Cybersecurity & Strategic Defense Measures in Swiss Companies

Thank you for your interest in my master's thesis. The questionnaire (discussed below) is available at

Project Description

Background Information and Main Questions

Cybersecurity is a pressing topic, in Switzerland as well as worldwide. US President Barack Obama highlighted it in this year’s State of the Union Address. The current semiannual report of MELANI and the 2013 annual report of CYCO show that cybercrime is of increasing concern in Switzerland as well. PwC’s Global Economic Crime Survey reported that 26% of the Swiss companies that experienced economic crime in 2014 were affected by cybercrime (compared to 20% in the previous study from 2011). In recent years, several high-profile cyber-attacks have received substantial attention in the media, such as those on Sony Pictures Entertainment (allegedly 100 terabytes of stolen data; November 2014), Target (40 million credit and debit card numbers stolen; December 2013), and JPMorgan Chase (contact information for 76 million households and 7 million small businesses stolen; August 2014). In Switzerland, the recent data breach at Banque Cantonale de Genève resulted in 30’000 stolen emails. As the attitude in Switzerland towards cybercrime is still largely unexplored, the following questions arise: How is the current cybercrime threat perceived by Swiss companies? How aware are Swiss companies of the threat, and how ready are they to face it? What can Swiss companies do, and what are they doing, to mitigate the threat and minimize the impact of cybercrime on their business? How closely do Swiss companies follow the evolution of cybercrime, and how do they stay up to date?


This thesis will be conducted for the Department of Banking and Finance of the University of Zurich, and the work will concentrate on firms in the financial services sector. The research will:

  • Answer questions regarding the cybersecurity awareness of Swiss firms;
  • Assess how Swiss companies handle the threats posed by cybercriminals and bring insight into possible variations between the companies in relation to their category (size, sector, private/public, etc.)¹;
  • Outline an anti-cybercrime best practice framework for Swiss companies, based on existing reports and on complementary information sought on strategic cybercrime consulting;
  • Analyze the collected information with respect to the outlined best practice recommendations: Where are Swiss companies positioned? Which gaps can be identified?
  • Finally, look at the results of the analysis and the best practice recommendations from the perspective of current cybercrime insurance coverage and propose key measures.

Expected Relevance of Findings/Results

The analysis of the questionnaire distributed to Swiss companies will provide insight into the current situation and identify potential needs for action. Furthermore, it will establish a benchmark that shows Swiss companies (a) where they stand with respect to their peers, and (b) where they stand with respect to current best practice recommendations and available insurance.


The information will be collected through a survey directed to Swiss companies. The questionnaire will be distributed directly via email to the companies, with the incentive that the anonymized results of the analysis will be shared with all participants upon completion. The anti-cybercrime best practices for financial institutions should be based on existing reports and literature, expert interviews and advice from consulting firms. Additionally, lessons learned from previous incidents in other companies could provide further insights.²

Existing literature

Studies on corporate economic crime (including cybercrime) are regularly conducted by professional services firms like PwC, Deloitte etc. Cybersecurity in banks, for example, is a topic frequently covered by the media (especially in the US), and numerous (security) consulting firms provide advice as a service. References are expected to stem predominantly from reports, articles, company white papers and anonymized expert interviews.


¹ Similar evaluations are regularly done by consulting firms. Still, a survey of my own is necessary, since many aspects of interest to me are not (fully) covered and, furthermore, it will most likely not be possible to get hold of the raw data for an independent analysis.
² For example, according to the NY Times, the breach at JPMorgan Chase in summer 2014 could possibly have been prevented if a single network server had been updated as planned to two-factor authentication (which seems to be quite a simple error for a company that spends $250 million on IT security each year).