Brand Damage, Stock Price and Cockroaches
Yesterday, Tim Erlin had an interesting and very thought provoking post about breach and brand damage.. Tim rightly takes offense at the idea of the infinite "brand damage" often used to sell information security products. With as little as infosec geeks know about marketing, it's probably best to avoid that phrase altogether. A "brand" is a nebulous idea at best and security probably does not matter at all in most brands. I think it is also hard to try to tie stock performance to brand value. There a lots of great stocks that sell commodity goods. If Exxon/Mobil had a security breach when oil was at $30/barrel, how would you measure the impact of the breach as oil goes to $60?
My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are like cockroaches, they rarely travel alone and seeing one guarantees there are more that can't be seen. The question becomes: does the bad security mean bad security, or bad management?
The impact of information security breaches on stock prices should also vary by industry. Choicepoint's business depends on its network and ability to securely deliver data. Ameriprise needs to convince users that it is as secure as talking to broker. For TJX, purchasing, marketing and inventory turnover are probably more important. Still just looking at the stock price is not enough. You need to look at what it takes the company to maintain that stock price and you need to compare the stock to the return you could have had in the less-risky stock market (in this case the S&P500).
Looking at Tim's data again in this light points out a few things. While ADP's stock was up 2.72% in the 6 month's after the breach, the market was up 7.69% and it took ADP 8% more revenue to get that 2.72% rise in stock price. Choicepoint's stock was only down 1.8%, but the market was up 4.23% in the same period - and CPS's revenue was up 2% in that period (roughly that period, I used the quarterly report numbers). Looking the stock/revenue numbers shows the extra effort needed to maintain stock price.
| TJX (1/17/2007) | Stock Price | Change | S&P 500 | Change | Revenue | Report Date | Price/Revenue |
| Stock Price 3 months before incident (October 2006): | 28.97 | 1364.05 | 4501073 | 10/28/06 | 0.00064% | ||
| Stock Price today (March 2007): | 26.46 | -8.66% | 1402.06 | 2.79% | 4716327 | 01/28/06 | 0.00056% |
| Stock Price 6 months after incident: N/A | |||||||
| Ameriprise AMP (1/29/2006) | |||||||
| Stock Price 3 months before incident (October 2005): | 37.1 | 1198.41 | 1869 | Q405 | 1.98502% | ||
| Stock Price 3 months after incident (April 2006): | 49.04 | 32.18% | 1310.61 | 9.36% | 1949 | Q106 | 2.51616% |
| Stock Price 6 months after incident (July 2006): | 44.54 | 20.05% | 1278.55 | 6.69% | 1977 | Q306 | 2.25291% |
| Choicepoint CPS (2/15/2005) | |||||||
| Stock Price 3 months before incident (November 2004): | 44.01 | 1183.81 | 232.5 | Q404 | 18.92903% | ||
| Stock Price 3 months after incident (May 2005): | 37.16 | -15.56% | 1165.69 | -1.53% | 227.4 | Q205 | 16.34125% |
| Stock Price 6 months after incident (August 2005): | 43.22 | -1.80% | 1233.87 | 4.23% | 237 | Q305 | 18.23629% |
| ADP (7/6/2006) | |||||||
| Stock Price 3 months before incident (April 2006): | 46.78 | 1309.04 | 2030.4 | Q206 | 2.30398% | ||
| Stock Price 3 months after incident (October 2006): | 47.47 | 1.47% | 1349.59 | 3.10% | 2473.8 | Q406 | 1.91891% |
| Stock Price 6 months after incident (January 2007): | 48.76 | 2.72% | 1409.71 | 7.69% | 2199.1 | Q107 | 2.21727% |
Tim's post struck a chord with me because it was something I was chewing on for a while. I had done some digging to see if a stock's beta, which is supposed to represent its riskiness relative to the market was a good way to see if a security breach raised the weighted average cost of capital for a company, but beta is problematic in a number of ways. I think Tim would agree that this handful of stocks does not a study make. I would also point out that I really didn't have time to dig too far into this. The revenue numbers are quarterly numbers from MSN finance and I just choose the quarter in which the month fell. This also does not include added investment. For example, if a company has to invest additional capital to secure itself and that results in no additional revenue, that is not reflected here.
- Category(s)
- Security and Economics
- Phishing and Fraud
- The URL to Trackback this entry is:
- http://www.wikidsystems.com/WiKIDBlog/brand-damage-stock-prices/tbping
Digg this!
Del.ico.us
Google
Yahoo bookmarks
Reddit
Spurl
Simpy
I'd expect beta to be a lagging indicator, whereas price can adjust instantaneously.
On the "handful of stocks" question, a paper presented by Friedman and Acquisti at the last Workshop on Economics and Information Security included all US publicly-traded firms for which breach info was available. I think the sample size was about 150-200. Enough statistical power to estimate parameters. The findings were roughly in agreement with Tim's conjecturem -- short-term effect, no big whoop long-term. Whether this observation would hold for a firm whose "core competence" was securely holding info is something others have looked at, and many more have ruminated on, but I think the data are not sufficient to draw more than tentative conclusions at this point.