Speaker: Justin Theriot
Abstract: Does Decomposing Losses Improve Our Understanding of the Financial Impact of Data Breaches?
Previous research modeling the financial impact of a data breach has focused on the total loss amount. Our study asked whether decomposing losses can provide accurate overall loss estimates together with greater compositional detail on how, and whether, different types of losses materialize. We analyzed 17,796 unique cyber events from the Advisen loss data set, splitting total financial losses into three FAIR subcategories: primary response costs (PRC), fines & judgments (F&J), and secondary response costs (SRC). The last two forms of loss are not guaranteed to occur, so we independently model the probability of each occurring. Each model uses the following seven variables: record count, firm revenue, region, threat access (external or internal), threat type (error or malicious), data type (PII, PCI, or PHI), and industry. Our approach uses standard log-log linear regression and explores three complementary penalized models using ridge, lasso, and elastic net. We find that PRC increases by 5% per 10% increase in the number of records breached, while F&J increases by 2%. Firm revenue is positively associated with all forms of loss but does not affect the likelihood of incurring F&J or SRC. Threat access increases PRC but reduces SRC and reduces the probability of F&J occurring. In comparison, threat type reduces PRC but increases SRC and F&J, with no effect on the likelihood of either secondary form of loss occurring. PCI data raises PRC and substantially increases the probability of SRC occurring, while not affecting the loss amount for SRC or F&J. Events involving PHI data are twice as likely to incur F&J. Industry does not affect PRC, and only finance and retail show higher SRC; industry does, however, affect the probability of a secondary loss occurring, to varying degrees. Firms can use our results to better model how losses will materialize, and so deploy cybersecurity controls efficiently to reduce their risk exposure.
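As an added worked example (not code from the talk or from RiskLens), the following Python sketches the decomposed loss structure the abstract describes: the two quoted record-count elasticities are converted to log-log slopes, and F&J and SRC are probability-weighted because they need not occur at all. The reference event figures and occurrence probabilities are constructed, and the "twice as likely" PHI effect is read as a doubled probability (a simplifying assumption).

```python
import math

def loglog_slope(loss_pct: float, driver_pct: float = 0.10) -> float:
    """Slope b of log(loss) = a + b*log(records) implied by 'loss rises loss_pct
    per driver_pct rise in records', since (1 + driver_pct)**b = 1 + loss_pct."""
    return math.log1p(loss_pct) / math.log1p(driver_pct)

# Elasticities quoted in the abstract: PRC +5% and F&J +2% per +10% records.
PRC_SLOPE = loglog_slope(0.05)   # about 0.51
FJ_SLOPE = loglog_slope(0.02)    # about 0.21

# Constructed reference event (hypothetical figures, not from the study):
# 10,000 records, $400k PRC, $250k F&J when it occurs, $150k SRC when it occurs,
# and a 20% / 30% chance that F&J / SRC occur at all.
REFERENCE = dict(records=10_000, prc=400_000.0, fj=250_000.0, src=150_000.0,
                 p_fj=0.20, p_src=0.30)

def project(base_loss: float, base_records: int, records: int, slope: float) -> float:
    """Move a loss along the fitted log-log line away from the reference event."""
    return base_loss * (records / base_records) ** slope

def decomposed_loss(records: int, phi: bool = False, ref: dict = REFERENCE) -> dict:
    """FAIR-style decomposition: PRC always materialises, while F&J and SRC are
    weighted by their occurrence probability. The abstract quotes no record-count
    elasticity for SRC, so its magnitude is held at the reference value. The PHI
    effect ('twice as likely to incur F&J') is modelled as a doubled probability,
    capped at 1 (assumption)."""
    prc = project(ref["prc"], ref["records"], records, PRC_SLOPE)
    fj = project(ref["fj"], ref["records"], records, FJ_SLOPE)
    p_fj = min(1.0, ref["p_fj"] * (2.0 if phi else 1.0))
    expected = prc + p_fj * fj + ref["p_src"] * ref["src"]
    return {"prc": prc, "fj": fj, "p_fj": p_fj, "src": ref["src"],
            "p_src": ref["p_src"], "expected_total": expected}

if __name__ == "__main__":
    for n in (10_000, 100_000, 1_000_000):
        est = decomposed_loss(n)
        print(f"{n:>9} records: PRC {est['prc']:,.0f}  "
              f"E[F&J] {est['p_fj'] * est['fj']:,.0f}  total {est['expected_total']:,.0f}")
```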
Justin has master's degrees in economics and international relations. He currently works at RiskLens as a Principal Data Scientist. His research focuses on the economic and financial impacts of cyber events. In addition to his primary research, he sits on the Model Governance Committee, proposing model changes and reviewing all other proposed changes before implementation. He also maintains all technical documentation, supporting quantitative model review teams in ensuring that RiskLens meets regulatory requirements. Before joining RiskLens, he was a data scientist at Emsi, designing models and conducting analyses of labor markets and economic development. He has seven years of professional experience as a data scientist. Before becoming a data scientist, Justin was an air traffic controller in the Air Force for 11 years.