber incidences [
Target’s reaction to its own 2013 cybersecurity breach, and the reaction of other firms to that breach, provide strong empirical evidence of how firms view a major cybersecurity breach as a critical firm level risk factor. More to the point, Target’s major cybersecurity breach triggered a significant increase in its cybersecurity spending, as well as in the spending of other firms seeking to avoid a similar breach.
In sum, it would appear that a critical risk factor associated with a firm’s total level of cybersecurity investment is the potential for a large loss due to a cybersecurity breach. In order to test the above argument concerning the fact that a key determinant (driver) of cybersecurity investments is the concern that a large cybersecurity breach represents a critical potential risk factor for a firm, our empirical study tested the second null hypothesis stated below.
H02: There is no association between the level of investment on cybersecurity activities and the way a firm views a large potential loss from a cybersecurity breach as a critical potential risk factor for the firm.
Another potential determinant (driver) of cybersecurity investments has to do with the potential competitive advantage a firm could derive from cybersecurity activities. As noted in the previous sections of this paper, the primary benefits from cybersecurity investments are usually considered to be the cost savings derived from avoiding cybersecurity breaches. This fact notwithstanding, there are some circumstances where a firm’s cybersecurity activities could help to distinguish the firm from its competitors and thereby generate additional revenues for the firm. Where this occurs, the cybersecurity investment would be a revenue-generating investment, as well as a cost savings investment. This situation seems especially likely in firms that compete in industries that generate a large portion, or all, of their revenues via the Internet, where cybersecurity is critical to gaining customer confidence regarding on-line purchases (e.g., Internet-based firms such as Amazon, Inc. and eBay). In addition, a competitive advantage due to cybersecurity activities seems particularly relevant for small businesses, because most small businesses do not have large sums of money to spend on cybersecurity activities. Thus, by devoting an unusually large amount of funds to cybersecurity, a small business might be able to create a competitive advantage over other small businesses in terms of cybersecurity.
A competitive advantage due to cybersecurity could have significant value in doing business with government agencies, especially since President Trump’s Executive Order 13800 [
The potential to create a competitive advantage, which in turn could generate additional revenues, could help to offset the tendency by private sector firms to underinvest in cybersecurity activities. To examine this argument, our empirical study tested the third null hypothesis stated below.
H03: There is no association between the level of investment on cybersecurity activities and the degree to which an organization considers the potential competitive advantage derived from strong cybersecurity.
As part of a study sponsored by the U.S. Department of Homeland Security (DHS), we conducted a large-scale questionnaire-based survey of senior executives in private sector firms. The survey instrument was initially developed based on the existing literature, interviews with several senior executives involved in cybersecurity investment decisions, and four in-depth case studies of publicly traded private sector firms that experienced a major cybersecurity breach within the past few years. The four case studies were based on publicly available data, including data derived from the firms’ 10-K, 10-Q, and 8-K reports filed with the U.S. Securities and Exchange Commission (SEC).
Prior to finalizing the survey instrument, we conducted a small pilot study to assess the instrument’s reliability and validity. The pilot study consisted of giving the survey instrument to five executives with several years of experience working on cybersecurity related issues. In general, the executives indicated that the survey questions had face validity. Based on their feedback, several minor changes were made to the questionnaire. As discussed in the sample section of this paper, the final survey instrument, along with a cover letter stating that the study was being sponsored by DHS, was sent to a large number of senior executives.
The dependent variable in the study is the portion (measured in terms of percentage) of the IT budget devoted to cybersecurity. This variable takes seven discrete values, ranging from 1 (1% - 2%) to 7 (greater than 20%). Most of our independent variables were also measured based on ordinal survey responses, ranging from 1 (strongly disagree) to 7 (strongly agree). The one exception concerns the last independent variable, which was measured on a 1 to 4 scale. A more complete description of these variables, including how they were measured, is provided below.
The responses to the survey were measured based on ordinal data, using a 1 - 7 scale for most of the questions related to the variables shown in Equation (1) below, and a 1 - 4 scale for one of the variables shown in that equation. Since the distance between adjacent values of the answers to the questions is not necessarily equal, we used a logistic regression model for conducting our primary statistical analyses associated with testing the three hypotheses discussed in the last section of this paper. Logistic regression measures the relationship between the dependent variable and the independent variables by estimating the probability of the dependent variable, using a logistic function (i.e., the cumulative logistic distribution). The results help to explain how the values of the independent variables affect the probability that the dependent variable equals a specific value (in our case, “how much” is the percentage of IT budget devoted to cybersecurity). Since Bgt takes seven ordered values rather than two, prob(Bgt) in Equation (1) is the probability of Bgt taking a given response category, and the coefficients are to be read as shifts in the log-odds of a higher category. The model we used is formally stated as Equation (1) below:

$$\log\frac{\mathrm{prob}(Bgt)}{1-\mathrm{prob}(Bgt)} = \beta_0 + \beta_1\,IC + \beta_2\,CR + \beta_3\,CA + \beta_4\,Rev + \varepsilon. \qquad (1)$$
The definitions of the variables used in Equation (1) are as follows. Bgt is the response to the question: “Approximately what portion of your firm’s IT budget is devoted to cybersecurity related activities?” IC refers to the level of (dis)agreement with the statement: “Cybersecurity is an important component of my organization’s approach to the internal controls of financial reporting systems.” CR refers to the level of (dis)agreement with the statement: “In determining the risk associated with cybersecurity breaches, my organization considers the largest potential loss.” CA refers to the level of (dis)agreement with the statement: “The expected benefits from cybersecurity expenditures take into consideration the potential competitive advantage derived from strong cybersecurity within your organization.” Rev refers to a firm’s gross annual revenues, which is used in this study to control for the varying sizes of the firms represented by the survey respondents.
Dependent Variable
The dependent variable of concern in the empirical study discussed in this paper is the annual level of investment (i.e., expenditures) on cybersecurity activities made by a firm. Unfortunately, firms do not accumulate the expenditures for cybersecurity related activities in one subsidiary account. Thus, rather than asking the survey respondents to indicate a dollar amount of expenditures on cybersecurity activities, we asked them to indicate the portion (measured in terms of percentage) of the firm’s IT budget that was devoted to cybersecurity related activities. As shown in Equation (1), this variable is denoted as Bgt. There were seven possible choices, from which the survey respondents could select one. These choices were: 1) 1% - 2%; 2) 3% - 5%; 3) 6% - 8%; 4) 9% - 11%; 5) 12% - 15%; 6) 16% - 20%; and 7) greater than 20%.
Measuring the annual level of investment (i.e., expenditures) on cybersecurity activities in terms of the percentage of the firm’s IT budget devoted to cybersecurity activities was done for two reasons. First, since the firms in our sample vary in size, and since the objective of the study is to identify the main determinants (drivers) of cybersecurity investments, we concluded that asking respondents to indicate the percentage of the IT budget devoted to cybersecurity activities would result in more comparable findings across respondents than focusing on specific dollar amounts spent on cybersecurity activities (even after controlling for firm size). Second, based on the interviews with executives prior to completing the final survey instrument that was sent out to our sample (as discussed above), we concluded that we were far more likely to get meaningful responses to a question concerning cybersecurity spending relative to the overall IT budget than to a question concerning the exact dollar amount spent on cybersecurity. A fundamental reason for reaching this conclusion is the fact that the executives made it clear that the way cybersecurity expenditures are estimated likely varies substantially among firms. Although this variation in estimates also affects the reported percentage of the firm’s IT budget, the variance in how this percentage is estimated is probably much smaller than the variance in what firms count as the actual dollar amount. Thus, for purposes of this study, level of investment in cybersecurity activities refers to the percentage of IT budget devoted to such activities.
Independent Variables
As shown in Equation (1), our model included one independent variable associated with each of the hypotheses discussed in the last section of this paper. More to the point, IC (which refers to internal control of financial reporting) is associated with H01, CR (which refers to the cybersecurity risk associated with a large loss) is associated with H02, and CA (which refers to the potential competitive advantage derived from cybersecurity) is associated with H03. As noted above, these variables are measured on a 1 to 7 scale, where 1 represents “strongly disagree” and 7 represents “strongly agree”.
Rev (which represents the dollar amount of a firm’s gross annual revenues) is another independent variable included in Equation (1) and, as noted above, is used as a control variable to account for the varying sizes of the firms included in the study. This variable was measured in terms of four possible choices, from which the survey respondents could select one. These choices are: 1) under $10 million; 2) $10 million to $99 million; 3) $100 million to $1 billion; and 4) over $1 billion. It should be noted that, although not specified as a specific hypothesis, our expectation is that the larger the firm, the smaller the percentage of the IT budget devoted to cybersecurity related activities. The reason for this latter expectation is that a significant portion of IT costs are fixed, rather than variable, and lend themselves to large economies of scale (e.g., the cost of hardware, software, and key personnel).
The survey instrument was sent to a total of approximately 2000 senior executives responsible for either the technical aspects of cybersecurity investments (i.e., Chief Information Officers [CIOs]) or the financial aspects of cybersecurity investments (i.e., Chief Financial Officers [CFOs]) of approximately 1600 major U.S. organizations. These organizations represented a variety of industries that are normally viewed as being part of the U.S. critical infrastructure (see
Approximately eight weeks after the initial mailing of the survey instrument, a second mailing of the survey instrument was sent out. Since all participants in the study were guaranteed anonymity, the second mailing was sent to all 1600 organizations with a cover letter indicating that, if the targeted individuals had already responded to the survey, no further action was required (i.e., we did not want more than one response from a given individual). After taking into consideration the questionnaires returned because either the CIO or the CFO was no longer with the organization or the organization itself was no longer in existence (e.g., via a merger or acquisition), we had a usable response rate of approximately 10% (i.e., 158 responses).
Panel A of
| IT budget devoted to cybersecurity | 1% - 2% | 3% - 5% | 6% - 8% | 9% - 11% | 12% - 15% | 16% - 20% | More than 20% | Total |
|---|---|---|---|---|---|---|---|---|
| Number of observations | 26 | 50 | 25 | 28 | 16 | 10 | 3 | 158 |
Panel B
Panel C
12% and 20%. Less than 2% of the respondents (i.e., 3 out of 158) indicated that the percentage of the IT budget spent on cybersecurity activities in their firms is more than 20%.
As shown in Panel B of
The results from the logistic regression analysis (i.e., Equation (1) provided in the previous section of this paper) are provided in
As shown in
A unique aspect of the size factor became clearer during conversations between the authors of this study and several CISOs. In particular, it was frequently pointed out that smaller to medium size firms often find themselves in the position of having to outsource a large portion of their cybersecurity activities due to the high cost associated with hiring a sufficient number of technically qualified personnel.
a. Regression equation: $\log\frac{\mathrm{prob}(Bgt)}{1-\mathrm{prob}(Bgt)} = \beta_0 + \beta_1\,IC + \beta_2\,CR + \beta_3\,CA + \beta_4\,Rev + \varepsilon.$ b. Notations: Bgt = the portion (measured in terms of percentage) of the firm’s IT budget that was devoted to cybersecurity related activities. 1: 1% - 2%; 2: 3% - 5%; 3: 6% - 8%; 4: 9% - 11%; 5: 12% - 15%; 6: 16% - 20%; 7: greater than 20%. IC = level of (dis)agreement with the statement: “Cybersecurity is an important component of my organization’s approach to the internal controls of financial reporting systems.” 1: strongly disagree; 7: strongly agree. CR = level of (dis)agreement with the statement: “In determining the risk associated with cybersecurity breaches, my organization considers the largest potential loss.” 1: strongly disagree; 7: strongly agree. CA = level of (dis)agreement with the statement: “The expected benefits from cybersecurity expenditures take into consideration the potential competitive advantage derived from strong cybersecurity within your organization.” 1: strongly disagree; 7: strongly agree. Rev = gross annual revenues of the firms included in the study. 1: under $10 million; 2: between $10 million and $100 million; 3: between $100 million and $1 billion; 4: more than $1 billion.
As indicated by the results of the current study, there is a significant positive association between the importance firms attach to cybersecurity for internal control purposes and the percentage of their IT budget spent on cybersecurity activities. This finding supports the conceptual argument provided in the paper by Gordon et al. [
Another finding from the current study was a significant positive association between the percentage of a firm’s IT budget spent on cybersecurity activities and the way firms view a large potential loss from cybersecurity breach as a critical risk factor for the firm. Thus, a second policy level implication of the findings from the current study is that the U.S. federal government should facilitate a program that helps private sector firms identify and understand the risk of a large loss resulting from a major cybersecurity breach. The importance of such a program is highlighted by the fact that for some firms (especially small businesses), one security breach resulting in a large loss could force the firm into a precarious financial position (see Fanelli et al. [
The current study also found a significant positive association between the percentage of a firm’s IT budget spent on cybersecurity activities and the degree to which the firm considers the potential competitive advantage derived from strong cybersecurity. Thus, a third policy level implication of the findings from the current study is the opportunity for the U.S. federal government to help private sector firms better understand the potential competitive advantages from having a strong cybersecurity program in place. A better understanding of the potential competitive advantages of cybersecurity would, or at least should, encourage an increase in spending on cybersecurity activities by private sector firms. One way for the federal government to assist private sector firms to better understand the potential competitive advantage of cybersecurity is to either conduct, or provide support for, a comprehensive study on the competitive advantages accruing to firms that have a strong cybersecurity program in place.
Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. Given that roughly 85% of the U.S. Critical Infrastructure is owned by private-sector firms, this underinvestment in cybersecurity activities is clearly a serious concern to the national and economic security of the U.S. Unfortunately, there are some fundamental causes creating this situation. Four of the most important causes are as follows: First, cybersecurity investments are treated primarily as cost savings (or cost avoidance) investments by most private sector firms in the U.S. and such investments usually do not fare well compared to revenue generating investments; Second, the cost savings generated from cybersecurity investments are not observable; Third, given the high degree of uncertainty associated with the benefits of cybersecurity investments, there is a tendency for firms to take a “wait-and-see” approach to a large portion of potential cybersecurity investments; Fourth, private sector firms tend to ignore, or only pay “lip-service” to, the costs of the externalities (i.e., spillover effects that are not charged to the firm) associated with cybersecurity breaches. The primary objective of the study reported in this paper has been to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting purposes could serve as a driver for offsetting the above noted tendency by private sector firms to underinvest in cybersecurity activities. 
In addition, the empirical study reported also considered whether concern over the risk of incurring a large loss due to a cybersecurity breach, as well as treating cybersecurity investments as potentially generating a competitive advantage, could serve as drivers for offsetting the above noted tendency by private sector firms to underinvest in cybersecurity activities.
The findings from the study reported in this paper support the arguments that all three of the above noted potential drivers do indeed increase cybersecurity investments in private sector firms. More specifically, we found that treating cybersecurity as an important component of a firm’s internal control system for financial reporting, firm-level concern over the risk of a potentially large loss due to a cybersecurity breach, and considering cybersecurity investments as a firm-level potential competitive advantage are all important drivers (or determinants) of cybersecurity investments in private sector firms. As discussed in the previous sections of the paper, these findings have important implications for offsetting, at least partially, the underinvestment in cybersecurity activities by private sector firms.
As with all empirical studies, there are limitations with the empirical study forming the basis of this paper. One such limitation is that we ended up with only 158 usable responses to our survey. A second limitation is that there are many factors that drive cybersecurity investments in private sector firms not included in our study. In fact, one could come up with a long list of such factors. Indeed, controlling for all the potential factors driving cybersecurity spending presents a formidable problem. One way to address this problem in future research is to conduct laboratory experiments. The above limitations notwithstanding, we believe the study reported upon in this paper should help to improve our understanding of how to increase cybersecurity investments in private sector firms.
This work was supported by the US Department of Homeland Security (DHS) Science and Technology Directorate (Contract #N66001-112-C-0132); the Netherlands National Cyber Security Centre (NCSC); and Sweden MSB (Myndigheten för samhällsskydd och beredskap), the Swedish Civil Contingencies Agency.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2018) Empirical Evidence on the Determinants of Cybersecurity Investments in Private Sector Firms. Journal of Information Security, 9, 133-153. https://doi.org/10.4236/jis.2018.92010