The stock market impact of information security investments: The case of security standards

Cyber security executives are inherently interested in developing, implementing, and reviewing cost-effective systems to safeguard their organisations from severe impacts of security breaches. Deciding which security projects to invest in can be a complex issue for such executives. One method that can help inform such decision making involves giving consideration to how the stock market reacts to security investments. One type of information security investment — complying with cyber security standards — is particularly interesting to consider, as these investments may not only have the potential to reduce financial penalties and losses associated with data breaches, but may also help to enhance reputation, win new business, and improve business processes. In this paper, we report upon a study that analysed the firm value impact of successful completion of such security investments by exploring two cases of cyber security certificates: the UK’s Cyber Essentials scheme and the global ISO/IEC 27001 standard. 145 Cyber Essentials events between 2014 and 2018 and 76 ISO/IEC 27001 certifications between 2001 and 2018 were analysed. We find that the award of a Cyber Essentials (Plus) certificate is systematically associated with significant and positive market reactions. Surprisingly, our international sample reveals that becoming ISO/IEC 27001-compliant elicits significant negative abnormal stock returns. Potential explanations and implications of our findings are discussed.