Thanks to a heads-up from Walt Williams, I'm mulling over a report by CompariTech indicating that the announcement of serious "breaches" by commercial organizations leads to a depression in their stock prices relative to the stock market.
I'm using "breach" in quotes because the study focuses on public disclosures by large US commercial corporations of significant incidents involving the unauthorized release of large quantities of personal data, credit card numbers etc. That's just one type of information security incident, or breach of security, and just one type of organization. There are many others.
The situation is clearly complex with a number of factors, some of which act in opposition (e.g. the publicity around a "breach" is still publicity!). There are several constraints and assumptions in the study (e.g. small samples) so personally I'm quite dubious about the conclusions ... but it adds some weight to the not unreasonable claim that "breaches" are generally bad for business. At the very least, it rejects the null hypothesis that "breaches" have no effect on business.
Personally, I'm intrigued to find that "breaches" do not have a more marked effect on stock price. The correlation seems surprisingly weak to me, suggesting that I am biased, over-estimating the importance of infosec - another not unreasonable assumption given that I am an infosec pro! It's the centre of my little world after all!
Aside from the fairly weak "breach" effect, I'd be fascinated to learn more about the approaches towards information risk, security, privacy, governance, incident management, risk & security strategy, compliance etc. that differentiate relatively strong from relatively weak performers on the stock market, using that as an indicator of business performance ... and indeed various other indicators such as turnover, profitability, market share, brand value etc. I'm particularly interested in leading indicators - the things that tend to precede relatively strong or weak performance.
On the flip side, I'd be interested to know whether 'good news' security disclosures/announcements (such as gaining ISO27k or other security certifications, or winning court cases over intellectual property) can be demonstrated to be good for business. Given my inherent personal bias and focus on infosec, I rather suspect the effect (if any) will be weaker than I expect ... but I'm working on it!