Financial Impact of Information Security Breaches on Breached Firms and their Non-Breached Competitors

Financial Impact of Information Security Breaches on Breached Firms and their Non-Breached Competitors

Humayun Zafar (Kennesaw State University, USA), Myung Ko (The University of Texas at San Antonio, USA) and Kweku-Muata Osei-Bryson (Virginia Commonwealth University, USA)
Copyright: © 2012 |Pages: 17
DOI: 10.4018/irmj.2012010102
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

Information security breaches pose a growing threat to organizations and individuals, particularly those that are heavily involved in e-business/e-commerce. An information security breach can have wide-ranging impacts, including influencing the behaviors of competitors and vice versa within the context of a competitive marketplace. Therefore, there is a need for further exploration of implications of information security breaches beyond the focus of the breached firm. This study investigates the financial impact of publicly announced information security breaches on breached firms and their non-breached competitors. While controlling for size and the industry the firm operates in, the authors focus on specific types of information security breaches (Denial of Service, Website Defacement, Data Theft, and Data Corruption). Unlike previous studies that have used event study methodology, the authors investigate information transfer effects that result from information security breaches using the matched sampling method. The study reveals statistically significant evidence of the presence of intra-industry information transfer for some types of security breaches. The authors also found evidence of contagion effects, but no similar evidence concerning competition effect.
Article Preview

Introduction

Over the past decade, more and more organizations and individuals have been using the Internet to conduct business transactions. While this e-business/e-commerce trend has provided important benefits to both organizations and individuals, it has also offered increased opportunities for hackers to breach information systems. So it is not surprising that information security breach incidents have also risen sharply (Bagchi & Udo, 2003; Cavusoglu, Mishra, & Raghunathan, 2004; Claburn, 2009; Gatzlaff & McCullough, 2010; Hovav & D'Arcy, 2004; Khansa & Liginlal, 2011) For example, when malware compromised IT systems at Heartland Payment Systems in 2008, over 94 million credit card accounts were compromised (Claburn, 2009). It is estimated that about 85% of all U.S. companies have experienced one or more information security breaches (Riddell, 2011). Costs associated with information security breaches have also increased. The Ponemon Institute in its annual study in 2010 reported that the average cost of a data breach for a firm was $7.2 million, an increase of 7% from the year before (Ponemon Institute, 2010). The report also stated that lost business represented 63% of the total cost in the U.S. A study by McAfee also estimated that global economic losses due to information security breaches in 2008 amounted to over $1 trillion (Mills, 2009).

Given the potentially significant impact that an information security breach may have on individuals and organizations, several researchers have previously investigated implications of this phenomenon on organizational performance (Acquisti, Friedman, & Telang, 2006; Bass, 2000; Cavusoglu et al., 2004; Kim, Lacina, & Park, 2008; Straub & Nance, 1990; Whitworth & Zaic, 2003). For the most part, these studies have focused on the short-term impact of publically announced security breaches on the stock market value of the breached firm (Campbell, Gordon, Loeb, & Zhou, 2003; Ettredge & Richardson, 2003). Some studies have also focused on the medium term impact on the breached firm via accounting performance measures (Ko & Dorantes, 2006; Ko, Osei-Bryson, & Dorantes, 2009).

Events such as information security breaches in firms have a wide-ranging impact. For example, they can influence the behavior of competitors and vice versa within the context of a competitive marketplace. Therefore, there is a need for further exploration of implications of information security breaches beyond the focus of the breached firm. As observed by previous researchers (Kim et al., 2008; Aharony & Swary, 1983; Foster, 1981), information transfer exists between a firm making a public announcement regarding an event, and industry counterparts that are its close competitors. The subject of information transfer effect has been investigated at length in various fields including accounting, economics, and finance (Clinch & Sinclair, 1987; Kim et al., 2008; Szewczyk, 1992), but has been relatively unexplored in information systems (IS) research. Also, past research on the effects of information transfer has shown disparate results (Coroama & Röthenbacher, 2003; Helal, Giraldo, Kaddoura, Lee, El Zabadani, & Mann, 2003), thus suggesting the need for further research on this topic, particularly in regard to IS security.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 30: 4 Issues (2017)
Volume 29: 4 Issues (2016)
Volume 28: 4 Issues (2015)
Volume 27: 4 Issues (2014)
Volume 26: 4 Issues (2013)
Volume 25: 4 Issues (2012)
Volume 24: 4 Issues (2011)
Volume 23: 4 Issues (2010)
Volume 22: 4 Issues (2009)
Volume 21: 4 Issues (2008)
Volume 20: 4 Issues (2007)
Volume 19: 4 Issues (2006)
Volume 18: 4 Issues (2005)
Volume 17: 4 Issues (2004)
Volume 16: 4 Issues (2003)
Volume 15: 4 Issues (2002)
Volume 14: 4 Issues (2001)
Volume 13: 4 Issues (2000)
Volume 12: 4 Issues (1999)
Volume 11: 4 Issues (1998)
Volume 10: 4 Issues (1997)
Volume 9: 4 Issues (1996)
Volume 8: 4 Issues (1995)
Volume 7: 4 Issues (1994)
Volume 6: 4 Issues (1993)
Volume 5: 4 Issues (1992)
Volume 4: 4 Issues (1991)
Volume 3: 4 Issues (1990)
Volume 2: 4 Issues (1989)
Volume 1: 1 Issue (1988)
View Complete Journal Contents Listing