Three essays on cyber risk management

Abstract

With rapid advancements in technology, cybersecurity risks impose greater threats on enterprise’s operation and business objectives. Thus, it is imperative for organizations to manage these risks effectively. A massive part of this endeavor is to understand the organizational risks, either from internal or external, and implement different strategies to handle the risks in an optimal way. My dissertation addresses these issues by applying business analytics tools to data breach data and firm transactional data to help companies better understand cybersecurity risks and protect business values efficiently and effectively. My dissertation is comprised of three essays. The first essay uses stock trading data to classify opportunistic insiders who sell stocks ahead of cyber breach announcements and examine their trading patterns and reporting relationship roles. In the second essay, I apply a Difference in Difference method to explore the breached firm’s internal IT capital allocation strategy and investigate the tradeoff between IT capital investment efficiency and cybersecurity risk mitigation during the post-event era. In the third essay, a copula-based model is proposed for pricing cybersecurity insurance premiums for the focal firm under a correlated network. In these essays, I apply financial, econometric, and statistical methods. These essays contribute to the finance and management information systems literature and help policy makers and firms implement and maintain administrative actions and comprehensive solutions to make sure the business is adequately protected.