Shostack + Friends Blog Archive

 

Breaches and Brand Damage

Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:”

My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are like cockroaches, they rarely travel alone and seeing one guarantees there are more that can’t be seen. The question becomes: does the bad security mean bad security, or bad management?

I refer (again) to “Is There a Cost to Privacy Breaches? An Event Study,” by Alessandro Acquisti, Allan Friedman, and Rahul Telang. Nick, why are they wrong? Why aren’t TJX and CPS outliers?

I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly.

(Thanks to the several readers who sent in links.)

[Update: Don’t miss Allan’s informative reply in the comments.]

2 comments on "Breaches and Brand Damage"

  • After having banged my head on event studies for the past year and a half, I think the thing to remember is the number of things that drive stock price. It’s a noisy market out there, and long term trends are driven by a whole lot of things, many of them completely independent of primary news sources–a hedge fund isn’t going to unload because of a lost payroll backup tape. I really think we are pushing the limits of how small an event is detectable in stock price. Consider Iron Mountain, the data handler involved in the most unique events, according to my numbers. They behave irresponsibly and offer Rove-worthy denials, yet are still the market leader in an environment that is more and more demanding of document management services. So it is understandable that we get a little drop in a larger trend of growth. Also remember that a popular event study controls for time trends in evaluating the effect of news.
    The clearest example I’ve found of a short term drop is Merck in the Vioxx fallout: http://allan.friedmans.org/merck_after_vioxx.GIF
    The typical social science response to this is two-fold. First, throw lots more numbers at the regression so that smaller trends can be reliably measured. Second, be very clear what question your answer is measuring. We’ve tried to be very clear that we can detect a short term drop but that we cannot *measure* a long term drop. The noise of the data and the specifics of the tool remove confidence as we move past the initial event. Alessandro and I are trying to get the latest version of the paper with 2006 data into a draft to circulate, and we will be sure to share it with EC as soon as we can.
    A final note: if you are interested in doing price effect studies, it is critical to examine when the news actually might have reached the market. Theory says that any news is instantly endogenous, but we suspect a front-page effect in a multi-day news story. As an example, see the effect of TWX after AOL disclosed search history: http://allan.friedmans.org/aol_after_searchHist.GIF

  • Nick Owen says:

    I’m not saying that they are wrong. I’m saying there is more analysis to be done. All but one of the companies mentioned by Tim had reduced price/sales ratios. This indicates to me that they have to work harder to keep their stock price up. IMO, price/sales is fairly clean in that revenue is less obscured by accounting practice.
    I think it would also be interesting to compare how breached companies fared against their competition over the same period.
    Bottom-line: something that increases costs or cost of capital will decrease share value.
    I look forward to seeing your art project. 🙂
