Publisher
University of Tennessee at Chattanooga
Place of Publication
Chattanooga (Tenn.)
Abstract
[Invited adaptation from presentation proposal, "A Matter of Time: Exploring Survival Analysis Through Cybersecurity"] Given that employees pose a large threat to organizational cybersecurity, much research attention has been directed to identifying individual risk factors for cybersecurity noncompliance and misbehavior at the cost of examining broad organizational risk factors. However, no study to date has formally examined how the risk of an organizational cybersecurity incident changes over time, or how organizational characteristics affect this risk. The proposed study aims to conduct a survival analysis (SA) of cybersecurity events across the past decade, examining broad factors that impact the changing probability of cyberincidents. In particular, the proposed study will examine associations between cyberbreaches and industry type, annual revenue, and the sensitivity of information handled in the organization. While other studies have examined organization-wide risk factors, none have done so in a longitudinal analysis such as SA. The proposed study emphasizes the necessity of examining changes in risk across time due to the abundant evidence that cybersecurity incidents are increasing in both frequency and severity. Previously employed methods such as odds ratios fail to account for the time-based component needed for properly analyzing the continuously changing threat of cyberattacks. To analyze the impact of organizational factors on the risk of cyberincident, the proposed study will record security breaches (or lack thereof) for organizations listed in the top Fortune 1000 from 2005 to 2019, using publicly available data on over 9,000 cyberincidents recorded by Privacy Rights Clearinghouse. Event data will be examined in R, and organizational factors will be examined for covariance with the risk of cyberincident.
Preliminary results from 2004 Fortune 500 companies indicate significant associations between cyberincident risk and both industry type and annual revenue. By utilizing survival analysis, the proposed study will provide an enhanced, time-based view of the past prevalence of cybersecurity incidents and the organizational factors associated with increased risk. Emphasizing these factors serves to alert organizations to their unique vulnerabilities, inspiring increased attention to the subject of security.
Date
October 2019
Subject
Industrial and organizational psychology
Document Type
posters
Language
English
Rights
http://rightsstatements.org/vocab/InC/1.0/
License
http://creativecommons.org/licenses/by-nc-sa/4.0/
Table + graphic of preliminary results
Included in
Industrial and Organizational Psychology Commons, Management Information Systems Commons
Survival of the safest: examining organization risk factors for cybersecurity incidents
Department
University of Tennessee at Chattanooga. Dept. of Psychology