Making better IS security investment decisions: discovering the cost of data breach announcements during the COVID-19 pandemic

DOI: https://doi.org/10.1108/IMDS-06-2022-0376
Published date: 24 November 2022
Pages: 630-652
Subject Matter: Information & knowledge management, Information systems, Data management systems, Knowledge management, Knowledge sharing, Management science & operations, Supply chain management, Supply chain information systems, Logistics, Quality management/systems
Author: Tianxi Dong, Suning Zhu, Mauro Oliveira, Xin (Robert) Luo
Tianxi Dong, Suning Zhu and Mauro Oliveira
Finance and Decision Sciences, Trinity University, San Antonio, Texas, USA, and
Xin (Robert) Luo
Department of MIDS, The University of New Mexico,
Albuquerque, New Mexico, USA
Abstract
Purpose: Stock price reactions have often been used to evaluate the cost of data breaches in the current
information systems (IS) security literature. To further this line of research, this study examines the impact of
data breaches on stock returns, information asymmetry and unsystematic firm risk in the context of COVID-19.
Design/methodology/approach: This paper employs an event study methodology and examines data
breach events released in public databases, spanning pre- and post-COVID settings. This study investigated
283 data breaches of the US publicly traded firms, and the economic cost was measured by cumulative
abnormal returns (CARs), trading volume, bid-ask spread and unsystematic risk.
Findings: The authors observe that data breaches during the COVID pandemic make investors react more
negatively to data breach announcements, as reflected in the significantly negative difference in CARs between
breached firms before COVID and those after COVID. The findings also indicate that, after the disclosure of
data breach incidents, information asymmetry is reduced to a lesser extent compared with that in the
pre-COVID setting. The authors also find that data breach events lead to an increase in the unsystematic risk of
breached companies in the pre-COVID era but no change in the post-COVID era.
Originality/value: This study is the first effort to examine the economic consequences of data breaches by
investigating the effects in the form of trading activities and risk measurement in the COVID setting.
Keywords Data breach, Event study, Stock return, Information asymmetry, Unsystematic risk, COVID-19
Paper type Research paper
1. Introduction
The recent COVID-19 pandemic has caused unprecedented challenges for business operations
due to its global scale and far-reaching disruptions (Xiong et al., 2021). In response to the
challenges brought by COVID, many firms have accelerated digital transformation and shifted
workforces from onsite to online, creating an ideal environment for hackers to strike. According
to the 2021 Global Information Security Survey, more than 70% of senior cybersecurity leaders
have seen a clear rise in cyberattacks in the past 12 months (Lovejoy, 2021). It is reported that the
average annual security spending per employee increased from $2,337 in 2019 to $2,691 in 2020,
accompanying a clear rise in cyberattacks since the pandemic (Bernard, 2020). Within this
context, it is essential for researchers to probe and quantify the economic consequences of data
breaches during the COVID-19 pandemic from a variety of perspectives, using more
comprehensive evidence of data breach costs to better justify investment decision-making
vis-à-vis security technologies and innovation in the post-COVID era.
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/0263-5577.htm
Received 17 June 2022
Revised 1 September 2022, 24 October 2022
Accepted 3 November 2022
Industrial Management & Data Systems, Vol. 123 No. 2, 2023, pp. 630-652
© Emerald Publishing Limited, 0263-5577
DOI 10.1108/IMDS-06-2022-0376
Even though substantial pioneering studies have been published in this area, the majority
of them have starkly focused on the impact on stock prices of various affected entities such as
breached firms and their competitors (Jeong et al., 2019), security vendors (Cavusoglu et al.,
2004) and insurance carriers (Garg et al., 2003). Nevertheless, to the best of our knowledge, no
prior research has investigated whether and how the COVID-19 pandemic plays a role in
affecting stock price reactions due to data breach announcements. According to the signaling
theory, a receiver's interpretation of a signal depends on the signaling environment. In this
study, we apply the signaling theory to the context where companies deliver data breach
announcements to the public before and after the pandemic. Here, the COVID-19 condition
(signaling environment) affects the impacts of data breach announcements, which affect
investors' interpretation of the announcements. Therefore, it is meaningful and necessary to
investigate how investors react to a data breach in different signaling environments (pre- and
post-COVID). Hence, our primary research question is as follows: Do investors react differently
to data breaches before and after the COVID-19 pandemic?
Additionally, from the perspective of an investor that is assessing the purchase, sale or
holding of the stock in her portfolio before or after the COVID-19 pandemic, not only stock
returns are important, but also the reliability and availability of information about the
targeted firm, as well as the firm risk associated with that stock. From the perspective of
firms, both financial outcomes (i.e. stock prices) and nonfinancial outcomes (i.e. confidence,
proxied by firm risk; and availability of information, proxied by information asymmetry) are
important. Traditionally, stock price represents the valuation of the firm based on expected
future cash flows, which are directly related to expectations of future financial performance of
the firm (Subrahmanyam and Titman, 2001). Both firm valuation and risk assessment impact
managerial and investment decisions. Thus, the investigation of the impact of data breaches
on information asymmetry and firm risk is suitable to complement a picture of the costs that
are associated with data breach events for investors.
Information asymmetry is a product of information differences and conflicts of interest
between managers and stockholders (Healy and Palepu, 2001). It may not always be in the
interest of inside managers to disseminate all available information about the firm to
stockholders and potential investors.[1] Examining the effect of data breaches on information
asymmetry can provide evidence for investors on whether data breach events are exploited
by informed traders before they are reported to the public (Rosati et al., 2017). To the best of
our knowledge, no prior research besides Rosati et al. (2017) has attempted to investigate this
issue in the information systems (IS) field, with information asymmetry operationalized using
trading volume and bid-ask spread. Despite its inspirational findings, that study only spans
2005 to 2014 and therefore may not accurately reflect the impact of data breaches on
information asymmetry during the pandemic time. With an increasing number of data breach
events each year, especially after the outbreak of COVID-19, it would be important to examine
the effect using more updated data during the COVID period. This study exploits data
spanning the pre- and post-COVID periods to investigate the following question: How do data
breaches affect information asymmetry in the context of COVID-19?
Aside from information asymmetry and stock returns, it is also important to discover the
effects of data breaches on firm risk. Firm risk is a crucial parameter in determining a
company's cost of equity, which reflects the return expectations of investors and, as a result,
has an impact on the stock price of the affected firm (Hinz et al., 2015). Firm risk subsumes
systematic risk and unsystematic risk. Systematic risk describes the uncertainties in
earnings that are determined by market-wide factors (Dewan and Ren, 2007; Fama and
French, 1996; Mishra et al., 2013), such as macroeconomic conditions, natural disasters and
wars. Unsystematic risk refers to the uncertainties in earnings that are determined by firm- or
industry-specific factors (Aggarwal et al., 2011; Dewan and Ren, 2007; Fama and French,
1996; Mishra et al., 2013). So far, although Hinz et al. (2015) look into systematic risk in the data
theft context, no study has surveyed the impact of data breaches on unsystematic risk, and
none has done so in the context of COVID-19. Moreover, the study of unsystematic risk is more relevant