Information security breaches and IT security investments: Impacts on competitors
Introduction
Presently, a firm’s information system security is no longer independent from the security environment of the industry as a whole. According to a Ponemon Institute [1] study, US firms reported the highest average cost per information security breach at $15 million. Furthermore, cyberattacks become costlier the longer they remain undetected and unaddressed. Ponemon reported an average of 46 days, at a cost of $21,155 per day, to detect and resolve a cyberattack. Failure to implement or maintain information security mechanisms can influence a business’ bottom line owing to lost customer confidence and brand switching.
Recent high-profile information security breaches have also raised concerns for the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB), thus leading them to consider whether firms should be required to disclose potential threats and the consequences of information security breaches, such as reputation loss or even the continuity of business operations. Such operational uncertainties and/or concerns about continuity increase the firm’s risks and generate negative market consequences.
In 2013, Target was the victim of a severe information security breach involving the release of millions of customers’ credit and debit card numbers, making them vulnerable to theft. With customer information compromised, Target paid $10 million in a settlement resulting from a class-action lawsuit. As a result of the Target data breach, the retailer had to pay an additional $162 million to update its information security and to get the firm back on track. In fact, Target lost an estimated 2–10% in market share, and its profits plummeted following the data breach: sales dropped by 5.3% in the fourth quarter of 2013 when the breach occurred, and its profits fell by 46%. Profits continued to fall in early 2014 owing to continuing customer reluctance to shop at Target.
The wide-ranging impacts of information security breaches on the breached firms are clear. What, then, are the impacts on their competitors? Do they benefit from the breached firm’s sufferings? If Target’s once loyal customers begin making purchases from its competitors such as Amazon and Walmart, then one might expect that Target’s security breach would affect the competitors positively. The story, however, might not be that simple. Customers may start to distrust shopping malls in general, suspecting that other firms would have similar security problems. An interconnected Internet also makes the issue more complicated. It is well known that the LinkedIn security breach in 2012 allowed Mark Zuckerberg’s Facebook account to be hacked in 2016 because, like many Internet users, he had been using the same password for different accounts. This incident offers a simple example to show how one firm’s security breach might be bad news for other firms as well.
Aware of this type of security threat from an interconnected network, firms are trying to find ways to minimize the potential negative side effects from a competitor’s security breach. For example, after the Target breach, Karenann Terrell, Walmart’s CIO, emphasized the need for continuous testing and enhanced security of networks because “single points of failure anywhere can have really drastic effects, and the ability for an attack to go undetected for a period of time just exponentially increases the damage that can occur.”
Approximately 6 months after Target’s massive data breach became public, Gartner’s (2015) survey indicated that worldwide spending on information security reached an estimated $71.1 billion in 2014, a 7.9% increase over 2013. In 2015, total information security spending continued to grow a further 8.2%, reaching $76.9 billion. Firms are becoming increasingly aware of the need to invest in sound security systems capable of securing valuable firm data. For example, Home Depot is spending billions of dollars to upgrade its registers to accept chip-enabled cards, whereas after the attack on Sony, the company hired the independent security contractor FireEye to assess the damage and help clean up its systems. Anecdotal evidence suggests that many other competitors have also been affected and motivated to action by recent information security breach incidents, leading to an overall increase in IT security investments. With today’s interwoven networks, however, more information security investments do not necessarily guarantee better security.
Our research takes up this question of the impact on competitors of an individual firm’s efforts to ensure information security in an environment of interwoven networks. We examined the following research questions: Are the security risks of a firm affected by competitors’ security-related activities (or events)? If so, would this interdependence of security events be captured in market value? To answer these questions, we used the event study methodology to investigate how security breaches and IT security investment announcements influence other competitors. We further examined firm-level characteristics such as industry and size effects that might have contributed to the security breach and IT security investments. We also compared the effect on competitors based on the timing of the breaches and security investments.
Our paper contributes to the literature in several ways. First, this study extends the literature on the economic consequences of security breach announcements or IT security investment announcements [2–6] by looking at the impact on the competitors. As firms compete with their industry peers in the same product market, they serve as benchmarks for each other in their relative performance evaluation and are exposed to similar technology shocks. Hence, investors are likely to pay attention to both a firm and its competitors. However, prior research papers mostly focused on the direct effects of security-related announcements or on their suppliers only [2,3,7–9].
Hinz et al. [10] conducted the first study to examine the impact on competitors using an event study method. In this sense, our work is in line with their study. However, Hinz et al. [10] paid attention mostly to the information transfer effect on the competitors without looking at the negative or positive externalities. Moreover, their work was limited to a small number of data theft announcements, and the target category was the electronics industry only. Thus, comparison by industry type was not possible. In contrast, our work includes other types of security breaches as well as IT security investment announcements. Therefore, our study provides more generalizable results regarding security issues on competitors. To the best of our knowledge, this is the first comprehensive study that attempts to examine the market reactions not only of firms announcing security issues but also of their competitors.
Second, our study extends the growing literature on information security risk management [11,12] by analyzing IT security investments in pre- and post-security breach incidents. After several high-profile breaches (e.g., Target, Yahoo!, Sony, etc.), the importance of IT security investments has been recognized more by managers. Consistent with this notion, we further investigated how IT security investment decisions by breached firms and competitors affect market value. In doing so, our study enables managers to make better decisions by providing a richer understanding of the impact of security breaches and investments.
Event study on security issues
A considerable body of research has explored various issues related to information security risk management, such as information security investments [13,14], institutional influence on innovation [15], and security policy [15]. Another line of study focuses on market consequences of information security-related disclosures [8,16] and security breach announcements [2–6,10,16,17]. Among all AIS event studies, we did include the event study by focusing on “security breaches
Own firm effects
Prior event studies showed that information security breaches have significantly negative effects on the breached firm in general [2,7,8,10,16,17]. Campbell et al. [2] especially found that announcements of information security breaches affect stock market reaction only when the event was related to violation of confidentiality. Their further findings showed that highly significant negative market reaction only occurred when the information security breaches involved unauthorized access to
Event study
Using an event study approach, this study examined stock price changes corresponding to a firm’s disclosure of information security breaches. The basic idea of an event study is to identify abnormal returns or price fluctuations in the market that are attributable to the event. We estimated the abnormal excess return by using a market model based on the capital asset pricing model (CAPM). The estimation window was 180 days, and the gap between the estimation and the event window was 30 days. We
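The market-model calculation described above, as an added example that is not the authors' code: it fits alpha and beta over the 180-day estimation window, skips the 30-day gap, and sums abnormal returns over the event window. The (-1, +1) event window, the function names, and the return series (constructed, with a shock injected on the announcement day for the breached firm and a smaller one for a competitor) are assumptions.

```python
import random

EST_DAYS, GAP_DAYS = 180, 30   # estimation window and gap, as stated in the text
PRE, POST = 1, 1               # assumed event window (-1, +1); not given on the page

def fit_market_model(stock, market):
    """OLS fit of R_stock = alpha + beta * R_market over the estimation window."""
    n = len(stock)
    s_bar, m_bar = sum(stock) / n, sum(market) / n
    var = sum((m - m_bar) ** 2 for m in market)
    cov = sum((m - m_bar) * (s - s_bar) for s, m in zip(stock, market))
    beta = cov / var
    return s_bar - beta * m_bar, beta

def car(stock, market, event_day):
    """Cumulative abnormal return over [event_day - PRE, event_day + POST]."""
    first = event_day - PRE
    est_end = first - GAP_DAYS          # estimation window ends GAP_DAYS earlier
    est_start = est_end - EST_DAYS
    if est_start < 0 or event_day + POST >= len(stock):
        raise ValueError("not enough return history around the event")
    alpha, beta = fit_market_model(stock[est_start:est_end], market[est_start:est_end])
    # Abnormal return = realised return minus the market-model prediction.
    return sum(stock[t] - (alpha + beta * market[t])
               for t in range(first, event_day + POST + 1))

def constructed_returns(alpha, beta, shock, market, event_day, rng):
    """Constructed daily returns: market model + small noise + a shock on the event day."""
    series = [alpha + beta * m + rng.uniform(-0.0005, 0.0005) for m in market]
    series[event_day] += shock
    return series

def demo():
    rng = random.Random(7)              # fixed seed so the run is repeatable
    event_day = 230
    market = [rng.uniform(-0.02, 0.02) for _ in range(240)]
    breached = constructed_returns(0.0002, 1.2, -0.05, market, event_day, rng)
    rival = constructed_returns(0.0001, 0.9, -0.02, market, event_day, rng)
    return car(breached, market, event_day), car(rival, market, event_day)

if __name__ == "__main__":
    own, spill = demo()
    print(f"breached firm CAR: {own:+.4f}   competitor CAR: {spill:+.4f}")
```

In the constructed data both firms show a negative cumulative abnormal return, which is the spillover case raised in the introduction; a positive competitor value would correspond to customers switching away from the breached firm.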
Results and discussions
We tested the data for each of the security breach and investment firms and compared the results. By comparing two completely different events, we could understand why and how the security announcements affected the market value of non-announced competitors.
Theoretical implications
Despite these limitations, the expected academic contributions of this research are as follows. First, to our knowledge, this is the first comprehensive event study to empirically measure the impact of security-related events (information security breaches and IT security investments) on competitors based on externalities and information transfer effect. Second, we compared data on both security breaches and security investments and tried to interpret what role the information security in
Conclusion
With an increasing number of devices connected to the Internet, an increasing number of participants in information security are also linked in a network. The interdependence of information security fundamentally creates externalities or information transfer effects. This research aimed to find empirical evidence to prove the impact of security breaches and investment announcements on competitors’ market value. We used the event study methodology, and we identified competitors using Google
Acknowledgement
This work was supported by the research fund of Hanyang University (HY-2017-N).
Christina Y. Jeong received her master’s degree from the School of Business, Hanyang University. She is currently a Ph.D. student at the Carlson School of Management, University of Minnesota.
References (58)
- et al. Firms’ information security investment decisions: stock market evidence of investors’ behavior. Decis. Support Syst. (2011)
- et al. The influence of data theft on the share prices and systematic risk of consumer electronics companies. Inf. Manage. (2015)
- et al. Estimating the market impact of security breach announcements on firm values. Inf. Manage. (2009)
- Intra-industry information transfers associated with earnings releases. J. Account. Econ. (1981)
- et al. Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Inf. Manage. (2015)
- et al. Value-relevance of nonfinancial information: The wireless communications industry. J. Account. Econ. (1996)
- The information content of losses. J. Account. Econ. (1995)
- et al. Using daily stock returns: The case of event studies. J. Finance Econ. (1985)
- et al. Market reactions to E-business outsourcing announcements: an event study. Inf. Manage. (2006)
- 2015 Cost of Cybercrime Study: Global (2015)
- The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J. Comput. Security
- The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. Int. J. Electron. Commerce
- Information transfer among internet firms: The case of hacker attacks. J. Inf. Syst.
- Market reactions to information security breach announcements: An empirical study. Int. J. Electron. Commerce
- Event study analysis of the economic impact of IT operational risk and its subcategories. J. Assoc. Inf. Syst.
- The effect of information security incidents on corporate values in the Japanese stock market. International Workshop on the Economics of Securing the Information Infrastructure (WESII) on Citeseer
- Market value of voluntary disclosures concerning information security. MIS Q.
- Correlated failures, diversification, and information security risk management. MIS Q.
- Information security policy compliance model in organizations. Comput. Secur.
- The economics of information security investment. ACM Trans. Inf. Syst. Security
- Budgeting process for information security expenditures. Commun. ACM
- Institutional influences on information systems security innovations. Inf. Syst. Res.
- The association between the disclosure and the realization of information security risk factors. Inf. Syst. Res.
- The financial impact of IT security breaches: what do investors think? Inf. Syst. Security
- A survey of interdependent information security games. ACM Comput. Surveys (CSUR)
- The economics of information security. Science
- Economics of malware: epidemic risks model, network externalities and incentives. Proceedings of the 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton 2009)
- Protecting against network infections: A game theoretic perspective. Proceedings of the 28th IEEE Conference on Computer Communications (INFOCOM 2009)
- Selfish response to epidemic propagation. IEEE Trans. Automat. Control
Sang-Yong Tom Lee is a professor at the School of Business, Hanyang University. He previously worked at the National University of Singapore. His research interests include economics of information systems, online information privacy, and value of IT. His publications have appeared in MIS Quarterly, Management Science, Journal of Management Information Systems, Information & Management, the IEEE Transactions on Engineering Management, and others.
Jee-Hae Lim is a Shidler College Distinguished Professor of Accounting, University of Hawaii at Manoa. Her research interests focus on the impact of Accounting Information Systems (AIS) events (e.g., IT investments, IT controls, IT governance, outsourcing, and XBRL) on financial measures in short- and long-term value creation and pre- and postrealized value. Her publications have appeared in Contemporary Accounting Research, Information Systems Research, Journal of Management Information Systems, Information & Management, Journal of Information Systems, and others.