Industry sector matters: mapping industry-specific cyber vulnerabilities through rational choice theory analysis

Abstract

Purpose This study applies rational choice theory (RCT) to understand how cyber attackers strategically select targets and attack vectors for data breaches. The purpose of the study is to demonstrate how complex, contextual risk-reward calculations influence attackers’ decisions, providing a foundation for aligning cybersecurity measures with sector-specific risks in an increasingly digital landscape. Design/methodology/approach The authors analyzed 631 global breach incidents from 2010 to 2023 across various industry sectors using logistic regression. The authors found sector-specific vulnerabilities and highlight the nonuniform nature of cyber risk. Findings The study analysis reveals that financial sector organizations face heightened risks from misconfiguration attacks despite sophisticated defenses, while operational technology sectors show elevated phishing attacks at the sector level. These findings indicate that cyber risks are not uniform across industry sectors and require tailored defensive strategies. The findings map directly to MITRE ATT&CK techniques, providing actionable defensive strategies aligned with industry-standard frameworks. The results inform RCT-based theoretical implications and offer practical insights aligned with the MITRE ATT&CK frameworks. Originality/value The findings suggest that more nuanced vulnerability patterns may require sector-specific cybersecurity strategies. The results inform RCT-based theoretical implications and offer practical insights aligned with the MITRE ATT&CK frameworks. By demonstrating how complex, contextual risk-reward calculations influence attackers’ decisions, this research provides a foundation for aligning cybersecurity measures with sector-specific risks in an increasingly digital landscape.