All security breaches are arguably a bad thing for a company, but recent empirical evidence suggests that most breaches actually don't have a significant economic impact in terms of direct expenses imposed on the companies that suffer them. That's the good news. The bad news is that the indirect costs associated with cybersecurity breaches can lead to significant economic punishment.

The financial beating we're talking about here is over and above what people usually talk about when they discuss the costs of cybercrime. This is because the difficulties of measuring those costs tend to focus any discussion on the more measurable costs--those that are direct expenses.

But, of course, there are both direct and indirect costs associated with cybersecurity breaches. The direct costs to companies include the money spent on intrusion-detection systems, overtime for staff members fixing compromised systems, and the productivity lost during virus attacks. Although these costs add up fast, spikes in expenses aren't a story that's unknown in other aspects of the day-to-day operations of a business. These costs can be thought of as akin to other operating expenditures. They are the costs of doing business in an Internet world. These costs can be measured, albeit not perfectly. And in total, these costs don't significantly impinge on a company's revenue.

The real financial damage as a result of cybersecurity breaches comes from indirect costs. These can be damages caused by lost sales, weakened customer relations, and legal liabilities. It's hard to measure indirect costs, but it's worth worrying about them because, unlike direct costs, they can add up to a substantial figure.

To try to get a handle on the full cost of cybercrime, Professor Lawrence A. Gordon and I led a team of researchers at the University of Maryland's Smith School of Business in examining the impact of cybersecurity breaches on the stock-market value of companies. The premise of our study was that stock-market pricing reflects the consensus of all the best minds in the market (and even the worst ones, for that matter) about all the information in the market at any given moment.

Once news of a breach reaches the market, the collective wisdom of investors will quickly work to evaluate the present value of all future effects of a breach, and this estimate will inherently include both the direct and indirect costs to the company.

In our research, looking at the stocks of businesses that had suffered breaches showed that most cybercrimes didn't have a significant effect on the market value of those companies. Shareholders recognize that an incident that, say, shuts down a company's Web site (as for example when SCO Group was pummeled by a denial-of-service attack as part of the MyDoom virus) may cost the business something but only in a transitory way.

When a breach leaks confidential private information (such as credit-card and bank-account numbers or sensitive medical information), that's an entirely different matter. In these cases, the breach has a marked negative impact on the market value of the company.

If a bank gets a virus and its ATMs shut down for a few hours, it's annoying, but customers probably won't change banks over such an incident. But if a bank is hacked and customer data is circulated on the Internet, customers may well decide to take their business elsewhere. You'd expect the stock market to react noticeably only in the latter case, because of the real potential for lost future revenue as customers opt to change banks.

Cybercrimes where confidentiality is violated are crimes that cause measurable negative impact in the stock-market value of companies. In our study, we found that companies lost an average of slightly more than 5% of their market valuation. If there is a perception that a business can't safeguard its confidential data, it can send investors running for the exits.

The message is clear: No company can achieve 100% security from cybercrimes, and trade-offs will have to be made. The key to those trade-offs is for companies to make sure to concentrate more of their information-security dollars on safeguards that will prevent breaches in confidentiality.

Photograph by Stone

Return to the story: The New Economics Of Information Security