Classification of security breaches and their impact on the market value of firms

Transcription

1 Classification of security breaches and their impact on the market value of firms Anat Hovav Korea University Business School Seoul, Korea Francis K. Andoh-Baidoo State University of New York at Brockport Gurpreet Dhillion Virginia Commonwealth University Abstract While studies in other industries suggest that firm type, firm size, and time are important factors that explain the cross-sectional variations in abnormal stock market returns, studies in the area of IS security are inconclusive. In this study, we examine whether the characteristics of the incident Attacker type, attacker s objective, results of the attack, attack tools and access type - influence the abnormal stock market return. Our results indicate that not all attacks have the same effect on the market value of companies. The results also help us create taxonomy of attacks and identify the factors that the market views as detrimental to the organization. We found that certain attacker type, the result of the attack and objective of the attacker and the tools used for the attack have significant impact on the abnormal stock market returns while the type of access obtained have marginal effect on the market value of the firm. Keywords: Internet security breaches, event study, market value, attack characteristics Introduction The importance of Internet commerce to the success of businesses in the modern information age is unquestionable. Research has shown that information security is one of the critical issues that cannot be ignored for successful implementation of e-commerce solutions and operations (Torkzadeh and Dhillon, 2002; Chang, Torkzadeh, and Dhillon, 2004). Also in a 2000 Financial Times report, the director of the National Consumer Council was quoted as saying, Unless the total online shopping environment sites and payment mechanisms is made more secure, some consumers will never have confidence to explore the opportunities (Mackintosh, 2000, p2). Further, the 2006 CSI/FBI Survey on computer crime and security reports that the percent of organizations that reported computer intrusion to law enforcement agents has reversed its yearly decline from a 20% the previous year to an all-time high of 25% albeit organizations concern over the negative publicity for making such reports (Gordon, Loeb, Lucyshyn and Richardson, 2006). The reports also note economic and security risk management as of critical concern to organizations.

2 Pg 14-2 In this paper, we define Internet security in terms of preserving data confidentiality, integrity and authenticity. Hence a security breach occurs if the confidentiality, integrity and authentication of a firm s network or computers are compromised. Internet security breaches could lead to lower sales revenues, higher expenses, a decrease in future profits and dividends, and a reduction in the market values of companies which are compromised (Power, 2002; Gordon, Loeb, and Lucyshyn, 2003). Measuring the economic impact on Internet security breaches will help in risk management and information security planning. However, making information systems security investment decisions is very complex and difficult (Gordon and Loeb, 2002). Similar to the productivity paradox challenges identified in the information systems literature (Dewan and Kraemer, 1998), productivity paradox arguments have also been made in the information security domain. Dhillon (2004), for example identifies this as an information security investment paradox. While there has been an increased spending on information security measures, there has also been an exponential increase in the losses because of security breaches. Although information security researchers and practitioners recognize the seriousness of Internet security breaches, the relationship of the security incidents to the economic impact and valuation of the firm is not well understood. The market value of a firm corresponds to the confidence that investors have in that firm. Hence measuring the market value of a firm that has been compromised is one way of calculating the impact of Internet security breaches and augments other economic studies. Prior studies investigated the relationships between an announcement of a security breach and market value of a firm (e.g., Cavusoglu, Mishra, and Raghunathan, 2004; Hovav and D Arcy 2003, Hovav and D Arcy 2004). The results were inconclusive. These studies did not differentiate between the type of attackers, the objectives of the attack, the results of the attack, tools used to attack, and the access type. The goal of this study is to extend current knowledge by investigating the relationships between the above mentioned dimensions of an attack and the market value of the firm. Recently, Andoh-Baidoo and Osei-Bryson (2007) have considered these variables. Our study differs from that work in two ways: (1) we use traditional confirmatory approach rather than decision tree; and (2) our sample size is larger. The study uses an event study methodology. Such a methodology has been widely used to investigate the effect of unexpected IT related events (e.g., Dos Santos, Peffers, and Mauer 1993, Im, Dow, and Grover, 2001; Oh and Kim, 2001; Chatterjee, Pacini, and Sambamurthy, 2002; Dehning, Richardson, and Zmud, 2002). Literature Review Early studies in the area of IS security risk focused on the evaluation of financial damage caused by various types of security breaches. Ettredge et al. (2001) studied the spill-over effect of denial-of-service (DOS) attacks that occurred over a very short period - February The study found significant negative impact on the stock value of firms similar to the attacked companies. However, due to clustering effect, the significance of the results needs to be interpreted with caution. None of the subsequent studies were able to replicate the significance of the effect of the attacks on the market value of the attacked companies and the overall results are mixed. Hovav and D Arcy (2003) studied the impact of DOS attacks on the stock price of attacked companies and found little overall impact. However, the DOS attacks did have a larger

3 Pg 14-3 impact on Internet-centric companies than on other companies. Hovav and D Arcy (2004) studied the impact of computer virus announcements on the stock prices of attacked companies and found no significant effects. Other studies (Anthony et al., 2006; Cavusoglu et al., 2004) that examined the impact of various security breaches on the market value of firms found only a minor effect. This effect was mostly limited to e-commerce companies. Campbell et al. (2003) found that the market differentiates across types of breaches. Specifically, they found a higher negative market reaction for breaches involving confidential data relative to other types of breaches. Cavusoglu et al. (2004) studied the affect of the firm size and firm type on the market reaction to security attacks. Although prior research made some progress in classifying security attacks and their varied affect on firms market value, the mixed results of these studies suggest that more work in the area is necessary. We believe that the characteristics of the attack, the objectives of the attackers and the goal of the attack will influence the abnormal (negative) stock market return (Andoh-Baidoo and Osei-Bryson, 2007). For example, an attack that did not cause major financial damage is expected to have lower impact than an attack that reported a major financial damage. To effectively examine the above assertion, we use Howard s (1997) taxonomy of Internet security attacks and Internet security incidents. While Howard (1997) developed the taxonomy for computer and network attacks, he showed that it can also be used to classify Internet security incidents. In the current study, we employ Howard s taxonomy to investigate the moderating effect of the incident characteristics on the market value of the attacked companies. Specifically we examine the impact of the attacker type, attacker s objective, attack results, attack tools, and access type, on the abnormal (negative) stock market return. Howard s taxonomy appears in Appendix B 1. Hypothesis Development Based on the discussion above, we develop five hypotheses related to each of the five characteristics described in Howard (1997). Attacker Type In this paper we define attacker to mean an individual or group of individuals responsible for the Internet security incident. Howard (1997) identifies six categories of attackers. In our sample only three attacker types were identified. These are described briefly. In a particular announcement, the attacker left a note telling the attacked firm about how vulnerable its systems were. Howard (1997) refers to this group of attackers as hackers. What motivates hackers to attack is the desire to show their prowess and to raise their status in the community in which they operate. Professional criminals are individuals who operate on their own seeking financial gain from their activities. Vandals break into computer systems mainly to cause damage. Other kinds of attackers could use the vulnerabilities resulting from hackers activities to launch other attacks with more disastrous outcomes. However, if a firm responds quickly to the hackers activities, those vulnerabilities could be eliminated, preventing further attacks. While vandals cause damage, it may not be a financial damage. However, a response to a vandal could 1 Attackers, Objective, Results, Tools, and Access presented in Howard s Taxonomy are represented as Attacker type, Attacker s objective, Attack results, Attack tools, and Access type respectively in this paper.

4 Pg 14-4 be too when detected since damage could have been done already. Thus the Attacker type will influence the abnormal stock market return. Specifically we hypothesis that the negative abnormal returns from an attack by a professional criminal will be higher than the negative returns from the other type of attacks We therefore state the hypothesis that: H1 There are significant differences between the negative abnormal returns of attacks by hackers, vandals and professional criminals. Attacker s Objective Howard (1997) identified four types of objectives: challenge/status, damage, financial gain, and political gain. None of the announcements in the sample was classified with a political gain objective. An announcement where there is clear intention that the attacker intended to inform the breached firm or firms that provide computer systems, software, or network vulnerabilities is classified as having challenge/status objective. Here the attacker is challenging big IT firms while demonstrating their superior expertise to a community of hackers. An announcement where it is found that the attacker threatens to publish information or perform further damage if not compensated is classified as having financial gain as its objective. Attacks that cause damage without any negotiations are classified as damage for the attacker s objective variable. Clearly, an attack geared towards financial gain will have greater financial impact than an attack where the attacker challenges the firm s claim that its system is secured. Such an attack will receive more attention from investors and will therefore have different impacts on stock market return. Therefore, we hypothesis that: H2: There are significant differences between the negative abnormal returns of attacks depending on the objectives of the attackers. Attack Results Howard (1997) identifies four different results of attack: corruption of information, denial of service, theft of service, and disclosure of information. Prior studies found little impact of Denial of service attacks on the market value of firms (Hovav and d Arcy 2003). Companies can also avoid reporting the extent of damage resulting from attacks that corrupt their data. However, attacks that compromise or disclose private information often affects a large number of people and are likely to get much attention. Therefore, each of these results could have a different impact on the breached firms, investors will also react differently. Thus we develop the following hypothesis: H3: There are significant differences between the negative abnormal returns of attacks depending on the results of the attacks. Attack Tools Howard (1997) claims that the level of sophistication of the tools used to attack, continues to increase. The kinds of destruction and the level of access that the attacker can gain increase with the increased sophistication of tools employed. Two specific tools that were identified in our sample are: Scripts/Programs, and Autonomous agents. Scripts/Programs

5 Pg 14-5 involve attacks that resulted from defaults in software applications. Autonomous agents include viruses and worm attacks. It is likely that since more sophisticated tools can create more damage, their impact on investors reaction will be higher. Thus, the tool employed in the attack could impact the abnormal stock market return. We develop the hypothesis: H4: There are significant differences between the negative abnormal returns of attacks depending on the tools used for the attack. Access type Attacks can be internal or external. Internal attacks include disgruntled employees taking advantage of privileged access to corporate networks to perform unauthorized activities. Outsiders usually take advantage of vulnerabilities to gain unauthorized access to corporate networks. There are differing opinions (Howard, 1997) as to which type of access attackers use most. In spite of the different views, investors reactions could depend on which access type was employed by the attacker. Investors may consider unauthorized use as an error and unauthorized access as an organization s failure to prevent intruders from getting access to secured data or network systems leading to increase negative market returns. Firms can control the amount of information published regarding internal attacks. External attacks are more likely to get more publicity. In an asymmetric information environment, investors will be more concerned with one type of access to another. Thus we define our final hypothesis as: Methodology H5: There are significant differences between the negative abnormal returns of attacks depending on the type of access. Data Collection An event is defined as an announcement in one of the major newspapers about a security breach in a firm. Our sample included announcements for the period 1990 through Keywords for searching events include: virus names (love bug, sobig, and blaster worm); attacker type (hacker, vandal); result of attack (denial of service, theft of service), names of organizations reported in previous studies (Yahoo, ebay), or a term or combination of such terms as (information security breach, computer system security, Internet security incident, and breach). All events involving governmental, state, local and non-profit organizations were not considered. Only events involving publicly traded firms were included in this study. We recorded 310 events. However, we eliminated some events using the following criteria: (1) some of the events were reported more than once in single or different newspapers. In such cases, we kept only the first announcement; (2) only firms that were listed on New York Stock Exchange (NYSE), NASDAQ, or American Stock Exchange (AMEX) and had return data in the CRSP 2 2 CRSP is a financial research center at University of Chicago. It generates and maintains leading historical US databases for stock (NASDAQ, AMEX, and NYSE), indices, bond, and mutual fund securities used by leaders in the academic and corporate communities for financial, economic, and accounting research.

6 Pg 14-6 database were included for analysis; (3) for firms in the CRSP database, the returns data had to be available for 120 days before the event for the computation of stock market return; and (4) where there were confounding effects such as earning announcements, dividends or any major announcement during the event window involving the breached firm, the event was dropped. After eliminating events based on the above criteria, our sample size was 185. Statistical Analysis and Measures of Variables A three-day event period covering the day before the event through the day after the event was used in this study. One of the previous studies used the same event window (Cavusoglu et al., 2004). The rationale behind this length of period is that investors may have pre-announcement information about the security breach and may react before the market closes a day before the announcement. Alternatively, breach announcement might have been made after 4PM on day t, which means that the entire reaction will occur on day t+1. We used 120 days before the event to estimate the expected stock market return which is consistent with prior studies. We use the Market Model to define the return of a specific stock in the absence of the security breach as: R i, t = return of stock i on day t; R i, t= α i+ β ir m, t+ ε i, t R, is the return of the market portfolio on day t, m t α i, β i are the intercept and slope parameters respectively for firm i, and ε i, t is the disturbance term for stock i on day t. We define the abnormal return (prediction error) for firm i on day t of the event window as: AR = R α + β R ) ^ α and ^ ti i, t ( i i m, t β are the ordinary least square estimates of α and β which are parameters estimated using the market model over 120 day period starting from the day immediately preceding the first day of the event window, i.e. day (-2). The cumulative abnormal return for stock i over the event window ( D 1, Dd) is Dd CARi( D1, Dd) = ARi The cumulative abnormal return for n stocks over the event window is computed as n 1 CARR ( D 1, Dd ) = CARi ( D 1, Dd ) n i= 1 n is the number of events in the sample. Coding of the data Table 1 summarizes the five characteristics and their coded value. We have explained the differences among the different categories in previous section. Howard (1997) provides comprehensive definition of these categories. t= D1, t

7 Pg 14-7 Table 1. Categories of the five attack Characteristics presented in the sample Attacker Results Tools Access Objectives 0 Others [i.e. other categories or not known] 1 Unauthorized 2 3 Vandal Denial of Service Scripts/Programs Corruption of Autonomous Hacker Information Agents Disclosure of Professional Criminal Information Results and Analysis Use Unauthorized Access Damage Challenge/Status Financial Gain Table 2 describes the sum of the CAR for each group of attacks. Attacks with unknown or other characteristics were eliminated. Table 2. CAR for the five attack characteristics Attacker Results Tools Access Objective Given the categorical nature of the data we use ANOVA to examine the differences between the affect of each of the characteristics on the market reaction to the various attack types. Table 3 below summarizes the ANOVA results. Table 3.ANOVA results Variable Variability Sum of Df Mean F Sig. Squares Square Objective Between Groups Within Groups Total Attacker Between Groups Within Groups Total Access Between Groups Within Groups Total Results Between Groups Within Groups Total Tools Between Groups Within Groups Total

8 Pg 14-8 In addition to the above analysis we also ran partial ANOVA. These partial runs did not change the significance of the results. For additional details see Appendix A. Analysis The above results indicate that there is a difference in the market reaction based on the characteristics of the attack. The type of tool used by the attacker has a significant impact on the market reaction, thus supporting hypothesis 4. Specifically, attacks using scripts resulted in a negative market reaction while attacks using autonomous agents such as viruses and worms did not. These results support the findings in Hovav and d Arcy (2004). The type of access used by the attacker also has a significant affect on the market reaction thus supporting hypothesis 5. However, looking at the data, neither access type resulted in a negative abnormal return. Thus our conclusions regarding the affect of the access type on the market reaction are limited. The objective of the attacker had a significant impact on the market reaction thus supporting hypothesis 2 (α = 0.038). Specifically, attacks intended for financial gain (type = 3) resulted in significantly larger negative market reaction than attacks aimed at challenge or non-financial damage (types 1 and 2). The type of the attacker also had a significant impact on the market reaction thus supporting hypothesis 1 (α = 0.015). Specifically, attacks by professional criminals (type = 3) resulted in significantly higher negative market reaction than attacks by hackers or vandals (types 1 and 2). The most significant characteristic is the end result of the attack. The results of the attack had a significant impact on the market reaction thus supporting hypothesis 4 (α = 0.003). Specifically, disclosure of private information had a significantly larger impact on the market reaction (type = 3) while denial of service attacks and corruption of information had less affect on the market reaction. From a theoretical perspective, our study advances our understanding of the types of attacks, and the type of attackers that pose higher risks to firms. Our findings also have some implications for practitioners. Security managers need to decide where and how to allocate their security budget. Knowing that certain security breaches have larger impact on the value of a company, managers can allocate larger portion of their budgets to prevent the more damaging attacks. Conclusion We have presented our results on an event study that seeks to examine the impact of the announcement of information security breaches on breached firms. Most prior studies treat all events equally. Our study attempts to identify attack and attacker characteristics that affect investor reactions and differentiate between the various attacks. Our results suggest that the objective of the attack, the type of the attacker and the results of the attack have significant moderating effect on the market reaction. Specifically, attacks by professional criminals, attacks that aim to increase financial damage and attack that result in the disclosure of private information have significantly larger negative impact on the market than other attacks

9 Pg 14-9 References Andoh-Baidoo, F.K., and Osei-Bryson, K-M (2007) Exploring the Characteristics of Internet Security Breaches that impact the Market Value of Breached Firms, Expert Systems with Applications, 32, Campbell, K., Gordon, L. A., Loeb, M. P. and Zhou, L (2003) The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market, Journal of Computer Security, 11, 3, Chang, J.C., Torkzadeh, G, and Dhillon, G (2004) Re-examining the Measurement Models of Success for Internet Commerce, Information and Management, 41, 5, Cavusoglu, H., Mishra, B., and Raghunathan, S (2004) The effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, International Journal of Electronic, Commerce, 9, Chatterjee, D., Pacini, C., and Sambamurthy, V (2002) Shareholder Wealth Effects of IT Infrastructure Investments, Journal of Management Information Systems, 19, 2, Dehning, B., Richardson, V.J., and Zmud, R.W (2002) The Value Relevance of Information Technology Investment Announcements: Incorporating Industry Strategic IT Role, Proceedings of the 35 th Annual Hawaii International Conference on Systems Science, 216. Dewan, S., and Kraemer, K. L (1998) International Dimensions of the Productivity Paradox, Communications of the ACM, 41,8, Dhillon, G (2004) Guest Editorial: The Challenge of Managing Information Security, International Journal of Information Management, 24 (2) Dos Santos, B.L., K. Peffers, and Mauer, D.C (1993) The impact of information technology Investment announcements on the market value of the firm, Information Systems Research, 4, 1, Ettredge, M. and Richardson, V.J. (2001) Assessing the Risk in E-Commerce, in the Proceedings of the 22 nd International Conference on Information Systems, Gordon, L.A., Martin P. Loeb, M.P., Lucyshyn, W., and Richardson, R (2006) CSI/FBI Computer Crime and Security Survey. Gordon, L A., Loeb, M.P., and Lucyshyn, W (2003) Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, 19, 2, 1-7. Gordon, L. A. and Loeb, M.P (2002). Return on Information Security Investments: Myths vs. Reality, Strategic Finance, Howard, J (1997) An Analysis of Security Incidents on the Internet, PhD Thesis, Carnegie Mellon University. Hovav, A. and D Arcy, J (2003) The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms Risk Management and Insurance Review, 6, 2, Hovav, A. and D Arcy, J. (2004) The Impact of Virus Attack Announcements on the Financial Value of Firms, Information Systems Security Journal, 13, 3, Mackintosh, J. Barclay s gremlins raise big questions about Online Trust: Teething troubles at Internet Banks could have wider Repercussions, Financial Times, August 2, Oh, W. and Kim, J. (2001) The Effects of Firm Characteristics on Investor reaction to IT Investment Announcements, Proceedings of the International Conference on Information Systems, New Orleans, LA. Power, R (2002) CSI/FBI Computer Crime and Security Survey, Computer Security Issues and Trends, 8, 1, Richardson, V.J. and Zmud, R.W (2002) The Effects Accompanying Appointments of Outside Directors to the Boards of Internet Companies, Working Paper, University of Kansas. Torkzadeh, G., and Dhillon, G (2002) Measuring Factors that Influence the Success of Internet Commerce, Information Systems Research, 13, 2,

10 Pg Appendix A: Additional analysis

11 Pg Appendix B: Computer and Network Attack Taxonomy (Howard 1997) Attackers Tools Access Results Objective s Hackers User Implementation Unauthorized Corruption of Files Challenge, Command Vulnerability Access Information Status Spies Script Program or Design Vulnerability Unauthorized Use Processes Data in Transit Disclosure of Information Political Gain Terrorists Autonomo us Agent Configuration Vulnerability Theft of Financial Service Gain Corporate Raiders Professional Criminals Toolkit Denial-ofservice Damage Distributed Tool Vandals Data Tap