[Dataloss] Data leaks hit share prices hard

Alessandro Acquisti acquisti at andrew.cmu.edu
Tue Oct 10 09:41:47 EDT 2006


Hello Adam - 

> Fascinating.  It contradicts "Is There a Cost to Privacy Breaches? An
> Event Study," which Allan Friedman presented at the Workshop on
> Economics of Infosec.
> 
> http://weis2006.econinfosec.org/docs/40.pdf

My 2 cents (following up on what Allan already wrote): the results of the
two studies are difficult to compare.

- our (i.e., Allan, Rahul, and me) dataset contained hundreds of events - I
would hazard that focusing on six events means aiming at a qualitative type
of study, rather than a statistically significant one.

- the problem with simply checking whether stock prices have fallen or not
is that external market conditions may determine those outcomes - hence, as
a measurement of performance after the event, vanilla stock prices can be
misleading (the event studies methodologies we used in our paper attempt to
address this problem) 

- for similar reasons, one should be extra cautious about suggesting
linkages between an event and the stock price one year after that event -
the consensus in the financial literature that pioneered event studies is
that a few days after the event you can no longer exclude that what you are
getting from the stock prices is simply noise. 

Note, however, that our regressions showed that the size of a firm was a
significant predictor of its abnormal rate of return (in other words: larger
firms were more affected by the breaches). 

One last note on the problems with using stock prices to measure a (subset
of a) company's breach-related costs: even if we may not adhere to the
efficient markets hypothesis, we wanted to address a simpler (and, to me,
telling) question: how does the market react to privacy breaches, compared
to the way it reacts to security breaches, product vulnerabilities, or other
negative events? 

Thanks,

-alessandro


