The business value of infosec
Thanks to a heads-up from Walt Williams, I'm mulling over a report by Comparitech indicating that the announcement of serious "breaches" by commercial organizations leads to a depression in their stock prices relative to the stock market as a whole.
I'm using "breach" in quotes because the study focuses on public disclosures by large US commercial corporations of significant incidents involving the unauthorized release of large quantities of personal data, credit card numbers etc. That's just one type of information security incident, or breach of security, and just one type of organization. There are many others.
The situation is clearly complex, with a number of factors, some of which act in opposition (e.g. the publicity around a "breach" is still publicity!). There are several constraints and assumptions in the study (e.g. small sample sizes), so personally I'm quite dubious about the conclusions ... but it adds some weight to the not unreasonable claim that "breaches" are generally bad for business. At the very least, it rejects the null hypothesis that "breaches" have no effect on business.
Personally, I'm intrigued to find that "breaches" do not have a more marked effect on stock price. The correlation seems surprisingly weak to me, suggesting that I am biased, over-estimating the importance of infosec - another not unreasonable assumption given that I am an infosec pro! It's the centre of my little world after all!
Aside from the fairly weak "breach" effect, I'd be fascinated to learn more about the approaches towards information risk, security, privacy, governance, incident management, risk and security strategy, compliance etc. that differentiate relatively strong from relatively weak performers on the stock market, using that as an indicator of business performance ... and indeed various other indicators such as turnover, profitability, market share, brand value etc. I'm particularly interested in leading indicators: the things that tend to precede relatively strong or weak performance.
On the flip side, I'd be interested to know whether 'good news' security disclosures/announcements (such as gaining ISO27k or other security certifications, or winning court cases over intellectual property) can be demonstrated to be good for business. Given my inherent personal bias and focus on infosec, I rather suspect the effect (if any) will be weaker than I expect ... but I'm working on it!