The effect of information security breaches on publicly listed companies’ business performance : Research about the impact of distinct information security breach types on stock market value of publicly listed companies

The negative repercussions of cyber threats on business entities are substantial. However, the existing body of research on this topic presents contradictory or imprecise findings, impeding the establishment of a consensus on effective prevention or mitigation strategies. Compounding this issue is the lack of precision and standardization in measuring and categorizing information security breaches. This study aims to enhance our understanding of the direct and long-term impacts of information security breaches on business performance, specifically by utilizing a novel classification to measure differential impacts on the stock market value of publicly listed companies. To achieve this, the following research question is posed: What are the respective impacts of disruptive and exploitative information security breaches on the stock market value of publicly listed companies, and how do these impacts evolve over time? Drawing on prior research indicating the relevance of disruptive and exploitative characteristics in understanding the effects of information security breaches on victim companies, this study seeks to improve precision and standardization in breach measurement. To answer the research question, an extensive quantitative analysis is conducted using the Cyber Event Database from the University of Maryland and historical stock market data. The investigation focuses on identifying correlations between information security breaches and stock market responses. The findings reveal that information security breaches significantly harm business performance in the short- and long-term, particularly when breaches exhibit exploitative characteristics. Moreover, these adverse effects persist long after the occurrence of the breach. The outcomes of this research provide decision-makers with valuable insights to better comprehend, anticipate, and prepare for the persistent threats posed by information security breaches. Additionally, this study contributes to existing research by expanding upon previous works. Nevertheless, further research is warranted to gain a more comprehensive understanding of the intricate dynamics within cyberspace

The effect of cyberattacks on European financial institutions: an event study approach

openCyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain.Cyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions. Even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results by more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date. We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. We interestingly find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain

Business Model of a Botnet

Botnets continue to be an active threat against firms or companies and individuals worldwide. Previous research regarding botnets has unveiled information on how the system and their stakeholders operate, but an insight on the economic structure that supports these stakeholders is lacking. The objective of this research is to analyse the business model and determine the revenue stream of a botnet owner. We also study the botnet life-cycle and determine the costs associated with it on the basis of four case studies. We conclude that building a full scale cyber army from scratch is very expensive where as acquiring a previously developed botnet requires a little cost. We find that initial setup and monthly costs were minimal compared to total revenue.Comment: Proceedings of 2018, 26th Euromicro International conference on Parallel, Distributed, and Network-Based Processing (PDP

Ethical Issues in cybersecurity: employing red teams, responding to ransomware attacks and attempting botnet takedowns

The following four research questions are analysed in this thesis: What are the ethical issues that arise in cybersecurity in the business domain? Is it ethically appropriate for organisations to employ red teams to find security vulnerabilities? What is the ethically appropriate organisational response to a ransomware attack? Is it ethically appropriate for organisations to attempt a botnet takedown in response to a DDoS attack? The first research question is answered by way of a literature review which reveals that many ethical issues arise in cybersecurity in the business domain. The second, third and fourth research questions are analysed using a strategic method described by Robert A Phillips. This method, based on stakeholder theory and the political theory of John Rawls, provides a philosophical basis for stakeholder legitimacy and the prioritisation of stakeholders’ interests should conflict of interests amongst stakeholders arise. This method can be replicated by decision-makers to determine ethically appropriate courses of action to take

Measuring the changing cost of cybercrime

In 2012 we presented the first systematic study of the costs of cybercrime. In this paper, we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows, and with many services moving to the cloud. The use of social networks has become extremely widespread. The executive summary is that about half of all property crime, by volume and by value, is now online. We hypothe- sised in 2012 that this might be so; it is now established by multiple victimisation studies. Many cybercrime patterns appear to be fairly stable, but there are some interesting changes. Payment fraud, for example, has more than doubled in value but has fallen slightly as a proportion of payment value; the payment system has simply become bigger, and slightly more efficient. Several new cybercrimes are significant enough to mention, including business email compromise and crimes involving cryptocurrencies. The move to the cloud means that system misconfiguration may now be responsible for as many breaches as phishing. Some companies have suffered large losses as a side-effect of denial-of-service worms released by state actors, such as NotPetya; we have to take a view on whether they count as cybercrime. The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific crimes such as premium-rate phone scams have evolved some interesting variants. The over- all picture is the same as in 2012: traditional offences that are now technically ‘computer crimes’ such as tax and welfare fraud cost the typical citizen in the low hundreds of Eu- ros/dollars a year; payment frauds and similar offences, where the modus operandi has been completely changed by computers, cost in the tens; while the new computer crimes cost in the tens of cents. Defending against the platforms used to support the latter two types of crime cost citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012: it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. Given the growing realisation among policymakers that crime hasn’t been falling over the past decade, merely moving online, we might reasonably hope for better funded and coordinated law-enforcement action

Measuring the Changing Cost of Cybercrime

In 2012 we presented the first systematic study of the costs of cybercrime. In this paper, we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows, and with many services moving to the cloud. The use of social networks has become extremely widespread. The executive summary is that about half of all property crime, by volume and by value, is now online. We hypothesised in 2012 that this might be so; it is now established by multiple victimisation studies. Many cybercrime patterns appear to be fairly stable, but there are some interesting changes. Payment fraud, for example, has more than doubled in value but has fallen slightly as a proportion of payment value; the payment system has simply become bigger, and slightly more efficient. Several new cybercrimes are significant enough to mention, including business email compromise and crimes involving cryptocurrencies. The move to the cloud means that system misconfiguration may now be responsible for as many breaches as phishing. Some companies have suffered large losses as a side-effect of denial-of-service worms released by state actors, such as NotPetya; we have to take a view on whether they count as cybercrime. The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific crimes such as premium-rate phone scams have evolved some interesting variants. The overall picture is the same as in 2012: traditional offences that are now technically ‘computer crimes’ such as tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars a year; payment frauds and similar offences, where the modus operandi has been completely changed by computers, cost in the tens; while the new computer crimes cost in the tens of cents. Defending against the platforms used to support the latter two types of crime cost citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012: it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. Given the growing realisation among policymakers that crime hasn’t been falling over the past decade, merely moving online, we might reasonably hope for better funded and coordinated law-enforcement action