Abstract:
This paper examines the incentives that firms have to adopt the information security frameworks established in 2013 by the National Institute of Standards and Technology (NIST). The framework for enhanced security is voluntary for firms, meaning there must be a driving factor that encourages firms to adopt a new security framework. To assess the financial cost of data breaches and cyber threats to firms across the US, over 12,000 cyber events were examined. These events included data breaches, privacy violations, security incidents and phishing crimes. The events are analyzed by the type of information compromised and the cause of the incident. The cost of the events to firms is then assessed by industry to identify the industries that incur the greatest cost from cyber events. The results show that the financial impact is relatively modest compared to the magnitude of public concerns that arise from such cyber events. The research shows that typical cyber incidents cost about 0.4% of estimated annual revenues for firms.