The Impact of Denial‐of‐Service Attack Announcements on the Market Value of Firms

The increase in security breaches in the last few years and the need to insure information assets have created intensified interest in information risk, both within organizations and among insurance companies. Risk assessment is an important component in the establishment of security policies. However, very little is known about the financial impact and the risk associated with security breaches. This article reports the impact of Denial-of-Service (DOS) attack announcements on the market over a period of 4.5 years. The study was conducted using event study methodology. The results show that, in general, the market does not penalize companies that experience such an attack. However, there is an indication that the market penalizes “Internet-specific” companies more than other companies. Our results indicate that large companies that are not “Internet-specific” might be overreacting to the media hype and may be investing resources to prevent a problem that has marginal impact on their shareholder value.
