The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Authors:
Katherine Campbell;Lawrence A. Gordon;Martin P. Loeb;Lei Zhou
Affiliations:
Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD;Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD;Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD;Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, College Park, MD
Venue:
Journal of Computer Security - IFIP 2000
Year:
2003

Citing 18
Cited 46

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Cryptanalysis and protocol failures

Communications of the ACM
Accessibility, security, and accuracy in statistical databases: the case for the multiplicative fixed data perturbation approach

Management Science
A taxonomy for key escrow encryption systems

Communications of the ACM
Productivity, business profitability, and consumer surplus: three different measures of information technology value

MIS Quarterly
The ARBAC97 model for role-based administration of roles

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Coping with systems risk: security planning models for management decision making

MIS Quarterly
Information Technology Effects on Firm Performance As Measured by Tobin's Q

Management Science
Balancing cooperation and risk in intrusion detection

ACM Transactions on Information and System Security (TISSEC)
Identification of host audit data to detect attacks on low-level IP vulnerabilities

Journal of Computer Security
Configuring role-based access control to enforce mandatory and discretionary access control policies

ACM Transactions on Information and System Security (TISSEC)
Using information security as a response to competitor analysis systems

Communications of the ACM
The economics of information security investment

ACM Transactions on Information and System Security (TISSEC)
The Impact of Information Technology Investments on Firm Performance and Evaluation: Evidence From Newly Industrialized Economies

Information Systems Research
The Impact of E-Commerce Announcements on the Market Value of Firms

Information Systems Research
Why Information Security is Hard-An Economic Perspective

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Information System Security: A Management Challenge

Information System Security: A Management Challenge
Examining the shareholder wealth effects of announcements of newly created CIO positions

MIS Quarterly

Inoculation strategies for victims of viruses and the sum-of-squares partition problem

SODA '05 Proceedings of the sixteenth annual ACM-SIAM symposium on Discrete algorithms
Business process-based valuation of IT-security

EDSER '05 Proceedings of the seventh international workshop on Economics-driven software engineering research
Budgeting process for information security expenditures

Communications of the ACM - Personal information management
Inoculation strategies for victims of viruses and the sum-of-squares partition problem

Journal of Computer and System Sciences
Exploring the characteristics of Internet security breaches that impact the market value of breached firms

Expert Systems with Applications: An International Journal
Embedding Information Security into the Organization

IEEE Security and Privacy
Viruses, Worms, and Trojan Horses: Serious Crimes, Nuisance, or Both?

Social Science Computer Review
An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

Journal of Management Information Systems
Archetypal behavior in computer security

Journal of Systems and Software
Towards a standard approach for quantifying an ICT security investment

Computer Standards & Interfaces
Market Reactions to Information Security Breach Announcements: An Empirical Analysis

International Journal of Electronic Commerce
The Deterrent and Displacement Effects of Information Security Enforcement: International Evidence

Journal of Management Information Systems
Why IT managers don't go for cyber-insurance products

Communications of the ACM - Scratch Programming for All
Quantifying the benefits of investing in information security

Communications of the ACM - Scratch Programming for All
Estimating the market impact of security breach announcements on firm values

Information and Management
Native Client: a sandbox for portable, untrusted x86 native code

Communications of the ACM - Amir Pnueli: Ahead of His Time
Information security investment decisions: evaluating the Balanced Scorecard method

International Journal of Business Information Systems
Assessing the impact of knowledge management strategies announcements on the market value of firms

Information and Management
On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market

NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Information security economics - and beyond

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
References

Dependability metrics
Are security experts useful? Bayesian Nash equilibria for network security games with limited information

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Firms' information security investment decisions: Stock market evidence of investors' behavior

Decision Support Systems
Uncertainty in interdependent security games

GameSec'10 Proceedings of the First international conference on Decision and game theory for security
The impact of information security breaches: Has there been a downward shift in costs?

Journal of Computer Security
Market value of voluntary disclosures concerning information security

MIS Quarterly
Practicing safe computing: a multimedia empirical examination of home computer user security behavioral intentions

MIS Quarterly
Information systems resources and information security

Information Systems Frontiers
A comparison of market approaches to software vulnerability disclosure

ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Did IT consulting firms gain when their clients were breached?

Computers in Human Behavior
Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

International Journal of Information Management: The Journal for Information Professionals
An economic modelling approach to information security risk management

International Journal of Information Management: The Journal for Information Professionals
Predicting stock market returns from malicious attacks: A comparative analysis of vector autoregression and time-delayed neural networks

Decision Support Systems
Availability of enterprise IT systems: an expert-based Bayesian framework

Software Quality Control
Explaining investors' reaction to internet security breach using deterrence theory

International Journal of Electronic Finance
A hybrid decision tree based methodology for event studies and its application to e-commerce initiative announcements

ACM SIGMIS Database
Theorizing Information Security Success: Towards Secure E-Government

International Journal of Electronic Government Research
An agent-based model to simulate coordinated response to malware outbreak within an organisation

International Journal of Information and Computer Security
Investigating the Impact of Publicly Announced Information Security Breaches on Three Performance Indicators of the Breached Firms

Information Resources Management Journal
The Impact of Information Technology Internal Controls on Firm Performance

Journal of Organizational and End User Computing
Financial Impact of Information Security Breaches on Breached Firms and their Non-Breached Competitors

Information Resources Management Journal
Growth and sustainability of managed security services networks: an economic perspective

MIS Quarterly
The economic impact of cyber terrorism

The Journal of Strategic Information Systems
Supply Risk Structural Equation Model of Trust, Dependence, Concentration, and Information Sharing Strategies

International Journal of Risk and Contingency Management
A qualitative analysis of effects of security risks on architecture of an information system

ACM SIGSOFT Software Engineering Notes
A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

This study examines the economic effect of information security breaches reported in newspapers or publicly traded US corporations. We find limited evidence of an overall negative stock market reaction to public announcements of information security breaches. However, further investigation reveals that the nature of the breach affects this result. We find a highly significant negative market reaction for information security breaches involving unauthorized access to confidential data, but no significant reaction when the breach does not involve confidential information. Thus, stock market participants appear to discriminate across types of breaches when assessing their economic impact on affected firms. These findings are consistent with the argument that the economic consequences of information security breaches vary according to the nature of the underlying assets affected by the breach.