<HTML><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText26684 dir=ltr>
<DIV dir=ltr><FONT face=Arial size=2>While I am not an economist, I feel somewhat uneasy about using stock price to directly measure the effect of PR events on organizations. While employees and executives of publicly-traded companies often hold company stock and options, the largest shareholders may actually be third parties like pension and mutual funds. As I understand it, once a company makes an initial or secondary public offering, they have little financial interest in the stock. Shareholders unhappy about a breach can simply sell their shares to value-minded investors, who happily buy them at a discount.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>In certain circumstances, a low share price may actually benefit a company; stock buy-backs become easier and employees are less likely to exercise costly stock options. </FONT><FONT face=Arial size=2>Where share price can hurt companies is in the run-up to stock based M&A activity and secondary offerings. In these situations, it seems like share price could be an indicator of long-term performance, assuming that the mergers, acquisitions and secondary offerings were good ideas to start with. I wonder if it would be interesting to isolate the impact of disclosures on these sort of strategic activities.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>-Dennis</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Allan Friedman<BR><B>Sent:</B> Mon 10/9/2006 9:20 AM<BR><B>To:</B> dataloss-bounces@attrition.org<BR><B>Cc:</B> Dissent@pogowasright.org; acquisti@andrew.cmu.edu; dataloss@attrition.org<BR><B>Subject:</B> Re: [Dataloss] Data leaks hit share prices hard<BR></FONT><BR></DIV>
<DIV><PRE style="WORD-WRAP: break-word">For anyone interested, the most recent copy is online here:
http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-b
reaches.pdf
We're working on a revised dataset that incorporates much of the
recent events that members of this list have found, as well as
pre-1386 events. We look forward to sharing this data when it is
fully cleaned. We'll post a copy of the revised results to this list
as soon as we have it.
We've asked the authors for details on this study, but I'm curious
about the long term implications. If you are trying to show a
significant effect with a conventional event study, it's very hard to
do for such a long time period and such a small sample size.
If anyone is interested in doing similar studies, feel free to contact
me offline. Verifying that you have the first published report and
that there are no conflicting news stories that might bias the results
is fairly time-intensive.
allan
Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Harvard University
On 10/9/06, dataloss-bounces@attrition.org
<dataloss-bounces@attrition.org> wrote:
> We could probably come up with our own study just by finding every publicly
> traded company in the database and look at stock price history for X days
> following announcement of the breech. In fact, this could almost be
> automated if we added the ticker symbol to the database and then created a
> script that took advantage of a site containing access to stock trading data
> via an API...
>
>
> On 10/9/06, Adam Shostack <adam@homeport.org> wrote:
> > Fascinating. It contradicts "Is There a Cost to Privacy Breaches? An
> > Event Study," which Alan Friedman presented at the Workshop on
> > Economics of Infosec.
> >
> > http://weis2006.econinfosec.org/docs/40.pdf
> >
> > That study has a much larger dataset, and so I'm curious why EMA chose
> >
> > such small datasets.
> >
> > My thoughts on the paper are at
> >
> http://www.emergentchaos.com/archives/2006/07/does_lost_data_matter.html
> >
> >
> >
> > Adam
> >
> >
> > On Mon, Oct 09, 2006 at 11:26:11AM -0400, Dissent wrote:
> > | Australian-based analyst Hydrasight has teamed up with Colorado-based
> > | researcher Enterprise Management Associates Inc. (EMA) to release a
> > | study on the current state of global enterprise information security.
> > |
> > | The report draws a comparison between the theft or breach of
> > | confidential information and computer-facilitated financial fraud and
> > | the impact it has on organizations in terms of share price. While the
> > | organizations studied were based in the U.S., the findings reflect a
> > | similar security environment in Australia.
> > |
> > | Scott Crawford, senior analyst with EMA, said within four weeks of
> > | public disclosure of details of an information breach, negative
> > | responses show up in the form of falling share prices. The impact can
> > | be disturbing, he added.
> > |
> > | "EMA recently followed the closing stock prices of six US companies
> > | which had disclosed an information security breach between February
> > | 2005 and June 2006.
> > |
> > | "Within a month of disclosure, the average price of these stocks fell
> > | by 5 percent, and remained in a range of 2.4 to 8.5 percent below
> > | that of the date of disclosure for another eight months," he said.
> > |
> > | "The stocks did not recover to pre-incident levels for nearly a year."
> > |
> > | [...]
> > |
> > |
> http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html
> > |
> > | _______________________________________________
> > | Dataloss Mailing List (dataloss@attrition.org)
> > | http://attrition.org/dataloss
> > | Tracking more than 136 million compromised records in 403 incidents over
> 6 years.
> > |
> > _______________________________________________
> > Dataloss Mailing List (dataloss@attrition.org)
> > http://attrition.org/dataloss
> > Tracking more than 136 million compromised records in 403 incidents over 6
> years.
> >
> >
> >
> >
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss@attrition.org)
> http://attrition.org/dataloss
> Tracking more than 136 million compromised records in 403 incidents over 6
> years.
>
>
>
>
>
_______________________________________________
Dataloss Mailing List (dataloss@attrition.org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 403 incidents over 6 years.
</PRE></DIV></BODY></HTML>