The Florida Polytechnic University community had the opportunity to learn from Australian Fulbright Senior Scholar Dr. Alex Frino about the true financial costs of cyberattacks for large U.S. companies.
Frino is collaborating on important research at Florida Poly investigating cyberattacks’ overall cost to securities companies from the time an attack occurs to the time it’s announced publicly. Dozens of students, faculty, and staff attended the event in the Applied Research Center on Jan. 20.
The professor of economics and senior deputy vice-chancellor at the University of Wollongong said his original intention when coming to Florida Poly was to work on expanding existing U.S.-focused cybersecurity research to other nations. However, when the research team began examining the existing data, it discovered that previous studies only touched the tip of the iceberg in terms of full costs.
“I came here wanting to take existing U.S. research and replicate it for NATO nations to see if there were differences in the impact of cyberattacks,” Frino said. “But in looking at the research, we thought, ‘Oh, no. They’ve gotten it wrong, so let’s fix up the U.S. research first,’ which I think is the first step and then we’ll look at NATO countries.”
The research team, which includes Dr. Rei Sanchez-Arias, assistant chair of Florida Poly’s Department of Data Science and Business Analytics, and others from the University of Virginia and Macquarie University in Australia, has compiled strong data that shows there is a significant period of time between the three hallmarks of a cyberattack: the attack itself, when the attack is discovered, and when the company notifies the public, including its investors.
“This economic paper seeks to justify investment in cybersecurity,” Frino said. “The impact a cyberattack has on your firm is a very important element of determining how much you should spend on cybersecurity.”
Existing data indicates that the stock price of a company falls about 1% after a cyberattack. However, Frino estimates the true cost is closer to 5% because, while previous research focused on the cost impact from the time a breach is announced, companies usually discover the attack an average of 55 days earlier. This gives investors ample time to learn about the attack from alternate sources before the announcement is officially made. This could mean billions of dollars in losses that are not being considered in existing research.
The results of this research can affect future policy decisions, said Sanchez-Arias, who is head of this global research group at Florida Poly.
“It’s a tremendous opportunity to be able to participate in research collaborations with somebody of Dr. Frino’s caliber,” he said. “It has been a great opportunity to apply data science and statistical modeling techniques to problems that have tremendous impact on our society, and I am very excited about the developments in methods and approaches that this research project will help create.”