Cyber incidents, security measures and financial returns: Empirical evidence from Dutch firms
Small and medium-sized enterprises are often identified as a group that is particularly vulnerable to cyber incidents. However, there is little academic research on the cybersecurity costs borne by those firms.
In this paper, we employ representative survey data on ICT use and administrative tax record data on Dutch firms to understand how cybersecurity investments relate to the probability of cyber incidents and firm profitability. This dataset allows us to control for firm size, industry, and IT organization.
We construct a new indicator to measure the degree of cyber maturity of firms and find that this maturity level tends to increase with firm size. Regression analyses suggest that the relation between maturity level and probability of a cyber incident is inverted U-shaped: a higher maturity level is initially associated with a higher incident probability, but the highest maturity level is associated with fewer reported incidents.
This finding is consistent with the hypothesis that basic cybersecurity measures primarily improve the detection of incidents, while more sophisticated measures help to prevent them: a firm first needs a basic level of cybersecurity to be able to detect incidents at all, and additional investment in cybersecurity can then reduce how many incidents occur.
Additionally, we consider firm profitability and find no significant correlation between profits and cybersecurity measures. A possible explanation is that tail risks (low-probability, high-impact events) are not captured by the ICT survey. Furthermore, it could be that firms are already investing optimally in security measures, so that additional investment in cybersecurity would not be mirrored in higher profits.