Delay-Adjusted Modeling of Cybersecurity Breaches Using INLA: Evidence from State Attorney General Data

Pirra, Marco; Sarubbo, Sofia; Viviano, Fabio
2025-01-01

Abstract

This paper presents a statistical framework for analyzing cybersecurity breach data, with a focus on delayed reporting dynamics. Using legally mandated breach notification records from U.S. state attorneys general, we construct a monthly panel of breach occurrences and disclosures for California and Indiana from 2015 to 2025. We implement a Bayesian model with a negative binomial likelihood, incorporating structured temporal, delay-specific, and seasonal effects, and estimate it using Integrated Nested Laplace Approximation (INLA). The model adjusts for reporting lags and enables probabilistic estimation of latent breach incidence. Empirical results reveal significant cross-state differences in breach volume and reporting behavior, underscoring the importance of jurisdiction-specific models. Our findings contribute to the literature on cyber risk forecasting and offer actionable insights for insurers, regulators, and policymakers. The proposed framework supports delay-adjusted risk monitoring and can be extended to additional jurisdictions or enriched with covariates to capture sectoral or organizational heterogeneity.
2025
9783032055507
9783032055514
Cyber risk modeling
Reporting delays
Bayesian inference
Integrated Nested Laplace Approximation

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11770/397317