BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Data leaks hit share prices hard

From: Dennis Opacki <DOpacki () Covestic com>
Date: Mon, 9 Oct 2006 10:33:21 -0700
While I am not an economist, I feel somewhat uneasy about using stock price to directly measure the effect of PR events 
on organizations. While employees and executives of publicly-traded companies often hold company stock and options, the 
largest shareholders may actually be third parties like pension and mutual funds. As I understand it, once a company 
makes an initial or secondary public offering, they have little financial interest in the stock. Shareholders unhappy 
about a breach can simply sell their shares to value-minded investors, who happily buy them at a discount.

In certain circumstances, a low share price may actually benefit a company; stock buy-backs become easier and employees 
are less likely to exercise costly stock options. Where share price can hurt companies is in the run-up to stock based 
M&A activity and secondary offerings. In these situations, it seems like share price could be an indicator of long-term 
performance, assuming that the mergers, acquisitions and secondary offerings were good ideas to start with. I wonder if 
it would be interesting to isolate the impact of disclosures on these sort of strategic activities.

-Dennis



From: Allan Friedman
Sent: Mon 10/9/2006 9:20 AM
To: dataloss-bounces () attrition org
Cc: Dissent () pogowasright org; acquisti () andrew cmu edu; dataloss () attrition org
Subject: Re: [Dataloss] Data leaks hit share prices hard


For anyone interested, the most recent copy is online here:
http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-b
reaches.pdf

We're working on a revised dataset that incorporates much of the
recent events that members of this list have found, as well as
pre-1386 events.  We look forward to sharing this data when it is
fully cleaned.  We'll post a copy of the revised results to this list
as soon as we have it.

We've asked the authors for details on this study, but I'm curious
about the long term implications. If you are trying to show a
significant effect with a conventional event study, it's very hard to
do for such a long time period and such a small sample size.

If anyone is interested in doing similar studies, feel free to contact
me offline. Verifying that you have the first published report and
that there are no conflicting news stories that might bias the results
is fairly time-intensive.


allan

Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Harvard University

On 10/9/06, dataloss-bounces () attrition org
<dataloss-bounces () attrition org> wrote:

We could probably come up with our own study just by finding every publicly
traded company in the database and look at stock price history for X days
following announcement of the breech. In fact, this could almost be
automated if we added the ticker symbol to the database and then created a
script that took advantage of a site containing access to stock trading data
via an API...


On 10/9/06, Adam Shostack <adam () homeport org> wrote:

Fascinating.  It contradicts "Is There a Cost to Privacy Breaches? An
Event Study," which Alan Friedman presented at the Workshop on
Economics of Infosec.

http://weis2006.econinfosec.org/docs/40.pdf

That study has a much larger dataset, and so I'm curious why EMA chose

such small datasets.

My thoughts on the paper are at


http://www.emergentchaos.com/archives/2006/07/does_lost_data_matter.html




Adam


On Mon, Oct 09, 2006 at 11:26:11AM -0400, Dissent wrote:
| Australian-based analyst Hydrasight has teamed up with Colorado-based
| researcher Enterprise Management Associates Inc. (EMA) to release a
| study on the current state of global enterprise information security.
|
| The report draws a comparison between the theft or breach of
| confidential information and computer-facilitated financial fraud and
| the impact it has on organizations in terms of share price. While the
| organizations studied were based in the U.S., the findings reflect a
| similar security environment in Australia.
|
| Scott Crawford, senior analyst with EMA, said within four weeks of
| public disclosure of details of an information breach, negative
| responses show up in the form of falling share prices. The impact can
| be disturbing, he added.
|
| "EMA recently followed the closing stock prices of six US companies
| which had disclosed an information security breach between February
| 2005 and June 2006.
|
| "Within a month of disclosure, the average price of these stocks fell
| by 5 percent, and remained in a range of 2.4 to 8.5 percent below
| that of the date of disclosure for another eight months," he said.
|
| "The stocks did not recover to pre-incident levels for nearly a year."
|
| [...]
|
|

http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html

|
| _______________________________________________
| Dataloss Mailing List (dataloss () attrition org)
| http://attrition.org/dataloss
| Tracking more than 136 million compromised records in 403 incidents over

6 years.

|
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 403 incidents over 6

years.








_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 403 incidents over 6
years.






_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 403 incidents over 6 years.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 403 incidents over 6 years.
Previous By Date Next
Previous By Thread Next

Current thread: