What Works? Quasi-Experiments in Cybersecurity Policy Interventions

Grindal, Karl T.
Mueller, Milton L.
Given the significance policymakers place on cybersecurity, how effective has a decade of policy interventions been at reducing social costs? This paper uses the limited regulations implemented by state and United States government agencies as quasi-experiments. It measures regulatory efficacy by compiling mandatory state-level data breach reports into novel breach incident data sets. A reduction in breach frequency is the kind of measurable outcome that regulators intend cybersecurity policy interventions to produce. To this end, I evaluate four cybersecurity regulations: the Massachusetts Data Security Law, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Federal Trade Commission (FTC) Section 5 enforcement against Wyndham Hotels, and the New York Department of Financial Services (NY DFS) cybersecurity regulations. I assessed each regulatory intervention as a quasi-experiment, employing segmented time-series regressions to evaluate the relative change in reported data breaches. These quasi-experiments controlled for policy implementation phases and reporting requirements. Because these policies have overlapping aims (creating information security programs), we can infer whether this meta-regulatory approach, the encouragement of self-regulation by industry backed by civil penalties, has been an effective regulatory strategy. An effective regulatory system would sufficiently motivate the targeted population to improve its cyber posture, such that breach reporting declines. Ultimately, three of the cases discussed did not show an impact. However, analysis of the NY DFS regulation suggests a meaningful decrease of approximately 27 breaches in the following year. Comparing these regulations shows differences in scope, content, and penalties that may explain this disparate level of impact.
Next, the efficacy of the NY DFS regulations is placed in context with a discussion of potential savings and the duration of the effect. While demonstrating that cybersecurity regulations can meaningfully reduce breaches, this work suggests that the effect is neither generalizable across diverse contexts nor a satisfactory solution to the complex and pervasive problems of identity theft, fraud, and cybercrime. Overall, these findings suggest that this methodology holds promise for the policy evaluation of data security laws and regulations. Policymakers could improve such assessments by standardizing the reporting of mandatory breach notification data so that policy efficacy can be measured more precisely. Because of its similarity to the NY DFS regulations, this finding may also provide preliminary empirical evidence for the Insurance Data Security Model Law propagated by the National Association of Insurance Commissioners. Drawing on this methodology, that model legislation and other data security and privacy regulatory interventions should now be the subject of future research. The first step for policymakers seeking to design rules that protect citizens' privacy and security is knowing what works.
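As an added illustration (not code from the paper), the segmented time-series regression the abstract describes, fitted to constructed monthly breach-report counts; the model form, the intervention month `T0`, and the counts are assumptions, and the paper's own specification additionally controls for implementation phases and reporting requirements.

```python
# Segmented (interrupted) time-series regression on breach-report counts.
# Model (assumed form):  y_t = b0 + b1*t + b2*post_t + b3*(t - T0)*post_t
# post_t = 1 once the regulation is in force at period T0; b2 is the
# immediate level change and b3 the change in trend after the intervention.

def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def ols(rows, y):
    """Ordinary least squares via the normal equations (X'X) beta = X'y."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    return solve(xtx, xty)

def segmented_fit(counts, t0):
    """Fit the segmented model; returns (b0, b1, b2, b3)."""
    rows = []
    for t in range(len(counts)):
        post = 1.0 if t >= t0 else 0.0
        rows.append([1.0, float(t), post, (t - t0) * post])
    return ols(rows, [float(c) for c in counts])

def counterfactual_reduction(counts, t0, horizon):
    """Breaches avoided over `horizon` post-periods: pre-trend projection
    minus the fitted post-intervention segment, summed."""
    b0, b1, b2, b3 = segmented_fit(counts, t0)
    total = 0.0
    for t in range(t0, t0 + horizon):
        projected = b0 + b1 * t                      # what the old trend implies
        fitted = b0 + b1 * t + b2 + b3 * (t - t0)    # what the model fits post-T0
        total += projected - fitted
    return total

# Constructed data (not real breach reports): 24 pre-intervention months with
# a rising trend, then 12 months in which reports drop and stop growing.
T0 = 24
BREACHES = [10 + t for t in range(24)] + [30] * 12

if __name__ == "__main__":
    print(segmented_fit(BREACHES, T0))            # level change -4, trend change -1
    print(counterfactual_reduction(BREACHES, T0, 12))
```

On real data the coefficients carry standard errors and the series is usually modelled with autocorrelated errors; this plain OLS version shows only the structure of the level-and-slope comparison.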