The influence of data theft on the share prices and systematic risk of consumer electronics companies

https://doi.org/10.1016/j.im.2014.12.006Get rights and content

Abstract

Based on recent hacker attacks targeting consumer electronics companies, this article investigates the direct financial consequences for the owners of victim companies. To quantify this effect, we analyze whether the companies’ stock returns react to announcements of data theft. In addition, we also analyze the effects of such thefts on systematic risk. The results indicate that the share prices of both directly affected and similar companies decrease. However, market players do not change their evaluations of systematic risk, and hence, companies need not expect a higher cost of capital in the following years.

Introduction

A series of hacker attacks has demonstrated that data theft is a potential threat to a company's business success [10], [43]. Even governments (e.g., the USA) and international organizations (e.g., the United Nations, International Olympic Committee) are affected by security incidents [6]. The substantial influence that security has on consumers’ trust [26] and the damage that may be caused by security incidents raise questions regarding the form and amount of investments that companies should make in their IT infrastructure. This research area has been the subject of controversy [19], [65]. Since the beginning of the computer age, scholars have stressed how dangerous the use of information technology might be for companies with respect to the storage of sensitive data [55], [73]. Frequently, the necessary amount of IT investments is derived from the costs of security incidents. The reaction of the capital market is particularly relevant from the perspective of listed companies and their investors. A number of studies have therefore addressed the impact of privacy and security incidents on the share prices of companies [17], [20], [60].

While past studies at the beginning of the Internet age observed stronger negative effects of security breaches on the share prices of affected companies, more recent studies indicate that these influences have diminished over time [35], [79]. Gordon et al. [35] reported that the influence of security breaches on stock returns was stronger before 9/11/2001 than that in subsequent years. Yayla and Hu [79] studied the periods between 1994 and 2000 and between 2001 and 2006, showing that announcements of security breaches in the second period exert a less significant influence on share prices relative to those in the first. The number of hacker attacks reported in the press increased dramatically in recent years. While in 2005, DataLossDB.org reported 157 incidents, this number increased to 1651 in 2012.3 It is therefore unclear whether investors remain sensitive to security breaches or these events are already incorporated into market prices. Using a novel dataset covering the period between 2011 and 2012, our study will contribute to an improved understanding of capital market reactions to security breaches following the numerous hacker attacks that have occurred in recent years.

In addition to share price reactions of affected companies, we also seek to study the effects of information transfer in this article. This occurs when an event at one company affects the share prices of its competitors that are not directly affected by the event but operate in the same industry.

The third and central research question concerns the influence of security breaches on systematic risk, which has broad implications for the optimal amount of investments in IT security. To the best of our knowledge, this is the first study that analyzes the extent of losses by considering changes in systematic risk for an international sample of companies. Systematic risk, represented by the beta factor in the Capital Asset Pricing Model (CAPM, see [54], [59], [71], [78]), is a crucial parameter for the calculation of a company's cost of equity. The cost of equity reflects the return requirements of equity investors. The present study provides companies with information concerning both short-term share price developments following data thefts and investors’ risk assessments, and thus the long-term funding conditions. This has direct implications for the financial effort necessary to avoid such incidents.

Thus, our study makes three major contributions to the IS domain. First, we investigate whether information transfer and the influence of security incidents on share prices persist in contemporary financial markets. Previous studies generally collected data from the dot-com era [17], [20], [27], [32], [46]. We use a dataset that covers the years 2011 and 2012. Second, we extend previous findings on share price reactions and information transfer to the specific industry of consumer electronics. Third, our main contribution is the consideration of systematic risk when studying the influence of security incidents on international companies’ business success.

The paper is structured as follows: First, we will discuss the importance of IT for companies and introduce the consumer electronics industry. In Section 3, we develop our hypotheses before describing the database and the method employed in the empirical analysis. The results are presented in Section 5. The article concludes with a discussion of our findings, implications for companies and suggestions for future research.

Section snippets

Importance of information technology for companies

The importance of information technology and its value to a company's success is a permanent subject of debate in both academic and practical circles. Schryen [68] and Kohli and Grover [49] provide extensive literature reviews on studies focusing on the business value of IT. There is mixed evidence concerning the importance of IT in companies. In the context of this article, the stock market performance of companies is particularly interesting [25], [42]. Other measures of company performance

Theoretical background and hypothesis development

In the following sections, we derive our hypotheses from the previous literature on the relationship among security breaches, share prices and the systematic risk of the affected company. Section 3.1 refers to the influence of security incidents; this is followed by descriptions of information transfer (Section 3.2) and systematic risk (Section 3.3).

Data

The events we analyze are related to announcements of data thefts. We define data theft as illegally acquired access to personal information concerning a company's customers. The scope of the stolen data varies and in simple cases includes names, addresses, or dates of birth and in serious situations includes credit card information. We use the websites datalossdb.org and attrition.org as databases to select our events. These databases have proven suitable in comparable research areas [60].

Results of the event study

Table 3 reports the cumulative abnormal stock returns following the announcement of data theft. The numbers in columns two (mean) and three (median) represent the average abnormal changes in stock returns. The average abnormal returns are cumulated corresponding to the length of the event windows (column 1). Our evidence suggests that various event windows exhibit constant negative returns for both means and medians. All test statistics applied yield nearly identical values and the same level

Summary

This study examined the reactions of the capital market to data thefts at consumer electronics companies, which have implications for the economically optimal level of investment in IT security. We analyzed the impact of data theft on share prices and systematic risk. The results illustrate that the disclosure of a data theft leads to a significant decline in the affected company's share price. Negative returns can be observed not only on the day following the announcement but also over a

Oliver Hinz is chaired Professor of Information Systems, esp. Electronic Markets at the TU Darmstadt (Germany). His interests include electronic markets, economics of security and privacy, diffusion and social contagion processes, and interactive pricing. His research has been published in journals such as Electronic Markets, MIS Quarterly, Information Systems Research and Journal of Marketing.

References (80)

  • A. Acquisti et al.

    Is there a cost to privacy breaches?. An event study

  • N. Aggarwal et al.

    The more, the merrier?. How the number of partners in a standard-setting initative affects shareholder's risk and return

    MIS Quart.

    (2011)
  • L.R. Anderson et al.

    Information cascades in the laboratory

    Am. Econ. Rev.

    (1997)
  • H.M. Al Refai

    The impact of the Iraq war on the country beta of MENA markets

    Int. J. Econ. Finance

    (2011)
  • S.P. Baginski

    Information transfer associated with management forecasts of earnings

    J. Account. Res.

    (1987)
  • D. Barboza, K. Drew, Security firm sees global cyberspying, 2011,...
  • A. Beja

    On systematic and unsystematic components of financial risk

    J. Finance

    (1972)
  • A.S. Bharadwaj

    A resource-based perspective on information technology capability and firm performance: an empirical investigation

    MIS Quart.

    (2000)
  • G.D. Bhatt et al.

    Types of information technology capabilities and their role in competitive advantage: an empirical study

    J. Manage. Inf. Syst.

    (2005)
  • N. Bilton, B. Stelter, Sony says PlayStation hacker got personal data, 2011,...
  • J.J. Binder

    Measuring the effects of regulation with stock price data

    J. Econ.

    (1985)
  • R.D. Brooks et al.

    Time varying country risk: an assessment of alternative modelling techniques

    Eur. J. Finance

    (2002)
  • E. Brynjolfsson

    The productivity paradox of information technology

    Commun. ACM

    (1993)
  • E. Brynjolfsson et al.

    Paradox lost? Firm-level evidence on the returns to information systems spending

    Manage. Sci.

    (1996)
  • H.U. Buhl et al.

    An economic analysis of service-oriented infrastructures for risk/return management

  • K. Campbell et al.

    The economic cost of publicly announced information security breaches: empirical evidence from the stock market

    J. Comp. Security

    (2003)
  • J. Cardenas et al.

    The economic impact of security breaches on publicly traded corporations: an empirical investigation

    AMCIS Proc.

    (2012)
  • N.G. Carr

    IT doesn’t matter

    Harvard Bus. Rev.

    (2005)
  • H. Cavusoglu et al.

    The effect of Internet security breach announcements on market value: capital market reactions for breached firms and Internet security developers

    Int. J. Electron. Commer.

    (2004)
  • J.A. Chevalier

    Capital structure and product-market competition: empirical evidence from the supermarket industry

    Am. Econ. Rev.

    (1995)
  • B. Dehning et al.

    The value relevance of announcements of transformational information technology investments

    MIS Quart.

    (2003)
  • B.L. Dos Santos et al.

    The impact of information technology investment announcements on the market value of the firm

    Inf. Syst. Res.

    (1993)
  • M.L. Ettredge et al.

    Information transfer among internet firms: the case of hacker attacks

    J. Inf. Syst.

    (2003)
  • D.F. Feeny et al.

    In search of sustainability: reaping long-term advantage from investments in information technology

    J. Manage. Inf. Syst.

    (1990)
  • M.R. Galbreth et al.

    The impact of malicious agents in the enterprise software industry

    MIS Quart.

    (2010)
  • A. Garg et al.

    Quantifying the financial impact of IT security breaches

    Inf. Manage. Comp. Security

    (2003)
  • I. Geyskens et al.

    The market valuation of internet channel additions

    J Market.

    (2002)
  • L.A. Gordon et al.

    Market value of voluntary disclosures concerning information security

    MIS Quart.

    (2010)
  • L.A. Gordon et al.

    The impact of information security breaches: has there been a downward shift in costs?

    J. Comp. Security

    (2011)
  • A. Havenner et al.

    The effects of rate regulation on mean returns and non-diversifiable risk: the case of cable television

    Rev. Ind.l Org.

    (2001)
  • Cited by (0)

    Oliver Hinz is chaired Professor of Information Systems, esp. Electronic Markets at the TU Darmstadt (Germany). His interests include electronic markets, economics of security and privacy, diffusion and social contagion processes, and interactive pricing. His research has been published in journals such as Electronic Markets, MIS Quarterly, Information Systems Research and Journal of Marketing.

    Michael Nofer studied Business Administration at the Goethe University Frankfurt. During his studies he completed internships at Morgan Stanley, Deutsche B"rse AG and Knight Capital Group. Michael Nofer joined the Chair of Information Systems esp. Electronic Markets at the TU Darmstadt as doctoral candidate.

    Dirk Schiereck is chaired Professor of Corporate Finance at the TU Darmstadt (Germany). His interests include electronic payments, financial markets, risk shifts and asset pricing. His research has been published in journals such as Journal of Corporate Finance, Journal of Empirical Finance, Information Systems Management and Journal of Financial Markets.

    Julian Trillig is research assistant in the Department of Law and Economics at the TU Darmstadt (Germany). His interests include empirical capital market research, financial markets and sustainability, and risk shifts and asset pricing. His research has been published in journals such as Review of Managerial Science, Business Strategy and the Environment and International Journal of Entrepreneurship & Small Business.

    1

    Tel.: +49 6151 16 75221; fax: +49 6151 16 72220.

    2

    Tel.: +49 6151 16 4489; fax: +49 6151 16 5393.

    View full text