69 research outputs found

    NSA Revelations of Privacy Breaches: Do Investors Care?

    Our study is focused on the financial impact of NSA-security and privacy breach events announced in the news media between June 2013 and March 2014. While prior research has provided empirical evidence on the stock market reaction of security and privacy breaches such as confidentiality, integrity and availability breaches, there is scarce research on the financial impact of NSA-related security and privacy breaches. Based on previous studies, we apply the event study framework to analyze how NSA revelations influence investor’s confidence. Results show that NSA-breach announcements have a negative impact on investors’ confidence, which is confirmed by the negative cumulated abnormal returns on the event date. Our study contributes hence with insights on a relatively new phenomenon of high relevance concerning the security of information assets

    UK security breach investigations report: an analysis of data compromise cases

    This report, rather than relying on questionnaires and self-reporting, concerns cases that were investigated by the forensic investigation team at 7Safe. Whilst removing any inaccuracies arising from self-reporting, the authors acknowledge that the limitation of the sample size remains. It is hoped that the unbiased reporting by independent investigators has yielded interesting facts about modern security breaches. All data in this study is based on genuine completed breach investigations conducted by the compromise investigation team over the last 18 months

    From Convergence to Compromise: Understanding the Interplay of Digital Transformation and Mergers on Data Breach Risks in Local and Cross-Border Mergers

    In today’s digital age, the potential risks and challenges associated with digital transformation (DT) and cybersecurity have received limited research attention. This dissertation consists of three interconnected studies that aim to address this gap. The first study employs paradox theory to demonstrate that DT initiatives can increase a firm’s susceptibility to data breaches. Using a unique dataset spanning 10 years and involving 3604 brands, our analysis reveals that DT efforts in mobile and digital marketing are associated with a higher incidence of data breaches. However, firms can mitigate this impact by enhancing their innovative capacities. These findings contribute to a better understanding of the complex relationship between DT, data breaches, and innovation. Our second investigation, rooted in complexity theory and matching theory, examines the impact of mergers and acquisitions (M&As) on the frequency of data breaches. By analyzing 18 years of data from 5072 US firms, we find that M&As increase the likelihood of data breaches, particularly when the merging firms operate in different business domains. Furthermore, we observe that M&As that receive more media attention are more prone to data breaches, while those involving a more vulnerable target firm have fewer breaches. In our third study, guided by Institutional theory, we explore the relationship between cross-border mergers and acquisitions (CBMA) and data breaches. Our findings indicate that CBMAs, especially those accompanied by significant media publicity and involving firms from divergent institutional contexts, heighten the risk of data breaches. Overall, these studies provide valuable insights for firms aiming to mitigate data breach risks during their digital transformation (DT) efforts and M&A activities. They emphasize the importance of adopting a balanced communication strategy and considering the security implications of strategic actions.
Moreover, our findings contribute to the academic discourse in information systems by illuminating the intricate interplay between DT, M&As, and data breaches

    The Economic Impact of Privacy Violations and Security Breaches

    Privacy and security incidents represent a serious threat for a company’s business success. While previous research in this area mainly investigated second-order effects (e.g., capital market reactions to privacy or security incidents), this study focuses on first-order effects, that is, the direct consumer reaction. In a laboratory experiment, the authors distinguish between the impact of privacy violations and security breaches on the subjects’ trust and behavior. They provide evidence for the so-called “privacy paradox” which describes that people’s intentions, with regard to privacy, differ from their actual behavior. While privacy is of prime importance for building trust, the actual behavior is affected less and customers value security higher when it comes to actual decision making. According to the results, consumers’ privacy related intention-behavior gap persists after the privacy breach occurred

    Efficiency and Sustainability of the Distributed Renewable Hybrid Power Systems Based on the Energy Internet, Blockchain Technology and Smart Contracts

    The climate changes that are visible today are a challenge for the global research community. In this context, renewable energy sources, fuel cell systems, and other energy generating sources must be optimally combined and connected to the grid system using advanced energy transaction methods. As this book presents the latest solutions in the implementation of fuel cell and renewable energy in mobile and stationary applications such as hybrid and microgrid power systems based on energy internet, blockchain technology, and smart contracts, we hope that they are of interest to readers working in the related fields mentioned above

    The economics of mandatory security breach reporting to authorities

    Legislators in many countries enact security breach notification regulation to address a lack of information security. The laws designate authorities to collect breach reports and advise firms. We devise a principal–agent model to analyze the economic effect of mandatory security breach reporting to authorities. The model assumes that firms (agents) have few incentives to unilaterally report breaches. To enforce the law, regulators (principals) can introduce security audits and sanction noncompliance. However, audits cannot differentiate between concealment and nescience of the agents. Even under optimistic assumptions regarding the effectiveness of mandatory security breach reporting to authorities in reducing individual losses, our model predicts that it may be difficult to adjust the sanction level such that breach notification laws generate social benefit

    The impact of the Data Protection Officer (DPO) in the firm’s strategic decisions

    This dissertation adopts an exploratory empirical research method in order to address a subject that has recently gained considerable media and corporate attention. The urgent focus on the issue in relation to the principles of data protection in corporate governance and the business world results from the fact that although the General Data Protection Regulation (GDPR) affects virtually all companies and requires them to employ a data protection officer (DPO), in fact, the reality does not reflect this. Of the almost 27 million companies in the European Union required by law to enforce GDPR regulation, most have never heard of their requirement to employ a DPO in full compliance with the legislation, even though full observance of GDPR became mandatory as of 25 May 2018. The current research analyses the role of the DPO and explores its potential to impact on the business world. The research assesses the transformational effect the GDPR paradigm has had on the system of corporate responsibility of the businesses that must observe it. In particular the competencies and responsibility bestowed on the DPO when effectively it gave the role the power to take responsibility for and actively influence the direction of a company’s strategic decision-making. In order to identify the gaps, the research commences with an examination of the nature of this transformational paradigm, focusing on its origin, development and finally its execution. The analysis then focuses on the selection, appointment and profile of the DPO and additionally gains insight into the role, actions taken, and structural implementation of the DPO role within organizations. Examination of the relationship of the DPO with other stakeholders and its relationship with the board produced pertinent data, allowing the researcher to come to a number of conclusions as to the impact of GDPR, the DPO’s role, and the role’s relevance to corporate governance. 
This qualitative research, using semi-structured interviews, selected interviewees according to the criteria adopted, with focus on organizational reputation and the importance of personal data-handling. The DPOs were selected from multinational listed companies operating in data-driven sectors (e.g. banking, telecommunications, pharmaceuticals and retail) because, as these organizations deal with massively sensitive data as an indispensable part of their core business, the DPOs within them play a pivotal role in terms of influence. What emerged from the research is that the involvement of the DPO differs: sometimes the DPO is central to the development of GDPR compliance and sometimes the role is there just to ensure compliance and provide training. The research suggests that the DPO does have real influence at board level; however, the hypothesis is also that the DPO can directly intervene in the decision-making processes of organizations, either in the development or in the execution of GDPR, as a direct result of their involvement in the implementation of the strategy. Finally, even though GDPR is a very recent paradigm, which means there are no guidelines or case laws to refer to, this does not diminish corporate responsibility to comply. However, as businesses often rely upon instinct and community, and base practice on trial and error, the consequences – both positive and negative – are yet to manifest

    Evidence-based Cybersecurity: Data-driven and Abstract Models

    Achieving computer security requires both rigorous empirical measurement and models to understand cybersecurity phenomena and the effectiveness of defenses and interventions. To address the growing scale of cyber-insecurity, my approach to protecting users employs principled and rigorous measurements and models. In this dissertation, I examine four cybersecurity phenomena. I show that data-driven and abstract modeling can reveal surprising conclusions about longterm, persistent problems, like spam and malware, and growing threats like data-breaches and cyber conflict. I present two data-driven statistical models and two abstract models. Both of the data-driven models show that the presence of heavy-tailed distributions can make naive analysis of trends and interventions misleading. First, I examine ten years of publicly reported data breaches and find that there has been no increase in size or frequency. I also find that reported and perceived increases can be explained by the heavy-tailed nature of breaches. In the second data-driven model, I examine a large spam dataset, analyzing spam concentrations across Internet Service Providers. Again, I find that the heavy-tailed nature of spam concentrations complicates analysis. Using appropriate statistical methods, I identify unique risk factors with significant impact on local spam levels. I then use the model to estimate the effect of historical botnet takedowns and find they are frequently ineffective at reducing global spam concentrations and have highly variable local effects. Abstract models are an important tool when data are unavailable. Even without data, I evaluate both known and hypothesized interventions used by search providers to protect users from malicious websites. I present a Markov model of malware spread and study the effect of two potential interventions: blacklisting and depreferencing. 
I find that heavy-tailed traffic distributions obscure the effects of interventions, but with my abstract model, I showed that lowering search rankings is a viable alternative to blacklisting infected pages. Finally, I study how game-theoretic models can help clarify strategic decisions in cyber-conflict. I find that, in some circumstances, improving the attribution ability of adversaries may decrease the likelihood of escalating cyber conflict