Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question. We use the WTP approach in a specific way, by posing this question to all affected stakeholders:
“Ex ante, how much would you be willing to spend on response and recovery for a breach of a particular type? Through what specific activities and processes?”
We hope this approach can bridge theoretical and empirical research, and also professional practice. We also hope that this method can be used in public disclosures.
In the next few months we will be applying this to half a dozen historical breach episodes to see how it works out. This model will also probably find its way into my dissertation as “substrate”. The dissertation focus is on social learning and institutional innovation.
Comments and feedback are most welcome.