[Dataloss] Methods: security price analysis (was 'Data leaks hit share prices hard')
From: Allan Friedman (allan_friedmanksgphd.harvard.edu)
Date: Mon Oct 09 2006 - 18:19:03 CDT
First, I must admit that I lack the industry experience of Dennis and
many others. I'm approaching this as a researcher.
I think that share price is not a perfect indicator of company
performance; heck, I'm not sure it's a terribly valid measure for how
investors view a company's future.
But in the short run, investors should and do react to news. It's not
instantaneous, there are transaction costs, strategic investors, etc.
And remember, we're only interested in the marginal effect. A change
in oil price doesn't fundamentally alter the underlying soundness of
an oil company, but it does shift their bottom line, so a few
investors might change their behavior. I believe that we should be
able to learn something from examining the impact of a breach
announcement on share price:
1) Does the market even notice? Here, we want to measure the effect,
and test for statistical significance. Econometrics is sometimes as
much art as science, but there are many ways to test whether an
observed phenomenon is different from random noise. We learn
something if the market does have a reaction; we also learn something
if it doesn't. (I should add that demonstrating the *absence* of an
effect is durn hard to validate).
2) Does the effect change over time? If market prices used to change,
but now they don't, that's an interesting piece of information.
3) Other factors: In our project we are testing a long list of
potential influencing factors that might affect the severity of the
breach. Some of them are probably relevant to investors in particular
(sector, whether it was customer or employee data) while some may not
be directly applicable (type of data breached).
Interpreting these findings beyond an "oh, that's interesting"
involves going back to a model of incentives. We also look at
announcement details and a host of other variables. Our sample size is
small, but growing (I confess that I am one of the few people happy to
see breach announcements in the news).
OT - for anyone interested in the broader question of methods in
security economics and policy, I will be chairing a panel at the
Workshop on the Economics of Securing Information Infrastructure
(http://wesii.econinfosec.org/workshop/) in DC on October 23.
Registration is free and open to anyone interested.
PhD Candidate, Public Policy
Kennedy School of Government
Dataloss Mailing List (datalossattrition.org)
Tracking more than 136 million compromised records in 403 incidents over 6 years.
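
Added example (not part of the original post or the author's project): one common way to run the test described in point 1 is a market-model event study, which is an assumption here since the post does not name its method. All returns are constructed, and the function names and window lengths are hypothetical.

```python
import math
import random
from statistics import mean

def market_model(stock, market):
    """OLS fit of stock = alpha + beta*market + e; returns (alpha, beta, residual sd)."""
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    beta = sum((x - mx) * (y - my) for x, y in zip(market, stock)) / sxx
    alpha = my - beta * mx
    resid = [y - (alpha + beta * x) for x, y in zip(market, stock)]
    sd = math.sqrt(sum(e * e for e in resid) / (len(resid) - 2))
    return alpha, beta, sd

def event_study(stock, market, event_idx, est_len=120, gap=10, pre=1, post=1):
    """Cumulative abnormal return (CAR) and t-statistic around event_idx."""
    est_end = event_idx - pre - gap  # keep the estimation window clear of the event
    est = slice(est_end - est_len, est_end)
    alpha, beta, sd = market_model(stock[est], market[est])
    window = range(event_idx - pre, event_idx + post + 1)
    # Abnormal return = observed return minus what the market move alone predicts.
    ar = [stock[t] - (alpha + beta * market[t]) for t in window]
    car = sum(ar)
    # H0: CAR = 0. Simplified test: ignores estimation error in alpha and beta.
    t_stat = car / (sd * math.sqrt(len(ar)))
    # 1.96 = 5% two-sided threshold under the normal approximation.
    return {"beta": beta, "car": car, "t": t_stat, "significant": abs(t_stat) > 1.96}

def constructed_returns(shock, n=160, event_idx=140, seed=7):
    """Constructed daily returns: true beta 1.2, noise sd 0.5%, shock on event day."""
    rng = random.Random(seed)
    market = [rng.gauss(0.0005, 0.01) for _ in range(n)]
    stock = [1.2 * m + rng.gauss(0, 0.005) for m in market]
    stock[event_idx] += shock
    return stock, market

if __name__ == "__main__":
    for label, shock in (("breach announced", -0.05), ("no event", 0.0)):
        stock, market = constructed_returns(shock)
        r = event_study(stock, market, 140)
        print(f"{label}: CAR={r['car']:+.3%} t={r['t']:+.2f} significant={r['significant']}")
```

A non-significant result from this test only fails to reject "no effect"; it does not demonstrate the absence of one, which is the validation problem the post raises.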