More on Do Security Breaches Matter?
In responding to a question I asked yesterday, Ian Grigg writes:
In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large scale breaches of confidentiality are a new thing. Previously buried, they are now surfaced, and are new and scary to the market.
I like the idea that these are new and scary. Unfortunately, we can't tell whether this matches the data. In a 2004 paper, "Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers", Cavusoglu argues that the market-cap drop is 2.1% within two days of the announcement. (Unfortunately no longer online, but mentioned in his paper in the Camp-Lewis book.) So if Campbell et al. found a 5% drop, is the market now punishing companies more? Who did their research first? What time periods did the two studies cover? We can't tell without both papers being available.
Otherwise I have a problem with a 5% drop in value. How is it that confidentiality is worth 5% of a company? If that were the case, companies like DigiCash and Freedom [Zero-Knowledge?] would have scored big time, but we know they didn't. Confidentiality just isn't worth that much, ITMO (in the market's opinion).
I don't agree with this analysis. I've argued elsewhere (Will People Ever Pay For Privacy?) that privacy is a hard product to sell, which is a different question from what a breach of it costs. Confidentiality could well be worth 5% of a company in a lawsuit, especially if the breach causes clear harm (as in the Amy Boyer case). I'm hard-pressed to argue that the market's response is accurate and generalizable, but I expect tort law to evolve rapidly here, and in the absence of certainty, the market will extract a risk premium.