The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
Information Systems Research
The Impact of E-Commerce Announcements on the Market Value of Firms
Information Systems Research
Assessing the Risk in E-commerce
HICSS '02 Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 7 - Volume 7
Journal of Computer Security - IFIP 2000
A model for evaluating IT security investments
Communications of the ACM - Has the Internet become indispensable?
Estimating Potential IT Security Losses: An Alternative Quantitative Approach
IEEE Security and Privacy
IEEE Security and Privacy
International Journal of Electronic Commerce
Communications of the ACM - Enterprise information integration: and other tools for merging data
Market Reactions to Information Security Breach Announcements: An Empirical Analysis
International Journal of Electronic Commerce
Did IT consulting firms gain when their clients were breached?
Computers in Human Behavior
Hi-index | 0.00 |
Several U.S. states have enacted laws that require organizations to notify the affected individuals if personal data under their control is believed to have been acquired by an unauthorized person. In the EU, where a similar legislation is still missing, several researchers have recommended the introduction of a security-breach notification law. The intention of these laws is twofold. On one hand, they should enable affected individuals to take appropriate steps to protect themselves against malicious impacts resulting from the breach. On the other hand, it was intended to create incentives for companies to undertake steps to improve their security measures. In this contribution, we explore these incentives and present an event study in order to examine the effects of privacy incident announcements on the stock prices of affected companies. Our results show that there are significant price reactions on the next day following the announcements. By comparing these price reactions with those observed for other event types, we detect that disclosed privacy incidents are perceived as marginal by the market. The results show that existing disclosure regulation provides little to no incentives to invest in security measures to prevent the occurrence of privacy breaches, since they are widely ignored by the capital markets. From the widely discussed incentive perspective, the privacy breach disclosure legislation does not appear to be effectively addressing this goal.