Skip to main content


Brand Damage versus Corporate Competence

Yesterday, Tim Erlin had an interesting and very thought provoking post about breach and brand damage.. Tim rightly takes offense at the idea of the infinite "brand damage" often used to sell information security products. With as little as infosec geeks know about marketing, it's probably best to avoid that phrase altogether. A "brand" is a nebulous idea at best and security probably does not matter at all in most brands. I think it is also hard to try to tie stock performance to brand value. There a lots of great stocks that sell commodity goods. If Exxon/Mobil had a security breach when oil was at $30/barrel, how would you measure the impact of the breach as oil goes to $60?

My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are like cockroaches, they rarely travel alone and seeing one guarantees there are more that can't be seen. The question becomes: does the bad security mean bad security, or bad management?

The impact of information security breaches on stock prices should also vary by industry. Choicepoint's business depends on its network and ability to securely deliver data. Ameriprise needs to convince users that it is as secure as talking to broker. For TJX, purchasing, marketing and inventory turnover are probably more important. Still just looking at the stock price is not enough. You need to look at what it takes the company to maintain that stock price and you need to compare the stock to the return you could have had in the less-risky stock market (in this case the S&P500).

Looking at Tim's data again in this light points out a few things. While ADP's stock was up 2.72% in the 6 month's after the breach, the market was up 7.69% and it took ADP 8% more revenue to get that 2.72% rise in stock price. Choicepoint's stock was only down 1.8%, but the market was up 4.23% in the same period - and CPS's revenue was up 2% in that period (roughly that period, I used the quarterly report numbers). Looking the stock/revenue numbers shows the extra effort needed to maintain stock price.

TJX (1/17/2007) Stock Price Change S&P 500 Change Revenue Report Date Price/Revenue
Stock Price 3 months before incident (October 2006): 28.97
4501073 10/28/06 0.00064%
Stock Price today (March 2007): 26.46 -8.66% 1402.06 2.79% 4716327 01/28/06 0.00056%
Stock Price 6 months after incident: N/A

Ameriprise AMP (1/29/2006)

Stock Price 3 months before incident (October 2005): 37.1
1869 Q405 1.98502%
Stock Price 3 months after incident (April 2006): 49.04 32.18% 1310.61 9.36% 1949 Q106 2.51616%
Stock Price 6 months after incident (July 2006): 44.54 20.05% 1278.55 6.69% 1977 Q306 2.25291%

Choicepoint CPS (2/15/2005)

Stock Price 3 months before incident (November 2004): 44.01
232.5 Q404 18.92903%
Stock Price 3 months after incident (May 2005): 37.16 -15.56% 1165.69 -1.53% 227.4 Q205 16.34125%
Stock Price 6 months after incident (August 2005): 43.22 -1.80% 1233.87 4.23% 237 Q305 18.23629%

ADP (7/6/2006)

Stock Price 3 months before incident (April 2006): 46.78
2030.4 Q206 2.30398%
Stock Price 3 months after incident (October 2006): 47.47 1.47% 1349.59 3.10% 2473.8 Q406 1.91891%
Stock Price 6 months after incident (January 2007): 48.76 2.72% 1409.71 7.69% 2199.1 Q107 2.21727%

Tim's post struck a chord with me because it was something I was chewing on for a while. I had done some digging to see if a stock's beta, which is supposed to represent its riskiness relative to the market was a good way to see if a security breach raised the weighted average cost of capital for a company, but beta is problematic in a number of ways. I think Tim would agree that this handful of stocks does not a study make. I would also point out that I really didn't have time to dig too far into this. The revenue numbers are quarterly numbers from MSN finance and I just choose the quarter in which the month fell. This also does not include added investment. For example, if a company has to invest additional capital to secure itself and that results in no additional revenue, that is not reflected here.

Current rating: 1

Recent Posts







RSS / Atom