Why some companies are more likely to fall victim to cyberattacks and how regulations in the EU and US fall short

  • Date: 2026-01-30

Cyberattacks do not strike companies at random: some organizations are structurally at higher risk than others. This is shown in new PhD research by Tal Strauss, who analyzed a large, self-constructed dataset of thousands of cyber incidents involving US public companies.

According to Strauss, company characteristics play a major role. Large firms are significantly more vulnerable to attacks, while organizations with stronger governance and higher profitability face lower risks. “We often assume cyberattacks are random, but they aren’t,” Strauss explains. “There are clear patterns. Some companies remain attractive targets year after year, and the data makes that visible.”

“Regulations fall short in the EU and US”

The research also reveals that existing laws meant to protect companies, both in the European Union and the United States, contain important gaps. In the EU, a coherent framework exists through GDPR and NIS2, but enforcement is too weak to achieve its full potential. In the US, stronger sector-based rules are offset by a fragmented patchwork of state and sector regulations. “The EU and US each hold part of the solution, but neither system offers companies the right incentives to truly invest in cybersecurity,” says Strauss. “As a result, structurally vulnerable firms continue to face unnecessary risks.”

Stricter, better-enforced rules do work

The study shows that stronger regulation can be effective. In states and sectors where stricter standards were implemented or enforced, the number of cyber incidents fell measurably. “When rules are clear and taken seriously, companies respond immediately,” Strauss says. “Cybersecurity isn’t just a technical issue: it’s a matter of governance and incentives.”

Note to editors

For more information or interview requests, please contact Tal Strauss (T.Strauss@tilburguniversity.edu) or communications officer Marie Roelofs (M.C.Roelofs@tilburguniversity.edu / +31 134664256).