“Economics of IT Security Management”
1) The article questions the loss estimates obtained from the CSI/FBI security surveys, since they exclude some categories of costs associated with security breaches. It suggests that a cost estimate based on the loss in capital markets following a security breach may serve as a proxy for the true cost of security breaches.
a. What do you think about the quality of this cost estimate? Can you think of better ways to capture the true cost of security breaches?
Although I can see the benefit of utilizing capital market losses as a basis for estimating the true costs of a security breach, because it attempts to capture the intangible costs of a breach, ...
The more ways I have mulled over for offering a more accurate estimate of the true cost of security breaches, the more I come to the conclusion that all methods seeking to capture the most accurate reflection of that cost are going to suffer from the same problems: when trying to calculate intangible long-term costs, attribution biases and overlap cannot be completely eliminated. Yes, we could actually take into account the cost of lawsuits, increased insurance and loan rates, the loss of revenue between periods, and even the loss of key business partners, but at the end of the day it isn’t possible to eliminate all uncertainty as to the source of these losses.
Perhaps the one thing I would suggest is that a more accurate estimate of the costs of security breaches might take into account not only capital market changes but also a standard percentage increase for unreported events based on a company’s size, business model and quality of security infrastructure.
b. What factors can play an important role in determining the amount of reaction in capital markets as a result of a security breach?
Public perception of a company’s reaction to a breach, as well as of its ability to prevent future attacks, plays a significant role in the reaction of capital markets to any security breach.
A firm’s reaction to a breach includes such things as the speed with which the firm identifies the scope of, and potential damage caused by, an attack, the speed with which potential victims are notified, and the treatment of those potentially harmed by it. If a firm fails to identify the problem in a timely manner, it is likely to lose public confidence, and capital markets will reflect this; if communications are not timely and well crafted, customers may feel that the company lacks concern for their privacy, that they were ignored, or, worse, that the firm willfully hid a breach. Each of these will prompt capital markets to react negatively.
A company’s ability to deal with future attacks also plays a significant role in determining the market reaction to a breach. For example, a firm that is breached but has industry-“standard” security protocols in place, and moves quickly to upgrade its systems to account for an identified weakness, is likely to still suffer initial losses from the event but to recoup those losses in the near term, because it has addressed the key issue that drives consumer and investor action: uncertainty.
Additional factors that play a role in the reaction of capital markets to security breaches include the composition and size of the business. “Pure play” or Internet-only businesses tend to suffer greater market losses, regardless of their response in the aftermath, than conventional businesses. Given the interconnected nature of Internet businesses, and thus their greater exposure to risk than their traditional counterparts, this is understandable. Traditional businesses have the advantage of...