Abstract: Severe security breaches can be costly for publicly listed firms. In order to deploy scarce resources in the most efficient way, information security decision makers in such firms need to conduct holistic economic cost-benefit analyses that take into account all costs associated with security breaches and strategic investments in countermeasures. In addition to obvious direct costs following security breaches and investments, there are also multiple indirect underlying and consequential costs introduced or elevated by such events. In this dissertation, four novel cost elements affecting firms’ financing costs that are prone to be overlooked in basic cost-benefit analyses are discussed. Over the course of four empirical studies, the effect of security investments on firm value (via abnormal returns) as well as the effect of security breaches on cost of equity (via systematic risk), cost of debt (via credit default swap spreads), and information asymmetries (via insider trading-induced abnormal returns) are analysed. These studies reveal four cost elements that can all be characterised as indirect underlying/consequential financial costs, which ought to be considered in holistic economic information security cost analyses.
An analysis of a US-centric sample of 202 severe security breaches between 2005 and 2019 revealed that severe security breaches are associated with significant increases in insider trading abnormal returns (hence information asymmetries) and systematic risk (hence cost of equity). However, the examination of CDS spread changes following the same severe breach announcements indicated that CDS spreads (hence default spreads and by implication cost of debt) do not increase significantly in the immediate days surrounding the event, suggesting that costs of debt are subject to different dynamics.
Furthermore, assessing an international sample of 221 security investments, the dissertation reveals positive and negative effects on firms’ market value following small-scale and large-scale security certificate investments, respectively. These market reactions constitute secondary benefits and underlying/consequential costs that also ought to be taken into account for the purpose of expected net benefit of information security (ENBIS) analyses. Collectively, these insights suggest highly relevant information security-induced implications for cost of capital that need to be recognised in ENBIS calculations.
Given the absence of a formal definition of the cost type “underlying/consequential costs” and of a framework or model to facilitate assessments of such costs, this dissertation also provides a novel nuanced definition of indirect costs of information security and the Iceberg Model of Information Security Costs, which will help guide further academic research and practitioners’ investment endeavours.