Abstract

When a company is hacked, market participants take notice. This has been observed consistently for at least a decade, mostly through calculating abnormal returns of individual corporate stocks after a company’s information security incident an-nouncement. Some researchers have found that information security incidents have had a decreasing effect on stock price over time. Their reports suggest that breach related stock price impacts have become increasingly shallow and short-lived. This has led some information security economists to suggest that market forces are not enough to incentivize sufficient cor-porate investment to information security. They argue that further regulation is necessary to remedy what seems like a rise in investor apathy toward corporate breaches. Other researchers, though, have cautioned that further examination is required and that other market metrics—beyond individual stock price movements—are available to better understand the effects of an information security incident. Sector-wide systematic risk is a measure of the sector’s exposure to exogenous shock. Here, this risk measurement is applied to measure the spillover effects of a corporate information security incident. I conduct 203 event studies between the years 2006 and 2016, calculating sector-wide systematic risk within American stock markets, to measure the spillover effects of data breaches within finance, healthcare, technology and services sectors. The novel application of a longitudinal analysis of variance between repeated event studies reveals that the sector-wide spillover of an incident is both significant and growing. This suggests that an increasingly compelling market incentive exists for sectors to police themselves. Also, further inquiry into common factors among outliers to these sector-wide trends may reveal best-practice strategies for information security risk management.

Creative Commons License

Creative Commons Attribution 4.0 License
This work is licensed under a Creative Commons Attribution 4.0 License.

Publication Date

12-1-2018

Comments

The final, published version can be found here: doi: 10.5281/zenodo.1485567

Document Type

Article

Department, Program, or Center

Department of Computing Security (GCCIS)

Campus

RIT – Main Campus

Share

COinS