Many firms and organizations are at risk of cyberattack nowadays. For example, in 2018 alone, 443 data breaches in Japan compromised some 5.61 million records of personal information. To respond to this threat, firms asset a risk of cybersecurity and introduce IT security management practices. However, it is unclear whether firms are able to identifying the tradeoff between effect of development of IT security practices and the risk of data breach. To address this, we propose a probabilistic model that estimates the risk of a data breach for a given firm using the Japan Network Security Association incident dataset, being a historical collection of cyber incidents from 2005 to 2018. This model yields the conditional probabilities of a data breach given conditions, which follows a negative binomial distribution. We highlight the difference in inter-arrival time between firms with security management and one without it. Based on the experimental results, we evaluate effects of security management and discuss some reasons for these differences.