Asia pacific journal of information systems

The Korea Society of Management Information Systems (한국경영정보학회)
권호 표지
DOI QR코드

DOI QR Code

Investigating the Impact of IT Security Investments on Competitor's Market Value: Evidence from Korea Stock Market

  • Received : 2020.01.10
  • Accepted : 2020.03.09
  • Published : 2020.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

If a firm announces an investment in IT security, how the market value of its competitors reacts to the announcement? We try to shed light on this question through an event study design. To test the relationship, we collected 143 announcements on cybersecurity investment and measured the subsequent impact on 533 competitors' abnormal returns, spanning from 2000 to 2019. Our estimation results present that, on average, the announcements have no observable impact on the market value of announcing firms and competitors as well, which is consistent with findings of a prior study. Interestingly, however, the impact becomes evident when we classify our samples by industries (Finance vs. non-Finance or ICT vs. non-ICT) and firm size (Big vs. Small). We interpret our empirical findings through the lenses of contagion effect and competition effect between announcing firms and their competitors. Key finding of our study is that, for financial service firms, the effect resulting from the announcement on cybersecurity investment transfers to competitors in the same direction (i.e., contagion effect).

Keywords

Acknowledgement

This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (NRF-2017S1A5A2A01025814).

References

  1. Anthony, J. H., Choi, W., and Grabski, S. (2006). Market reaction to e-commerce impairments evidenced by website outages. International Journal of Accounting Information Systems, 7(2), 60-78. https://doi.org/10.1016/j.accinf.2005.10.002
  2. Armitage, S. (1995). Event study methods and evidence on their performance. Journal of Economic Surveys, 9(1), 25-52. https://doi.org/10.1111/j.1467-6419.1995.tb00109.x
  3. Campbell, K., Gordon, L. A., Loeb, M. P., and Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3), 431-448. https://doi.org/10.3233/JCS-2003-11308
  4. Chai, S., Kim, M., and Rao, H. R. (2011). Firms' information security investment decisions: Stock market evidence of investors' behavior. Decision Support Systems, 50(4), 651-661. https://doi.org/10.1016/j.dss.2010.08.017
  5. Chatterjee, D., Pacini, C., and Sambamurthy, V. (2002). The shareholder-wealth and trading-volume effects of information-technology infrastructure investments. Journal of Management Information Systems, 19(2), 7-42. https://doi.org/10.1080/07421222.2002.11045723
  6. Dann, L. Y., and Mikkelson, W. H. (1984). Convertible debt issuance, capital structure change and financing-related information: Some new evidence. Journal of Financial Economics, 13(2), 157-186. https://doi.org/10.1016/0304-405X(84)90022-9
  7. Dehning, B., Richardson, V. J., and Zmud, R. W. (2003). The value relevance of announcements of transformational information technology investments. MIS Quarterly, 27(4), 637-656. https://doi.org/10.2307/30036551
  8. Dehning, B., Richardson, V. J., Urbaczewski, A., and Wells, J. D. (2004). Reexamining the value relevance of e-commerce initiatives. Journal of Management Information Systems, 21(1), 55-82. https://doi.org/10.1080/07421222.2004.11045788
  9. Dewan, S., and Ren, F. (2007). Risk and return of information technology initiatives: Evidence from electronic commerce announcements. Information Systems Research, 18(4), 370-394. https://doi.org/10.1287/isre.1070.0120
  10. Dos Santos, B. L., Peffers, K., and Mauer, D. C. (1993). The impact of information technology investment announcements on the market value of the firm. Information Systems Research, 4(1), 1-23. https://doi.org/10.1287/isre.4.1.1
  11. Dyckman, T., Philbrick, D., and Stephan, J. (1984). A comparison of event study methodologies using daily stock returns: A simulation approach. Journal of Accounting Research, 22, 1-30. https://doi.org/10.2307/2490855
  12. Elberse, A. (2007). The power of stars: Do star actors drive the success of movies? Journal of Marketing, 71(4), 102-120. https://doi.org/10.1509/jmkg.71.4.102
  13. Flannery, M. J. (1986). Asymmetric information and risky debt maturity choice. The Journal of Finance, 41(1), 19-37. https://doi.org/10.1111/j.1540-6261.1986.tb04489.x
  14. Garvey, P. R., Moynihan, R. A., and Servi, L. (2013). A macro method for measuring economic benefit returns on cybersecurity investments: The table top approach. Systems Engineering, 16(3), 313-328. https://doi.org/10.1002/sys.21236
  15. Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Zhou, L. (2014). Externalities and the magnitude of cyber security underinvestment by private sector firms: A modification of the Gordon-Loeb model. Journal of Information Security, 6(1), 24-30. https://doi.org/10.4236/jis.2015.61003
  16. Gordon, L., and Loeb, M. (2006). Budgeting process for information security expenditures. Communications of the ACM, 29, 121-126. https://doi.org/10.1145/1107458.1107465
  17. Hayes, D. C., Hunton, J. E., and Reck, J. L. (2000). Information systems outsourcing announcements: Investigating the impact on the market value of contract-granting firms. Journal of Information Systems, 14(2), 109-125. https://doi.org/10.2308/jis.2000.14.2.109
  18. Herjavec Group (2019). 2019 official annual cybercrime report.
  19. Hoo, K. S. (2001). Tangible ROI through secure software engineering. Security Business Quarterly.
  20. Im, K. S., Dow, K. E., and Grover, V. (2001). Research report: A reexamination of IT investment and the market value of the firm. Information Systems Research, 12(1), 103-117.
  21. Jeong, C. Y., Lee, S. Y. T., and Lim, J. H. (2019). Information security breaches and IT security investments: Impacts on competitors. Information & Management, 56(5), 681-695. https://doi.org/10.1016/j.im.2018.11.003
  22. Kannan, K., Rees, J., and Sridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12(1), 69-91. https://doi.org/10.2753/JEC1086-4415120103
  23. Khallaf, A., and Skantz, T. R. (2007). The effects of information technology expertise on the market value of a firm. Journal of Information Systems, 21(1), 83-105. https://doi.org/10.2308/jis.2007.21.1.83
  24. Kim, S., and Lee, H. J. (2005). Cost-benefit analysis of security investments: Methodology and case study. International Conference on Computational Science and Its Applications Proceeding, Springer.
  25. Lang, L. H., and Stulz, R. (1992). Contagion and competitive intra-industry effects of bankruptcy announcements: An empirical analysis. Journal of Financial Economics, 32(1), 45-60. https://doi.org/10.1016/0304-405X(92)90024-R
  26. Laux, P., Starks, L. T., and Yoon, P. S. (1998). The relative importance of competition and contagion in intra-industry information transfers: An investigation of dividend announcements. Financial Management, 27(3), 5-16. https://doi.org/10.2307/3666270
  27. Malkiel, B. G., and Fama, E. F. (1970). Efficient capital markets: A review of theory and empirical work. The Journal of Finance, 25(2), 383-417. https://doi.org/10.1111/j.1540-6261.1970.tb00518.x
  28. Michael, F. (1996) Dividend changes, abnormal returns, and intra-industry firm valuations. The Journal of Financial and Quantitative Analysis, 31(2), 189-211. https://doi.org/10.2307/2331179
  29. Nagurney, A., and Shukla, S. (2017). Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability. European Journal of Operational Research, 260(2), 588-600. https://doi.org/10.1016/j.ejor.2016.12.034
  30. Oh, W., Gallivan, M. J., and Kim, J. W. (2006). The market's perception of the transactional risks of information technology outsourcing announcements. Journal of Management Information Systems, 22(4), 271-303. https://doi.org/10.2753/MIS0742-1222220410
  31. Peak, D. A., Windsor, J. C., and James, C. (2002). Risks and effects of IS/IT outsourcing: A securities market assessment. Journal of Information Technology Case and Application Research, 4(1), 6-33. https://doi.org/10.1080/15228053.2002.10855990
  32. Purser, S. A. (2004). Improving the ROI of the security management process. Computers & Security, 23(7), 542-546. https://doi.org/10.1016/j.cose.2004.09.004
  33. Roztocki, N., and Weistroffer, H. R. (2009). Event studies in information systems research: An updated review. In 15th Americas Conference on Information Systems.
  34. Shah, P., and Arora, P. (2014). M&A announcements and their effect on return to shareholders: An event study. Accounting and Finance Research, 3(2), 170-190.
  35. Son, I., Lee, D., Lee, J. N., and Chang, Y. B. (2014). Market perception on cloud computing initiatives in organizations: An extended resource-based view. Information & Management, 51(6), 653-669. https://doi.org/10.1016/j.im.2014.05.006
  36. Sood, A., and Tellis, G. J. (2009). Do innovations really pay off? Total stock market returns to innovation. Marketing Science, 28(3), 442-456. https://doi.org/10.1287/mksc.1080.0407
  37. Subramani, M., and Walden, E. (2001). The impact of e-commerce announcements on the market value of firms. Information Systems Research, 12(2), 135-154. https://doi.org/10.1287/isre.12.2.135.9698
  38. Tony, C. K. H., Wang, T., and Tsai, Y. T. (2016). Market reactions to big data implementation announcements. In Pacific Asia Conference On Information Systems (PACIS).