Browse > Article
http://dx.doi.org/10.13089/JKIISC.2015.25.3.649

The relationship between security incidents and value of companies : Case of listed companies in Korea  

Hwang, Haesu (Sungkyunkwan University, Management of Technology)
Lee, Heesang (Sungkyunkwan University, Management of Technology)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.25, no.3, 2015 , pp. 649-664 More about this Journal
Abstract
Recently, the risk of security incidents has been increased due to change of IT environment and development of new hacking methods. Event study methodology that measures the effect of a specific security incident on the stock price is widely adopted to analyze the damage cost of security incidents on market value. However, analysis of company's temporary stock price change is limited to immediate practical implication, and reputation loss should be considered as a collateral damage caused by security incidents. We analyzed 52 security incidents of listed Korean companies in the last decade; by refining the criteria presented by Tobin's q, we quantitatively showed that the companies has significantly higher reputation loss due to security loss than the other companies. Our research findings can be used in order that the companies can efficiently allocate its resource and investment for information security.
Keywords
Security incidents; Event study; Reputation analysis; Tobin's q; Valuation;
Citations & Related Records
Times Cited By KSCI : 3  (Citation Analysis)
연도 인용수 순위
1 K. Kannan, J. Rees and S. Sridhar, "Market reactions to information security breach announcements: an empirical analysis," International Journal of Electronic Commerce, vol. 12, no. 1, pp. 69-91, Fall 2007.   DOI
2 A. Hovav and J. D'Arcy, "The impact of denial-of-service attack announcements on the market value of firms," Risk Management and Insurance Review, vol. 6, pp. 97-121. Oct. 2003.   DOI
3 A. Hovav and J. D'Arcy, "The impact of virus attack announcements on the market value of firms," Information System Security, vol. 13, no. 3, pp. 46-156. Dec. 2004.   DOI
4 A. Hovav and J. D'Arcy, "Capital market reaction to defective IT products: the Case of Computer Viruses," Computers & Security, vol. 24, pp. 409-424. Aug. 2005.   DOI
5 I. Bose and A.C.M. Leung, "The impact of adoption of identity theft countermeasures on firm value," Decision Support Systems, vol. 55, pp. 753-763, Jun. 2013.   DOI
6 S. Goel and H.A. Shawky, "Estimating the Market Impact of Security Breach Announcements on Firm Values," Information & Management, vol. 46, pp. 404-410, Oct. 2009.   DOI
7 M. Ko and C. Dorantes, "The impact of information security breaches on financial performance of the breached firms: an empirical investigation," Journal of Information Technology Management, vol. 17, pp. 3-29, Nov. 2006.
8 A. Grag, J. Curtis and H. Halper, "Quantifying the financial impact of IT security breaches," Information Management and Computer Security, vol. 11, pp. 74-83. 2003.   DOI
9 B. Jerlod and J.Stephen, "Using daily stock returns: the case of event studies," Journal of Financial Economics, vol. 14, pp. 3-31, Mar. 1985.   DOI
10 A.G. Kotulic and J.G. Clark, "Why there aren't more information security research studies," Information and Management, vol. 41, pp. 597-607, May 2004.   DOI   ScienceOn
11 J. Perry and P.De. Fontnouvelle, "Measuring reputational risk: the market reaction to operational loss announcements," Federal Reserve Bank of Boston, Oct. 2005.
12 Basel Committee on Banking Supervision, International convergence of capital measurement and capital standards. A Revised Framework. Comprehensive Version, Jun. 2006.
13 Basel Committee on Banking Supervision, Proposed enhancements to the Basel II rramework, Consultative Document, Jan. 2009.
14 F. Fiordelisi, M-G. Soana and P. Schwizer, "Reputational Losses and Operational Risk in Banking," The European Journal of Finance, vol. 20, pp. 1-20, Mar. 2011.
15 Y. Konchitchki and D.E. O'Leary, "Event study methodologies in information systems research," International Journal of Account Information Systems 12, pp. 99-115, Jan. 2011.   DOI
16 E.B. Lindenberg and S.A. Ross, "Tobin's q and industrial organization," The Journal of Business, vol. 54, no. 1, pp. 1-32, Jan. 1981.   DOI
17 A.S. Bharadwaj, S.G. Bharadwaj and B.R. Konsynski, "Information technology effects on firm performance as measured by Tobin's q," Management Science, vol. 45, no. 6, pp. 1008-1024, Jun. 1999.   DOI
18 Y.O. Kwon and B.D. Kim, "The effect of information security breach and security investment announcement on the market value of korean firms," Information System Review, 9(1), pp. 105-120, Apr. 2007.
19 The Economist Intelligence Unit, Sharing the blame how companies are collaborating on data security breaches, Jun. 2014.
20 Juniper Networks, Juniper networks third annual mobile threats report, Jun. 2013.
21 A. Hovav and J.Y. Han, "The impact of security breach announcements on the stock value of companies in south Korea," Korea Internet e-Commerce Association, vol. 13, pp. 43-67, Sep. 2013.
22 S.H. Jeong, J.S. Yoon, J.I. Lim and K.H. Lee, "Study on the effect of information security investment executive," Journal of The Korea Institute of Information Security & Cryptology, 24(6), pp. 1271-1284, Dec. 2014.   DOI
23 R. Gillet, G. Hubner and S.Plunus, "Operational risk and reputation in the financial industry," Journal of Banking and Finance, vol. 34, pp. 224-235, Jan. 2009.
24 G. Sinanaj and J. Muntermann, "Assessing corporate reputational damage of data breaches: an empirical analysis," Association for Information System BLED 2013 Proceedings Paper 29, Jun. 2013.
25 Ponemon Institute LLC, 2011 cost of data breach study, Traverse City, Mar. 2011.
26 S. Bond, A. Klemm, R. Newton-Smith, M. Syed and G. Vllieghe, "The roles of expected profitability, Tobin's q and cash flow in econometric models of company investment," Bank of England Working Paper, vol. 43, Jun. 2004.
27 H. Zafar, M. Ko and K. Osei-Bryson, "Does a CIO matter? Investigating the impact of IT security breaches on firm performance using Tobin's q," System Sciences, pp. 1-7, Jan. 2011.
28 D.Y. Jeong, K.B. Lee and T.H. Park, "A study on improving the electronic financial fraud prevention service: focusing on an analysis of electronic financial fraud cases in 2013," Journal of The Korea Institute of Information Security & Cryptology, 24(6), pp. 1243-1261, Dec. 2014.   DOI
29 E.F. Fama, L. Fisher, M.C. Jensen and R. Roll, "The adjustment of stock price to new information," International Economic Review, vol. 10, no. 1, pp. 1-21, Feb. 1969.   DOI
30 C.L. Choi, J.H. Yun and K.H. Lee, "A study on IT outsourcing policy based on operational risks of financial industries," Journal of The Korea Institute of Information Security & Cryptology, 24(4), pp. 681-694, Aug. 2014.   DOI
31 Korea Online Privacy Association, Social cost analysis of the personal information infringement and valuation, Nov. 2013.
32 K.H. Chung and S.W. Pruitt, "A simple approximation of Tobin's q," Financial Management, vol. 23, no. 3, pp. 70-74, 1994.   DOI
33 A. McWilliams and D. Siegel, "Event studies in management research: theoretical and empirical issues," Academy of Management Journal, vol. 40, no. 3, pp. 626-657, Jun. 1997.   DOI
34 P.W. Roberts and G.R. Dowling, "Corporate reputation and sustained superior financial performance," Strategic Management Journal, vol. 23, pp. 1077-1093, Sep. 2002.   DOI
35 J.B. McGuire, T. Schneeweis and B. Branch, "Perceptions of firm quality: a cause or result of firm performance," Journal of Management, vol. 16, no. 1, pp. 167-180, Mar. 1990.   DOI
36 W.G. Simpson and T. Kohers, "The link between corporate social and financial performance: evidence from the banking industry," Journal of Business Ethics, vol. 35, pp. 97-109, Jan. 2002.   DOI
37 R. Bojanc and B. Jerman-Blazic, "An economic modeling approach to information security risk management," International Journal of Information Management, vol. 28, pp. 413-422, Oct. 2008.   DOI
38 S.W. Chai, "Economic effects of personal information protection," Korea Consumer Agency, vol. 33, pp. 43-64, Apr. 2008.
39 D.B. Parker, "The strategic values of information security in business," Computers & Security, pp. 572-582, Jun. 1997.
40 L.A. Gordon and M.P.Loeb, "Economics of information security investment," ACM Transactions on Information and System Security, vol. 5, no. 4, pp. 438-457, Nov. 2002.   DOI
41 S.W. Nam and J.I. Lim, "An empirical study on the impact of security events to the stock price in the analysis method of enterprise security investment effect," Ph.D. Thesis, Korea University, Feb. 2006.
42 A. Bharadwaj, M. Keil and M. Mahring, "Effects of information technology failures on the market value of firms," Journal of Strategic Information Systems, vol. 18. pp. 66-79, Jun. 2009.   DOI
43 K. Campbell, L.A. Gordon, M.P Loeb and L. Zhou, "The economic cost of publicly announced information security breaches: empirical evidence from the stock market," Journal of Computer Security, vol. 11, pp. 431-448. Mar. 2003.   DOI
44 H. Cavusoglu, B. Mishra and S. Raghunathan, "The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers," International Journal of Electronic Commerce 9, pp. 69-104, Feb. 2002.