Dmitry Broshkov

Organizational Learning and the Financial Impact of Cybersecurity Breaches

A cybersecurity breach is unauthorized access to data, applications, services, networks, or devices, achieved by circumventing the security measures that are supposed to protect them. Incidents may take the form of data breaches, ransomware attacks, malware infections, or phishing attempts. The costs associated with such incidents can be grouped into direct (short-term) costs, recovery costs, and long-term costs.

Direct costs involve immediate losses or damages to assets, data, intellectual property, disruption of business operations, and the inability of staff to perform regular tasks, leading to service unavailability for customers. Recovery costs include the resources allocated by the IT function for incident management, reinstating backups, restoring business continuity, expenses related to investigating the incident, and communication with stakeholders. Long-term costs encompass reputational damage, lost business opportunities, market setbacks, attrition of existing and potential clientele, and costs linked to addressing customer concerns and compensation.

From a business perspective, high incident costs are unfavorable as they contribute to overall business expenses. Since direct costs and recovery expenses can fluctuate based on a firm's incident management capabilities, the total incident costs are likely to differ across firms. Exorbitant incident costs can significantly threaten the survival of small and medium-sized businesses.

Therefore, firms have a vested interest in minimizing or preventing these costs. Firms with well-established security capabilities can detect incidents swiftly and respond promptly to limit the impact and extent of the incident. To this end, the continuous enhancement of cybersecurity capabilities aligns with the firm's business goals. Financial investment in cybersecurity plays a pivotal role in building these capabilities, ultimately improving the capacity to avert and respond to incidents.

[Image: source: Clutch]

In fact, industry surveys indicate a growing trend in cybersecurity investments as the annual incident count continues to rise. Substantial cybersecurity lapses can prompt an organization to engage in a rigorous assessment, learning from its experience managing the incident, and making substantial improvements to its cybersecurity capabilities. Using organizational learning as a theoretical framework, we can examine the learning and actions that follow such failures. Previous research employed organizational learning as a conceptual framework to provide recommendations for enhancing security capabilities.

Cyber Cost Categories

[Image: Cyber Cost Categories]

Costs of breaches and cybersecurity investments

Organizations facing cybersecurity breaches have two primary options: maintain the status quo or enhance their security capabilities. How organizations respond to cybersecurity incidents carries implications for their future cybersecurity readiness. Organizational learning theory suggests that in the case of relatively minor failures, organizations engage in single-loop learning, similar to addressing minor product defects. This process involves identifying, rectifying, and making process changes to address the immediate issue and prevent its recurrence. In the context of cybersecurity breaches, this approach implies that organizations typically focus on resolving the immediate technical issues, with limited attention given to improving the overall incident response process and minimal consideration of long-term enhancements to security capabilities.

For example, organizations may take corrective action to patch security vulnerabilities, but by focusing solely on the specific vulnerability that led to the recent breach, they protect themselves only from attacks exploiting that particular weakness. Failures therefore present learning opportunities for organizations, but learning is not guaranteed. Organizations have discretion in how they interpret failures and may choose interpretations that serve their self-interest.

Minor failures also carry the risk of going unnoticed or being intentionally disregarded. Managers often perceive minor failures as isolated, random events. Small-scale failures are less likely to challenge the effectiveness of the IT security function or alter management's fundamental perceptions of the existing security posture.

Not every breach warrants significant concern, and organizations need to make judicious decisions about the extent and areas of investment due to budget constraints. Some breaches may not result in data loss, disruption to business continuity, or have substantial business implications. In such cases, organizations might opt for cost-effective technical fixes or choose to view them as isolated incidents. Alternative responses include policy adjustments, training enhancements following breaches, or changes to tool configurations, access controls, backup plans, standard operating procedures, disciplinary actions, software updates, or password changes, without necessarily requiring substantial financial investments.

Conversely, organizational learning theory argues that major failures are more likely to trigger a meaningful response within an organization. In contrast to minor failures, major failures tend to elicit surprise, greater recognition, and can lead to meaningful changes through a double-loop learning process. Double-loop learning involves a more thorough examination of fundamental routines within a specific area of concern, with an emphasis on long-term improvements. This type of learning is more likely to occur during crises caused by significant events. In parallel, major breaches provide organizations with a tangible measure of the impact that breaches can have on their business.

Higher breach costs increase the visibility and significance of the cybersecurity function, making it easier to justify and gain support for cybersecurity investments. Breaches with elevated costs can trigger extensive and thorough investigations, ultimately resulting in substantial improvements in security measures to enhance the overall security posture. Following a costly breach, organizations may allocate greater resources to cybersecurity to prevent recurring breaches and rebuild trust with key stakeholders. Such events can be viewed as opportunities to enhance the organization's security capabilities, enabling it to prevent, detect, and effectively manage responses to future breaches.

In summary, compared to breaches with less substantial impacts, breaches incurring higher costs are more likely to gain broader visibility within the organization and provide greater motivation for improvements in cybersecurity procedures. Organizations are more inclined to reassess their security strategy and make increased investments in security, rather than pursuing a limited tactical response.

Types of cybersecurity services and hourly rates

Cybersecurity is one of the leading categories of managed services and encompasses a range of offerings intended to protect companies and keep them operating efficiently. The table below summarizes the main types of cybersecurity services and what they cost companies.

[Image: table of cybersecurity service types and hourly rates. Source: Clutch. Price ranges are in U.S. dollars]

Organization Learning Theory and incident response

In the context of organizational learning theory, the significance of postmortems is highlighted for incident analysis and resolution. Postmortems represent a systematic approach to diagnosing issues, involving a comprehensive assessment of both positive and negative aspects of events to derive actionable insights. This methodical learning process is favored over haphazard evaluations.

In cases of cybersecurity breaches, postmortems are conducted in the form of post-breach reviews. These reviews involve a thorough examination and evaluation of breach preparedness, identification, and management. The primary goal is to reduce the likelihood of recurrent incidents and to enhance future incident identification and management capabilities. This is achieved through formal reviews, reports, and presentations to management, with documented procedural changes serving as a repository of organizational practice for handling future breaches. We will now explore how breach identification, a crucial component of incident response, may influence the relationship proposed in H1 (that higher breach costs lead to increased cybersecurity investment).

Incident response is the formal procedure by which organizations deploy their personnel to analyze, identify, and respond to incidents.

The objective of incident response is to safeguard the organization from the adverse consequences following a breach and facilitate timely business recovery. Effective incident response capabilities are pivotal in preventing the escalation of breaches. Consequently, significant cybersecurity investments are allocated to this area. Due to its substantial business impact, incident response is a top priority for management and security functions. It often involves the assignment of a dedicated team for this purpose. Large organizations typically operate Security Operations Centers for incident response, while smaller businesses may have a more condensed team within the IT function or under the supervision of the IT manager.

Numerous standards propose linear frameworks for incident response that progress through distinct phases. These phases typically encompass preparation, identification, containment, eradication, recovery, and post-incident review. Preparation entails establishing the requisite technology, processes, and governance mechanisms. Identification involves confirming the occurrence of an incident. The containment phase aims to halt further damage to the organization's information systems. Eradication focuses on eliminating the root causes of the breach, often involving the removal of malware. Recovery encompasses the restoration of business continuity and routine operations. Finally, post-incident review involves a reflective analysis of incident handling to enhance processes for the management of future incidents.

Discussion

Organizational learning theory suggests that companies acquire knowledge through dealing with problems. This learning process is not linear, and crisis events often serve as triggers. An empirical analysis of data at the firm level confirms the hypothesis that breaches resulting in higher financial costs are positively correlated with decisions to increase investments in cybersecurity. Additionally, the probability of boosting cybersecurity spending is higher when incidents are reported by third parties, indicating weaker incident response capabilities.

The fact that the moderating factor (whether the breach was identified internally or by a third party) is not independently significant suggests that firms do not base their cybersecurity investment decisions solely on how a breach was identified. The source of breach identification is used only to further fine-tune cybersecurity investment decisions within the broader context of breach costs. It is unreasonable to expect companies to make strategic cybersecurity decisions in response to every breach; it is breaches with substantially higher financial costs that drive cybersecurity investment choices.

In cases of frequent low-impact breaches, firms may opt to maintain the status quo and focus on successful endeavors rather than minor failures. This is because minor failures offer limited insights into overall company performance. On the contrary, major incidents are more likely to mobilize management support for organizational learning and sustained change. This includes a broader focus on identifying compromised assets, pinpointing additional areas of vulnerability, increased investments in asset security, and enhancing incident response capabilities.

Even when reacting to high-cost breaches, firms must acknowledge their finite resources and consider their current incident response capabilities before making investment decisions. Self-identification of breaches serves as an indicator of incident response capability, reflecting how well several parts of the security program are working. For example, it reflects the quality of employee training, the configuration of security tools, and the SOC's ability to correlate alerts and identify breaches.

Therefore, the learning derived by firms following breaches will differ, as third-party-identified breaches may suggest greater room for cybersecurity improvement. Given that both higher breach costs and third-party-identified breaches indicate relatively greater security deficiencies and may necessitate increased cybersecurity spending, organizations should prioritize efforts to minimize breach costs and enhance their internal breach identification capabilities.

To achieve these objectives, organizations can consider practical recommendations. Firstly, they can utilize tools, knowledge, and training to improve their internal breach identification capabilities. This includes implementing Security Information and Event Management systems and staying informed about emerging vulnerabilities through security expert groups like Computer Emergency Response Teams. Additionally, comprehensive Security Education, Training, and Awareness (SETA) programs can empower employees to actively detect and report breaches in a timely manner, potentially reducing breach dwell times and associated costs.

Secondly, organizations should focus on expediting incident response phases following breach identification, including containment, eradication, and recovery, to swiftly restore operations and minimize business disruptions. This can help reduce overall breach costs. Finally, the findings encourage firms to review their security budgets based on post-incident review findings. Analyzing incident management experiences can lead to organizational learning, allowing for a more efficient allocation of resources to strengthen the overall cybersecurity posture, particularly in areas with identified weaknesses.

[Figure 1. Descriptive statistics]

[Figure 2. Hypothesis testing results]

We contribute to the existing body of literature on cybersecurity investments by introducing a novel perspective, which focuses on the pivotal role of cybersecurity performance. Prior research has tended to overlook this crucial aspect when assessing cybersecurity investment decisions, primarily concentrating on the market repercussions of specific breach types, particularly data breaches. Unfortunately, this narrow approach has neglected the impact of such breaches on internal operations and investment choices.

This omission is concerning since the feedback obtained from performance assessments significantly influences strategic decision-making. Our study seeks to shift the conversation from simulated approaches and game-theoretic models to practical insights derived from real organizational experiences, particularly how failures shape decision-making. We enhance the theoretical framework by elucidating the cybersecurity investment decision process through the lens of organizational learning, drawing from the practical functioning of organizations. This perspective offers actionable insights for practitioners. While empirical research in this domain lags behind modeling and simulation approaches, we address this gap by analyzing the financial ramifications of actual breaches and the cybersecurity investment choices that follow.

In addition to the under-explored field of incident response, the postmortem phase within incident response has garnered even less attention from researchers. Existing literature on incident response primarily focuses on the technical dimensions encompassing identification, recovery, and investigative aspects for legal follow-up, while overlooking the strategic implications for security posture. This oversight is noteworthy because postmortems represent critical stages that shape the future cybersecurity posture of organizations. Despite this, prior research has predominantly emphasized immediate responses and failed to highlight the importance of organizational learning in enhancing security capabilities. Our study introduces a theoretical perspective on how organizations can leverage postmortem analysis, specifically by evaluating the source of breach identification, to calibrate their cybersecurity investment decisions.

In conclusion, organizations must prioritize cybersecurity investments and responses to breaches, as these factors have a direct impact on their cybersecurity posture and, consequently, downstream effects on overall business performance. Our study bridges these two crucial areas of practical concern to explore the intricate relationship between cybersecurity performance and cybersecurity investment decisions. Empirical findings validate our hypothesis that higher breach costs lead to increased security investments. Furthermore, this relationship is amplified when breaches are identified by external third parties rather than internally by the focal organization.
