The value of cybersecurity : Stock market reactions to security breach announcements / Värdet av datasäkerhet : Marknadsreaktioner på datasäkerhetsincidenter

Nyrén, Paul, Isaksson, Oscar

January 2019

Companies around the world invest an increasing amount of money trying to protect themselves from cybercrime and unauthorized access of valuable data. The nature of these covert threats makes it seemingly impossible to quantify the risk of getting attacked. While it is possible to estimate the tangible costs of a security breach it is much harder to asses what a company stands to lose in terms of intangible costs. This thesis uses the Event Study methodology to determine the intangible losses of listed American companies who suffered data breaches. On average, the companies in the dataset loses 0.21% of their market cap after a security breach which, although not being statistically significant, translates to $267 million. Despite looking at several parameters to find significant predictors, only one turned out to be statistically significant, namely the number of records breached. These weak correlation is a result in itself; because of the low impact of a breach perhaps the companies lack proper incentives to protect their users' data. / Det ständigt växande cyberhotet gör att allt fler företag väljer att göra stora investeringar i datasäkerhet. Den dolda hotbilden gör det i stort sett omöjligt att kvantifiera sannolikheten för att råka ut för en attack. Även om det går att avgöra och förutspå de direkta kostnaderna kring ett dataintrång så är det nästintill omöjligt att avgöra de indirekta kostnaderna kring ett dataintrång. Detta arbete använder eventstudie-metodologin för att uppskatta de indirekta kostnaderna hos börsnoterade amerikanska företag efter att de haft ett dataintrång. Företagen i den undersökta datamängden förlorar i genomsnitt 0.21% av sitt marknadsvärde vilket, även om det saknar statistisk signifikans, motsvarar $267 miljoner. Arbetet undersöker ett antal parametrar för att hitta signifikanta prediktorer men endast en av de prediktorer vi undersökte var statistiskt signifikant, nämligen antalet läckta uppgifter. Dessa svaga samband är i sig intressanta; den till synes svaga inverkan av dataintrång på företagens börsvärde antyder att de kanske inte har så stora finansiella incitament att skydda sina kunders data.

Cybersecurity

Information security

InfoSec

Event study

cyberinsurance

data breach

Datasäkerhet

informationssäkerhet

infosec

Eventstudie

cyberförsäkring

dataintrång

Engineering and Technology

Teknik och teknologier

DATA QUALITY CONSEQUENCES OF MANDATORY CYBER DATA SHARING BETWEEN DUOPOLY INSURERS

Reinert, Olof, Wiesinger, Tobias

January 2020

Cyber attacks against companies are becoming more common as technology advances and digitalization is increasing exponentially. All Swedish insurance companies that sell cyber insurance encounter the same problem, there is not enough data to do good actuarial work. In order for the pricing procedure to improve and general knowledge of cyber insurance to increase, it has been proposed that insurance companies should share their data with each other. The goal of the thesis is to do mathematical calculations to explore data quality consequences of such a sharing regime. This thesis is based on some important assumptions and three scenarios. The most important assumptions are that there are two insurance companies forced to share all their data with each other and that they can reduce the uncertainty about their own product by investing in better data quality. In the first scenario, we assume a game between two players where they can choose how much to invest in reducing the uncertainty. In the second scenario, we assume that there is not a game, but the two insurance companies are forced to equal investments and thus have the same knowledge of their products. In the third scenario, we assume that the players are risk averse, that is, they are not willing to take high risk. The results will show how much, if any, the insurance companies should invest in the different scenarios to maximize their profits (if risk neutral) or utility (if risk averse). The results of this thesis show that in the first and second scenario, the optimal profit is reached when the insurance companies do not invest anything. In the third scenario though, the optimal investment is greater than zero, given that the companies are enough risk averse.

Cyber insurance

Information transmission

Game theory

Cournot market

Nash Equilibrium

Cyberförsäkring

Informationsdelning

Spelteori

Cournot-marknad

Nashjämvikt

Engineering and Technology

Teknik och teknologier

Mathematics

Matematik