The impact of information security events to the stock market: A systematic literature review

Cyber terrorism cases and stock market valuation effects

Purpose

Cyber terrorism poses a serious technology risk to businesses and the economies they operate in. Cyber terrorism is a digital attack on computers, networks or digital information systems, carried out to coerce people or governments to further the social or political objectives of the attacker. Cyber terrorism is costly in terms of impaired operations and damaged assets. Cyber terrorism harms a firm’s reputation, thereby negatively affecting a firm’s stock market valuation. This poses grave worries to company management, financial analysts, creditors and investors. This study aims to evaluate the effect of cyber terrorism on the market value of publicly traded firms.

Design/methodology/approach

Financial information was obtained on business firms that were featured in news stories as targets of cyber terrorism. The firm’s stock price was recorded for 1, 3 and 7 days before and after the news article. Percentage changes in the firm’s stock price were compared to percentage changes in the Dow Jones Index to ascertain whether the firm’s stock price went up or down matching the market overall.

Findings

Results indicate that stock prices are significantly negatively affected by news of cyber terrorist attacks on companies. In all three time periods after the cyber terrorist attack, there was a significant negative decline in the stock value relative to the Dow Jones Index. Thus, the market valuation of the firm is damaged. As a result, the shareholders and institutions are financially damaged. Furthermore, exposed system vulnerability may lead to loss of business from consumers who have reduced confidence in the firm’s operations.

Practical implications

This paper examines the risks posed by cyber terrorism, including its impact on individual business firms, which in turn affect entire national economic systems. This makes clear the high value of cybersecurity in safeguarding computer systems. Taking steps to avoid being a victim of cyber terrorism is an important aspect of cybersecurity. Preventative steps are normally far less costly than rebuilding an information system after a cyber terrorist attack.

Originality/value

This study is original in examining the effect of cyber terrorism on the stock value of a company.

Data Breaches

Recent events have shown that online booking is vulnerable to hacking incidents such as data breaches. The primary purpose of this study is to investigate the effect of the risky decision-making factors on consumer post breach behavior. After a data breach, most of the companies offer monitoring services to restore customer trust and encourage them for future purchases. However, little research has been done to understand the impact of these monitoring services on consumer behavior. In this study, we examine whether monitoring services can mitigate the impact of risk perception on online booking. We utilized the Marriott data breach of November 2018 as the context. We manipulate data breach severity in our vignettes. The research model was tested using data gathered from 298 Mechanical Turk respondents. Our vignette-based survey design allowed us to incorporate situational details thought to be important in risky decision-making in a data breach context. We found strong support for our research model including the positive moderating effect of company suggested monitoring on online booking intention. The findings of this study could help firms in developing more influential post-breach monitoring services.

Limited usefulness of firm-provided cybersecurity information in institutional investors’ investment analysis

Purpose

The purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.

Design/methodology/approach

Investment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.

Findings

Not all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.

Practical implications

The results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.

Originality/value

To the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.

The impact of GDPR infringement fines on the market value of firms

Purpose

This paper aims to investigate the impact of the General Data Protection Regulation (GDPR) infringement fine announcements on the market value of mostly European publicly listed companies with a view to reinforcing the importance of data privacy compliance, thereby informing cyber security investment strategies for organisations.

Design/methodology/approach

Previous studies have shown (varying degrees of) evidence of a negative impact of data breach announcements on the share price of publicly listed companies. Following on from this research, further studies have been carried out in assessing the economic impact of the introduction of legislation in this area to encourage firms to invest in cyber security and protect the privacy of data subjects. Existing research has been predominantly US centric.

Findings

Using event study techniques, a data set of 25 GDPR fine announcement events was analysed, and statistically significant cumulative abnormal returns of around 1% on average up to three days after the event were identified. In almost all cases, this negative economic impact on market value far outweighed the monetary value of the fine itself, and relatively minor fines could result in major market valuation losses for companies, even those having large market capitalisations.

Originality/value

This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields (pointers to future research are given). Data protection authorities may also find this work of interest.

Comparative Analysis of Recurrent Neural Networks in Stock Price Prediction for Different Frequency Domains

Investors in the stock market have always been in search of novel and unique techniques so that they can successfully predict stock price movement and make a big profit. However, investors continue to look for improved and new techniques to beat the market instead of old and traditional ones. Therefore, researchers are continuously working to build novel techniques to supply the demand of investors. Different types of recurrent neural networks (RNN) are used in time series analyses, especially in stock price prediction. However, since not all stocks’ prices follow the same trend, a single model cannot be used to predict the movement of all types of stock’s price. Therefore, in this research we conducted a comparative analysis of three commonly used RNNs—simple RNN, Long Short Term Memory (LSTM), and Gated Recurrent Unit (GRU)—and analyzed their efficiency for stocks having different stock trends and various price ranges and for different time frequencies. We considered three companies’ datasets from 30 June 2000 to 21 July 2020. The stocks follow different trends of price movements, with price ranges of $30, $50, and $290 during this period. We also analyzed the performance for one-day, three-day, and five-day time intervals. We compared the performance of RNN, LSTM, and GRU in terms of R2 value, MAE, MAPE, and RMSE metrics. The results show that simple RNN is outperformed by LSTM and GRU because RNN is susceptible to vanishing gradient problems, while the other two models are not. Moreover, GRU produces lesser errors comparing to LSTM. It is also evident from the results that as the time intervals get smaller, the models produce lower errors and higher reliability.

After the disclosure: measuring the short-term and long-term impacts of data breach disclosures on the financial performance of organizations

Purpose

This study aims to evaluate changes to the financial performance of organizations in the 1–4 quarters following a data breach event. The study introduces two new variables, “intangible assets” and “extraordinary losses” to the discussion on the impact of data breaches on an organization’s financial performance. Intangible assets allow us to gauge the data breach’s impact on the organization’s brand reputation and intellectual capital reserves. Extraordinary losses allow us to gauge if organizations considered data breaches truly detrimental to their operations that they rose to the level of “extraordinary” and not an event that could be incorporated into its usual operating expenses.

Design/methodology/approach

This study uses a matched sample comparison analysis of 47 organizations to understand the short-term and long-term impacts of data breach events on an organization’s financial performance.

Findings

Data breach events have some negative impacts on the organization’s profitability more than likely leading to a depletion of the organization’s assets. However, organizations do not perform better or worse in the short-term or long-term due to a data breach event; the organizations can be considered financially sustainable in the 1–4 quarters following a data breach disclosure.

Originality/value

This study takes two approaches to theory development. The first approach extends the current literature on data breach events as negative, value declining events to the organization’s performance, which is referred to as the “traditional view.” The second view posits that a data breach event may be a catalyst for enhanced long-term organization performance; this is referred to as the organizational sustainability and resiliency view.

The financial impacts of information systems security breaches on publicly traded companies: reactions of different sectors

Purpose

Today, information systems and technology provides a wide set of tools for companies to increase the efficiency of their businesses. Although technology offers many benefits to businesses, it also brings risks as the information systems security breaches. Security breaches and their financial impact is a constant concern of the researchers and practitioners. This paper explores information systems breaches and their financial impacts on the publicly traded companies in different sectors.

Design/methodology/approach

After a comprehensive data collection process, data from 192 events are analyzed by employing Event Study Methodology and a comparison of the results between the four highly affected sectors (Consumer Goods, Technology, Financial and Communications) is presented. The abnormal returns on the prices of stocks after the events are calculated with the Market Model. Also, the results of the Market Adjusted Model and Mean Adjusted Model are presented to support the results.

Findings

While information systems security breaches have a significant negative impact on the Financials and the Technology sectors for all the event windows in the study ([−5, 0], [−5, 1], [−5, 5], and [−5, 10]), the significant negative impact is observed only on the [−5, 5] and [−5, 10] event windows for the Consumer Goods sector. No significant negative impact is observed in the Communications sector, in fact, the cumulative abnormal returns are positive for this sector.

Originality/value

The contribution of this paper to provide evidence about the financial impacts of the information systems breaches for businesses in different sectors. While there are studies that have previously focused on the information systems breaches and their financial impacts on businesses, to the best of our knowledge, this is the first study that compares this effect between the four highly impacted sectors. With a relatively larger sample size and broader event windows than the past studies in the literature, statistical evidence is provided to managers to justify their investments in information security and build preventive measures to secure the market value of their firms.

The effect of data breaches on company performance

Purpose

This paper aims to analyze the effect of data breaches – whose concerns and implications can be legal, social and economic – on companies’ overall performance.

Design/methodology/approach

Information on data breaches was collected from online compilations, and financial data on breached companies was collected from the Mergent Online database. The financial variables used were related to profitability, liquidity, solvency and company size to analyze the financial performance of the breached companies before and after the data breach event. Nonfinancial data, such as the type and the size of the breaches, was also collected. The data was analyzed using multiple regression.

Findings

The results confirm that nonmandatory information related to announcements of data breaches is a signal of companies’ overall performance, as measured by profitability ratios, return on assets and return on equity. The study does not confirm a relationship between data breaches and stock market reaction when measuring quarterly changes in share prices.

Research limitations/implications

The main limitation of the study relates to ratio and trend analyses. Such analyses are commonly used when researching accounting information. However, they do not directly reflect the companies’ conditions and realities, and they rely on companies’ released financial reports. Another limitation concerns the confounding factors. The major confounding factors around the data breaches’ dates were identified; however, this was not enough to assure that other factors were not affecting the companies’ financial performance. Because of the nature of such events, this study needs to be replicated to include specific information about the companies using case studies. Therefore, the authors recommend replicating the research to validate the article’s findings when each industry makes more announcements available.

Practical implications

To remediate the risks and losses associated with data breaches, companies may use their reserved funds.

Social implications

Company data breach announcements signal internal deficiencies. Therefore, the affected companies become liable to their employees, customers and investors.

Originality/value

The paper contributes to both theory and practice in the areas of accounting finance, and information management.

Evaluating the factors that influence cloud technology adoption-comparative case analysis of health and non-health sectors: A systematic review

Cloud technology has brought great benefits to the health industry, including enabling improvement in the quality of services. The objective of this review study is to investigate the reported factors affecting the adoption of cloud in the health sector by comparing studies in the health and non-health sectors. This article is a systematized review of studies conducted in 2018. From 541 articles, 47 final articles were selected and classified into two categories: health and non-health studies; conclusions were drawn from the two sectors by comparing their effective factors. Based on the results of this review, the factors were categorized as technological, organizational, environmental, and individual. The results of this review study could be a beneficial guide to the health empirical research on cloud adoption. Individual domains have not been examined in health sector studies. Since the process of adoption of new technologies in organizations is time-consuming, due to the lack of managerial knowledge about the efficient factors, recognition of these factors by decision-makers while planning for cloud adoption becomes of great importance. The findings of this review study aim to help health decision-makers by increasing their awareness of the cloud and of the factors that impact decisions at both the organizational and individual levels.