The effect of information security certification announcements on the market value of the firm

Information security management has increasingly been recognized as one of the major business challenges of the last decade. While security research has widely recognized that breaches are detrimental to business value, the other side of the equation has received little attention. The literature on the value impact of proactive financial investments into information security management infrastructure and policy is very limited. Unlike most information technology investments, reinforcements to information security management programs suggest a reduction of a firm’s risk of damages in future attacks rather than an improvement in a firm’s revenue generation. Furthermore, contemporary information security management represents a process-based shift in a firm’s operations. In light of the unique information security risks faced by modern firms, we posit several hypotheses related to the value created from information security management program investments. We then present an empirical examination of the effects of information security management program investments on shareholder value. We use a firm’s successful completion of the ISO 27001 certification requirements as evidence of its commitment to developing a robust information security management program. Based on 111 public announcements, we find that the associated abnormal stock market reaction is both positive and statistically significant. We further control for firms’ industries, sizes, and dates of certification, and we find that they all affect the mean abnormal returns observed. This study demonstrates the capacity for information security management program investments to generate value for firms and further offers guidance for practitioners seeking to maximize shareholder value.
