IDEAS home Printed from https://ideas.repec.org/a/kap/sbusec/v63y2024i1d10.1007_s11187-023-00803-0.html
   My bibliography  Save this article

Should firms invest more in cybersecurity?

Author

Listed:
  • Milena Dinkova

    (CPB Netherlands Bureau for Economic Policy Analysis)

  • Ramy El-Dardiry

    (CPB Netherlands Bureau for Economic Policy Analysis)

  • Bastiaan Overvest

    (CPB Netherlands Bureau for Economic Policy Analysis)

Abstract

We combine unique survey data on IT use and administrative tax record data on Dutch firms to understand how cybersecurity investments relate to the probability of cyber incidents and firm profitability. This dataset allows us to control for firm size, industry, and IT organization. We construct a new indicator to measure the degree of cyber maturity of firms and find that this maturity level tends to increase with firm size. Regression analyses suggest that the relation between maturity level and probability of a cyber incident is inverted U-shaped: a higher maturity level is initially associated with a higher incident probability, but the highest maturity level is associated with fewer reported incidents. This finding is consistent with the hypothesis that basic cybersecurity measures enable better detection of incidents and more sophisticated measures help to prevent incidents. We do not find, however, evidence for a positive relation between cybersecurity measures and profits.

Suggested Citation

  • Milena Dinkova & Ramy El-Dardiry & Bastiaan Overvest, 2024. "Should firms invest more in cybersecurity?," Small Business Economics, Springer, vol. 63(1), pages 21-50, June.
    • Handle: RePEc:kap:sbusec:v:63:y:2024:i:1:d:10.1007_s11187-023-00803-0
    DOI: 10.1007/s11187-023-00803-0
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s11187-023-00803-0
    File Function: Abstract
    Download Restriction: Access to full text is restricted to subscribers.
    File URL: https://libkey.io/10.1007/s11187-023-00803-0?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Anat Hovav & John D'Arcy, 2003. "The Impact of Denial‐of‐Service Attack Announcements on the Market Value of Firms," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 6(2), pages 97-121, September.
    2. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    3. Tyler Moore & Richard Clayton & Ross Anderson, 2009. "The Economics of Online Crime," Journal of Economic Perspectives, American Economic Association, vol. 23(3), pages 3-20, Summer.
    4. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Milena Dinkova & Ramy El-Dardiry & Bastiaan Overvest, 2020. "Cyber incidents, security measures and financial returns: Empirical evidence from Dutch firms," CPB Discussion Paper 411.rdf, CPB Netherlands Bureau for Economic Policy Analysis.
    2. Milena Dinkova & Ramy El-Dardiry & Bastiaan Overvest, 2020. "Cyber incidents, security measures and financial returns: Empirical evidence from Dutch firms," CPB Discussion Paper 411, CPB Netherlands Bureau for Economic Policy Analysis.
    3. Chris Florakis & Christodoulos Louca & Roni Michaely & Michael Weber, 2020. "Cybersecurity Risk," Working Papers 2020-178, Becker Friedman Institute for Research In Economics.
    4. Michael McShane & Trung Nguyen, 2020. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 580-615, October.
    5. Jing Chen & Elaine Henry & Xi Jiang, 2023. "Is Cybersecurity Risk Factor Disclosure Informative? Evidence from Disclosures Following a Data Breach," Journal of Business Ethics, Springer, vol. 187(1), pages 199-224, September.
    6. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    7. Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    8. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    9. Cao, Hung & Phan, Hieu V. & Silveri, Sabatino, 2024. "Data breach disclosures and stock price crash risk: Evidence from data breach notification laws," International Review of Financial Analysis, Elsevier, vol. 93(C).
    10. Michael McShane & Trung Nguyen, 0. "Time-varying effects of cyberattacks on firm value," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-36.
    11. Loic Mar'echal & Alain Mermoud & Dimitri Percia David & Mathias Humbert, 2024. "Measuring the performance of investments in information security startups: An empirical analysis by cybersecurity sectors using Crunchbase data," Papers 2402.04765, arXiv.org, revised Feb 2024.
    12. Crosignani, Matteo & Macchiavelli, Marco & Silva, André F., 2023. "Pirates without borders: The propagation of cyberattacks through firms’ supply chains," Journal of Financial Economics, Elsevier, vol. 147(2), pages 432-448.
    13. Lin, Zhaoxin & Sapp, Travis R.A. & Ulmer, Jackie Rees & Parsa, Rahul, 2020. "Insider trading ahead of cyber breach announcements," Journal of Financial Markets, Elsevier, vol. 50(C).
    14. Gauguier, Jean-Jacques, 2009. "L’industrialisation de l’Open Source," Economics Thesis from University Paris Dauphine, Paris Dauphine University, number 123456789/4388 edited by Toledano, Joëlle.
    15. Daniel Celeny & Loic Mar'echal & Evgueni Rousselot & Alain Mermoud & Mathias Humbert, 2024. "Prioritizing Investments in Cybersecurity: Empirical Evidence from an Event Study on the Determinants of Cyberattack Costs," Papers 2402.04773, arXiv.org.
    16. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).
    17. Seo-Young Cho, 2016. "A crime 2.0 - cybercrime, e-talent, and institutions," MAGKS Papers on Economics 201608, Philipps-Universität Marburg, Faculty of Business Administration and Economics, Department of Economics (Volkswirtschaftliche Abteilung).
    18. Sanjeev Goyal & Adrien Vigier, 2014. "Attack, Defence, and Contagion in Networks," Review of Economic Studies, Oxford University Press, vol. 81(4), pages 1518-1542.
    19. Narcyz Roztocki & Heinz Roland Weistroffer, 2015. "Investments in enterprise integration technology: An event study," Information Systems Frontiers, Springer, vol. 17(3), pages 659-672, June.
    20. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.

    More about this item

    Keywords

    Cybersecurity; Risks; IT; SMEs; Investment;
    All these keywords.

    JEL classification:

    • D22 - Microeconomics - - Production and Organizations - - - Firm Behavior: Empirical Analysis
    • M15 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Business Administration - - - IT Management
    • L25 - Industrial Organization - - Firm Objectives, Organization, and Behavior - - - Firm Performance

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:kap:sbusec:v:63:y:2024:i:1:d:10.1007_s11187-023-00803-0. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.springer.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.