Stock price value: Using event study analysis on the effect of information security incidents to your advantage
Understanding which elements affect a company’s value is one of the main goals for the board of directors and senior management. By understanding these, they can make appropriate decisions to ensure a beneficial business for them and their shareholders. In recent times, the number of reported security incidents has radically increased, and the affected companies are being held more accountable than ever. Justification for investing in information security controls has proven to be a challenging task. Still, in an age where new legislation (for instance the General Data Protection Regulation in Europe), an ever-evolving threat landscape, and the general increased availability of information are demanding more transparency and commitment by companies to secure information, measuring the cost efficiency of an information security investment proves difficult. Since there is no clear scientific method for assessing the actual financial impact of a security event, different approaches are used to estimate the loss. The stock value of a company decides the monetary worth of a company. If a security event should lead to a decline in stock value, the company needs to evaluate whether investing in information security can affect this change. In this thesis I therefore explore the possibility that there is a correlation between the monetary worth of a company and a public disclosure of information security incidents. Using event study methodology, I investigate this by analysing the fluctuation of the stock price in a predefined time window around the announcement of the incident. In order to answer this hypothesis, I have analysed 57 security events occurring over the span of 13 years from 52 companies. The results show that announcing a breach can have an effect on the value of the company in certain situations.
In addition, I have elaborated on different ways for security professionals to use this research to communicate the need for investments in information security more efficiently to senior management.