Best Security Measures to Reduce Cyber-Incident and Data Breach Risks

Corporations plan to adopt appropriate combinations of data privacy managements to mitigate the risk of data breach. Examples of such well-established measures include the certification of an information security management system, a periodic security auditing, and dedicated positions such as a Chief Information Officer (CIO). However, the effectiveness of introducing each of these measures to reduce the risk of data breach is unclear. To assess the effective risk reduction, this work combines the big data of cyber incidents with the attributes of corporations and computes the relative risk with respect to these security measures. Our analysis of five-year data from about 6,000 corporations reveals a negative effect for most measures. The results must be biased by industry characteristics associated with the risk of cyber incidents such as business style and company scale, which are known confounding factors. After investigating company attributes individually, we identify the significant confounding factors that represent obstacles to risk analysis. Using hypothesis testing and multiple logistic regression analysis, we adjust odds ratios for 17 security measures, social responsibilities, environmental conditions, and employment arrangements. The results confirm that an environmental auditing reduces the risk by one-third at a statistically significant level.