Shostack + Friends Blog Archive


More on Do Security Breaches Matter?

In responding to a question I asked yesterday, Ian Grigg writes:

In this case, I think the market is responding to the unknown. In other words, fear. It has long been observed that once a cost is understood, it becomes factored in, and I guess that’s what is happening with DDOS and defacements/viruses/worms. But large scale breaches of confidentiality are a new thing. Previously buried, they are now surfaced, and are new and scary to the market.

I like the idea that these are new and scary. Unfortunately, we can’t tell if this matches the data. In a 2004 paper, “Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers”, Cavusoglu argues that the market cap drop is 2.1% within 2 days. (Unfortunately no longer online, but mentioned in his paper in the Camp-Lewis book.) So if Campbell et al found a 5% drop, then is the market punishing companies more? Who did their research first? What was the time period studied? We can’t tell without both papers being available.

Otherwise I have a problem with a 5% drop in value. How is it that confidentiality is worth 5% of a company? If that were the case, companies like DigiCash and Freedom [Zero-Knowledge?] would have scored big time, but we know they didn’t. Confidentiality just isn’t worth that much, ITMO (in the market’s opinion).

I don’t agree with this analysis. I’ve argued elsewhere (Will People Ever Pay For Privacy?) that privacy is a hard product to sell. Confidentiality could be worth 5% of a company in a lawsuit, especially if the breach causes clear harm (as in the Amy Boyer case). I’m hard pressed to argue that the market’s response is accurate and generalizable, but I expect tort law will evolve rapidly here, and in the absence of certainty, the market will extract a risk premium.

3 comments on "More on Do Security Breaches Matter?"

  • Chris Walsh says:

    The Wayback Machine knows where the paper is.

  • Asteroid says:

    I think “How is it that confidentiality is worth 5% of a company?” and “Confidentiality could be worth 5% of a company in a lawsuit” both miss the point a bit. It seems to me the correlation between confidentiality and market value is indirect. What a 5% drop is really measuring is an impact to generic “reputation”. I don’t think many traders see a report of a confidentiality leak and think “hey, they could get sued for $X”. Traders couldn’t care less about someone else’s confidentiality. Instead, they think “hey, those guys don’t know what they are doing”. If this observation surprises them, the value goes down.
    Wall Street is all about confidence. And irrationality. The actual dollar cost of confidentiality leaks (or any other reputational stains) doesn’t particularly matter as far as market value goes. The visibility of the stain and the nature of the one stained do.

  • The market punishes bad news, not bad not-news

    Adam responded over on his blog to my claim that it was FUD that the market was shifting to, not the loss of confidentiality. So I’ll try and argue my case more. The market responds to news. It doesn’t respond…
