Response Patterns to Data Breaches in Firm IT Investment

Data Breaches and Firm IT investment
Ali Mahdavi Adeli
DS cluster presentation – Nov 13, 2019
 
Motivation
Increasing number of Breaches
More than 3,800 publicly disclosed breaches exposing an incredible 4.1
billion compromised records. (Forbes)
Annual cost $445 billion worldwide and $107 billion US economy.
 
 
 
 
 
Increasing Security Expenditures
Consistent increase in IT security expenditure over the past decade
across all industries (Gartner 2015)
$124 Billion in 2019, annual growth rate 8.7% (Gartner)
 
 
 
 
 
Theoretical lens
Internal Capital Allocation: investment of financial capital into the business units of a multidivisional organization
Theoretical motives (strategies) underlying capital allocation
Winner Picking: maximizing business unit and firm growth
Diversification, Risk mitigation
Exploitation of synergies
Link between capital allocation and firm performance? Inconclusive
Research Question
Internal Resource Allocation
1. How do Firms Reallocate Internal IT Resources in Response to Security Breaches?
Research Question
Internal Resource Allocation
2. How does the Internal Resource Allocation Pattern Affect the Future Performance of the Breached Firm?
Future breach incidents
Financial & operational performance
Research Question
1. How do Firms Reallocate the Internal IT Resources in Response to Security Breaches?
2. How does the Internal Resource Allocation Pattern Affect the Future Performance of the Breached Firm?
Following a security breach:
How does the focal firm allocate IT budget to its sites
Does the firm fire or hire? – Number of IT employees at the site
Previous Literature
 
Antecedents of security breach
Proactive vs. reactive security investment (Kwon and Johnson 2014)
Substantive vs. symbolic adoption (Angst et al. 2017)
Firm characteristics: size, value, intangible assets, board attention to risk management cyberattacks (Kamiya, et al. 2018)
Action-oriented disclosure lower likelihood of future breaches (Wang, Kannan, & Ulmer 2013)
Previous Literature
 
Consequences of security breach
Cost-effectiveness of security decisions (Kwon and Johnson, MISQ 2014)
Financial loss (HHS 2009; Mulligan and Bamberger 2007)
Firm market value (Cavusoglu et al. 2004)
Negative impact when consumer financial information is appropriated (Kamiya, et al. 2018)
 
 
Research Question
How do Firms Reallocate their Internal IT Resources in Response to Security Breaches?
IT budget allocation at the sites
IT employees at the sites
Key Takeaways
After a security breach…
The overall firm IT budget, IT employees and SaaS usage did not change.
Breached sites, on average, no change in site IT budget, IT employees, and SaaS usage; but:
Non-breached sites in breached firms, on average, increase in site IT budget, and decrease in SaaS usage; moreover:
Data and Measurements
Sample Construction
Data Sources I: Security Breaches
Privacy Rights Clearinghouse (PRC) website
A nonprofit organization: comprehensive list of publicized security breaches since 2005 using various sources (e.g., media, government agencies, attorney general offices, other discontinued databases such as DataLossDB).
Data from this source has been used by IS researchers in recent studies (Angst et al. 2017; Sen and Borle 2015).
Breach Level Index (BRI) website
Collects information on publicly announced data security breaches from 2013 onwards.
Industry Distribution in the Breach Sample
Top 10 States
Number of Breached Records
621 incidents with #breached records information
Median = 1,651 records
75% = 13,000 records
90% = 200,000 records
Examples
2011, Epsilon, an email service provider for companies, ... Only e-mail addresses and names were stolen. A total of 75 companies were affected... Conservative estimates place the number of customer email addresses breached at 50-60 million. The total of customer emails exposed could reach 250 million.
2013, Adobe, hackers broke into its network and stole source code for an as-yet undetermined number of software titles, ..... The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts.
2018, Under Armour says roughly 150 million MyFitnessPal users are affected by a breach of their wildly popular fitness app MyFitnessPal,
Data Sources II: IT Budget, IT Employees, SaaS
Harte-Hanks CI database.
Site-level IT budget, IT employment and the usage of SaaS.
Year 2010 to 2016
536,587 unique sites (different physical locations).
Mapped to 28,373 5-digit zip codes and 414 MSA (Metropolitan Statistical Area Codes).
Data Sources III: Control Variables
Compustat
Harte-Hanks
Firm-level Analysis
 
Dependent Vars
Firm total IT budget: $Million
Firm total # of IT employees
 
Independent Vars
Breach occurrence at t-1 (0 / 1), t-2 (0 / 1), t-3 (0 / 1)
 
Control Vars
Firm # employees, market capitalization, ROE, liquidity, market/book, %IT employees
Site-level Analysis
 
Dependent Vars
Site total IT budget: $
Site total # of IT employees
 
Independent Vars – Difference-in-difference
Breach occurrence
 
Control Vars
SITE CONTROLS: Size of the site (#employees), %IT employees
FIRM CONTROLS: Firm # employees, market capitalization, ROE, liquidity, market/book, %IT employees
Methods / Model Specification
Model Specification
 
Firm-level Analysis
Linear Panel Model with Firm Fixed Effects
 
Site-level Analysis
Difference-in-Difference
Treatment:
(I) breached site in a breached firm;
(II) non-breached site in a breached firm.
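The site-level specification above, worked through as an added example that is not part of the original presentation: an ordinary least squares fit of site IT budget on Treated, After, Treated * After and a site-size control, run once for each treatment definition. All rows are constructed for illustration, the field names are assumptions, and the matching step on industry, location and year is left out.

```python
# Added illustration; every number here is constructed, none is from the study.

def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("design matrix is rank deficient")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(xs, ys):
    """Least-squares coefficients from the normal equations (X'X) b = X'y."""
    k = len(xs[0])
    xtx = [[sum(x[i] * x[j] for x in xs) for j in range(k)] for i in range(k)]
    xty = [sum(x[i] * y for x, y in zip(xs, ys)) for i in range(k)]
    return solve(xtx, xty)


def build_panel():
    """Constructed site-period rows: four sites per group, before and after."""
    rows = []
    # (firm_breached, site_breached, constructed post-breach budget shift)
    groups = [(1, 1, 0.0), (1, 0, 30.0), (0, 0, 0.0)]
    for firm_b, site_b, effect in groups:
        for i in range(4):
            employees = 10 + 5 * i + 3 * firm_b + 2 * site_b
            for after in (0, 1):
                budget = (100 + 20 * firm_b + 50 * after
                          + 2 * employees + effect * after)
                rows.append({"firm_breached": firm_b, "site_breached": site_b,
                             "after": after, "employees": employees,
                             "budget": budget})
    return rows


def did(rows, analysis):
    """Analysis "I": treated = breached site in a breached firm.
    Analysis "II": treated = non-breached site in a breached firm.
    Control in both: non-breached site in a non-breached firm."""
    if analysis not in ("I", "II"):
        raise ValueError("analysis must be 'I' or 'II'")
    wanted_site_breached = 1 if analysis == "I" else 0
    xs, ys = [], []
    for r in rows:
        if r["firm_breached"]:
            if r["site_breached"] != wanted_site_breached:
                continue  # the other kind of site in a breached firm
            treated = 1
        else:
            treated = 0
        xs.append([1.0, treated, r["after"], treated * r["after"],
                   r["employees"]])
        ys.append(r["budget"])
    names = ("const", "treated", "after", "treated_x_after", "site_employees")
    return dict(zip(names, ols(xs, ys)))


if __name__ == "__main__":
    panel = build_panel()
    for analysis in ("I", "II"):
        coef = did(panel, analysis)
        print(analysis, round(coef["treated_x_after"], 6))
```

The coefficient on Treated * After is the difference-in-difference estimate: the change at treated sites beyond the change the control sites show over the same period.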
Difference-in-Difference Analysis I
[Diagram: Breached Firm A (headquarter, one breached site, several non-breached sites) beside Non-breached Firm B (headquarter, several non-breached sites)]
Treated site: breached site in a breached firm
Control site: non-breached site in a non-breached firm
Matched based on industry, location, year and size of the site.
115 : 728
Difference-in-Difference Analysis II
[Diagram: Breached Firm A (headquarter, one breached site, several non-breached sites) beside Non-breached Firm B (headquarter, several non-breached sites)]
Treated site: non-breached site in a breached firm
Control site: non-breached site in a non-breached firm
Matched based on industry, location, year and size of the site.
1,178 : 6,625
Analysis
 
 
Firm-level Analysis
 
Site-level Difference-in-Difference Analysis 
BREACHED SITE as the Treated
NON-BREACHED SITE as the Treated
Human error VS. IT failure?
Number of breached records?
Firm Sample Descriptive Statistics
Human error vs. IT failure?
Manually coded
Human error:
A former customer service representative gathered account information
directly from two customers during telephone calls and later attempted to
use the information for personal purchases.
A laptop with .... member information was stolen on December 13. Two of
the burglars distracted the receptionist while the third entered a hallway
and stole the laptop.
IT failure
The Sacramento Bee said in a statement that a firewall protecting its
database was not restored during routine maintenance last month, leaving
the 19,501,258 voter files publicly accessible. Additionally, the names,
home addresses, email addresses, and phone numbers of 52,873
Sacramento Bee subscribers were compromised.
Number of breached records?
Use 1,674 compromised records as a cutoff 
High-record breach vs. low-record breach
Key Takeaways
After a security breach…
The overall firm IT budget, IT employees and SaaS usage did not change.
Breached sites, on average, no change in site IT budget, IT employees, and SaaS usage; but:
Non-breached sites in breached firms, on average, increase in site IT budget, and decrease in SaaS usage; moreover:
Conclusions
Breached firms do not necessarily increase total IT budget post security breach.
However, there seems to be a shift of internal IT resources to important establishments of the firm.
Large
Regional headquarter
Close to HQ
In the main industry sector that the firm is in
Theory – Model of capital allocation

This research explores how firms reallocate internal IT resources in response to security breaches and the impact of these allocation patterns on future firm performance. It delves into the allocation of IT budgets, changes in IT staffing, and examines antecedents and consequences of security breaches based on previous literature.

  • Data breaches
  • IT investment
  • Security expenditures
  • Resource allocation
  • Firm performance

Uploaded on Aug 05, 2024



Presentation Transcript


  1. Data Breaches and Firm IT investment Ali Mahdavi Adeli DS cluster presentation Nov 13, 2019

  2. Motivation Increasing number of Breaches More than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records. (Forbes) Annual cost $445 billion worldwide and $107 billion US economy. Increasing Security Expenditures Consistent increase in IT security expenditure over the past decade across all industries (Gartner 2015) $124 Billion in 2019, annual growth rate 8.7% (Gartner)

  3. Research Question Internal Resource Allocation 1. How do Firms Reallocate Internal IT Resources in Response to Security Breaches?

  4. Research Question Internal Resource Allocation 2. How does the Internal Resource Allocation Pattern Affect the Future Performance of the Breached Firm? Future breach incidents Financial & operational performance

  5. Research Question 1. How do Firms Reallocate the Internal IT Resources in Response to Security Breaches? 2. How does the Internal Resource Allocation Pattern Affect the Future Performance of the Breached Firm?

  6. Following a security breach: How does the focal firm allocate IT budget to its sites Does the firm fire or hire? Number of IT employees at the site

  7. Previous Literature Antecedents of security breach Proactive vs. reactive security investment (Kwon and Johnson 2014) Substantive vs. symbolic adoption (Angst et al. 2017) Firm characteristics: size, value, intangible assets, board attention to risk management cyberattacks (Kamiya, et al. 2018) Action-oriented disclosure lower likelihood of future breaches (Wang, Kannan, & Ulmer 2013)

  8. Previous Literature Consequences of security breach Cost-effectiveness of security decisions (Kwon and Johnson, MISQ 2014) Financial loss (HHS 2009; Mulligan and Bamberger 2007) Firm market value (Cavusoglu et al. 2004) Negative impact when consumer financial information is appropriated (Kamiya, et al. 2018)

  9. Research Question How do Firms Reallocate their Internal IT Resources in Response to Security Breaches? IT budget allocation at the sites IT employees at the sites

  10. Key Takeaways After a security breach The overall firm IT budget, IT employees and SaaS usage did not change. Breached Sites, on average, no change in site IT budget, IT employees, and SaaS usage; but: Site IT budget large, close to the HQ, or in the main industry of the firm Site IT employees regional HQ, close to HQ Site SaaS Large Non-breached sites in breached firms, on average, increase in site IT budget, and decrease in SaaS usage; moreover: regional HQ, close to the HQ, or in the main industry of the firm Site IT budget large, or in the main industry of the firm Site IT employees Regional HQ Site SaaS

  11. Data and Measurements

  12. Sample Construction
      Firm-level: Unit of Analysis: firm-year; 3,943 unique public firms in US; Year 2010 to 2016; 857 breach events
      Site-level: Unit of Analysis: site-year; 52,921 unique sites; Year 2010 to 2016; 801 breach events

  13. Data Sources I: Security Breaches Privacy Rights Clearinghouse (PRC) website a nonprofit organization: comprehensive list of publicized security breaches since 2005 using various sources (e.g., Media, government agencies, attorney general offices, other discontinued databases such as DataLossDB). Data from this source has been used by IS researchers in recent studies (Angst et al. 2017; Sen and Borle 2015). Breach Level Index (BRI) website collects information on publicly announced data security breaches from 2013 onwards.

  14. 2 digit NAICS code Freqency Percent 11 Agriculture, Forestry, Fishing and Hunting 1 0.12 21 Mining, Quarrying and Oil and Gas Extraction 22 Utilities 4 4 0.47 0.47 Industry Distribution in the Breach Sample 23 Construction 7 0.83 11 19 60 1.3 2.25 7.11 31 - 33 Manufacturing 42 Whole sale 62 7.35 44 5.21 44 and 45 Retail 24 2.84 22 2.61 48 Transportation and Warehousing 28 86 206 15 51 10 3.32 10.19 24.41 1.78 6.04 1.18 51 Information 52 Finance/insurance 53 Real estate and Rental and Leasing 54 Professional, Scientific and Technical Services 55 Management of Companies and Enterprises 56 Administrative and Support and Waste Management and Remediation Services 61 Educational Services 62 Healthcare 71 Arts, Entertainment, and Recreation 72 Accommodation and Food Services 81 Other Services (except Public Administration) 25 2.96 5 75 6 29 16 0.59 8.89 0.71 3.44 1.9 15

  15. Top 10 States
      Ranking  State         Frequency  Percent
      1        California    70         16.09
      2        Maryland      37         8.51
      3        Texas         31         7.13
      4        New York      26         5.98
      5        Florida       25         5.75
      6        Illinois      25         5.75
      7        Georgia       21         4.83
      8        New Jersey    19         4.37
      9        Minnesota     16         3.68
      10       Pennsylvania  15         3.45

  16. Number of Breached Records 621 incidents with #breached records information Median = 1,651 records 75% = 13,000 records 90% = 200,000 records

  17. Examples 2011, Epsilon, an email service provider for companies, ... Only e-mail addresses and names were stolen. A total of 75 companies were affected... Conservative estimates place the number of customer email addresses breached at 50-60 million. The total of customer emails exposed could reach 250 million. 2013, Adobe, hackers broke into its network and stole source code for an as-yet undetermined number of software titles, ..... The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts. 2018, Under Armour says roughly 150 million MyFitnessPal users are affected by a breach of their wildly popular fitness app MyFitnessPal,

  18. Data Sources II: IT Budget, IT Employees, SaaS Harte-Hanks CI database. Site-level IT budget, IT employment and the usage of SaaS. Year 2010 to 2016 536,587 unique sites (different physical locations). Mapped to 28,373 5-digit zip codes and 414 MSA (Metropolitan Statistical Area Codes).

  19. Data Sources III: Control Variables Compustat Harte-Hanks

  20. Firm-level Analysis Dependent Vars Firm total IT budget: $Million Firm total # of IT employees Independent Vars Breach occurrence at t-1 (0 / 1), t-2 (0 / 1), t-3 (0 / 1) Control Vars Firm # employees, market capitalization, ROE, liquidity, market/book, %IT employees

  21. Site-level Analysis Dependent Vars Site total IT budget: $ Site total # of IT employees Independent Vars Difference-in-difference Breach occurrence Control Vars SITE CONTROLS: Size of the site (#employees), %IT employees FIRM CONTROLS: Firm # employees, market capitalization, ROE, liquidity, market/book, %IT employees

  22. Methods / Model Specification

  23. Model Specification Firm-level Analysis Linear Panel Model with Firm Fixed Effects Site-level Analysis Difference-in-Difference Treatment: (I) breached site in a breached firm; (II) non-breached site in a breached firm.

  24. Difference-in-Difference Analysis I Control site: non-breached site in a non-breached firm Treated site: breached site in a breached firm 115 : 728 Non- breached site Non- breached site Headquarter Breached site Non- breached site Headquarter Non- breache d site Matched based on industry, location, year and size of the site. Non- Non- breached site breached site Non- breached site Non- breached site Non-breached Firm B Breached Firm A

  25. Difference-in-Difference Analysis II Non-breached Firm B Breached Firm A Non-breached site Non- breached site Breached site Headquarter Non- breached site Non- breached site Headquarter 1,178 : 6,625 Non-breached site Non- breached site Non- breached site Non- breached site Matched based on industry, location, year and size of the site. Treated site: non-breached site in a breached firm Control site: non-breached site in a non-breached firm

  26. Analysis Firm-level Analysis Site-level Difference-in-Difference Analysis BREACHED SITE as the Treated NON-BREACHED SITE as the Treated Human error VS. IT failure? Number of breached records?

  28. Table 3: Firm-level Analysis Linear panel model with firm and year fixed effects Firm total IT budget, $1000,000 Firm # IT employees Firm software-as-a-service Breach occurance, t-1 4.164 (44.78) 37.93 (46.14) 146.2 (115.70) 1.336 (1.60) 0.00482 (0.00) 0.215 (0.17) 1.631 (2.12) 0.0195*** (0.01) 2.548 (3.35) 32.72 (55.18) -23.21 (38.14) -108.9** (53.85) 0.854 (0.84) 0.000855 (0.00) 0.0129 (0.09) -2.441 (2.36) -0.0337 (0.02) -0.00616 (0.01) -0.0173 (0.01) -0.00586 (0.01) 0.0000405 (0.00) 0.000000255 (0.00) -0.0000901 (0.00) 0.00167 (0.01) 0.000011 (0.00) 0.000657 (0.00) Breach occurance, t-2 Breach occurance, t-3 Firm #employees Firm market capitalization Firm ROE Firm liquidity Firm market to book ratio Firm: proportion of IT in total employees Year dummy Yes Yes Yes Constant 24.65 -33.71 7,483 0.068 1.905 -47.44 8,198 0.045 0.179*** -0.00477 6,659 0.007 Observations R-squared 33

  30. Table 4: Site-level Difference-in-Difference Analysis: (Treated group: Breached site in breached firm) Panel A: Difference-in-Difference Analysis Site IT budget, $1000 Site # IT employees Software-as-a- service Treated 156 -2.684*** (1.03) 2.806*** (0.49) 1.851 (1.85) 0.0534*** (0.00) 0.0345 (0.03) 0.111*** (0.01) -0.0850* (0.05) -3.86e-05** (0.00) 0.438*** (0.06) 0.0395*** (0.01) -0.000371** (0.00) -9.08E-08 (0.00) 0.0118** (0.01) 0.0205 (0.04) -0.000268 (0.00) (1327.00) 3,731*** (638.70) 1351 (2380.00) 8.329*** (0.86) 129.7 (3060.00) -314.1 (421.30) -20.24*** (7.42) 0.0366*** (0.01) -311.7 (273.40) -605.9 (1676.00) -3.036 (10.76) After Treated * After Site #employees Site: proportion of IT in total employees Firm: proportion of IT in total employees 0.206 (0.33) 0.0111* (0.01) -1.47e-05* (0.00) 0.263 (0.21) 1.071 (1.29) -0.00273 (0.01) Firm #employees Firm market capitalization Firm ROE Firm liquidity Firm market to book ratio Industry dummies Yes Yes Constant -2861 (20032.00) 4,661 0.049 -8.468 (15.61) 4,803 0.61 -0.0584 (0.19) 4,757 0.191 Observations R-squared Standard errors in parentheses *** p<0.01, ** p<0.05, * p<0.1 36

  31. Table 4: Site-level Difference-in-Difference Analysis: (Treated Group: Breached Site in Breached Firm) Panel B: Moderating Effects Site IT budget, $1000 Site # IT employees Software-as-a- service Site IT budget, $1000 Site # IT employees Software-as-a- service Treated -427.2 -2.475* -0.0706* Treated -740.2 -3.233** 0.0718* (1768.00) (1.38) (0.04) (1031.00) (1.30) (0.04) Treated * headquarter 1478 -0.429 0.227*** Treated * distance to headquarter 0.344 0.00168 -0.0000426 (2607.00) (2.05) (0.06) (0.96) (0.00) (0.00) After -7.334 1.655*** 0.136*** After 4,463*** 2.610*** 0.153*** (819.50) (0.62) (0.02) (532.20) (0.66) (0.02) After * headquarter 8,969*** 2.905*** -0.0707*** After * distance to headquarter -2.471*** -0.0002 -3.20e-05* (1275.00) (0.99) (0.03) (0.46) (0.00) (0.00) Treated * After -596.2 -1.164 -0.0696 Treated * After 7,979*** 5.848** -0.0242 (3032.00) (2.37) (0.06) (2008.00) (2.54) (0.07) Treated * After * headquarter 6038 8.020** 0.0219 Treated * After * distance to headquarter -3.564** -0.00441** -0.0000477 (4837.00) (3.80) (0.10) (1.63) (0.00) (0.00) Site being headquarter 1267 -0.672 0.198*** Distance to headquarter -0.00694 0.000163 -0.000003 (796.10) (0.62) (0.02) (0.26) (0.00) (0.00) Full set of controls Yes Yes Yes Full set of controls Yes Yes Yes Industry dummies Yes Yes Yes Industry dummies Yes Yes Yes Constant 160.3 -10.38 -0.202 Constant -361.3 -11.17 -0.163 (9799.00) (15.29) (0.42) (11840.00) (14.72) (0.43) Observations 4,661 4,757 4,757 Observations 4,105 4,184 4,184 R-squared 0.072 0.629 0.229 R-squared 0.137 0.615 0.209 Site IT budget, $1000 Site # IT employees Software-as-a- service Site IT budget, $1000 Site # IT employees Software-as-a- service Treated 1779 -1.559 0.0196 Treated 588.5 -2.695** -0.0213 (1456.00) (1.09) (0.03) (1569.00) (1.21) (0.03) Treated * site #employees -5.556*** -0.000332 0.0000339 Treated * same industry as the firm's main industry -1624 -0.24 0.179*** (2.12) (0.00) (0.00) (2882.00) (2.24) (0.06) After 
4,049*** -1.668*** 0.137*** After 3,579*** 1.630*** 0.0861*** (741.10) (0.54) (0.02) (759.20) (0.57) (0.02) After * site #employees -1.51 0.0256*** -0.000141*** After * same industry as the firm's main industry 672 4.236*** 0.0768** (2.04) (0.00) (0.00) (1405.00) (1.08) (0.03) Treated * After -4484 2.359 -0.135** Treated * After -1957 2.358 -0.0643 (2815.00) (2.11) (0.06) (2794.00) (2.17) (0.06) Treated * After * site #employees 24.98*** (6.80) 10.03*** (1.38) Yes Yes -4127 (9836.00) 4,661 0.052 -0.0104** (0.01) 0.0453*** (0.00) Yes Yes -9.88 (14.82) 4,757 0.651 0.000286** (0.00) -0.00000619 (0.00) Yes Yes 0 (0.43) 4,757 0.194 Treated * After * same industry as the firm's main industry 11,953** (5303.00) 1131 (852.90) Yes Yes -5645 (9837.00) 4,661 0.051 -1.425 (4.13) -0.775 (0.66) Yes Yes -10.54 (15.30) 4,757 0.629 -0.0285 (0.11) -0.113*** (0.02) Yes Yes -0.162 (0.43) 4,757 0.198 Site #employees same industry as the firm's main industry Full set of controls Industry dummies Constant Full set of controls Industry dummies Constant Observations R-squared Standard errors in parentheses *** p<0.01, ** p<0.05, * p<0.1 Observations R-squared 37

  32. Panel B: Moderating Effects Site IT budget, $1000 -596.2 (3032.00) 6038 Site IT budget, $1000 7,979*** (2008.00) -3.564** Site # IT employees Site # IT employees Saas Saas Treated * After -1.164 (2.37) 8.020** -0.0696 (0.06) 0.0219 Treated * After 5.848** (2.54) -0.00441** -0.0000477 -0.0242 (0.07) Treated * After * headquarter Treated * After * distance to headquarter (4837.00) (3.80) (0.10) (1.63) (0.00) (0.00) Treated * After -4484 (2815.00) 2.359 (2.11) -0.135** (0.06) Treated * After -1957 (2794.00) 2.358 (2.17) -0.0643 (0.06) Treated * After * same industry as the firm's main industry 24.98*** -0.0104** 0.000286** 11,953** -1.425 -0.0285 Treated * After * site #employees (6.80) (0.01) (0.00) (5303.00) (4.13) (0.11) 38

  35. Table 5: Site-level Difference-in-Difference Analysis: (Treated group: Non-breached site in breached firm) Panel A: Difference-in-Difference Analysis Site IT budget, $1000 Site # IT employees Software-as-a- service Treated -590.9 (433.00) 1,258*** (270.10) 1,215* (707.00) 8.735*** (0.40) 4,370*** (1043.00) 276.2 (362.20) -2.53 (2.42) 0.00523 (0.00) -40.57 (56.20) -38.15 (217.90) -1.321 (3.01) -0.951*** (0.32) 1.662*** (0.20) 0.83 (0.53) 0.0509*** (0.00) 0.0160** (0.01) 0.0582*** (0.00) -0.0483*** (0.01) 2.25e-05*** (0.00) 0.451*** (0.02) 0.0370*** (0.01) -0.000593*** (0.00) 6.00e-07*** (0.00) -0.00459*** (0.00) 0.00365 (0.00) -0.000450*** (0.00) After Treated * After Site #employees Site: proportion of IT in total employees Firm: proportion of IT in total employees 1.506*** (0.27) -0.0114*** (0.00) 1.22e-05*** (0.00) 0.0789* (0.04) -0.127 (0.16) -0.0036 (0.00) Firm #employees Firm market capitalization Firm ROE Firm liquidity Firm market to book ratio Industry dummies Yes Yes Yes Constant -1153 (9205.00) 34,591 0.016 0.572 (16.24) 35,299 0.465 -0.0805 (0.39) 35,169 0.117 Observations R-squared 43

  36. Table 5: Site-level Difference-in-Difference Analysis: (Treated Group: Non-breached Site in Breached Firm) Panel B: Moderating Effects Site IT budget, $1000 Site # IT employees Software-as-a- service Site IT budget, $1000 Site # IT employees Software-as-a- service VARIABLES VARIABLES Treated -235 (497.60) -157.4 (967.60) 309.3 (326.50) 3,222*** (568.10) -11.42 (813.40) 5,518*** (1616.00) 2,682*** (353.20) Yes -0.944** (0.37) 0.455 (0.73) 0.0829 (0.24) 5.142*** (0.43) 1.578*** (0.61) -1.968 (1.21) 0.580** (0.26) Yes 0.0359*** (0.01) -0.0264 (0.02) 0.0605*** (0.01) 0.00193 (0.01) -0.0284** (0.01) -0.102*** (0.03) 0.136*** (0.01) Yes Treated -1040 (697.40) 0.509 (0.55) 1,894*** (400.30) -0.811** (0.34) 2,836** (1193.00) -1.987** (0.95) -0.870*** (0.21) Yes -1.525*** (0.51) 0.000968** (0.00) 3.331*** (0.29) -0.00230*** (0.00) 0.138 (0.87) -0.000304 (0.00) 0.0000151 (0.00) Yes -0.00319 (0.01) 2.82e-05*** (0.00) 0.0558*** (0.01) -0.00000571 (0.00) -0.0128 (0.02) -0.0000103 (0.00) -1.42e-05*** (0.00) Yes Treated * headquarter Treated * distance to headquarter After After After * headquarter After * distance to headquarter Treated * After Treated * After Treated * After * headquarter Treated * After * distance to headquarter Site being headquarter Distance to headquarter Full set of controls Full set of controls Industry dummies Yes Yes Yes Industry dummies Yes Yes Yes Constant -4455 (9169.00) 34591 0.03 1.356 (16.17) 35299 0.47 -0.0845 (0.38) 35169 0.14 Constant -988.7 (9153.00) 30242 0.02 1.929 (15.67) 30879 0.47 0.852*** (0.16) 30750 0.13 Observations R-squared Observations R-squared Site IT budget, $1000 Site # IT employees Software-as-a- service Site IT budget, $1000 Site # IT employees Software-as-a- service VARIABLES VARIABLES Treated 58.22 (521.60) -3.138** (1.42) 1,274*** (310.80) -0.0617 (0.89) 829.8 (809.60) 1.729 (2.02) 9.197*** (0.60) Yes Yes 0.15 (0.39) 0.0255*** (0.01) -4.71e-05* (0.00) 0.0604*** (0.01) -0.0000115 (0.00) -0.0420*** (0.01) -0.000035 
(0.00) 4.02e-05*** (0.00) Yes Yes Treated -192.8 (499.30) -1,761* (970.40) 1,088*** (308.00) 565 (624.00) -48.29 (817.80) 4,782*** (1597.00) 2,296*** (398.50) Yes Yes -1.063*** (0.37) 0.333 (0.72) 1.996*** (0.23) -1.492*** (0.47) 0.00969 (0.61) 3.220*** (1.19) 1.055*** (0.30) Yes Yes -0.000824 (0.01) 0.0697*** (0.02) 0.0274*** (0.01) 0.130*** (0.01) -0.0467*** (0.01) -0.0165 (0.03) -0.0773*** (0.01) Yes Yes Treated * site #employees -0.00479*** (0.00) 0.839*** (0.23) 0.00483*** (0.00) -3.235*** (0.60) 0.0199*** (0.00) 0.0500*** (0.00) Yes Yes Treated * same industry as the firm's main industry After After After * site #employees After * same industry as the firm's main industry Treated * After Treated * After Treated * After * site #employees Treated * After * same industry as the firm's main industry Site #employees same industry as the firm's main industry Full set of controls Industry dummies Full set of controls Industry dummies Constant -1197 (9205.00) 34591.00 0.02 0.985 (16.14) 35299.00 0.47 0 Constant -1063 (9193.00) 34591 0.02 0.417 (16.23) 35299 0.47 -0.0632 (0.39) 35,169 0.12 (0.39) 35169.00 0.12 Observations R-squared Observations R-squared 44

  37. Panel B: Moderating Effects Site IT budget, $1000 -11.42 (813.40) 5,518*** Site IT budget, $1000 2,836** (1193.00) -1.987** Site # IT employees Site # IT employees Saas Saas Treated * After 1.578*** (0.61) -1.968 -0.0284** (0.01) -0.102*** Treated * After 0.138 (0.87) -0.000304 -0.0128 (0.02) -0.0000103 Treated * After * headquarter Treated * After * distance to headquarter (1616.00) (1.21) (0.03) (0.95) (0.00) (0.00) Treated * After 829.8 (809.60) -3.235*** (0.60) -0.0420*** (0.01) Treated * After -48.29 (817.80) 0.00969 (0.61) -0.0467*** (0.01) Treated * After * same industry as the firm's main industry 1.729 0.0199*** -0.000035 4,782*** 3.220*** -0.0165 Treated * After * site #employees (2.02) (0.00) (0.00) (1597.00) (1.19) (0.03) 45

  40. Human error vs. IT failure? Manually coded Human error: A former customer service representative gathered account information directly from two customers during telephone calls and later attempted to use the information for personal purchases. A laptop with .... member information was stolen on December 13. Two of the burglars distracted the receptionist while the third entered a hallway and stole the laptop. IT failure The Sacramento Bee said in a statement that a firewall protecting its database was not restored during routine maintenance last month, leaving the 19,501,258 voter files publicly accessible. Additionally, the names, home addresses, email addresses, and phone numbers of 52,873 Sacramento Bee subscribers were compromised. 49

  41. Number of breached records?
      Use 1,674 compromised records as a cutoff
      High-record breach vs. low-record breach

  42. Treated Group: Breached Site in Breached Firm

      Panel C: Human Error VS. IT Failure

      Human error                 Treated            After                 Treated * After
      Site IT budget, $1000       -95.15 (614.80)    1,524*** (277.20)     53.57 (1107.00)
      Site # IT employees         -1.457 (1.63)      3.521*** (0.74)       0.619 (2.93)
      Software-as-a-service       -0.0578 (0.04)     0.0824*** (0.02)      -0.0129 (0.08)

      IT failure                  Treated            After                 Treated * After
      Site IT budget, $1000       2462 (3118.00)     7,015*** (1604.00)    1874 (5913.00)
      Site # IT employees         0.767 (1.31)       2.193*** (0.67)       0.178 (2.49)
      Software-as-a-service       0.0655 (0.04)      0.177*** (0.02)       -0.126 (0.08)

      Panel D: Low VS. High # of Breached Records

      Low breached records        Treated            After                 Treated * After
      Site IT budget, $1000       -1284 (5545.00)    6,962*** (1940.00)    1969 (8084.00)
      Site # IT employees         0.268 (1.61)       2.031*** (0.57)       4.177* (2.33)
      Software-as-a-service       -0.0961 (0.08)     0.134*** (0.03)       -0.0331 (0.11)

      High breached records       Treated            After                 Treated * After
      Site IT budget, $1000       380.4 (1682.00)    1,885*** (661.00)     -501.8 (2533.00)
      Site # IT employees         0.901 (1.57)       4.033*** (0.61)       0.182 (2.36)
      Software-as-a-service       -0.143** (0.06)    0.0328 (0.02)         -0.0356 (0.09)

  43. Treated Group: non-Breached Site in Breached Firm

      Human error                 Treated            After                 Treated * After
      Site IT budget, $1000       -981.1 (727.20)    2,589*** (370.40)     666.6 (1105.00)
      Site # IT employees         0.349 (0.44)       3.168*** (0.23)       -0.775 (0.67)
      Software-as-a-service       -0.00154 (0.01)    0.0240*** (0.01)      -0.00975 (0.02)

      IT failure                  Treated            After                 Treated * After
      Site IT budget, $1000       51.74 (822.00)     1,972*** (464.80)     1507 (1567.00)
      Site # IT employees         -0.875* (0.49)     5.193*** (0.28)       1.614* (0.93)
      Software-as-a-service       -0.00645 (0.01)    0.0998*** (0.01)      -0.148*** (0.03)

      Low breached records        Treated            After                 Treated * After
      Site IT budget, $1000       1382 (3970.00)     3,435*** (1005.00)    -2118 (4931.00)
      Site # IT employees         -0.249 (1.78)      2.727*** (0.45)       2.218 (2.22)
      Software-as-a-service       0.000791 (0.03)    -0.0410*** (0.01)     0.0213 (0.04)

      High breached records       Treated            After                 Treated * After
      Site IT budget, $1000       -657.8 (623.70)    2,232*** (272.80)     2,194** (916.50)
      Site # IT employees         -2.018*** (0.77)   4.348*** (0.34)       0.673 (1.14)
      Software-as-a-service       -0.150*** (0.03)   0.0817*** (0.01)      -0.0638* (0.04)

  44. Key Takeaways
      After a security breach:
      The overall firm IT budget, IT employees and SaaS usage did not change.
      Breached sites, on average, no change in site IT budget, IT employees, and SaaS usage; but:
        Site IT budget: large, close to the HQ, or in the main industry of the firm
        Site IT employees: regional HQ, close to HQ
        Site SaaS: large
      Non-breached sites in breached firms, on average, increase in site IT budget, and decrease in SaaS usage; moreover:
        Site IT budget: regional HQ, close to the HQ, or in the main industry of the firm
        Site IT employees: large, or in the main industry of the firm
        Site SaaS: regional HQ

  45. Conclusions
      Breached firms do not necessarily increase total IT budget post security breach.
      However, there seems to be a shift of internal IT resources to important establishments of the firm:
        Large
        Regional headquarters
        Close to HQ
        In the main industry sector that the firm is in

  46. Theory Model of capital allocation
