Introduction
Data breach incidents have become a critical risk item in cybersecurity risk assessment. Data security plays an essential role in protecting companies’ reputations and avoiding fines or litigation. A primary concern of data breaches for companies is their severe financial consequences. Recent data privacy laws have enabled government organizations such as the Securities and Exchange Commission and the Federal Trade Commission to impose fines on companies in the event of a data breach. Class-action lawsuits and settlements with the government can exceed a hundred million dollars, as evidenced by the Equifax case. The increasing dependency on cyber systems and the interdependency among assets make cyber-attacks a legitimate concern. This dependency has placed cyber-attacks among the top 10 global economic risks (WEF, 2019). As a result, cyber insurance has become a way to reduce the monetary impact of data breaches.
Quantifying data breaches in monetary terms is of interest to insurers and risk managers, who still struggle to decipher the impact because of the lack of data and latent costs. The monetary impact of data breaches may exceed hundreds of millions of dollars, which can severely reduce an organization’s profit, if not bankrupt it. Therefore, decision-makers and cyber insurance companies need a better understanding of the financial and business consequences of information loss. This increased situational awareness can improve companies’ investment strategies in cybersecurity tools and techniques and lead them to consider transferring the data breach risk by purchasing cyber insurance. The insurance industry also needs to determine the probability and impact of data breaches in order to define premiums and sell cyber insurance.
This study adopts the bifurcated categorization of personally identifiable information (PII) as PII and sensitive PII (SPII) based on Department of Homeland Security definitions (2017) (Poyraz et al., 2020). Hence, the scope of this study is limited to data breaches that involve PII and SPII. Although there are myriad data breach incidents and a few data breach datasets, there are not enough comprehensive public datasets that shed light on the details of the incidents, such as the stolen information, causes, type, and costs. This obscurity prevents decision-makers and insurers from fully understanding the multiple implications of data breaches. Thus, they have been struggling to determine companies’ cyber risk exposure, and assessing the monetary impact of PII and SPII data breaches is crucial for organizations to forecast and manage the risk.
Data breach risk is an integral part of cyber risk due to government enforcement. Because of the multiple implications of cyber risk, such as monetary loss, business interruption, loss of customers, and loss of confidential information, organizations have been integrating cyber risk into overall enterprise risk management. Cyber risk must be well understood, and this can be achieved through a data categorization that captures the particularities of cyber risk.
This study aims to explicate the effects of the separate categorization of PII and SPII on the cost of mega data breaches. In this paper, we expand the previous research (Poyraz et al., 2020), which introduced a model to demonstrate the significance of the SPII category, in three respects. First, a new mega data breach data point has been added to the previously used dataset (Poyraz et al., 2020). Second, using the new dataset, a robust stepwise regression analysis was conducted. Third, using the new dataset and the developed model, a Monte Carlo analysis was conducted to investigate the interaction among the independent variables and the emerging patterns.
The structure of the paper is as follows. The literature review summarizes the background of this work. The methodology section describes the dataset we utilized, the robust stepwise regression, and a predicted R-squared study. The methodology section also includes a Monte Carlo analysis to explain the interaction among the four independent variables. The conclusion reviews the results and directions for further research.