Examining the costs and causes of cyber incidents

This paper examines a sample of over 12,000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes, and types of information compromised). We then examine the breach and litigation rate, by industry, and we identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. Public concerns regarding the increasing rates of breaches and legal actions, conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200k (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.