The influence of data theft on the share prices and systematic risk of consumer electronics companies
Introduction
A series of hacker attacks has demonstrated that data theft is a potential threat to a company's business success [10], [43]. Even governments (e.g., the USA) and international organizations (e.g., the United Nations, International Olympic Committee) are affected by security incidents [6]. The substantial influence that security has on consumers’ trust [26] and the damage that may be caused by security incidents raise questions regarding the form and amount of investments that companies should make in their IT infrastructure. This research area has been the subject of controversy [19], [65]. Since the beginning of the computer age, scholars have stressed how dangerous the use of information technology might be for companies with respect to the storage of sensitive data [55], [73]. Frequently, the necessary amount of IT investments is derived from the costs of security incidents. The reaction of the capital market is particularly relevant from the perspective of listed companies and their investors. A number of studies have therefore addressed the impact of privacy and security incidents on the share prices of companies [17], [20], [60].
While past studies at the beginning of the Internet age observed stronger negative effects of security breaches on the share prices of affected companies, more recent studies indicate that these influences have diminished over time [35], [79]. Gordon et al. [35] reported that the influence of security breaches on stock returns was stronger before 9/11/2001 than that in subsequent years. Yayla and Hu [79] studied the periods between 1994 and 2000 and between 2001 and 2006, showing that announcements of security breaches in the second period exert a less significant influence on share prices relative to those in the first. The number of hacker attacks reported in the press increased dramatically in recent years. While in 2005, DataLossDB.org reported 157 incidents, this number increased to 1651 in 2012.3 It is therefore unclear whether investors remain sensitive to security breaches or these events are already incorporated into market prices. Using a novel dataset covering the period between 2011 and 2012, our study will contribute to an improved understanding of capital market reactions to security breaches following the numerous hacker attacks that have occurred in recent years.
In addition to share price reactions of affected companies, we also seek to study the effects of information transfer in this article. This occurs when an event at one company affects the share prices of its competitors that are not directly affected by the event but operate in the same industry.
The third and central research question concerns the influence of security breaches on systematic risk, which has broad implications for the optimal amount of investments in IT security. To the best of our knowledge, this is the first study that analyzes the extent of losses by considering changes in systematic risk for an international sample of companies. Systematic risk, represented by the beta factor in the Capital Asset Pricing Model (CAPM, see [54], [59], [71], [78]), is a crucial parameter for the calculation of a company's cost of equity. The cost of equity reflects the return requirements of equity investors. The present study provides companies with information concerning both short-term share price developments following data thefts and investors’ risk assessments, and thus the long-term funding conditions. This has direct implications for the financial effort necessary to avoid such incidents.
Thus, our study makes three major contributions to the IS domain. First, we investigate whether information transfer and the influence of security incidents on share prices persist in contemporary financial markets. Previous studies generally collected data from the dot-com era [17], [20], [27], [32], [46]. We use a dataset that covers the years 2011 and 2012. Second, we extend previous findings on share price reactions and information transfer to the specific industry of consumer electronics. Third, our main contribution is the consideration of systematic risk when studying the influence of security incidents on international companies’ business success.
The paper is structured as follows: First, we will discuss the importance of IT for companies and introduce the consumer electronics industry. In Section 3, we develop our hypotheses before describing the database and the method employed in the empirical analysis. The results are presented in Section 5. The article concludes with a discussion of our findings, implications for companies and suggestions for future research.
Section snippets
Importance of information technology for companies
The importance of information technology and its value to a company's success is a permanent subject of debate in both academic and practical circles. Schryen [68] and Kohli and Grover [49] provide extensive literature reviews on studies focusing on the business value of IT. There is mixed evidence concerning the importance of IT in companies. In the context of this article, the stock market performance of companies is particularly interesting [25], [42]. Other measures of company performance
Theoretical background and hypothesis development
In the following sections, we derive our hypotheses from the previous literature on the relationship among security breaches, share prices and the systematic risk of the affected company. Section 3.1 refers to the influence of security incidents; this is followed by descriptions of information transfer (Section 3.2) and systematic risk (Section 3.3).
Data
The events we analyze are related to announcements of data thefts. We define data theft as illegally acquired access to personal information concerning a company's customers. The scope of the stolen data varies and in simple cases includes names, addresses, or dates of birth and in serious situations includes credit card information. We use the websites datalossdb.org and attrition.org as databases to select our events. These databases have proven suitable in comparable research areas [60].
Results of the event study
Table 3 reports the cumulative abnormal stock returns following the announcement of data theft. The numbers in columns two (mean) and three (median) represent the average abnormal changes in stock returns. The average abnormal returns are cumulated corresponding to the length of the event windows (column 1). Our evidence suggests that various event windows exhibit constant negative returns for both means and medians. All test statistics applied yield nearly identical values and the same level
Summary
This study examined the reactions of the capital market to data thefts at consumer electronics companies, which have implications for the economically optimal level of investment in IT security. We analyzed the impact of data theft on share prices and systematic risk. The results illustrate that the disclosure of a data theft leads to a significant decline in the affected company's share price. Negative returns can be observed not only on the day following the announcement but also over a
Oliver Hinz is chaired Professor of Information Systems, esp. Electronic Markets at the TU Darmstadt (Germany). His interests include electronic markets, economics of security and privacy, diffusion and social contagion processes, and interactive pricing. His research has been published in journals such as Electronic Markets, MIS Quarterly, Information Systems Research and Journal of Marketing.
References (80)
- et al.
Event-study methodolgy under conditions of event-induced variance
J. Finan. Econ.
(1991) - et al.
Intra-industry information releases: a recursive system approach
J. Account. Econ.
(1987) - et al.
Understanding online B-to-C relationships: an integrated model of privacy concerns, trust, and commitment
J. Bus. Res.
(2006) - et al.
An earnings prediction approach to examining intercompany information transfers
J. Account. Econ.
(1992) Intra-industry information transfers associated with earnings releases
J. Account. Econ.
(1981)- et al.
A trust-based consumer decision-making model in electronic commerce: the role of trust, perceived risk, and their antecedents
Decis. Support Syst.
(2008) - et al.
Risk changes around convertible debt offerings
J. Corp. Finance
(2002) - et al.
The business value of information technology and inputs substitution: the productivity paradox revisited
Decis. Support Syst.
(2006) - et al.
Does successful investment in information technology solve the productivity paradox?
Inf. Manage.
(2000) - et al.
Herding and information based trading
J. Empir. Finance
(2009)
Is there a cost to privacy breaches?. An event study
The more, the merrier?. How the number of partners in a standard-setting initative affects shareholder's risk and return
MIS Quart.
Information cascades in the laboratory
Am. Econ. Rev.
The impact of the Iraq war on the country beta of MENA markets
Int. J. Econ. Finance
Information transfer associated with management forecasts of earnings
J. Account. Res.
On systematic and unsystematic components of financial risk
J. Finance
A resource-based perspective on information technology capability and firm performance: an empirical investigation
MIS Quart.
Types of information technology capabilities and their role in competitive advantage: an empirical study
J. Manage. Inf. Syst.
Measuring the effects of regulation with stock price data
J. Econ.
Time varying country risk: an assessment of alternative modelling techniques
Eur. J. Finance
The productivity paradox of information technology
Commun. ACM
Paradox lost? Firm-level evidence on the returns to information systems spending
Manage. Sci.
An economic analysis of service-oriented infrastructures for risk/return management
The economic cost of publicly announced information security breaches: empirical evidence from the stock market
J. Comp. Security
The economic impact of security breaches on publicly traded corporations: an empirical investigation
AMCIS Proc.
IT doesn’t matter
Harvard Bus. Rev.
The effect of Internet security breach announcements on market value: capital market reactions for breached firms and Internet security developers
Int. J. Electron. Commer.
Capital structure and product-market competition: empirical evidence from the supermarket industry
Am. Econ. Rev.
The value relevance of announcements of transformational information technology investments
MIS Quart.
The impact of information technology investment announcements on the market value of the firm
Inf. Syst. Res.
Information transfer among internet firms: the case of hacker attacks
J. Inf. Syst.
In search of sustainability: reaping long-term advantage from investments in information technology
J. Manage. Inf. Syst.
The impact of malicious agents in the enterprise software industry
MIS Quart.
Quantifying the financial impact of IT security breaches
Inf. Manage. Comp. Security
The market valuation of internet channel additions
J Market.
Market value of voluntary disclosures concerning information security
MIS Quart.
The impact of information security breaches: has there been a downward shift in costs?
J. Comp. Security
The effects of rate regulation on mean returns and non-diversifiable risk: the case of cable television
Rev. Ind.l Org.
Cited by (0)
Oliver Hinz is chaired Professor of Information Systems, esp. Electronic Markets at the TU Darmstadt (Germany). His interests include electronic markets, economics of security and privacy, diffusion and social contagion processes, and interactive pricing. His research has been published in journals such as Electronic Markets, MIS Quarterly, Information Systems Research and Journal of Marketing.
Michael Nofer studied Business Administration at the Goethe University Frankfurt. During his studies he completed internships at Morgan Stanley, Deutsche B"rse AG and Knight Capital Group. Michael Nofer joined the Chair of Information Systems esp. Electronic Markets at the TU Darmstadt as doctoral candidate.
Dirk Schiereck is chaired Professor of Corporate Finance at the TU Darmstadt (Germany). His interests include electronic payments, financial markets, risk shifts and asset pricing. His research has been published in journals such as Journal of Corporate Finance, Journal of Empirical Finance, Information Systems Management and Journal of Financial Markets.
Julian Trillig is research assistant in the Department of Law and Economics at the TU Darmstadt (Germany). His interests include empirical capital market research, financial markets and sustainability, and risk shifts and asset pricing. His research has been published in journals such as Review of Managerial Science, Business Strategy and the Environment and International Journal of Entrepreneurship & Small Business.