Public markets DGAF about cybersecurity. The infosec industry shills the harrowing narrative of how damaging data breaches are to businesses – that if a super sophisticated nation state targets your company, you face reputational devastation and stock market decimation. There is no evidence to support this propaganda. In fact, two recent studies presented at WEIS find explicit evidence to the contrary.
In this post, I’ll summarize those papers’ findings and elucidate their importance to how we think about information security.
Trade secret breaches + company performance
The paper: Surprisingly Small: The Effect of Trade Secret Breaches on Firm Performance by Nicola Searle and Andrew Vivian.
TL;DR: Protecting trade secrets from cyberattack shouldn’t be a priority because trade secret theft doesn’t negatively affect an organization’s market valuation. Oh, and whether the attack is “sophisticated” or “targeted” or “nation state” has zero effect on a firm’s stock market outcomes.
What’s the problem: There’s a lot of hullabaloo around how important it is to protect trade secrets from theft, because such espionage is allegedly so damaging to organizations – but those are just theoretical claims. This theory is used by vendors and security practitioners to justify cybersecurity investments despite a lack of empirical evidence to support those claims.
What this paper contributes: This paper studies the impact of trade secrets theft on stock market valuations along numerous dimensions. Despite industry folk wisdom, the authors find an insignificant relationship between a victim’s announcement of trade secret theft and their subsequent stock market performance. That is, attackers stealing a company’s trade secrets does not hurt the company’s stock price[1].
Therefore, if organizations seek to protect shareholders, this empirical evidence actually justifies investing in freedom of information rather than in cybersecurity of information. Prioritizing freer information flows at least supports innovation, whereas prioritizing protection of information slows down innovation without any compensating market benefit.
Digging deeper: Their findings also refute the oft-spouted infosec industry claims that targeted, sophisticated attacks conducted by nation state actors are especially dangerous to businesses:
- An attack’s level of sophistication has no impact on market response
- An attack being “targeted” or not has no impact on market response
- The involvement of foreign agents (i.e. an attack constituting economic espionage) has no impact on market response
Key quote: “Counterintuitively, the findings suggest managers should not prioritise trade secret protections and cybersecurity if the main goal is protecting shareholders. In addition to savings, this has the added benefit of allowing information to flow more freely within the firm, which is conducive to increased firm innovation.”
Kelly’s hot takes: Cybersecurity really isn’t very important[2]. This evidence suggests that an appropriate first step in your security program is to have fewer secrets and to care less about them. There is negligible business benefit to protecting secrets, so the opportunity cost of investing in this protection is hefty – not to mention its costs in terms of lost productivity.
The infosec industry should also really stop fetishizing “sophisticated” and “targeted” attacks by nation states. It was already an embarrassing practice, but the evidence from this study only makes it more cringeworthy and manipulative.
Data breach announcements + company value
The paper: The Impact of Data Breach Announcements on Company Value in European Markets by Adrian Ford, Ameer Al-Nemrat, Seyed Ali Ghorashi, and Julia Davidson
TL;DR: This paper is yet more proof that stonk prices aren’t actually affected by data breaches, despite the wishes of the infosec community. The budget justification you seek is elsewhere.
What’s the problem: One oft-touted justification for cybersecurity budget is avoiding “reputational damage,” often framed as the organization’s stock market valuation being at risk. There is no supporting evidence that this is true beyond the first few days after a breach announcement. However, existing empirical analysis focuses on publicly traded companies in the United States rather than companies in European markets.
What this paper contributes: This paper looks at the effect of data breach announcements on the stock prices of companies in European markets (vs. in the U.S.). Their study did not find evidence of negative stock impact in any industry sector; none of the measured effects were statistically significant across industries and geographies, except in Spain[3]. These results are consistent with prior research finding that the discussion of financial market impact from data breach announcements is basically “much ado about nothing.”[4]
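To make concrete what “no statistically significant impact” means, and why a four-event sample deserves the skepticism given to it in the footnotes, here is an added example of the market-model event study that is the standard design for this kind of question. It is not code from this post or from either paper, neither of which is reproduced here, and whether the papers use exactly this specification is an assumption. All returns below are constructed for illustration: a firm’s abnormal return on each day of the announcement window is its realised return minus what a market model fitted on a pre-event estimation window predicts, the cumulative abnormal return (CAR) sums those, and the cross-sectional t statistic asks whether the mean CAR across events differs from zero.

```python
"""Event-study arithmetic behind "no significant share-price impact" claims.

Added illustration with constructed data; nothing here is taken from the
Searle & Vivian or Ford et al. papers.
"""
import math
from statistics import mean, stdev


def fit_market_model(firm, market):
    """OLS of firm returns on market returns over the estimation window.

    Returns (alpha, beta) for the market model R_firm = alpha + beta * R_market.
    """
    if len(firm) != len(market) or len(firm) < 3:
        raise ValueError("estimation window too short or mismatched")
    m_bar, f_bar = mean(market), mean(firm)
    cov = sum((m - m_bar) * (f - f_bar) for m, f in zip(market, firm))
    var = sum((m - m_bar) ** 2 for m in market)
    if var == 0:
        raise ValueError("market returns have zero variance")
    beta = cov / var
    alpha = f_bar - beta * m_bar
    return alpha, beta


def abnormal_returns(firm, market, alpha, beta):
    """Realised minus model-predicted return for each day of the event window."""
    return [f - (alpha + beta * m) for f, m in zip(firm, market)]


def cumulative_abnormal_return(firm, market, alpha, beta):
    """CAR: abnormal returns summed over the event window."""
    return sum(abnormal_returns(firm, market, alpha, beta))


def cross_sectional_t(cars):
    """Mean CAR across events, its standard error, and the t statistic
    for H0: mean CAR == 0 (sample standard deviation, n - 1 degrees of freedom)."""
    n = len(cars)
    if n < 2:
        raise ValueError("need at least two events")
    avg = mean(cars)
    se = stdev(cars) / math.sqrt(n)
    return avg, se, avg / se


# --- constructed inputs (made up; not market data) -------------------------
# 120-day estimation window: a repeating market pattern and a firm that
# follows it exactly with alpha=0.0005, beta=1.2, so OLS should recover both.
EST_MARKET = [0.01 * ((i % 7) - 3) / 3 for i in range(120)]
TRUE_ALPHA, TRUE_BETA = 0.0005, 1.2
EST_FIRM = [TRUE_ALPHA + TRUE_BETA * m for m in EST_MARKET]

# Five-day event window around a hypothetical breach announcement. The firm
# return is the model's prediction plus a constructed shock on days 1 and 2.
EVENT_MARKET = [0.004, -0.010, 0.002, 0.000, 0.003]
EVENT_SHOCK = [-0.010, -0.020, 0.005, 0.000, 0.000]  # sums to -0.025
EVENT_FIRM = [TRUE_ALPHA + TRUE_BETA * m + s
              for m, s in zip(EVENT_MARKET, EVENT_SHOCK)]

# Constructed CARs for a four-event sample (the Spanish sample size noted in
# the post is four events; these numbers are not the paper's).
FOUR_EVENT_CARS = [-0.025, -0.010, 0.005, -0.020]


def example_car():
    """CAR for the constructed event; should equal the summed shock, -0.025."""
    alpha, beta = fit_market_model(EST_FIRM, EST_MARKET)
    return cumulative_abnormal_return(EVENT_FIRM, EVENT_MARKET, alpha, beta)


def example_t(n_repeats=1):
    """Cross-sectional test on the four-event sample, optionally replicated so
    that the same average effect is judged with a larger n."""
    return cross_sectional_t(FOUR_EVENT_CARS * n_repeats)


if __name__ == "__main__":
    alpha, beta = fit_market_model(EST_FIRM, EST_MARKET)
    print(f"fitted alpha={alpha:.4f} beta={beta:.3f}; CAR={example_car():.4f}")
    for reps, crit in ((1, 3.182), (4, 2.131)):  # two-sided 5% t critical values, df=3 and df=15
        avg, se, t = example_t(reps)
        n = len(FOUR_EVENT_CARS) * reps
        verdict = "significant" if abs(t) > crit else "not significant"
        print(f"n={n:2d} mean CAR={avg:+.4f} se={se:.4f} t={t:+.2f} -> {verdict}")
```

Running it shows the point of the sample-size caveat: the same mean CAR of -1.25% gives t ≈ -1.89 on four events (not significant against the df=3 critical value of 3.18) but t ≈ -4.23 when the identical distribution is observed sixteen times. A handful of events can land on either side of the significance line by chance, so a “significant” result from four announcements says little on its own, and a null result across a large, diverse sample, as in the European study, is the more informative finding.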
Key quote: “Overall we have seen no clear impact on share price of data breach announcements in European companies… Based on this evidence it is difficult to support business cases for investment in cyber security measures.”
Kelly’s hot takes: The ROI problem in infosec is the proverbial elephant in the room, and security leaders will eventually run out of straws to grasp at when justifying their security budgets. You can only handwave for so long until it becomes clear that the business impact is minimal, especially as new evidence emerges[5].
For instance, with the current rise of data extortion, the only real reputational risk is if attackers dox you and expose criminal activity… and it’s unlikely that security vendors will run with the tagline “we will help you conceal your corporate crimes.” So how long before it’s priced in as a basic cost of doing business and no one cares?
Anyway, I’ve been telling infosec people that cybersecurity doesn’t matter to stonk market investors for eight years; perhaps with even more evidence, they’ll finally reconcile their professional self-image with the market reality and stop taking it out on me.
[1] The study looks at short-term stock market impacts, so it’s possible that trade secret theft results in longer-term impacts – but there’s no evidence to support that notion yet, so it remains an untested theory.
[2] Odlyzko, A. (2019). Cybersecurity is not very important. Ubiquity, 2019(June), 1-23. http://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf
[3] They found a statistically significant negative impact in the Spanish stonk market, but there were only four breach events, so that’s a pretty teeny sample size imo.
[4] Richardson, V. J., Smith, R. E., & Watson, M. W. (2019). Much ado about nothing: The (lack of) economic impact of data privacy breaches. Journal of Information Systems, 33(3), 227-265. http://web.csulb.edu/colleges/cba/intranet/vita/pdfsubmissions/26629-jis19-much-ado-about-nothing.pdf
[5] This is why I advise security teams to study their engineering peers’ metrics and figure out how they can support them. There is natural alignment to be found, and aligning your efforts with the burgeoning engine of business is a savvier strategy than sticking to textbook security gospel.