Abstract
Information security management has increasingly been recognized as one of the major business challenges of the last decade. While security research has widely recognized that breaches are detrimental to business value, the other side of the equation has received little attention. The literature on the value impact of proactive financial investments into information security management infrastructure and policy is very limited. Unlike most information technology investments, reinforcements to information security management programs suggest a reduction of a firm’s risk of damages in future attacks rather than an improvement in a firm’s revenue generation. Furthermore, contemporary information security management represents a process-based shift in a firm’s operations. In light of the unique information security risks faced by modern firms, we posit several hypotheses related to the value created from information security management program investments. We then present an empirical examination of the effects of information security management program investments on shareholder value. We use a firm’s successful completion of the ISO 27001 certification requirements as evidence of its commitment to developing a robust information security management program. Based on 111 public announcements, we find that the associated abnormal stock market reaction is both positive and statistically significant. We further control for firms’ industries, sizes, and dates of certification, and we find that they all affect the mean abnormal returns observed. This study demonstrates the capacity for information security management program investments to generate value for firms and further offers guidance for practitioners seeking to maximize shareholder value.
Published Version (Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.