Abstract
The stock market reactions to information technology (IT)-related events have often been used as proxies for the value or cost of these events in the information systems literature. In this paper, we study the stock market reactions to information-security-related events using the event analysis methodology, taking into account the effects of a number of contingency factors, including business type, industry, type of breach, event year, and length of event window. We found that pure e-commerce firms experienced higher negative market reactions than traditional bricks-and-mortar firms in the event of a security breach. We also found that denial of service attacks had a higher negative impact than other types of security breaches. Finally, security events that occurred in recent years were found to have a less significant impact than those that occurred earlier, suggesting that investors may have become less sensitive to security events. Most interestingly, our analyses showed that the magnitude and longevity of security breaches vary with time across sub-samples. This raises some serious questions regarding the validity of analyzing only short-term stock market reactions as an indicator of the cost of security breaches and, more generally, as an indicator of the value of IT-related events. The implications of these results are discussed and potential future research directions are proposed.
Cite this article
Yayla, A., Hu, Q. The impact of information security events on the stock value of firms: the effect of contingency factors. J Inf Technol 26, 60–77 (2011). https://doi.org/10.1057/jit.2010.4