Based on research by Sharad Borle and Ravi Sen
What Does It Take To Lock Data Thieves Out?
- Investment in certain types of security measures actually corresponds with a higher risk of data theft, both within government and within industry.
- Data disclosure laws can have an unintended consequence: putting firm information at higher risk.
- In some industries, stricter laws requiring transparency in data breach cases are linked to less data theft.
When hackers launched an attack on Dallas-based department store Neiman Marcus in 2013, they put 1.1 million credit and debit cards at risk. The covertly installed malware was the same that cyber thieves had deployed earlier against Target stores, where it exposed the data of about 110 million customers. Neiman Marcus, though, did not detect the breach for several months. When the damage was finally revealed, the department store offered some 2,400 shoppers affected by the fraud a free year of credit monitoring.
While only about a quarter of credit card transactions occur in the United States, almost half (47 percent) of global card fraud takes place in this country, and the breaches behind it are on the rise. Why is data at such high risk? Rice Business Professor Sharad Borle examined the factors that influence data breaches in both government and industry. His findings offer practical guidance for firms trying to keep cyber thieves out, and they are of particular use to IT risk assessment experts.
Rather surprisingly, Borle found that investing in information technology security corresponds to higher risk of data theft in both government and industry. This directly contradicts a common criminology theory, the opportunity theory, which posits that criminals are drawn to easy targets.
One explanation for the counterintuitive finding may be that firms invest in IT security controls inefficiently, installing firewalls and anti-virus software at the expense of administrative and even physical controls. According to one survey, 45 percent of IT security budgets go to software and hardware. The problem is that these products are not necessarily more secure than the systems they are meant to protect: they are software too, and because they typically run with elevated privileges and see all of a firm's traffic, a flaw in a security product is itself an attractive target. Several security software systems have had vulnerabilities that could increase, rather than reduce, the opportunity for data thieves.
The costs for everyone affected are vast. In recent years, major data breaches have compromised sensitive, protected or confidential data, including health or personal information, trade secrets, intellectual property and financial data. Each time one of these breaches occurs, studies show, the affected company's stock price drops about five percent.
To understand why data breaches are so common in this country, Borle turned to the poetically named "institutional anomie" theory. Focusing on the social causes of crime, this theory argues that advanced societies give higher priority to economic institutions such as markets than to legal and family structures, and that the result is a higher likelihood of crime. The market economy's promotion of a calculating, materialistic attitude towards social relationships, the theory contends, leads directly to more criminal activity.
Analyzing different types of data breach incidents, Borle modeled the intervals between a firm's past breaches, together with explanatory factors such as its industry and the laws it operates under, to estimate when its next breach is likely to occur, and so to assess the firm's risk of a future breach. He also investigated whether disclosure laws, which force organizations to report breaches publicly and thereby push them to improve their data security controls, help prevent these crimes.
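To make the approach concrete, the following added example (not the authors' model, and not code from the paper) shows the basic mechanics of estimating breach risk from inter-breach intervals. It fits a constant-hazard exponential survival model, the simplest member of the family the paper's hazard-based approach belongs to, to a small constructed data set, handles intervals that have not yet ended in a breach (right-censoring), splits the estimate by one explanatory factor (whether the firm operates under a strict disclosure law), and turns the fitted rates into a hazard ratio and a breach probability over a planning horizon. The firm names, intervals and the single covariate are all assumptions made for the illustration.

```python
"""Added illustration: estimate breach risk from intervals between breaches.

This is NOT the model used by Sen & Borle; it only shows the mechanics
of a censored, constant-hazard (exponential) fit split by one covariate.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    firm: str
    days: float       # days since the firm's previous breach (or start of observation)
    breached: bool    # True if the interval ended in a breach, False if still ongoing (censored)
    strict_law: bool  # explanatory factor: firm operates under a strict disclosure law


# Constructed sample data for the illustration (assumed, not from the paper).
SAMPLE = [
    Interval("firm-A", 200, True, False),
    Interval("firm-A", 300, True, False),
    Interval("firm-B", 100, True, False),
    Interval("firm-B", 400, False, False),   # censored: no breach yet at end of observation
    Interval("firm-C", 600, True, True),
    Interval("firm-C", 600, False, True),    # censored
    Interval("firm-D", 300, True, True),
    Interval("firm-D", 500, False, True),    # censored
]


def fit_exponential(intervals):
    """Maximum-likelihood hazard rate per covariate level.

    For an exponential model with right-censoring the MLE is simply
    (number of breaches) / (total observed days). Censored intervals
    contribute exposure time but no event, which is what makes the
    estimate honest about firms that have not been breached yet.
    """
    rates = {}
    for level in (False, True):
        subset = [i for i in intervals if i.strict_law == level]
        events = sum(1 for i in subset if i.breached)
        exposure = sum(i.days for i in subset)
        rates[level] = events / exposure
    return rates


def log_likelihood(rate, intervals):
    """Censored exponential log-likelihood: events * ln(rate) - rate * exposure."""
    events = sum(1 for i in intervals if i.breached)
    exposure = sum(i.days for i in intervals)
    return events * math.log(rate) - rate * exposure


def likelihood_ratio_stat(intervals):
    """2 * (LL of the split model - LL of one pooled rate).

    Larger values mean the covariate explains more of the variation in
    inter-breach intervals (compare against a chi-square with 1 d.f.).
    """
    pooled_rate = sum(1 for i in intervals if i.breached) / sum(i.days for i in intervals)
    pooled_ll = log_likelihood(pooled_rate, intervals)
    rates = fit_exponential(intervals)
    split_ll = sum(
        log_likelihood(rates[level], [i for i in intervals if i.strict_law == level])
        for level in (False, True)
    )
    return 2.0 * (split_ll - pooled_ll)


def hazard_ratio(rates):
    """Breach hazard under a strict law relative to no strict law."""
    return rates[True] / rates[False]


def prob_breach_within(rate, horizon_days):
    """P(next breach within horizon) for a constant hazard: 1 - exp(-rate * t)."""
    return 1.0 - math.exp(-rate * horizon_days)


def expected_days_to_next(rate):
    """Mean time to the next breach under a constant hazard."""
    return 1.0 / rate


if __name__ == "__main__":
    rates = fit_exponential(SAMPLE)
    for level, rate in rates.items():
        print(f"strict_law={level}: rate={rate:.4f}/day, "
              f"E[days to next]={expected_days_to_next(rate):.0f}, "
              f"P(breach within 1y)={prob_breach_within(rate, 365):.2f}")
    print(f"hazard ratio (strict vs not): {hazard_ratio(rates):.2f}")
    print(f"LR statistic for the covariate: {likelihood_ratio_stat(SAMPLE):.2f}")
```

Two caveats a practitioner would apply before using even this toy: a constant hazard assumes a firm's risk does not change between breaches, which the paper's richer model does not assume, and with a handful of intervals the likelihood-ratio statistic will rarely reach significance, so the split-by-covariate estimate should be read as descriptive until far more incidents are available.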
Borle found that in certain industries, strict disclosure laws do correlate with less data crime. These industries include the financial, educational and medical fields. But the laws did not necessarily benefit consumers, he found, because companies may respond by outsourcing protection services, which can put data at even greater risk. And, as noted above, some security software systems themselves have vulnerabilities that increase the opportunity for data thieves. The lessons?
Transparency requirements, though costly for the firm that must admit a breach, significantly reduce risk in certain industries overall. But outsourcing security can make a company's data more vulnerable, rather than less. On the Internet there are no secrets, except for those kept by firms that sit on information about colossal security lapses long enough to endanger other companies and consumers. Telling the truth and investing in proper security measures may both be costly, but they are a bargain compared to the long-term effects of cyber thieves rampaging unchecked.
Sharad Borle is an associate professor of marketing at the Jones Graduate School of Business at Rice University.
To learn more please read: Sen, R., & Borle, S. (2015). Estimating the Contextual Risk of Data Breach: An Empirical Approach. Journal of Management Information Systems, 30(2), 314-341.