[Dataloss] Data leaks hit share prices hard

[Alessandro Acquisti]

Adam:

> Note, however, that our regressions showed that the size of a firm was a
> significant predictor of its abnormal rate or return (in other words:
> larger
> firms were more affected by the breaches).

that should have been "smaller" firms, as discussed in the paper.
(thanks to Allan for catching this slip) 
Thank you,
-aa

> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-
> bounces at attrition.org] On Behalf Of Alessandro Acquisti
> Sent: Tuesday, October 10, 2006 9:42 AM
> To: 'Adam Shostack'; 'Dissent'
> Cc: 'Alessandro Acquisti'; 'dataloss-attrition.org'
> Subject: Re: [Dataloss] Data leaks hit share prices hard
> 
> Hello Adam -
> 
> > Fascinating.  It contradicts "Is There a Cost to Privacy Breaches? An
> > Event Study," which Alan Friedman presented at the Workshop on
> > Economics of Infosec.
> >
> > http://weis2006.econinfosec.org/docs/40.pdf
> 
> My 2 cents (following up on what Allan already wrote): the results of the
> two studies are difficult to compare.
> 
> - our (i.e., Allan, Rahul, and me) dataset contained hundreds of events -
> I
> would hazard that focusing on six events means aiming at a qualitative
> type
> of study, rather than a statistically significant one.
> 
> - the problem with simply checking whether stock prices have fallen or not
> is that external market conditions may determine those outcomes - hence,
> as
> a measurement of performance after the event, vanilla stock prices can be
> misleading (the event studies methodologies we used in our paper attempt
> to
> address this problem)
> 
> - for similar reasons, one should be extra cautious about suggesting
> linkages between an event and the stock price one year after that event -
> the consensus in the financial literature that pioneered event studies is
> that a few days after the event you can no longer exclude that what you
> are
> getting from the stock prices is simply noise.
> 
> Note, however, that our regressions showed that the size of a firm was a
> significant predictor of its abnormal rate or return (in other words:
> larger
> firms were more affected by the breaches).
> 
> One last note on the problems with using stock prices to measure a (subset
> of a) company's breach-related costs: even if we may not adhere to the
> efficient markets hypothesis, we wanted to address a simpler (and, to me,
> telling) question: how does the market react to privacy breaches, compared
> to the way it reacts to security breaches, product vulnerabilities, or
> other
> negative events?
> 
> Thanks,
> 
> -alessandro
> 
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 136 million compromised records in 403 incidents over 6
> years.