Stock market values and information security investment
There has been some excellent research done on the impact of information security breaches on the market cap of affected firms (which directly impacts their cost of capital): "The economic cost of publicly announced information security breaches: empirical evidence from the stock market," Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb and Lei Zhou, Accounting and Information Assurance, Robert H. Smith School of Business, University of Maryland, 2003 (http://brief.weburb.dk/archive/00000130/01/2003-costs-security-on-stockvalue-9972866.pdf)
This UMD study found that a firm suffering a breach of 'confidential information' saw a 5% drop in stock price while firms suffering a non-confidential breach saw no impact.
I read it as the market over time learning the difference between a DoS attack and the posting of customers' credit cards online. Which is interesting, because the market will be most forgiving of the attacks that are the most basic to prevent (web defacement, viruses & worms) or which are 'unpreventable' (DoS attacks - unpreventable isn't the 100% correct word, but you know what I mean) and it will punish you severely (a 5% market cap drop according to the UMD study) for succumbing to a more vicious, targeted attack that results in exposure of confidential information such as customer credit cards. So are you putting your money in the right places?
The market correctly places a higher value on companies that can increase cash flow by reducing costs or increasing revenues using information technology. But it will increase the cost of capital for those firms that do not manage the risks of being online, potentially erasing any gains.
To make it simple, you can just trot out this study and tell your CEO that not investing in information security may result in a 5% drop in share price. They probably won't read it ;).
In the UMD study, almost all of the "confidential breaches" were described as "Unauthorized Access to" (subscriber data, credit card numbers, etc.). It clearly points to the importance of identity management and authentication. The other factor to consider is that there are now automated tools to create phishing sites and spyware on 1/3 of all computers. How will you manage user authorization in a world where you have to give access to customers, vendors, partners, consultants, and employees? It is doable and the firms that do it securely will be the winners.
