Finance & Cyber Security: Uncovering major non-obvious financial gains and losses associated with corporate cyber security events

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

My DPhil research project "Finance & Cyber Security: Uncovering major non-obvious financial gains and losses associated with corporate cyber security events" at the University of Oxford sets out to explore hidden costs stemming from firms' cyber security events. I explore firm value implications of investments in cyber security, changes in cost of capital following security breaches, and corporate insiders' knowledge and exploitation of security breaches and vulnerabilities.

Specifically, I analysed the stock market impact of information security investments focusing on security standards. Such investments not only have the potential to reduce financial penalties and losses associated with data breaches, but may also help to enhance reputation, win new business, and improve business processes. I found that certifications according to the UK's Cyber Essentials scheme are systematically associated with significant and positive market reactions. Becoming ISO/IEC 27001 compliant, however, elicits significant negative abnormal stock returns.

Furthermore, I established that security breaches are associated with a statistically and economically significant increase in cost of equity. Analysing a large US-focused sample of severe security breaches, I found that capital market participants ascribe a higher risk, measured in terms of beta factors, to breached companies. Additionally, downside betas particularly increase following a security breach, which indicates that when markets yield negative returns, breached firms are particularly susceptible to increased costs of equity. The findings carry important implications for firms' cost of capital, that is, the costs of obtaining funding from external capital providers.

My research has been published by highly regarded outlets such as the Workshop on the Economics of Information Security (WEIS). The research project is of high relevance to academia and practitioners as previous research has focused mainly on obvious costs associated with cyber security and thereby neglected non-obvious losses to firms and society at large. The aim of my research is to establish a more holistic view on losses stemming from cyber (in-)security. The outcomes of my analyses will inform academic frameworks and executive decision making regarding information security investments.

The novelty of my research methodology stems from the novel (a) perspective on cyber security costs; (b) datasets used; and (c) financial methodologies applied to cyber security. First, I introduce new perspectives on accounting for benefits and losses associated with cyber security (breaches). By highlighting non-obvious economic implications associated with cyber security, academics and practitioners can form a more sophisticated view on cyber security costs and benefits. My research can inform novel frameworks that help guide information security investment endeavours. Second, I analyse previously unused (financial) datasets to inform information security decision making. Introducing novel empirical evidence to the nascent field of cyber security investments is of high relevance, as data is a scarce economic resource in this area of research. Third, I use well-established analytical methods from the financial economics literature to analyse cyber security phenomena. For instance, establishing changes in dual-beta systematic risk models following security breaches is novel to the information security economics literature.
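The dual-beta model referred to above, as an added illustration that is not the project's own code or data: firm excess returns are regressed on market excess returns separately for market-up and market-down days, and the resulting downside beta is compared across a pre- and a post-event window. The return series, the event date and the betas used to generate them are constructed here, so the script runs offline.

```python
"""Dual-beta (upside/downside beta) estimation around a hypothetical breach date.
Added example; the daily excess returns are constructed with a fixed seed."""
import random


def ols_slope(x, y):
    """Slope of an OLS regression of y on x, i.e. cov(x, y) / var(x)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    return sxy / sxx


def dual_beta(market, firm):
    """Return (beta_up, beta_down): the CAPM beta estimated separately on days
    with non-negative market excess return and on days with negative return."""
    up = [(m, f) for m, f in zip(market, firm) if m >= 0]
    down = [(m, f) for m, f in zip(market, firm) if m < 0]
    beta_up = ols_slope([m for m, _ in up], [f for _, f in up])
    beta_down = ols_slope([m for m, _ in down], [f for _, f in down])
    return beta_up, beta_down


def simulate(n, beta_up, beta_down, seed):
    """Constructed sample: firm return = beta * market return + noise, where the
    beta differs between market-up and market-down days."""
    rng = random.Random(seed)
    market, firm = [], []
    for _ in range(n):
        m = rng.gauss(0.0, 0.01)
        b = beta_down if m < 0 else beta_up
        market.append(m)
        firm.append(b * m + rng.gauss(0.0, 0.002))
    return market, firm


def breach_effect(pre_window=250, post_window=250):
    """Estimate dual betas in the window before and after a hypothetical breach.
    The constructed post-breach series has a higher downside beta by design."""
    m_pre, f_pre = simulate(pre_window, 1.0, 1.0, seed=1)
    m_post, f_post = simulate(post_window, 1.0, 1.4, seed=2)
    pre, post = dual_beta(m_pre, f_pre), dual_beta(m_post, f_post)
    return {"pre": pre, "post": post, "downside_beta_change": post[1] - pre[1]}


if __name__ == "__main__":
    res = breach_effect()
    print(f"pre-breach  beta_up={res['pre'][0]:.2f} beta_down={res['pre'][1]:.2f}")
    print(f"post-breach beta_up={res['post'][0]:.2f} beta_down={res['post'][1]:.2f}")
```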

This project falls within the EPSRC Digital Economy research area.

One sub-research project involves using data provided by a London-based asset management firm. Furthermore, I am in frequent discussions with senior employees at an international risk management and insurance firm, who are interested in my research and apply findings to their business activities.

Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it is now a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.


Studentship Projects

Project Reference: EP/P00881X/1 (Start 30/09/2016, End 30/03/2023)
Project Reference: 1938246; Relationship: Studentship; Related To: EP/P00881X/1; Start 01/10/2017; End 14/01/2022; Student Name: Dennis Malliouris
 
Description I analysed the stock market impact of information security investments focusing on security standards. Such investments not only have the potential to reduce financial penalties and losses associated with data breaches, but may also help to enhance reputation, win new business, and improve business processes. I found that certifications according to the UK's Cyber Essentials scheme are systematically associated with significant and positive market reactions. Becoming ISO/IEC 27001 compliant, however, elicits significant negative abnormal stock returns.

Furthermore, I established that security breaches are associated with a statistically and economically significant increase in cost of equity. Analysing a large US-focused sample of severe security breaches, I found that capital market participants ascribe a higher risk, measured in terms of beta factors, to breached companies. Additionally, downside betas particularly increase following a security breach, which indicates that when markets yield negative returns, breached firms are particularly susceptible to increased costs of equity. The findings carry important implications for firms' cost of capital, that is, the costs of obtaining funding from external capital providers.

The objective of the EPSRC/CDT Award was to produce DPhil research of publishable quality. These objectives have been met; my research has been published by highly regarded outlets such as the Workshop on the Economics of Information Security (WEIS).
Exploitation Route I will take my findings forward and further explore the topic of hidden costs and benefits of cyber security in the course of my DPhil research project. For instance, based on my research on changes in costs of equity, I will soon explore changes in cost of debt following security breaches. The outcomes of my research are relevant for for-profit companies, and have already been taken into consideration by professional firms/firms with which the CDT cooperates.
Sectors Communities and Social Services/Policy; Digital/Communication/Information Technologies (including Software); Financial Services, and Management Consultancy; Other

 
Description The outcomes of my research are relevant for for-profit companies, and have already been taken into consideration by professional risk analysis and consultancy firms/firms with which the CDT cooperates. My research can inform cost-benefit analyses regarding information security investments as well as corporate activities following security breaches. My research articles have also been of interest to, and discussed with, policy advisors at the Department for Digital, Culture, Media and Sport (DCMS).
First Year Of Impact 2019
Sector Communities and Social Services/Policy; Financial Services, and Management Consultancy; Government, Democracy and Justice
Impact Types Economic; Policy & public services

 
Description New College 1379 Society Old Members Scholarship
Amount £40,000 (GBP)
Organisation University of Oxford 
Department New College Oxford
Sector Academic/University
Country United Kingdom
Start 08/2017 
End 12/2021