PLANNING TECHNOLOGY INVESTMENTS FOR HIGH PAYOFFS: A RATIONAL EXPECTATIONS APPROACH TO GAUGING POTENTIAL AND REALIZED VALUE IN A CHANGING ENVIRONMENT

This paper examines the impact of information security breaches on organizational performance. Up to date, there have been only a few empirical academic studies that have investigated this issue and they have investigated information security breaches with the focus on the short-term impact on the market value of the firm. This study offers an alternate approach to investigate this issue as it explores the impact of breaches on financial performance of the firm, one year after the breach. Using a “matched sampling” methodology, we explored the impact of each type of breach (i.e. confidentiality, integrity, and availability) and also by IT intensity and size. Our results suggest that the direction of the impact (i.e. positive, negative) is dependent on the type of security breaches and also the impact of IT intensive firms is different from non-IT intensive firms. Our study also includes some important implications for managers and stock market investors.Information security, impact, security breach, organizational performance,confidentiality, integrity, availability

Intra-Industry Effects of Information Security Breaches on Firm Performance

Instances of information security breaches are wide ranging, and can affect companies of different industries and sizes. We investigate the impact of publicly announced information security breaches of public organizations on their competitors that are comparable in size and operate in the same industry. This is called intra-industry information transfer, and has not been subject to extensive research in IS. We use matched-sampling methodology to measure the difference in firm performance using financial ratios, and interpret the results using paired samples t and Wilcoxon matched pair tests. Our results present a departure from intuition regarding the efficacy of security breaches on firm performance even though we do find an instance of information transfer

Breaching News: Does Media Coverage Increase the Effects of Data Breach Event Disclosures on Firm Market Value?

Characterized as negative events, data breaches can disrupt an organization’s operations and lead to financial losses. Media coverage is often seen as exacerbating negative events such as data breach disclosures, and have also been found to influence financial markets. This research in progress presents a theoretical framework and methodology to empirically test the moderating and mediating influences of media coverage on the impact of data breach events on firms. We articulate the research gap, present hypotheses, and discuss the implications of this research for theory and practice

Three Essays on Information Security Breaches and Big Data Analytics: Accounting and Auditing Perspective

The dissertation examines two separate yet significant Information Technology (IT) issues: one dealing with IT risk and the other involving the adoption of IT. The IT risks that the dissertation focuses are information security breaches and the adoption/outsourcing of big data analytics. Using competitive dynamics theory and the theory of information transfer, the dissertation examines whether there is a spillover effect from information security breaches of breached firms to those firms’ rivals. Market reaction from spillover effects is captured from market activity and information asymmetry. The results suggest that the market of rival firms react to the focal firm’s experience of a data breach. However, the overall effects of data breaches on rival firms are the opposite to those to focal firms, although in many cases rival firms also experience negative reactions in the financial markets. Specifically, the results suggest that the characteristics of data breach types and previous data breach histories of focal firms have implications for rivals. However, strong information technology governance capabilities of rivals play a shielding role in mitigating those negative effects. The dissertation also examines the adoption of big data analytics by Internal Audit Function (IAF). Particularly, the dissertation examines the implications of data analytics challenges to the adoption of big data analytics by IAF. The results suggest that dataspecific IT knowledge rather than general IT knowledge is a significant predictor of adoption of big data analytics. Additionally, critical thinking skills and business knowledge also contributes to the adoption of big data analytics. Furthermore, if IAFs face management challenges, such as fraud risk detection, they are also more likely to adopt big data analytics. Results from interaction effects analysis suggest that Chief Audit Executives (CAEs) with CPA certifications are more likely to adopt big data analytics than the CAEs without CPA certification, when the size of the organization is small, when the size of the IAF is small, or when there is a lack of data-specific IT knowledge or business skills. Another important finding is that when two groups of IAFs have similar size and data-specific IT knowledge, IAFs with fraud detection responsibilities are more likely to adopt big data analytics. Finally, IAFs in Anglo culture countries are more likely to adopt big data analytics than IAFs in non-Anglo culture countries, even when both IAFs have the same size and data-specific IT knowledge. Finally, the dissertation examines the motivation of outsourcing of data analytics by IAF. The results suggest, contrary to conventional wisdom, that economic factors are not a significant predictor. Rather, strategic and sociological factors are significant in predicting the outsourcing of big data analytics. Specifically, IAFs outsource big data analytics when they lack data skills and are tasked with fraud risk management. Additionally, the role Chief Audit Executives (CAEs) is also significant. There is also a cultural variation of the outsourcing decision: IAFs from developing nations are more likely to outsource than are the IAFs from the developed countries. Further analysis of the interaction effects of these significant variables suggests that as the data skills of IAFs increase, the conditional difference of the likelihood of outsourcing decreases, suggesting that IAFs recognize both the value of data analytics and their lack of competencies. The three-way interactions of the variables support the same conclusion. The findings have implications about the formation of effective internal controls designed to mitigate the risks in the outsourcing decision. Moreover, external auditors will find the results useful when they evaluate the competence and objectivity of IAFs before they rely on their work

The Impact of Data Breach Announcements on Company Value in European Markets

Recent research on the economic impact of data breach announcements on publicly listed companies was found to be sparse, with the majority of existing studies having a strong US bias. Here, a dataset of 45 data breach disclosures between 2017 and 2019 relevant to European publicly listed companies was hand-gathered (from various sources) and detailed analyses of share price impact carried out using event study techniques with the aim of supporting business cases for firms to invest in cyber security. Differences from existing studies (in particular, the US market) are highlighted and discussed along with pointers to future research in this area. Although some evidence of negative cumulative abnormal returns (CAR) in the days surrounding the announcement were observed, along with one extreme case leading to insolvency, the results were not statistically significant overall with the notable exception of the Spanish market, which appeared to be more sensitive to data breaches, reacting rapidly. Therefore, justification for cyber security investment purely based on the market value effect of a data breach disclosure would be challenging. Other factors would need to be taken into consideration such as risk appetite, industry sector and nature of the information compromised as well as relevant legislation. Certain other observations were noted such as the lack of a comprehensive breach database for Europe (unlike US) and the effect of the introduction of the General Data Protection Regulation (GDPR). This research would be of benefit to business management, practitioners of cyber security, investors and shareholders as well as researchers in cyber security or related fields

On the economic impact of information security announcements: an event study analysis

This research is concerned with the economic impact of information security events both unfavourable (data breaches and GDPR infringement fines) and favourable (CISO appointment announcements). Literature in this area was found to be sparse and with a strong US bias, therefore this study focusses on UK and European markets. Using event study methodology, the impact on share price of a hand-gathered (due to lack of a comprehensive breach database for Europe) dataset of 45 data breach announcements concerning UK/European publicly listed companies was analysed and only weak evidence was found of a negative impact overall, although the Spanish market showed a greater reaction. Regarding GDPR infringement fine announcements (25 examples), statistically significant CARs of -1% on average were observed over a three-day period. Spanish and Romanian markets were shown to be particularly reactive. Such a loss in market capitalisation was, in almost all cases, much greater than the monetary value of the fine itself, actually ca. 29,000 times greater on average. Announcements of CISO type role appointments (37 examples) showed an uplift in share price of around 0.8% on average over a three-day period before, during and after the announcement. The financial services sector was found to respond more positively (+1.8%) with statistical significance at the 1% level. As well as highlighting the benefits of transparency by publicly listed firms and disclosure regulations in early-adopter nations such as the US, the results of these studies should encourage firms to improve their cyber security postures overall to emulate highly regulated sectors such as financial services. A review of security investment strategies is also included for convenience, as well as pointers for future research. This research would be of benefit to business management, practitioners of cybersecurity, investors and shareholders, policy makers as well as researchers in cyber security or related fields

Customer Cybersecurity and Supplier Cost Management Strategy

In this paper, we explore the spillover effect of customer firms’ data breaches on their upstream supplier firms’ cost management strategies, proxied by cost stickiness. Our primary analyses suggest that data breaches suffered by customer firms are associated with a decrease in cost stickiness among supplier firms. Furthermore, the reductions in supplier cost stickiness are stronger if suppliers are managed by CEOs from national cultural groups with high uncertainty avoidance, low long-term orientations, and/or low individualism. In sum, the findings contribute to both Information Systems (IS) and Operations Management (OM) disciplines in terms of data breach, cost management strategy, and the role of national culture in OM. In particular, the findings can facilitate the management and regulation of data breaches for managers and regulators

The Stock Market and Audit Market Effects of a Big 4 Security Breach

This research provides insights into how audit clients and investors respond to a breach of confidential client data by an audit firm. Specifically, on September 25, 2017, Deloitte & Touche (a.k.a., Deloitte), an international Big 4 audit firm, reported that its systems had sustained a six month long cyber-attack lasting from October 2016 to March 2017 (Hopkins 2017). We examine whether Deloitte’s reputation was impacted. We find that Deloitte’s audit clients at the time of the breach did not experience a change in audit fees, nor were they more likely to dismiss Deloitte. However, Deloitte experienced a decrease in the number of new audit clients after the breach announcement as well as decreased first year audit fees for new clients. A negative market reaction was only found for clients that dismissed Deloitte. Thus, Deloitte’s reputation appears to be only tarnished for companies searching for a new auditor