Hype and Heavy Tails: A Closer Look at Data Breaches

Recent widely publicized data breaches have exposed thepersonal information of hundreds of millions of people. Somereports point to alarming increases in both the size and fre-quency of data breaches, spurring institutions around theworld to address what appears to be a worsening situation.But, is the problem actually growing worse? In this paper,we study a popular public dataset and develop BayesianGeneralized Linear Models to investigate trends in databreaches. Analysis of the model shows that neither sizenor frequency of data breaches has increased over the pastdecade. We nd that the increases that have attracted at-tention can be explained by the heavy-tailed statistical dis-tributions underlying the dataset. Speci cally, we nd thatdata breach size is log-normally distributed and that thedaily frequency of breaches is described by a negative bi-nomial distribution. These distributions may provide cluesto the generative mechanisms that are responsible for thebreaches. Additionally, our model predicts the likelihood ofbreaches of a particular size in the future. For example, we nd that in the next year there is only a 31% chance of abreach of 10 million records or more in the US. Regardlessof any trend, data breaches are costly, and we combine themodel with two di erent cost models to project that in thenext three years breaches could cost up to $55 billion.

• Publication year

  2016

• Venue

  Workshop on the Economics of Information Security

• Publication date

  2016-12-01

• Fields of study

  Computer Science, Engineering

• Identifiers
  DOI 10.1093/cybsec/tyw003
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• 1 Should Payment Card Issuers Reissue Cards in Response to a Data Breach ?

  2014cited by this paper
• Fitting the Log Skew Normal to the Sum of Independent Lognormals Distribution

  2014cited by this paper
• How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

  2013cited by this paper
• Time Series: Theory and Methods

  2013cited by this paper
• Estimating the historical and future probabilities of large terrorist events

  2012cited by this paper
• Beyond the blacklist: modeling malware spread and the effect of interventions

  2012cited by this paper
• Negative Binomial Process Count and Mixture Modeling.

  2012cited by this paper
• Negative Binomial Process Count and Mixture Modeling

  2012cited by this paper
• Nonparametric Goodness-of-Fit Tests for Discrete Null Distributions

  2011cited by this paper
• The No-U-turn sampler: adaptively setting path lengths in Hamiltonian Monte Carlo

  2011cited by this paper
• Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?

  2010cited by this paper
• HEALTH and HUMAN SERVICES

  2010cited by this paper
• Data Analysis Using Regression and Multilevel/Hierarchical Models

  2009cited by this paper
• 2009 Data Breach Investigations Report

  2009cited by this paper
• Privacy Costs and Personal Data Protection: Economic and Legal Perspectives

  2009cited by this paper
• Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry

  2008cited by this paper
• Heavy-tailed distribution of cyber-risks

  2008cited by this paper
• Analysis of Computer Security Incident Data Using Time Series Models

  2008cited by this paper
• Proceedings of the 2007 Workshop on New Security Paradigms

  2008cited by this paper
• Multivariate Poisson-Lognormal Models for Jointly Modeling Crash Frequency by Severity

  2007cited by this paper
• Bayesian inference for the skewness parameter of the scalar skew-normal distribution

  2007cited by this paper
• Is There a Cost to Privacy Breaches? An Event Study

  2006cited by this paper
• Protecting Information Security Under a Uniform Data Breach Notification Law

  2006cited by this paper
• A Brief History of Generative Models for Power Law and Lognormal Distributions

  2004cited by this paper
• An Analysis of the Growth of Computer and Internet Security Breaches

  2003cited by this paper
• Segmented regression analysis of interrupted time series studies in medication use research

  2002cited by this paper
• Mission Statement

  2002cited by this paper
• Information security is information risk management

  2001cited by this paper
• A Linear Poisson Autoregressive Model: The Poisson AR(p) Model

  2001cited by this paper
• ARMA Models and the Box–Jenkins Methodology

  1997cited by this paper
• Gibrat's Legacy

  1996cited by this paper
• Generalized autoregressive conditional heteroskedasticity

  1986cited by this paper
• Autoregressive moving-average processes with negative-binomial and geometric marginal distributions

  1986cited by this paper
• Estimating the Dimension of a Model

  1978cited by this paper
• A new evolutionary law

  1973cited by this paper
• Handbook of the Poisson Distribution

  1967cited by this paper
• Handbook of the Poisson Distribution

  1967cited by this paper
• The Kolmogorov-Smirnov Test for Goodness of Fit

  1951cited by this paper

• Cyber risk modeling within the SIR epidemic framework: a comparative analysis of frequency and severity methods

  2026cites this paper
• Cyber Insurance, Software Diversity, and AI Coders

  2026cites this paper
• Multi-period pricing of data breach catastrophe bonds: A hybrid triggers and LSTM framework

  2026cites this paper
• Unsupervised Learning Framework for Cyber Threat Detection, Anomaly Identification, and Alert Prioritization

  2026cites this paper
• Structure-Aware Diversity Pursuit as an AI Safety Strategy against Homogenization

  2026cites this paper
• Quantifying the Economic Impact of Ransomware: Cyber Risk Modeling with Gamma Regression

  2026cites this paper
• The changing landscape of cyber risk: An empirical analysis of loss severity and tail dynamics

  2025cites this paper
• Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications

  2025cites this paper
• From ransoms to ruin: Are extortion payments by ransomware victims insurable?

  2025cites this paper
• Cyber-insurance pricing models

  2025cites this paper
• An Analytical Review of Cyber Risk Management by Insurance Companies: A Mathematical Perspective

  2025cites this paper
• Automated OSINT Techniques for Digital Asset Discovery and Cyber Risk Assessment

  2025cites this paper
• On the Evolution of Data Breach Reporting Patterns and Frequency in the United States: A Cross-State Analysis

  2025cites this paper
• The Modeling of Cyber Risk Insurance by Hawkes Processes With Loss Covariate

  2025cites this paper
• The impact of extreme cyberattacks on market valuations: An in-depth economic analysis

  2025cites this paper
• EBiCop: Ensemble bivariate copulas for modeling multivariate cyber data breach risks

  2025cites this paper
• Is accumulation risk in cyber methodically underestimated?

  2024cites this paper
• A Data-Driven Classification Framework for Cybersecurity Breaches

  2024cites this paper
• Spatial Cyber Loss Clusters at County Level and Socioeconomic Determinants of Cyber Risks

  2024influential citation
• Enabling Multi-Layer Threat Analysis in Dynamic Cloud Environments

  2024cites this paper
• Toward a Service Availability-Guaranteed Cloud Through VM Placement

  2024cites this paper
• Bayesian Nowcasting Data Breach IBNR Incidents

  2024cites this paper
• An Assessment of the Harms Associated With Ideologically Motivated Cyberattacks

  2024cites this paper
• The effect of corporate risk management on cyber risk mitigation: Evidence from the insurance industry

  2024cites this paper
• Application of the Gordon Loeb model to security investment metrics: a proposal

  2024cites this paper
• Modeling and management of cyber risk: a cross-disciplinary review

  2024influential citation
• Cyber risk modeling: a discrete multivariate count process approach

  2024cites this paper
• Performance Analysis of Decentralized Physical Infrastructure Networks and Centralized Clouds

  2024cites this paper
• AI security and cyber risk in IoT systems

  2024influential citation
• Bayesian credibility model with heavy tail random variables: calibration of the prior and application to natural disasters and cyber insurance

  2024cites this paper
• A robust statistical framework for cyber-vulnerability prioritisation under partial information in threat intelligence

  2023cites this paper
• Cyber risk measurement via loss distribution approach and GARCH model

  2023influential citation
• A User-centric View on Data Breach Response Expectations

  2023cites this paper
• Analyzing web descriptions of cybersecurity breaches in the healthcare provider sector: A content analytics research method

  2023cites this paper
• Modeling and pricing cyber insurance

  2023cites this paper
• A multivariate frequency-severity framework for healthcare data breaches

  2023influential citation
• Affect and information technology use: the impact of state affect on cognitions and IT use

  2023cites this paper
• STRisk: A Socio-Technical Approach to Assess Hacking Breaches Risk

  2023cites this paper
• Operational shock: A method for estimating cyber security incident costs for large Australian healthcare providers

  2023influential citation
• Do US State Breach Notification Laws Decrease Firm Data Breaches?

  2023cites this paper
• Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach

  2023cites this paper
• Cyber Insurance Premium Setting for Multi-Site Companies under Risk Correlation

  2023cites this paper
• Assessing nation‐state‐sponsored cyberattacks using aspects of Situational Crime Prevention

  2023cites this paper
• A METHOD OF PREDICTING WITH MODELLING OF CYBER HACKING AND BREACHES

  2023cites this paper
• Time Dynamics of Cyber Risk

  2023influential citation
• Mapping cyber insurance: a taxonomical study using bibliometric visualization and systematic analysis

  2023cites this paper
• Uncovering Load-Altering Attacks Against $N-1$ Secure Power Grids: A Rare-Event Sampling Approach

  2023cites this paper
• Hybrid Zero-knowledge Access Control System in e-Health

  2023cites this paper
• The Price Tag of Cyber Risk: A Signal-Processing Approach

  2023influential citation
• Predictive Taxonomy Analytics (LASSO): Predicting Outcome Types of Cyber Breach

  2023cites this paper
• Cyber insurance-linked securities

  2023cites this paper
• Adaptive Channel Sparsity for Federated Learning under System Heterogeneity

  2023cites this paper
• Application of crowdsourcing in education on the example of eTwinning

  2022cites this paper
• Toward enhancing the information base on costs of cyber incidents: implications from literature and a large-scale survey conducted in Germany

  2022cites this paper
• Reviewing Estimates of Cybercrime Victimisation and Cyber Risk Likelihood

  2022cites this paper
• Heterogeneity in cyber loss severity and its impact on cyber risk measurement

  2022cites this paper
• Factors Affecting Reputational Damage to Organisations Due to Cyberattacks

  2022cites this paper
• Frequency and Severity Estimation of Cyber Attacks Using Spatial Clustering Analysis

  2022cites this paper
• Some Remarks on Malicious and Negligent Data Breach Distribution Estimates

  2022cites this paper
• Modelling and predicting enterprise-level cyber risks in the context of sparse data availability

  2022cites this paper
• A Generalized Linear Mixed Model for Data Breaches and its Application in Cyber Insurance

  2022cites this paper
• Statistical Modeling of Data Breach Risks: Time to Identification and Notification

  2022cites this paper
• Poster: Multi-Layer Threat Analysis of the Cloud

  2022cites this paper
• Censoring heavy-tail count distributions for parameter estimation with an application to stable distributions

  2022cites this paper
• Analysis of Load-Altering Attacks Against Power Grids: A Rare-Event Sampling Approach

  2022influential citation
• Modeling and Pricing Cyber Insurance -- Idiosyncratic, Systematic, and Systemic Risks

  2022cites this paper
• Bayesian vine copulas for modelling dependence in data breach losses

  2022cites this paper
• Understanding Online Privacy—A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines

  2022cites this paper
• The nature of losses from cyber-related events: risk categories and business sectors

  2022cites this paper
• Cyber loss model risk translates to premium mispricing and risk sensitivity

  2022cites this paper
• Moderate embed cross validated and feature reduced Steganalysis using principal component analysis in spatial and transform domain with Support Vector Machine and Support Vector Machine-Particle Swarm Optimization

  2022cites this paper
• Modelling health-data breaches with application to cyber insurance

  2022cites this paper
• Modeling and Pricing Cyber Insurance – A Survey

  2022cites this paper
• ThreatPro: Multi-Layer Threat Analysis in the Cloud

  2022cites this paper
• Analyzing spillover effects from data breaches to the US (cyber) insurance industry

  2022cites this paper
• Data Breaches: Vulnerable Privacy

  2022cites this paper
• Exploring the information content of cyber breach reports and the relationship to internal controls

  2022cites this paper
• How Hard Is Cyber-risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs

  2022cites this paper
• Analysis of Common Vulnerabilities and Exposures to Produce Security Trends

  2022influential citation
• Unraveling heterogeneity in cyber risks using quantile regressions

  2022cites this paper
• Replication: The Effect of Differential Privacy Communication on German Users' Comprehension and Data Sharing Attitudes

  2022cites this paper
• Predicting the Occurrence of a Data Breach

  2022cites this paper
• Analyzing and Predicting Cyber Security Violations using Machine Learning Techniques

  2021influential citation
• The County Fair Cyber Loss Distribution

  2021influential citation
• Dynamic cyber risk estimation with competitive quantile autoregression

  2021cites this paper
• Aggregate Cyber-Risk Management in the IoT Age Cautionary Statistics for (Re)Insurers and Likes

  2021cites this paper
• Will Catastrophic Cyber-Risk Aggregation Thrive in the IoT Age? A Cautionary Economics Tale for (Re-)Insurers and Likes

  2021cites this paper
• What Works? Measuring the Efficacy of Cyber Policy Interventions with Quasi-Experiments

  2021cites this paper
• Merging Datasets of CyberSecurity Incidents for Fun and Insight

  2021influential citation
• A comprehensive model for cyber risk based on marked point processes and its application to insurance

  2021cites this paper
• Cyber risk management: History and future research directions

  2021cites this paper
• Best Security Measures to Reduce Cyber-Incident and Data Breach Risks

  2021cites this paper
• Detection time of data breaches

  2021cites this paper
• The spillover effect of focal firms’ cybersecurity breaches on rivals and the role of the CIO: Evidence from stock trading volume

  2021cites this paper
• A Systematic Literature Review on the Cyber Security

  2021cites this paper
• Continuous Distributions in Engineering and the Applied Sciences - Part I

  2021cites this paper
• Cyber claim analysis using Generalized Pareto regression trees with applications to insurance

  2021cites this paper
• Stages of Processing an Information Security Incident

  2021cites this paper
• Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models

  2021cites this paper
• Cyber Risk Frequency, Severity and Insurance Viability

  2021cites this paper