As firms are increasingly connected through information technologies, information security is of greater concern. Measures that protect the accessibility, integrity and confidentiality of information must also aim to avoid the costs of breaches, both in remediating any infrastructure damage and in repairing reputation. This important concern competes with other organizational financial and operational priorities. This research uses market value, as an indicator of shareholder confidence, to examine the potential risk from information security breaches caused by cyber attacks.
In this study, the authors look for a change in the market value of a firm in the days surrounding an announcement of a cyber attack, using an ‘event study’ methodology. This approach assumes that the market will reflect changes in customer behaviour in response to a particular event, isolated from other factors. A cybersecurity breach is anticipated to have an economic cost evidenced by a change in stock price. This hypothesis is tested using reports of 128 cyber attacks on 81 firms, from a wide range of industries, including soft drink producers, computer and software retailers, aircraft manufacturers, interior design services, and more. Of these, 34 events concerned 17 financial and insurance sector institutions. Information on cyber attacks over the period from 1995 to 2012 was drawn from a database of newspaper reports (Factiva), and the stock market prices of firms were obtained from the Datastream database. For each of the 128 attacks, the ‘cumulative abnormal return’ was calculated over several different time periods. Abnormal returns are a measure of how the stock return on the day a cyber attack is announced differs from the predicted or normal stock return. The cumulative abnormal return is the sum of these differences over several days.
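The cumulative abnormal return calculation described above, as an added example that is not taken from the study. It assumes the normal return is predicted with a market model (a least-squares fit of firm returns on market-index returns over the days before the announcement), which this summary does not specify; the return series, window lengths and function names are constructed for illustration.

```python
"""Added example: event-study CAR. Market model and all data are assumptions."""
from statistics import mean

def fit_market_model(firm, market):
    """OLS fit of firm_return = alpha + beta * market_return."""
    mx, my = mean(market), mean(firm)
    sxx = sum((x - mx) ** 2 for x in market)
    sxy = sum((x - mx) * (y - my) for x, y in zip(market, firm))
    beta = sxy / sxx
    return my - beta * mx, beta

def abnormal_returns(firm, market, alpha, beta):
    """Actual return minus the return the model predicts, per day."""
    return [r - (alpha + beta * m) for r, m in zip(firm, market)]

def car(firm, market, event_idx, window, est_len=40):
    """Cumulative abnormal return over window=(first, last) days relative to
    the announcement day; the model is fitted on the est_len days before it."""
    first, last = window
    est_end = event_idx + first          # estimation stops before the window
    est_start = est_end - est_len
    if first > last or est_start < 0 or event_idx + last >= len(firm):
        raise ValueError("not enough data around the announcement")
    alpha, beta = fit_market_model(firm[est_start:est_end],
                                   market[est_start:est_end])
    lo, hi = event_idx + first, event_idx + last + 1
    return sum(abnormal_returns(firm[lo:hi], market[lo:hi], alpha, beta))

def constructed_series(n=60, event_idx=50):
    """Constructed, noise-free daily returns so the result can be checked by
    hand: the firm tracks the market until shocks on days 0, +1 and +2."""
    market = [0.001 * ((i % 5) - 2) for i in range(n)]
    firm = [0.0002 + 1.2 * m for m in market]
    for offset, shock in ((0, -0.030), (1, -0.010), (2, 0.005)):
        firm[event_idx + offset] += shock
    return firm, market

if __name__ == "__main__":
    firm, market = constructed_series()
    print(f"raw return on announcement day: {firm[50]:+.4f}")
    for window in ((0, 0), (-1, 1), (0, 2)):
        print(f"CAR{window}: {car(firm, market, 50, window):+.4f}")
```

The raw announcement-day return includes the market's own movement, while the abnormal return nets it out, and the three windows give three different cumulative figures for the same event.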
The results demonstrate an overall negative stock market reaction to public announcements of information security breaches. The findings are less conclusive when the results are examined separately for firms from different sectors. For firms in the financial sector, the impact is not always negative, especially in shorter time frames. For firms from other sectors, the average impact of announcements about cyber attacks is a negative market return. This confirms the results of other studies showing that, although the impact is often negative, the effect of cyber attacks is, in fact, variable.
Understanding the impact of a cyber attack on stock market return is key to making well-informed decisions about investments in information security activities. Any risk assessment must consider changes to market value among the impacts of a cyber attack.
A change in stock market return should be included in the risk assessment of cyber security for firms.