Volume 11 No. 1 SPRING 2010

Impact of Information Security Breaches

Investors—and consumers—may be desensitized to the dangers of information security breaches, according to a recent study by Lawrence Gordon, Ernst & Young Alumni Professor of Managerial Accounting; Martin Loeb, professor of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow; and Lei Zhou, visiting assistant professor of accounting and information assurance.

The study examined the stock prices of companies that experienced information security breaches between 1995 and 2007, a huge dataset that encompassed the longest period and the most companies ever studied. Before 2001, an information security breach had a noticeable negative impact on stock prices. But post-9/11, the effect of a breach on a firm’s stock price was insignificant.

That may be because these events have become so common, says Gordon. A few months ago his credit card company sent Gordon a letter saying that the firm’s system had been breached and personal customer information had been compromised. Rather than getting upset and canceling his account, Gordon just cut up his old card and activated his new one. Consumers don’t appear to be penalizing companies for security breaches, which means that investors aren’t raising the red flag either.

“That’s one of the dangers. You get lulled into looking at the averages, but a few companies every year suffer disastrous consequences as a result of a significant security breach,” says Gordon. “I think it makes it tougher for firms to make the financial case for investing in information security.”

A lax attitude toward the effect of breaches may lead to less vigilance, which could be problematic for national security, said Gordon. It is estimated that 85% of critical infrastructure in energy, healthcare, telecommunications and similar industries is part of the private sector. Loeb adds, “A breach of a single firm’s data and IT system can spill over to other firms, with the potential of causing severe harm to the nation. Thus, it’s not surprising to see Homeland Security and other government agencies interested in boosting incentives for investment in information security.”

The type of breach may also affect the impact—in a way the authors found surprising. Breaches of confidentiality, where customer information is compromised, actually had less of an impact on stock prices than breaches of availability, where customers can’t get onto the company Web site.

One silver lining may be that consumers—and thus investors—display less worry about breaches because companies have been quicker to detect and address security breaches and more transparent with their responses, leading to greater trust that companies will handle breaches effectively and safely. Gordon and Loeb plan to investigate this possibility in further research.

“The Impact of Information Security” is forthcoming from the Journal of Computer Security. For more information about this research, contact Lawrence Gordon or Martin Loeb.
