Date of Award

Summer 8-2020

Document Type


Degree Name

Doctor of Philosophy (PhD)


Engineering Management & Systems Engineering


Engineering Management and Systems Engineering

Committee Director

C. Ariel Pinto

Committee Member

Steven Cotter

Committee Member

Michael McShane


Cyber-systems provide convenience, ubiquity, economic advantage, and higher efficiency to both individuals and organizations. However, vulnerabilities of the cyber domain also offer malicious actors with the opportunities to compromise the most sensitive information. Recent cybersecurity incidents show that a group of hackers can cause a massive data breach, resulting in companies losing competitive advantage, reputation, and money. Governments have since taken some actions in protecting individuals and companies from such crime by authorizing federal agencies and developing regulations. To protect the public from losing their most sensitive records, governments have also been compelling companies to follow cybersecurity regulations. If companies are unsuccessfully protecting their customers' records, they are levied by the government agencies. Companies also may face litigation from individuals after the breach. If the company is a public company, then it must provide more details about the incident.

Data breach incidents are one of the significant concerns that organizations have been experiencing for a while. Quantifying the data breach risk into monetary language is a problem that organizations still try to solve due to the unavailability of the data and indirect costs. The cost incurred by personally identifiable information (PII) data breaches may even exceed one billion dollars. Therefore, the monetary cost of a PII data breach is an essential phenomenon that organizations need to forecast and be prepared to mitigate the impact.

The purpose of this study is to identify the correlation between the dependent and independent variables and to develop a predictive model to quantify the monetary value of the PII data breaches with multiple regression.

This study introduces two new categories for personal information; these are PII and sensitive PII. This new taxonomy accentuates the impact of sensitive information, which is more costly than not sensitive personal information. Next, this study also presents significant results that demonstrate the correlations between revenue, PII, SPII, and class-action lawsuits, and the dependent variable, which is the total cost of the data breach. Also, specific models developed in this study are able to predict the responses for new observations.