The Effect of IT Hack Announcements on the Market Value of Publicly Traded Corporations

Nishant Patel¹

Duke University

Durham, North Carolina

April 2010

Faculty Advisor: Edward Tower

¹ After graduating from Duke, the author will be working in investment banking for Bank of America Merrill Lynch in New York City starting in July of 2010. Nishant Patel can be reached at [email protected].

Abstract

Estimating the financial impact of a hack on a corporation is a particularly difficult task. Firms must assess direct costs, including detection and repair, as well as more ambiguous indirect costs, including lost future business and negative reputation effects. The financial performance of a firm following the event can shed some light on the costs associated with a hack. An event study analysis was applied to determine the effects of hack announcements on the changes in market valuations of publicly traded firms. Cross sections of the sample based on the type of data lost and market capitalizations of the breached firms were used to control for factors that may vary the impacts of hack announcements. In contrast to the hypothesis, the results do not show significantly negative returns among firms that have been hacked. The implications of the results are discussed.

Acknowledgements

I would like to thank my thesis advisor, Professor Edward Tower, for his time and advice throughout this year. I am especially grateful for the guidance and insightful feedback during the research and writing process provided by my Econ198S and 199S professor, Michelle Connolly. I would like to thank Professor Sam Veraldi for all of his thoughtful suggestions, helping guide my paper. Finally, I appreciate all of the comments from my fellow seminar classmates.

I. Introduction

The Information Age has cultivated radical changes in the corporate world. The widespread use of computers in the workplace has made it imperative to develop digital databases of sensitive company information. These databases have made information access and transfer efficient within the office and across the globe. However, they have also increased the vulnerability of this information to external attacks. Over the past decade, unauthorized access to sensitive company data has increased dramatically. In fact, the Computer Emergency Response Team (CERT) Coordination Center recorded a more than 20-fold increase in e-commerce related vulnerabilities in the decade spanning from 1996 to 2006 (“CERT Statistics”, 2008).

Estimating the cost of a breach is a complex matter. Firms that have experienced a breach must evaluate both the direct and indirect costs that arise as a consequence of the breach. The direct costs are generally more straightforward and include the costs associated with detecting and repairing breaches as well as any exposure to legal liability expenses. The indirect costs are much less certain and therefore difficult to estimate. These costs account for lost future business, consumer confidence, as well as negative reputation and trust effects. Assuming efficient markets, one way to assess the economic costs associated with a breach is to use the change in market value of a company from the event. My research aims to evaluate the economic costs of hacks by measuring significant changes in market capitalizations of publicly traded corporations. The magnitude and statistical significance of abnormal returns will be calculated over specific event windows, which will range from three to 30 days, in order to measure both the short- and long-term effects of hack announcements.

The implications of the aforementioned costs are crucial for information security professionals and managers to understand. Many firms spend a portion of their budget on information security measures. According to the “Computer Crime and Security Survey” by the Computer Security Institute, 53 percent of the surveyed firms allocated 5 percent or less of their overall information technology budget to information security (Richardson, 2008). Armed with a better understanding of the costs associated with breaches, firms can implement more efficient IT budgets that balance the potential losses associated with a breach against costs of deterrence.

The focus of this study is on hacks. For the purposes of this study, a hack is defined as unauthorized access to private company information through digital means, including access via the Internet or directly into a network. In the context of a hack, two different types of sensitive information can be lost: permanent or temporary. Specifically, hacked Social Security numbers represent permanent losses since they cannot be replaced and can lead to long-term identity theft. On the other hand, hacked credit card numbers are recognized as temporary losses since they can be discontinued and replaced. By discriminating between the two types of confidential data, I expect to see the costs associated with losing permanent information to be greater than those of losing temporary information. Contrary to expectations, firms often only consider securing credit card data. A study by the Ponemon Institute has found that in a survey of over 500 IT security practitioners, 55% focus solely on securing credit card data and have not attempted to protect other sensitive information including Social Security numbers (Ponemon Institute, 2009). It is important to understand the implications of both types of losses in order to devise more effective information security solutions for firms in the Digital Age.

II. Literature Review

Information security in the Digital Age is a relatively young topic of research. Much of the literature examines the costs associated with information security breaches through event studies focusing on market reactions. For example, Campbell, Gordon, Loeb, and Zhou (2003) studied the stock market reaction to public announcements of information security breaches. Their study of abnormal returns among all of the firms in their data set provides only limited evidence that information security breaches have a negative impact on the share price of a firm. Over a two-day event window, the cumulative abnormal return of the entire data set of breaches was not statistically significant. However, by distinguishing between the types of breaches, they were able to conclude that breaches involving unauthorized access to confidential information result in highly significant negative stock market reactions (Campbell et al., 2003). In comparison, breaches that do not involve confidential information, such as denial of service attacks, have no significant reaction because investors in the market may differentiate between the two types of breaches and perceive the loss of confidential data in a breach to have greater economic consequences.

Using a similar approach, Cavusoglu, Mishra, and Raghunathan (2004) assessed the impact of breaches across different types and sizes of firms. Again, the change in market value of the affected firms is used to evaluate the economic consequences. Their findings indicate that breached firms lose on average 2.1 percent of their market value within the two days following the announcement of the event. Taking a cross-sectional regression of the general results, Cavusoglu et al. (2004) are able to determine that smaller firms witness a greater loss in the market than larger firms, implying that information security is often crucial to the survival of small firms. Taking a closer look at the different types of firms breached, they find that Internet firms experience greater negative abnormal returns than other firms. These firms are considered pure-play firms because they generate revenue from only one source, the Internet. For these firms, information security is crucial to maintain revenue. Hovav and D’Arcy (2004) also find that distributed denial-of-service attacks tend to impact pure-play firms² in the market more than other firms with similar breaches.

In addition to comparing different types of firms, past researchers have also conducted analyses based on differing event windows. Both Campbell et al. and Cavusoglu et al. (2004) established two-day event windows around the breaches. An empirical study by Kannan, Rees, and Sridhar (2007) tested a number of different hypotheses on the impacts of security breaches. They established 3-, 8-, and 30-day event windows around the announcement of a breach to test if the firms hold the negative returns in both the short and long term. It is also important to note that each of the hypotheses was tested with and without breach announcements six months after the September 11th attacks (hereafter referred to as 9/11). They found that in many cases the market’s general negative trend after the 9/11 attacks presented significant negative abnormal returns and skewed the results.

Over short- and long-run event windows, the announcement of information security breaches does not reflect a significant negative return in the Kannan et al. study. The result is striking because security breaches would be expected to create losses for a firm that should be reflected in the share price. To attempt to explain the absence of negative returns, the Kannan et al. study tested for changes in investor attitudes in the dot-com era. Breach announcements during the dot-com boom had significantly more negative cumulative abnormal returns than those after the burst but only in the short run. Therefore, firms having public announcements of security breaches during the dot-com era earned more negative abnormal returns in the short run than those after the burst. The study also was able to test and reject the hypothesis that smaller firms (small to medium market capitalization) earn more negative abnormal returns than larger firms in both the short and long run. Each of the breaches in the data set was also classified into different types of attacks: confidentiality, integrity, and availability. Confidentiality-breaching attacks put a firm’s sensitive data at risk; this category includes hacks. Integrity-breaching attacks, such as viruses and worms, compromise the integrity of a firm’s data. Moreover, availability-breaching attacks involve a loss of availability of information assets or data; these include denial-of-service attacks. Once again, the results were not significant and the hypothesis that each of these types of breaches has a negative impact on returns was rejected. A limitation of the Kannan et al. paper is that it is unable to definitively explain the lack of negative abnormal returns. It may be due to irrationality and inefficiency in the market, or simply that these security breaches do not cause significant financial losses for firms.

² Firms that do business purely through the Internet (i.e., Amazon.com, eBay.com, Monster.com).

It is inconclusive from the past literature whether the market reacts negatively to breaches in which confidential information is lost. The present study aims to ascertain why this discrepancy exists. To address the discrepancy, this study examines the different types of confidential data that may be compromised. It may become evident that the loss of Social Security numbers results in a greater negative financial impact for a firm than credit card numbers. As a result, the market may not be as irrational as previously expected and it may be able to differentiate between the magnitudes of potential losses to which firms may be exposed.

III. Theoretical Framework

According to the efficient market theory, the valuation of a firm in the market reflects all future cash flows. Both the direct and indirect costs associated with a hack can be derived from the changes in market valuations of a firm. The following model is heavily based on the framework developed by Campbell et al. (2003) and Cavusoglu et al. (2004) and also applied by Kannan et al. (2007).

Let $V_t$ denote the discounted value of all expected future cash flows at time period $t$. The term $f_t \mid n_t$ represents the net cash flow in period $t$, conditional on the available information in the market, $n$, at period $t$. The discount rate is established by $r_j^t$ at period $j$ and time $t$. The value of a firm is

$$V_t = E_t\left[\sum_{i=t} \frac{f_t \mid n_t}{\prod_{j=t}^{i}\left(1 + r_j^{t}\right)}\right]$$

where $E_t$ denotes the expectation at time $t$. The change in a firm’s market value between period $t$ and $(t+1)$ is

$$\Delta V = E_{t+1}\left[\sum_{i=t+1} \frac{f_{t+1} \mid n_{t+1}}{\prod_{j=t+1}^{i}\left(1 + r_j^{t+1}\right)}\right] - E_t\left[\sum_{i=t} \frac{f_t \mid n_t}{\prod_{j=t}^{i}\left(1 + r_j^{t}\right)}\right]$$

Though the definition of a period can be arbitrary, values for $t$ and $(t+1)$ can be chosen such that the period captures the hack information, so that $\Delta V$ accounts for the change in value because of the breach announcement. During the period, both firm and market-specific forces impact the firm’s value. Let $\Delta V_m$ represent the change in value due to market forces. Thus,

$$\Delta V_h = \Delta V - \Delta V_m$$

$\Delta V_h$ represents the change in value due to the hack. In this manner, the model is able to capture all of the costs associated with the hack, but unable to differentiate the specific direct and indirect costs.

IV. Data

The primary data set used for the present study comes from a database compiled at the DatalossDB organization by the Open Security Foundation. Members of the foundation as well as volunteers add data about information security breaches on a daily basis and provide primary and secondary sources for reference. DatalossDB gathers variables useful for this study including the name of the firm breached, breach date, country of the firm, type of information lost, and total units of data lost. DatalossDB compiles all incidents of lost information; however, for this study, the only breach type that will be assessed is a hack. The database provides a thorough list of breaches recorded, with the date of their announcement, by many different sources including government agencies and news outlets. The list of breaches is more up to date than samples used in prior research because it includes the most recent breaches.

After the sample is narrowed down to only hacks, all of the breached firms that are not publicly traded are removed from the sample. This includes government agencies, universities, non-profit organizations, and privately held companies. Of the publicly traded corporations, only those traded on U.S. exchanges are considered. In addition, the hacks that do not involve either the loss of credit card information or Social Security numbers are also discarded. Any breaches without sufficient historical data around the event are also removed from the sample. The remaining sample includes 34 incidents. Twenty-one of the 34 hacks resulted in the loss of credit card information and the other 13 involved hacked Social Security numbers. One of the incidents resulted in both credit card and Social Security data losses but it was included with the permanent losses because Social Security numbers are of more value. This sample is paired with financial data on securities returns.

Table 1. Sample of Firms with Hack Announcement Date, Type of Data Lost, Control Firm, and Market Capitalization

| Date | Name | Data Lost | Control Firm | Market Cap |
|---|---|---|---|---|
| 6/10/08 | 1st Source Bank - 1st Source Corp | CCN | Fifth Third Bancorp | 365.22 |
| 12/18/03 | Acxiom Inc. | CCN | Harte-Hanks, Inc. | 1380 |
| 3/31/08 | Advance Auto Parts Inc. | CCN | O'Reilly Automotive | 3870 |
| 5/27/09 | Aetna Inc. | SSN | CIGNA | 13140 |
| 4/20/07 | Albertsons - SuperVALU | CCN | Kroger | 3320 |
| 3/5/01 | Amazon | CCN | eBay | 55350 |
| 8/29/06 | AT&T | CCN | Verizon Communications | 155220 |
| 8/31/07 | AW Direct Inc. - W.W. Grainger | CCN | Applied Industrial Technologies | 7550 |
| 3/19/04 | BJ's Wholesale Club | CCN | Costco Wholesale | 2020 |
| 2/16/07 | Brunswick Corp. | SSN | Marine Products Corp | 1060 |
| 1/25/08 | Citibank | CCN | Bank of America | 96560 |
| 5/13/03 | Coca-Cola | SSN | PepsiCo | 122680 |
| 12/15/08 | DAP Products Inc. - RPM | SSN | PPG Industries | 2550 |
| 11/27/06 | Expedia | CCN | Priceline.com | 6700 |
| 5/19/06 | Frost Bank - Cullen/Frost Bankers | CCN | First Financial Bankshares | 3250 |
| 4/11/08 | Gerdau Ameristeel | SSN | Nucor | 3130 |
| 4/10/09 | Gexa Energy - FPL Holdings | SSN | Southern Company | 19580 |
| 1/20/09 | Heartland Payment Systems | CCN | Global Payments | 589.51 |
| 2/6/09 | Motorola | CCN | Nokia | 15590 |
| 3/4/09 | Neo/SCI Corporation - School Specialty | SSN | United Stationers Inc. | 406.95 |
| 6/11/07 | Pfizer | SSN | Merck | 143230 |
| 11/20/01 | Playboy | CCN | New Frontier Media | 108.17 |
| 4/15/05 | Polo Ralph Lauren | CCN | Guess Inc | 7970 |
| 9/15/08 | PSS World Medical Inc. | SSN | Owens & Minor | 1280 |
| 6/23/06 | Sallie Mae Inc - SLM | SSN | KeyCorp | 5310 |
| 12/12/05 | Sam's Club - Walmart | CCN | Target | 205370 |
| 12/10/08 | Starwood Hotels and Resorts Worldwide Inc. | CCN | Marriott | 7250 |
| 4/10/08 | Stryker Instruments - Stryker Corp | SSN | Zimmer Holdings | 21410 |
| 9/14/07 | TD Ameritrade | SSN | E*TRADE Financial | 10260 |
| 2/16/06 | The Princeton Review | SSN | ITT Educational Services | 131.54 |
| 1/17/07 | TJX Companies Inc. | CCN | Kohl's | 17490 |
| 2/14/06 | Valley National Bank - Valley National Bancorp | CCN | Hudson City Bancorp | 2210 |
| 7/17/07 | Western Union | CCN | MoneyGram International | 10980 |
| 12/22/08 | Wyndham Hotels | CCN | Intercontinental Hotels | 4240 |

To minimize the effects of confounding factors, the sample is screened for major announcements including special dividends, unexpected earnings, mergers and acquisitions, and stock splits. Moreover, firms that have significant announcements thirty days around the event are discarded from the sample.

The market data utilized to calculate abnormal returns is heavily influenced by the methodology used by Kannan et al. (2007). Similar to their assessment, abnormal returns are computed relative to both a market index and a separate control firm. The control firm is another comparable publicly traded firm that did not experience an information security breach around the event. The firm must be in the same industry, have similar geographical market or scope, and to some extent, must have comparable financials including market capitalization. The closest competitor for each firm in the same industry is derived from the Standard Industrial Classification (SIC) codes and the competitors listed in the Hoover’s Company Profiles Database. The competitor list is also screened for significant company announcements. By using both a market index and a specific control group, biases from breached firms present in the index and from breaches impacting the overall industry are minimized.

V. Empirical Specification

The methodology used to determine the abnormal returns of each hacking incident is similar to a number of other event studies examining market reactions to news announcements. Consistent with the literature, the first step is to estimate what the return of the firm would have been had the event not occurred. The estimation model

$$R_{i,t} = \alpha_i + \beta_i R_{p,t} + \varepsilon_{i,t}$$

determines expected return from a linear relationship between market return and the return of a stock. The return for stock $i$ on day $t$ is given by $R_{i,t}$; $\alpha_i$ and $\beta_i$ represent the intercept and slope parameters for firm $i$; and $\varepsilon_{i,t}$ is the disturbance term for stock $i$ on day $t$. The control group return, denoted by $R_{p,t}$, may be the return of the market, the return of a comparable firm, or an equally weighted combination of both.

With market data, a regression can be used to establish the intercept and slope parameters, $\alpha_i$ and $\beta_i$. In this study, the estimation window will be adapted from the paper by Kannan et al. (2007). As per their study, $\hat{\alpha}_i$ and $\hat{\beta}_i$ are calculated over a window that starts 50 days before the announcement and ends the day before. These parameters for firm $i$ can be used to predict the expected return. Therefore, the abnormal returns for firm $i$ on day $t$ are

$$AR_{i,t} = R_{i,t} - \left(\hat{\alpha}_i + \hat{\beta}_i R_{p,t}\right).$$

Abnormal returns represent deviations from the expected returns as a result of a specific event, in this case, the announcement of a hack. They are unbiased estimates of changes in the market value of a firm during the event window and are associated with investor reactions to the information announced. Announcements may reach investors through a number of different media outlets including, but not limited to, the Internet, television, and newspapers.

Each estimate of abnormal returns is established for a given day $t$. The sum of the abnormal returns, given by

$$CAR_i = \sum_{t=1}^{k} AR_{i,t}$$

can be used to determine the cumulative abnormal returns for windows starting from the day of the announcement to day $k$. The variance over each event window is as follows

$$\operatorname{var}(CAR_i) = \sum_{t=1}^{k} \operatorname{var}(AR_{i,t})$$

Cumulative abnormal returns for firms $i$ for a given event window $k$ can be aggregated as follows, where $N$ denotes the number of events

$$\overline{CAR} = \frac{1}{N} \sum_{i=1}^{N} CAR_i$$

along with variance,

$$\operatorname{var}(\overline{CAR}) = \frac{1}{N^2} \sum_{i=1}^{N} \operatorname{var}(CAR_i).$$
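The estimation and aggregation steps above, written out as an added example that is not part of the thesis: it fits the market model over the 50-day estimation window, computes abnormal and cumulative abnormal returns for the 3-, 8- and 30-day windows, and aggregates across events. The return series are constructed rather than market data, all function names are hypothetical, and two choices are assumptions of this example: var(AR) is taken from the estimation-window residuals, and the one-tailed p-value uses a normal approximation to the t-test.

```python
"""Event-study sketch: market model, abnormal returns, CAR, aggregate test."""
import math
import random
from statistics import NormalDist, fmean

EST_DAYS = 50          # estimation window: the 50 trading days before the announcement
WINDOWS = (3, 8, 30)   # event windows, in days, counted from the announcement day


def fit_market_model(stock, bench):
    """OLS fit of R_it = alpha_i + beta_i * R_pt + eps_it.

    Returns (alpha_hat, beta_hat, residual variance with n - 2 degrees of freedom).
    """
    n = len(stock)
    if n != len(bench) or n < 3:
        raise ValueError("need two equal-length series of at least 3 returns")
    mean_s, mean_b = fmean(stock), fmean(bench)
    sxx = sum((b - mean_b) ** 2 for b in bench)
    if sxx == 0:
        raise ValueError("benchmark return is constant; beta is not identified")
    beta = sum((b - mean_b) * (s - mean_s) for s, b in zip(stock, bench)) / sxx
    alpha = mean_s - beta * mean_b
    ssr = sum((s - (alpha + beta * b)) ** 2 for s, b in zip(stock, bench))
    return alpha, beta, ssr / (n - 2)


def car_for_event(stock, bench, k, est_days=EST_DAYS):
    """Return (CAR_i, var(CAR_i)) for one announcement and a k-day window.

    Both series are in time order: the first est_days returns are the
    estimation window, the next k are event days t = 1..k.
    Assumption of this example: var(AR_it) is the estimation-window residual
    variance, so var(CAR_i) = k * s^2.
    """
    if min(len(stock), len(bench)) < est_days + k:
        raise ValueError("not enough return history around the event")
    alpha, beta, s2 = fit_market_model(stock[:est_days], bench[:est_days])
    window = zip(stock[est_days:est_days + k], bench[est_days:est_days + k])
    abnormal = [s - (alpha + beta * b) for s, b in window]
    return sum(abnormal), k * s2


def aggregate(cars):
    """Mean CAR, var(mean CAR) = (1/N^2) * sum var(CAR_i), one-tailed p-value."""
    n = len(cars)
    mean_car = sum(c for c, _ in cars) / n
    var_mean = sum(v for _, v in cars) / n ** 2
    if var_mean == 0:
        raise ValueError("zero variance; test statistic is undefined")
    # Assumption: normal approximation to the one-tailed t-test, H1: mean CAR < 0.
    p_value = NormalDist().cdf(mean_car / math.sqrt(var_mean))
    return mean_car, var_mean, p_value


def constructed_sample(n_firms=34, shock=-0.02, seed=7):
    """Constructed daily returns (not market data) for n_firms announcements."""
    rng = random.Random(seed)
    days = EST_DAYS + max(WINDOWS)
    events = []
    for _ in range(n_firms):
        market = [rng.gauss(0.0003, 0.010) for _ in range(days)]
        control = [0.9 * m + rng.gauss(0, 0.012) for m in market]
        stock = [0.0002 + 1.1 * m + rng.gauss(0, 0.015) for m in market]
        stock[EST_DAYS] += shock  # reaction on the announcement day only
        events.append((stock, market, control))
    return events


def run_study(events, benchmark="market"):
    """Map each event window k to (mean CAR, p-value) for the chosen R_p."""
    results = {}
    for k in WINDOWS:
        cars = []
        for stock, market, control in events:
            if benchmark == "market":
                bench = market
            elif benchmark == "control":
                bench = control
            else:  # equally weighted combination of both
                bench = [(m + c) / 2 for m, c in zip(market, control)]
            cars.append(car_for_event(stock, bench, k))
        mean_car, _, p_value = aggregate(cars)
        results[k] = (mean_car, p_value)
    return results


if __name__ == "__main__":
    sample = constructed_sample()
    for name in ("market", "control", "blend"):
        for k, (mean_car, p_value) in run_study(sample, name).items():
            print(f"{name:8s}{k:3d}-day  mean CAR {100 * mean_car:7.3f}%  p = {p_value:.4f}")
```

Because var(CAR_i) grows with k under this example's variance assumption, the same announcement-day shock is harder to distinguish from noise in the 30-day window than in the 3-day window.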

The following hypotheses will be tested comparing the cumulative abnormal returns:

1. Firms that experience a public announcement of a hack, in which permanent information is lost, exhibit greater negative abnormal returns than those where temporary information is lost, over a short-term time horizon.

2. Firms that experience a public announcement of a hack, in which permanent information is lost, exhibit greater negative abnormal returns than those where temporary information is lost, over a long-term time horizon.

3. The magnitude of negative abnormal returns is greater for smaller firms that experience a public announcement of a hack, in which information is lost, than for larger firms.

VI. Results

To examine the overall effects of hack announcements on the valuation of firms, the cumulative abnormal returns (“CARs”) were calculated over 3-, 8-, and 30-day event windows. To control for market-wide and industry-wide shocks, the CARs calculated are in relation to both the S&P 500 market index and a comparable firm. The CAR of the control firm in relation to the S&P 500 was also calculated. This final CAR should give some indication of the significance of random market noise on the CARs.

A hack announcement is expected to produce a negative financial impact on the firm. However, a broad overview of hack announcements does not provide substantial information about the changes in valuations of the firms. Assessing the short-term event window (i.e., 3-day window), none of the values is significant, nor are they consistently positive or negative. All CARs that are two standard deviations from the mean are considered outliers; the CARs of Heartland Payment Systems and Amazon.com are well over three standard deviations from the mean.³ Moreover, the 8-day event window shows significant negative abnormal returns when the two extreme outliers, Heartland Payment Systems and Amazon.com, are removed from the sample. However, this finding only holds true in relation to the control firm, which also exhibits significant abnormal returns in relation to the S&P 500. The presence of both significant values calls into question the causal relationship between the hack announcement and the negative abnormal returns. An industry-wide shock could have caused negative returns in both the hacked firm and control firm. It is also important to note that none of the CARs is significant again in the 30-day window. Based on the insignificance of the CARs, the hypotheses that firms that experience a hack exhibit negative abnormal returns in both the short and long term are rejected. The results from this test imply that either hack announcements have little impact on the outlook of a firm’s future performance or that there are external factors that differentiate the events.

³ It is likely that there are singular firm-specific events that are driving the returns and may be confounded with the effects of the hack if kept in the sample. The firm-specific events are not identified but are not any of the screened major announcements.

Table 2. Overall Cumulative Abnormal Returns (%) as a Result of Hack Announcements.

| Sample | Benchmark | 3-Day Event Window | 8-Day Event Window | 30-Day Event Window |
|---|---|---|---|---|
| All Data (N=34) | Relative to S&P500 | 0.6028 (.2281) | 0.0838 (.4815) | 2.3167 (.2794) |
| All Data (N=34) | Relative to Control Firm | -0.196 (.3534) | -1.6836 (.1334) | 1.3359 (.2810) |
| All Data (N=34) | Control Firm Relative to S&P500 | -0.3854 (.2290) | **-2.2797 (.0715)** | -0.6376 (.3907) |
| Excluding Outliers (N=32) | Relative to S&P500 | 0.6380 (.1223) | 0.7242 (.1533) | 2.3810 (.1064) |
| Excluding Outliers (N=32) | Relative to Control Firm | -0.4114 (.2066) | **-2.0633 (.0951)** | -0.0343 (.4924) |
| Excluding Outliers (N=32) | Control Firm Relative to S&P500 | -0.3016 (.2904) | **-2.4555 (.0687)** | -0.8462 (.3642) |

In parentheses are p-values of a one-tailed t-test as a percentage. Note: Outliers include Heartland Payment Systems and Amazon.com. Results significant at the 10% confidence level are highlighted in bold.

The type of information exposed or lost in a hack may play a role in the market’s reaction to the event. The sample includes 21 firms that lost credit card numbers and 13 that lost Social Security numbers. A loss of Social Security numbers is expected to generate more significant negative abnormal returns because it is a more severe loss to firms and clients than the loss of credit card numbers. Examining the entire sample set, the group of firms that lost Social Security numbers in a hack experienced significant negative returns relative to the S&P 500 over an 8-day event window. However, this result did not hold against a control firm nor did it hold over 3- or 30-day windows. Removing again the extreme outliers (i.e., Heartland Payment Systems and Amazon.com, both of which experienced losses of credit card numbers) changes the significance of some of the values. Surprisingly, the set of firms that experienced credit card number losses yielded positive, significant abnormal returns over 8- and 30-day windows. In comparison to the control firm, the sample experienced significant negative returns over the 8-day window only. The Social Security sample also presented negative and significant abnormal returns over the 8-day window, but only in relation to the market. Due to the lack of consistency, the results do not support the hypotheses that firms that experience a public announcement of a hack, in which permanent information is lost, exhibit greater negative abnormal returns than those where temporary information is lost, over both a short- and long-term time horizon. It is important to note that when the original sample set is broken down into Social Security and credit card losses, the subsequent sample sizes are both less than 30.

Table 3. Cumulative Abnormal Returns (%) and Type of Data Lost.

| Sample | Benchmark | Data Lost | 3-Day Event Window | 8-Day Event Window | 30-Day Event Window |
|---|---|---|---|---|---|
| All Data | Relative to S&P500 | CCN (N=21) | 0.6611 (.2957) | 0.7735 (.3957) | 3.5166 (.2895) |
| All Data | Relative to S&P500 | SSN (N=13) | 0.5088 (.2688) | **-1.0303 (.0794)** | 0.3782 (.4374) |
| All Data | Relative to Control Firm | CCN (N=21) | -0.1807 (.4090) | -2.8712 (.1147) | 3.4442 (.1556) |
| All Data | Relative to Control Firm | SSN (N=13) | -0.2206 (.3469) | 0.2349 (.4112) | -2.070 (.2123) |
| All Data | Control Firm Relative to S&P500 | CCN (N=21) | -0.5952 (.1903) | **-3.4663 (.0696)** | -0.0697 (.4891) |
| All Data | Control Firm Relative to S&P500 | SSN (N=13) | -0.0464 (.4782) | -0.3629 (.4106) | -1.5548 (.3680) |
| Excluding Outliers | Relative to S&P500 | CCN (N=19) | 0.7264 (.1691) | **1.9245 (.0349)** | **3.7513 (.0921)** |
| Excluding Outliers | Relative to S&P500 | SSN (N=13) | 0.5088 (.2688) | **-1.0303 (.0794)** | 0.3782 (.4374) |
| Excluding Outliers | Relative to Control Firm | CCN (N=19) | -0.5419 (.2419) | **-3.6358 (.0786)** | 1.3585 (.2950) |
| Excluding Outliers | Relative to Control Firm | SSN (N=13) | -0.2206 (.3469) | 0.2349 (.4112) | -2.070 (.2123) |
| Excluding Outliers | Control Firm Relative to S&P500 | CCN (N=19) | -0.4761 (.2602) | **-3.8873 (.0666)** | -0.3613 (.4891) |
| Excluding Outliers | Control Firm Relative to S&P500 | SSN (N=13) | -0.0464 (.4782) | -0.3629 (.4106) | -1.5548 (.3680) |

In parentheses are p-values of a one-tailed t-test as a percentage. Note: Outliers include Heartland Payment Systems (CCN) and Amazon.com (CCN). Results significant at the 10% confidence level are highlighted in bold. CCN = Credit Card Number. SSN = Social Security Number.

To examine the impact of hack announcements on firms of different sizes, the sample was broken down into two groups of firms, those with market capitalizations larger than $5 billion and those below. Again the subsequent samples have fewer than 30 events. Within this dissection of all the data, none of the CARs of the hacked firms is significant or consistently negative. Without the extreme outliers, the small firms exhibit positive significant abnormal returns relative to the market over all three windows. The results are the opposite of what was expected and could largely be due to the size of the sample. These results also do not provide enough evidence to support the hypothesis that the magnitude of negative abnormal returns is greater for smaller firms that experience a public announcement of a hack, in which information is lost, than for larger firms.

Page 21: The Effect of IT Hack Announcements on the Market Value of

Patel | 20

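Table 4. Cumulative Abnormal Returns (%) and Firm Size.

| Sample | Benchmark | Firm size | 3-Day Event Window | 8-Day Event Window | 30-Day Event Window |
|---|---|---|---|---|---|
| All Data | Relative to S&P500 | Large Firms (N=18) | 0.9399 (.1972) | 1.5755 (.1931) | 4.7489 (.1834) |
| All Data | Relative to S&P500 | Small Firms (N=16) | 0.2237 (.4287) | -1.5942 (.3160) | -0.4196 (.4732) |
| All Data | Relative to Control Firm | Large Firms (N=18) | 0.2357 (.3506) | -0.5409 (.3125) | 0.6029 (.4376) |
| All Data | Relative to Control Firm | Small Firms (N=16) | -0.6815 (.2221) | -2.9691 (.1647) | 2.1604 (.1959) |
| All Data | Control Firm Relative to S&P500 | Large Firms (N=18) | -0.2611 (.3156) | -1.4598 (.1187) | **-3.8109 (.0916)** |
| All Data | Control Firm Relative to S&P500 | Small Firms (N=16) | -0.5252 (.2903) | -3.2021 (.1497) | 2.9324 (.2150) |
| Excluding Outliers | Relative to S&P500 | Large Firms (N=17) | 0.1308 (.4320) | 0.0282 (.4879) | 0.0678 (.4879) |
| Excluding Outliers | Relative to S&P500 | Small Firms (N=15) | **1.2129 (.0684)** | **1.513 (.0880)** | **5.0026 (.0617)** |
| Excluding Outliers | Relative to Control Firm | Large Firms (N=17) | -0.1695 (.3629) | -1.156 (.1207) | -2.420 (.1652) |
| Excluding Outliers | Relative to Control Firm | Small Firms (N=15) | -0.6855 (.2359) | -3.0917 (.1712) | 2.6695 (.1576) |
| Excluding Outliers | Control Firm Relative to S&P500 | Large Firms (N=17) | -0.2317 (.3438) | -1.6271 (.1060) | **-4.3878 (.0715)** |
| Excluding Outliers | Control Firm Relative to S&P500 | Small Firms (N=15) | -0.3807 (.3520) | -3.3943 (.1518) | 3.1677 (.2126) |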

In parentheses are p-values of a one-tailed t-test as a percentage. Note: Outliers include Heartland Payment Systems (Small) and Amazon.com (Large). Results significant at the 10% confidence level are highlighted in bold. Large Firm is defined by a market capitalization greater than $5 billion.
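The size split and one-tailed test behind a table like Table 4, as an added example that is not code from the paper. It assumes market-adjusted abnormal returns (firm return minus benchmark return), uses constructed events rather than the study's data, and tests the directional hypothesis that mean CAR is negative.

```python
import math
from statistics import mean, stdev

LARGE_CAP = 5e9  # Table 4 split: market capitalization greater than $5 billion

# Constructed events: market cap (USD) and daily % returns over a 3-day window
# for the breached firm and the benchmark index. Not data from the study.
EVENTS = [
    (40e9,  [0.5, -1.0, 0.2],  [0.1, 0.2, -0.1]),
    (12e9,  [1.0, 0.5, 0.0],   [0.2, 0.1, 0.2]),
    (7e9,   [-0.3, 0.1, 0.4],  [0.0, 0.3, 0.1]),
    (2e9,   [-2.0, -1.0, 0.5], [0.0, 0.5, 0.0]),
    (0.8e9, [-1.0, -0.5, 0.0], [0.5, 0.0, 0.0]),
    (3e9,   [-0.5, -1.5, 0.5], [0.5, 0.0, 0.0]),
    (4.9e9, [-0.5, -0.5, 0.0], [0.0, 0.0, 0.0]),
]

def car(firm, bench):
    """Cumulative abnormal return (%): summed daily firm-minus-benchmark return
    (assumed market-adjusted model)."""
    return sum(f - b for f, b in zip(firm, bench))

def t_upper_tail(t, df, steps=4000):
    """P(T > t) for Student's t, via Simpson integration of the density on [0, |t|]."""
    c = math.gamma((df + 1) / 2) / (math.sqrt(df * math.pi) * math.gamma(df / 2))
    pdf = lambda x: c * (1 + x * x / df) ** (-(df + 1) / 2)
    a, h = abs(t), abs(t) / steps
    area = pdf(0) + pdf(a) + sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, steps))
    tail = 0.5 - area * h / 3
    return tail if t >= 0 else 1 - tail

def negative_car_test(cars):
    """One-tailed t-test of H1: mean CAR < 0. Returns (n, mean, t, p)."""
    n = len(cars)
    t = mean(cars) / (stdev(cars) / math.sqrt(n))
    return n, mean(cars), t, t_upper_tail(-t, n - 1)  # P(T < t) = P(T > -t)

def by_size(events):
    """Split event CARs into large and small firms and test each group."""
    groups = {"large": [], "small": []}
    for cap, firm, bench in events:
        groups["large" if cap > LARGE_CAP else "small"].append(car(firm, bench))
    return {name: negative_car_test(cars) for name, cars in groups.items()}

if __name__ == "__main__":
    for name, (n, m, t, p) in by_size(EVENTS).items():
        print(f"{name}: N={n} mean CAR={m:.4f}% t={t:.3f} one-tailed p={p:.4f}")
```

Under this directional test a group with a positive mean CAR yields a p-value above 0.5, so a positive CAR can only register as significant when the tail is taken in the direction of the observed sign.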

VII. Conclusion

The impact of a hack announcement on the market value of a firm has a number of practical applications for potential investors, clients and customers, and the firm itself. This study attempted to highlight the many direct and indirect costs associated with a negative shock, such as a hack, through a change in firm value. The direct costs in the short-term, including legal fees, IT repair costs, and credit monitoring fees for those affected, should not have had an impact on the firm’s value. However, the potential investor would probably be most concerned with the long-term costs, which include lost future business, consumer confidence, and negative reputation and trust effects. Previous literature has suggested that in some cases IT breaches yield negative financial performance, especially when confidential information is lost (Campbell et al., 2003). However, this conclusion was not supported by the analysis in this study. The results are not consistently significant across the different cross-sections, which may suggest a number of different possibilities.

1. The lost future business and consumer confidence, as well as the negative reputation and trust effects may not be as large as first expected. The market may assume that a firm will take proper action to address the IT security breach and this will be a one-time occurrence. In this case, a firm should not see any loss in profitability or value.

2. The market may not have a clear understanding of the costs associated with a security breach. Firms often have a difficult time pinning a dollar value to their losses during a security breach. It is not improbable to assume that the market also experiences the same difficulty estimating these losses.

3. Another possibility stems back to the market efficiency debate. If the market does not absorb the information about a security breach as readily as other announcements, it would be difficult to see significant abnormal returns.

A firm could also use the results of this type of research to budget IT security expenditures. Prior research suggests that breaches involving confidential information prompt the greatest losses in value (Campbell et al., 2003). However, in taking a deeper look at different types of confidential information, this study does not yield consistent results. This result, as I have discussed, is most likely due to the relatively small sample size. Future studies may also benefit from using an industry index as a benchmark measure in addition to the ones used in this study.

As hack incidence continues to grow, additional research in coming years will benefit from an ever-increasing sample size. In 2010 alone, we have seen multiple high-profile companies hacked, including web giant Google and software developer Adobe (Zetter, 2010). The effects of hacks may become clearer, and whether or not they have a negative impact on the market value of firms may be better understood in the future.

References

Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3), 431. Retrieved from http://proxy.lib.duke.edu:2164/login.aspx?direct=true&db=aph&AN=9972866&site=ehost-live&scope=site

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 69-104. Retrieved from http://proxy.lib.duke.edu:2164/login.aspx?direct=true&db=bth&AN=15362982&site=ehost-live&scope=site

CERT statistics. (2009). Retrieved October 7, 2009, from http://www.cert.org/stats/

Gaudin, S. (2007). Companies say security breach could destroy their business. Retrieved October 7, 2009, from http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199201085

Hovav, A., & D'Arcy, J. (2004). The impact of virus attack announcements on the market value of firms. Information Systems Security, 13(3), 32-40. Retrieved from http://proxy.lib.duke.edu:2164/login.aspx?direct=true&db=aph&AN=14071497&site=ehost-live&scope=site

Kannan, K., Rees, J., & Sridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12(1), 69-91.

Open Security Foundation. DatalossDB. Retrieved August, 2009, from http://www.datalossdb.org

Ponemon Institute. (2009). 2009 PCI DSS compliance survey.

Richardson, R. (2008). CSI computer crime and security survey.

Zetter, K. (2010). Google Hackers Targeted Source Code of More Than 30 Companies. Retrieved March 30, 2010, from http://www.wired.com/threatlevel/2010/01/google-hack-attack/#ixzz0lOrN1vNi