63 research outputs found

    Data Breaches in Higher Education Institutions

    Analysis of the Impact of Data Breaches on the Market Value of Firms in the Period 2008 – 2012

    Over the past fifteen years, the number and severity of data breaches at firms handling confidential data of customers and other persons have been increasing. A number of studies have aimed to assess the impact of such incidents on the market value of the affected firms; however, all of them dealt with breaches before 2008. The aim of this paper is to present research in which an analysis of the impact of data breaches on market value was carried out on a sample of 27 firms affected by such an incident between 2008 and 2012

    Investigation of the Effect of e-Platform Information Security Breaches: A Small and Medium Enterprise Supply Chain Perspective

    Many small and medium enterprises (SMEs) engage in dyadic information integration partnerships or partial integration with their direct suppliers and customers. They often utilise e-commerce or cloud computing technology platforms hosted by third-party providers to leverage such partnerships. However, information security breaches and disruptions caused by cyber-attacks are commonplace in the IT industry. The effects of said disruptions and breaches on e-commerce businesses under varied disruption conditions are still uncertain. Furthermore, the effect of security breaches on non-participating members of the supply chain is poorly understood, especially under various disruption profiles. Using discrete event modelling, this study explores the impact of disruption caused by information security breaches on supply chain performance and the externality effect of partial integration on non-participants. We also examine the impact of breach disruption frequency and remediation length on supply chain performance with varying levels of information sharing. These impacts were studied under two typical inventory replenishment policies for SMEs. It was determined that remediation length should be a prioritised factor in impact management and that flexibility in the inventory replenishment policy can help mitigate the impact of information disruption on the inventory performance of businesses, especially that of non-participants, in information-sharing partnerships

    News Media Sentiment of Data Breaches

    UNDERSTANDING THE COST ASSOCIATED WITH DATA SECURITY BREACHES

    To estimate the cost of a data breach to the inflicted firm, this study examines the relationship between a breach incident and changes in the inflicted firm’s profitability, perceived risk, and the inflicted firms’ information environment transparency. Profitability is measured as reported earnings and analysts’ earnings forecasts. Perceived risk is measured as reported stock return volatility and dispersion among analysts’ forecasts. Although a number of studies have investigated the stock market reaction surrounding the disclosure of a breach incident to quantify the cost associated with breaches, we argue that there exists information uncertainty and deficiency in the disclosure of the breach incident and stock market reaction surrounding a security breach announcement date may not be the best measure for the cost of security breaches. And research using other complementary measures is warranted. Our preliminary finding suggests that data breaches negatively impact firm profitability, perceived risk and information transparency. Nevertheless, the damage of a breach most likely stems from direct costs such as compensation and litigation costs rather than indirect costs such as tarnished reputation and a decrease in market share and sales. More sophisticated analysts are also found to add value in estimating the real cost of a security breach

    WHEN TRAINING GETS TRUMPED: HOW DUAL-TASK INTERFERENCE INHIBITS SECURITY TRAINING

    Security training programs are an important intervention to protect users and organizations against security threats. Unfortunately, users often ignore their training and engage in poor security behaviors. We explain how dual-task interference (DTI) is a primary cause of security training disregard. DTI is a cognitive limitation wherein humans cannot perform more than one task simultaneously without experiencing a deterioration of performance. In our context, we hypothesize how prompting users to perform security behaviors during high-DTI times may derail one’s previous security training, resulting in less secure behaviors. We test our hypotheses in an experiment that compares users’ adherence to security training during low-DTI and high-DTI times in a realistic context. We found that performing security behaviors during low-DTI times increased adherence to prior security training by 31% compared to performing behaviors during high-DTI times. The results have implications for using DTI as a theoretical framework for understanding security behaviors, prompting users to perform security behaviors during times that will maximize adherence to past security training, and considering humans’ neurological limitations when designing security training and intervention programs

    Configuration and management of security procedures with dedicated ‘spa-lang’ domain language in security engineering

    The security policy should contain all the information necessary to make proper security decisions. The rules and needs for specific security measures and methods should be explained in an understandable way. None of the existing security mechanisms can guarantee complete protection against threats. In extreme cases, improperly used security mechanisms can lower the level of protection, giving the impression of security that is actually lacking. To enable simple and automated definition of security procedures for the IT system of a company or organization, available not only to qualified IT professionals, e.g. system administrators, but also to the company's management staff, it was decided to create an Intelligent System for Automation and Analysis of Security Procedures (iSPA). The paper presents a proposal to use the developed domain language, named 'spa-lang', for configuration and management of security procedures in security system engineering based on the BPMN (Business Process Model and Notation) standard

    Measuring The Organizational Impact of Security Breaches: Patterns of Factors and Correlates

    As the use of technology permeates organizations, as well as our personal and professional lives, organizational research has aimed to report the incidence of security breaches. However, self-reporting in survey research is flawed given that organizations are hesitant to admit to loss of sensitive data and other security breaches. Furthermore, there are gradients of breaches, rather than binomial occurrences, or lack of occurrences. Hence, a more comprehensive and less obtrusive measure of the nature and impact of breaches is necessary in order to advance theory and practice. As such, we tested a new measure of impact with representatives from over 500 organizations intended to measure the extent of a breach and its subsequent impact on the organization. We developed the construct using exploratory and confirmatory factor analysis and report on convergent validity. We find the impact of breaches tends to be greater for decentralized organizations, smaller organizations, and those within the financial services industry

    The Impact of CISO Appointment Announcements on the Market Value of Firms

    Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields

    Impact of Cloud Computing Announcements on Firm Valuation

    With increasing demand for Cloud Computing services, a growing number of firms are citing business agility and cost savings as motivators for adopting Cloud Computing services. Extant literature does not provide any empirical evidence of value of announcements made regarding the Cloud Computing environment. This paper examines impact of Cloud Computing announcements on firm valuation, using event study methodology. This study explores the market impact of adoption of Cloud Computing on the cloud vendors/providers and customers/adopters. The impact on firm value of the competitors, of the companies adopting Cloud Computing services, is also analyzed. The study shows that there is a significant impact of those announcements on the firm value of the companies. However, it shows a contrasting impact on the customers, vendors and their respective competitors, when analyzed separately