Do phishing alerts impact global corporations? A firm value analysis
Introduction
“Cyber-crime has become a $105 billion business that now surpasses the value of the illegal drug trade worldwide.” — David DeWalt, CEO of McAfee [67]
With an increasing number of Internet crimes, online security has become a major concern for the general public. Among various online frauds, phishing, “a form of social engineering in which an attacker attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization”, is one of the biggest threats to the online community [50]. This online crime has grown tremendously in recent years. According to the Anti-Phishing Working Group (APWG), the number of phishing incidents has increased from 47,324 in the first half of 2008 to 126,697 in the second half of December 2009. Since its first appearance around 1995, phishing has spread all over the world, affecting millions of customers and numerous firms. Fig. 1 shows how phishing attacks take place and the various associated financial losses. The actual financial loss due to phishing attacks may be ten times more than the estimated numbers for direct loss, because of the indirect and opportunity losses inflicted by phishing — an estimate of which is unavailable in the literature [41]. Indirect losses take the form of increased customer support to phishing victims as well as efforts by customers to deal with credit-rating agencies to prevent themselves from being blacklisted due to the attacks. According to Meg Whitman, the former CEO of eBay, phishing has caused a deterioration of online customers' trust and impaired e-commerce [10]. Her concern about opportunity loss is supported by the fact that the rate of opening of legitimate emails has dropped by 20% [9], and in a survey 89% of the respondents expressed concern about phishing attacks [79].
Motivated by the lack of research on the indirect and opportunity loss of phishing and particularly the lack of analysis of the impact of phishing on a worldwide basis, we embarked on analyzing the impact of phishing on the market value of firms. We collected data on phishing alerts targeted to global firms that were released by anti-phishing organizations. These alerts either included emails that were being sent to customers of public companies or notifications about fake websites that were being set up to lure customers. Using the event study method, we determined the impact of such alerts on the market value of global public firms by evaluating the change in their stock prices and trading volume after the release of the alerts. We also determined the various factors that influenced the impact.
Phishing has been a subject of intense research recently. The social and legal responsibilities of phishing were studied by researchers [7], [88]. Technical research on phishing included the development of anti-phishing tools such as AntiPhish, a browser extension that generates warning messages when users give away personal information to fake websites [58], and BogusBiter, a browser extension that feeds fake user information to phishing websites [89]. In business-focused research on phishing, researchers analyzed the anti-phishing preparedness of Hong Kong banks [8] and identified antecedents for the severity of phishing attacks [20]. Experimental studies discovered that user-related behavioral and dispositional factors and phisher-related social relationship mining skills led to the success of phishing [49]. In summary, phishing has spurred enormous interest in academia, and many anti-phishing tools and behavioral studies were produced. Nevertheless, do industrial practitioners believe that the benefits of anti-phishing products justify the cost of adoption? This paper aims to provide a reasonable estimate of the loss in market value due to phishing. Through this study, we hope to raise managers' awareness of phishing and encourage them to adopt appropriate anti-phishing tools.
Our research is similar to past research conducted on information security breaches and their market impact. Using an event study, researchers showed that mishandling of confidential information [12], unauthorized access, hacking, denial of service (DoS), website vandalism [14], online credit card thefts, website defacements [35], data breaches [36], and security breaches related to loss of integrity [52] caused a significant negative impact. The online nature of firms and the tools used for attacks influenced the impact on firm value [2]. Prior research also reported a negative but insignificant market reaction to DoS attacks [45]. Virus attacks resulted in contradictory positive and insignificant returns [46] as well as negative and insignificant returns [47] when different datasets were used.
The past research on the impact of security breaches examined only US firms. But there is no denying that security breaches in general and phishing attacks in particular are a global phenomenon. The insignificant market reaction observed in some prior studies could be due to the non-global nature of the research. Past research focused on discovering the link between security attacks and financial loss has often grouped various types of security breaches together [12], [52]. Although DoS attacks and virus attacks have been studied separately [35], [45], [46], the impact of phishing on market value has not caught the attention of researchers. Phishing is a menace in its own right, and is different from other security breaches such as vandalism, DoS, and hacking. Those attacks are company-oriented, and reveal the weakness of corporate security. On the contrary, phishing is customer-oriented, and affects the perception of the customers about the targeted firm. This unique nature of phishing as a security breach motivates us to study its impact on global firms using 1942 alerts from 259 firms belonging to 32 countries. We also observe the lack of a theoretical framework in the extant literature for studying the consequences of security breaches like phishing. We propose a risk-components-based framework that explains why phishing causes a negative impact on firm value, and identifies factors at the firm, industry, country, and temporal levels that moderate the impact. Since our research involves firms from multiple countries, we improve on the traditional Capital Asset Pricing Model (CAPM) based event study method commonly used in Information Systems (IS) research by proposing a refined asset pricing model that combines the Fama–French three-factor model with the Fama–French international model, and is able to explain the risk in the cross-sectional abnormal return of global firms better.
We conduct subsampling and cross-sectional regression to identify the significant moderating factors. Our results show that phishing alerts create a statistically significant negative impact on stock prices and trading volume and lead to a loss of market capitalization of at least US$ 411 million per alert. The market reaction becomes more pronounced for phishing alerts released in 2006–07 and for alerts targeted to financial holding companies. This research contributes to the literature on information security by quantifying the loss in market value caused by phishing, and by providing hard evidence to security administrators to encourage the adoption of adequate countermeasures against phishing.
Theoretical framework
Our proposed framework for assessing the impact of security risks on market value of firms is shown in Fig. 2. According to Drucker, “risk is inherent to the commitment of present resources to future expectations” [27]. To model risk for a firm, we adapt the idea of risk-components proposed by Crockford [22]. The first component of risk is threats that can disrupt the functioning of an organization. These can include direct or indirect “natural forces, human error, deliberate damage, and
Hypothesis development
The consequences of phishing affect not only individual customers, but also corporate owners. To an extent, companies that are targeted by phishers are responsible for financial loss under specific ordinances. The US Truth in Lending Act requires companies to bear most of the losses due to unauthorized purchases [64]. The cost of lawsuits and potential compensation to customers may also drive down future profits of the companies. Furthermore, phishing incidents may undermine the confidence of
Research method and data analysis
According to McWilliams and Siegel, “an event is anything that results in new relevant information”, and events in this research are phishing alerts released on public databases [68]. We collected data primarily from Millersmiles — the largest phishing alert database in the world with over 7000 announcements at the time of research. Since phishing alerts collected from a single database could be potentially biased and incomplete [70], we also collected alerts from alternative repositories such
Research findings
The average adjusted R2 for the CAPM for the entire sample was 0.465, and that for the FFM was 0.483. With the inclusion of additional risk factors, the explanatory power of the model increased. Panel A of Table 2 shows that the impact was the most significant one day after the alert was released. The event window [−1] did not show a significant result, implying no serious news leakage. Multiple-day event windows, like [0,1] and [−1,1], showed significant results at the 5% level for all tests.
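The event-study calculation the paper relies on (an expected-return model fitted on an estimation window before the alert, abnormal returns on the alert day, and cumulative abnormal returns over windows such as [0,1] and [−1,1]) can be carried through end to end on a small constructed dataset. The block below is an added worked example, not the paper's code or data: the firm, factor series, betas and post-alert shocks are hypothetical, and the helper names `ols`, `abnormal_returns`, `car`, `phishing_alert_car` and `implied_cap_loss` are my own. It generalizes slightly beyond the text by accepting any number of factors, so the same function covers the single-factor CAPM/market model and the Fama–French three-factor model (market, SMB, HML).

```python
"""Event-study abnormal returns (AR) and cumulative abnormal returns (CAR)
around a phishing alert, using a multi-factor expected-return model fitted
by ordinary least squares.  Added example with constructed data."""
import random
from typing import List, Sequence


def ols(X: List[List[float]], y: Sequence[float]) -> List[float]:
    """Least-squares coefficients from the normal equations (X'X) b = X'y,
    solved by Gauss-Jordan elimination with partial pivoting.  Pure Python
    so the example runs without numpy."""
    n, k = len(X), len(X[0])
    A = [[sum(X[i][p] * X[i][q] for i in range(n)) for q in range(k)] for p in range(k)]
    b = [sum(X[i][p] * y[i] for i in range(n)) for p in range(k)]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(k):
            if r == col:
                continue
            f = A[r][col] / A[col][col]
            for c in range(col, k):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(k)]


def abnormal_returns(firm: Sequence[float], factors: Sequence[Sequence[float]],
                     est_end: int) -> List[float]:
    """Fit R_t = a + sum_j beta_j * F_jt on the estimation window [0, est_end)
    and return AR_t = R_t - E[R_t] for every day.  One market factor gives the
    CAPM/market-model event study; market, SMB and HML give the three-factor
    version used in the paper's refined model."""
    X = [[1.0, *factors[t]] for t in range(len(firm))]
    beta = ols(X[:est_end], firm[:est_end])
    return [firm[t] - sum(bj * xj for bj, xj in zip(beta, X[t])) for t in range(len(firm))]


def car(ar: Sequence[float], event_day: int, start: int, end: int) -> float:
    """Cumulative abnormal return over the window [start, end], in trading
    days relative to the alert (day 0)."""
    return sum(ar[event_day + start: event_day + end + 1])


# ---- constructed sample data (hypothetical; not the paper's dataset) ----
EST_END = 60               # estimation window: trading days 0..59 before the alert
EVENT_DAY = EST_END + 1    # index of the alert day; EST_END itself is day -1
_rng = random.Random(7)
# Daily factor returns: market excess return, SMB, HML.
FACTORS = [[_rng.gauss(0.0004, 0.01), _rng.gauss(0.0, 0.005), _rng.gauss(0.0, 0.005)]
           for _ in range(EVENT_DAY + 2)]
TRUE_BETA = [0.0002, 1.2, 0.3, -0.5]    # intercept, market, SMB, HML loadings
# The firm follows the factor model exactly during estimation, then falls
# short of the model's expectation on day 0 and day +1 after the alert.
SHOCK = {EVENT_DAY - 1: 0.0, EVENT_DAY: -0.005, EVENT_DAY + 1: -0.012}
FIRM = [TRUE_BETA[0] + sum(b * f for b, f in zip(TRUE_BETA[1:], FACTORS[t])) + SHOCK.get(t, 0.0)
        for t in range(EVENT_DAY + 2)]


def phishing_alert_car(window=(0, 1)) -> float:
    """CAR of the constructed firm over the given window around the alert."""
    ar = abnormal_returns(FIRM, FACTORS, EST_END)
    return car(ar, EVENT_DAY, *window)


def implied_cap_loss(market_cap_usd: float, window=(0, 1)) -> float:
    """Loss in market capitalization implied by the CAR (CAR times market cap),
    the quantity the paper aggregates into a per-alert dollar figure."""
    return phishing_alert_car(window) * market_cap_usd


if __name__ == "__main__":
    for w in [(-1, -1), (0, 0), (0, 1), (-1, 1)]:
        print(f"CAR{list(w)}: {phishing_alert_car(w):+.4%}")
    print(f"implied loss for a US$30 bn firm over [0,1]: US$ {implied_cap_loss(30e9):,.0f}")
```

Because the constructed firm tracks the factor model exactly before the alert, the fitted betas recover `TRUE_BETA` and the day −1 abnormal return is zero, which mirrors the "no news leakage" check on the [−1] window; the negative CAR on [0,1] and [−1,1] is entirely the post-alert shortfall. On real data the estimation-window residuals are not zero, and the significance of the CAR must be tested against their variance, as the paper's Table 2 does.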
Discussion
This research provided evidence that phishing alerts caused negative abnormal returns of stock prices and negative abnormal changes in trading volume. The mean CAR was low when compared to event studies related to catastrophes, where the CAR ranged from −2.48% to −11.86% on the event day [66]. The trading volume reaction of phishing alerts was different when compared to that of catastrophes. The low trading volume in the event windows showed that investors became indecisive about the future
Conclusion and future research
Using a framework grounded in risk components, we showed that phishing alerts led to a statistically significant decrease in the stock prices and trading volume of firms from 32 countries. The decrease in firm value was strongly significant for financial holding companies and for alerts released after 2005, and weakly significant for all firms listed in the US. We found that the release of each phishing alert could cause a loss of at least US$ 411 million in market capitalization for a firm.
Future
Acknowledgements
The authors thank Professor John Bacon-Shone, Director of the Social Science Research Centre, The University of Hong Kong, for statistics advice and Thomson Reuters for retrieval of some delisted stock data. The second author also thanks the Swire Group for its generous financial support sponsoring his trip to attend the International Conference on Information Systems (ICIS) 2008, and acknowledges the valuable feedback received at the conference.
References (89)
- et al., Exploring the characteristics of Internet security breaches that impact the market value of breached firms, Expert Systems with Applications (2007)
- et al., Market reaction to e-commerce impairments evidenced by website outages, International Journal of Accounting Information Systems (2006)
- et al., Assessing anti-phishing preparedness: a study of online banks in Hong Kong, Decision Support Systems (2008)
- et al., Strategic context and patterns of IT infrastructure capability, The Journal of Strategic Information Systems (1999)
- et al., Analysis of hedge fund performance, Journal of Empirical Finance (2004)
- et al., Assessing the severity of phishing attacks: a hybrid data mining approach, Decision Support Systems (2011)
- Market efficiency, long-term returns, and behavioral finance, Journal of Financial Economics (1998)
- et al., Common risk factors in the returns on stocks and bonds, Journal of Financial Economics (1993)
- et al., Estimating the market impact of security breach announcements on firm values, Information & Management (2009)
- et al., Capital market reaction to defective IT products: the case of computer viruses, Computers & Security (2005)
- Modelling corporate wireless security and privacy, The Journal of Strategic Information Systems
- The complexity of price discovery in an efficient market: the stock market reaction to the Challenger crash, Journal of Corporate Finance
- Information security — the third wave?, Computers & Security
- Is there a cost to privacy breaches? An event study
- Phishing Activity Trends Report: Report for the Month of January, 2008
- Global Phishing Survey: Trends and Domain Name Use in 2H2009
- Effects of web traffic announcements on firm value, International Journal of Electronic Commerce
- Unveiling the mask of phishing: threats, preventive measures, and responsibilities, Communications of the Association for Information Systems
- Phishing anxiety may make you miss messages, PC World
- Ebay CEO: Phishers Threaten User Trust, ZDNet News, March 8th, 2007
- The economic cost of publicly announced information security breaches: empirical evidence from the stock market, Journal of Computer Security
- The effect of Internet security breach announcements on market value: capital market reactions for breached firms and Internet security developers, International Journal of Electronic Commerce
- The shareholder-wealth and trading-volume effects of information-technology infrastructure investments, Journal of Management Information Systems
- Examining the shareholder wealth effects of announcements of newly created CIO positions, MIS Quarterly
- Regression Analysis by Example
- The link between resources and type of diversification: theory and evidence, Strategic Management Journal
- The wealth effect of international joint ventures: the case of U.S. investment in China, Financial Management
- A nonparametric test for abnormal security price performance in event studies, Journal of Financial Economics
- An Introduction to Risk Management
- The valuation of ecommerce announcements during fluctuating financial markets, Journal of Electronic Commerce Research
- Reexamining the value relevance of e-commerce initiatives, Journal of Management Information Systems
- The value relevance of announcements of transformational information technology investments, MIS Quarterly
- The impact of information technology investment announcements on the market value of the firm, Information Systems Research
- Management: Tasks, Responsibilities, Practices
- Examining Internet privacy policies within the context of user privacy values, IEEE Transactions on Engineering Management
- UK Online Banking Forecast: 2007 to 2012
- A simple test of the Fama and French model using daily data: Australian evidence, Applied Financial Economics
- The cross-section of expected stock returns, Journal of Finance
- Value versus growth: the international evidence, Journal of Finance
- Quantifying the financial impact of IT security breaches, Information Management & Computer Security
- The effect of data breaches on shareholder wealth, Risk Management and Insurance Review
- Identity Theft Driven by Dramatic Spikes in Threats, InformationWeek, March 28th, 2007
- A cross-country investigation of the determinants of scope of e-commerce use: an institutional approach, Electronic Markets
- The economics of information security investment, ACM Transactions on Information and System Security
Cited by (46)
- To alert or alleviate? A natural experiment on the effect of anti-phishing laws on corporate IT and security investments (2024, Decision Support Systems)
- A hybrid framework using explainable AI (XAI) in cyber-risk management for defence and recovery against phishing attacks (2024, Decision Support Systems)
- Data breaches (hacking) and trade credit (2023, Global Finance Journal)
- Phishing websites detection using a novel multipurpose dataset and web technologies features (2022, Expert Systems with Applications)
- Stock market reactions to favorable and unfavorable information security events: A systematic literature review (2021, Computers and Security). Citation excerpt: “Ultimately, the effects on CARs will depend on the use of IT in that specific industry (Bose and Leung, 2014; Cavusoglu et al., 2004; Im et al., 2001; Morse et al., 2011; Tweneboah-Kodua et al., 2018; Yayla and Hu, 2011). The factors associated with an ISec event that can influence the magnitude of substantial CARs include ISec-breach or -attack characteristics (Arcuri et al., 2017; Bose and Leung, 2014; Hovav and D'Arcy, 2004), the type of ISec measure or investment announced by a firm (Deane et al., 2019; Khansa et al., 2012), firm characteristics (Cavusoglu et al., 2004; Goel and Shawky, 2009; Rosati et al., 2017), and industry characteristics (Pirounias et al., 2014; Yayla and Hu, 2011). According to Yayla and Hu (2011), these factors are collectively termed ‘information security contingency factors’ (see Fig. 1).”
- Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures (2021, Information and Management). Citation excerpt: “This could be perceived as failed fiduciary responsibility and could impact future employment opportunities for the executive. In addition, cybersecurity breaches often negatively impact a firm's market value and stock prices [56–58], and in turn, the top manager's stock options. Top executives who perceive the severity of the risk of cybersecurity breaches to their personal stock options have been known to take extreme actions, such as dumping their stocks ahead of a breach announcement by their firm [62].”
Indranil Bose is Professor and Group Co-ordinator of Management Information Systems at the Indian Institute of Management, Calcutta. He holds a B.Tech. from the Indian Institute of Technology, M.S. from the University of Iowa, and M.S. and Ph.D. from Purdue University. His research interests are in business analytics, information security, telecommunications, and business value of information technology. His publications have appeared in Communications of the ACM, Communications of AIS, Computers and Operations Research, Decision Support Systems, Ergonomics, European Journal of Operational Research, Information & Management, International Journal of Production Economics, Journal of Organizational Computing and Electronic Commerce, Journal of the American Society for Information Science and Technology, Operations Research Letters etc. He serves on the editorial board of Decision Support Systems, Information & Management, Communications of AIS, and several other IS journals.
Alvin Chung Man Leung is Assistant Professor at City University of Hong Kong. He received his Ph.D. from McCombs School of Business, The University of Texas at Austin. He obtained his BBA (Information Systems), BEng (Software Engineering), and Master of Philosophy degrees from the University of Hong Kong and MSc in Information, Risk, and Operations Management from the University of Texas at Austin. His research interests include social networks and information security. His works have been published in various journals and international conference proceedings such as Decision Support Systems, Communications of the Association of Information Systems, Communications of the ACM, and the International Conference on Information Systems.
1 Tel.: +852 3442 8521; fax: +852 3442 0370.