The impact of information security breaches: Has there been a downward shift in costs?

Authors:
Lawrence A. Gordon;Martin P. Loeb;Lei Zhou
Affiliations:
(Correspd. Tel.: +1 301 405 2255/ Fax: +1 301 314 9414/ E-mail: lgordon@rhsmith.umd.edu) Dept. of Accounting and Information Assurance, Robert H. Smith School of Business, Univ. of Maryland, Colle ...;Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD 20742, USA. E-mails: {lgordon, mloeb, lzhou}@rshmith.umd.edu and Af ...;Department of Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD 20742, USA. E-mails: {lgordon, mloeb, lzhou}@rshmith.umd.edu
Venue:
Journal of Computer Security
Year:
2011

Citing 15
Cited 1

The ARBAC97 model for role-based administration of roles

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Identification of host audit data to detect attacks on low-level IP vulnerabilities

Journal of Computer Security
NetSTAT: a network-based intrusion detection system

Journal of Computer Security
Abstraction-based intrusion detection in distributed environments

ACM Transactions on Information and System Security (TISSEC)
Principles of Corporate Finance with Cdrom

Principles of Corporate Finance with Cdrom
Security in Computing

Security in Computing
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
Using internal sensors and embedded detectors for intrusion detection

Journal of Computer Security
Why Information Security is Hard-An Economic Perspective

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
Cost effective management frameworks for intrusion detection systems

Journal of Computer Security
Exploring the characteristics of Internet security breaches that impact the market value of breached firms

Expert Systems with Applications: An International Journal
The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

International Journal of Electronic Commerce
An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price

IEEE Transactions on Software Engineering
Market Reactions to Information Security Breach Announcements: An Empirical Analysis

International Journal of Electronic Commerce

Market value of voluntary disclosures concerning information security

MIS Quarterly

Quantified Score

Hi-index	0.00

Visualization

Abstract

By analyzing evidence of stock returns using a sophisticated market model over a long period and over two distinct and naturally arising sub-periods, this study helps resolve conflicting evidence from previous studies concerning the effect of information security breaches on market returns of firms. This study has three major findings. First, the impact of the broad class of information security breaches on stock market returns of firms is significant. Second, when breaches are classified by their primary effect in terms of (i) confidentiality, (ii) availability or (iii) integrity, attacks associated with breaches of availability are seen to have the greatest negative effect on stock market returns. Third, there has been a significant downward shift in the impact of the security breaches in the sub-period following the 9/11/2001 attacks versus the impact in the pre-9/11 period. Apparently, with increased media reporting of information security breaches without apparent devastating effects on targeted corporations, investors lowered their assessment of the costs of such breaches. Two possible reasons for this downward shift are (1) more effective remediation and disaster recovery and (2) a perceived decrease in the tendency of customers to refrain from doing business with firms experiencing an information security breach.