Sidebar: The Indirect Cost Of Cybercrime
New research suggests that some security breaches are considerably more harmful than others. Though recent empirical evidence suggests that most breaches don't have a significant economic impact on the companies that suffer them, there's one class of cybersecurity breach that will noticeably lighten the pockets of corporate shareholders -- a breach of trust.
The financial beating is over and above what people usually talk about when they discuss the costs of cybercrime. Those discussions tend to focus on the measurable costs -- direct expenses, such as money spent on intrusion-detection systems, overtime for staff members fixing compromised systems and productivity lost during virus attacks. These run up fast, but they're the costs of doing business in an Internet world. At the end of the day, these costs don't significantly impinge on revenue.
The real financial damage from cybersecurity breaches is inflicted in the form of indirect costs -- from lost sales, weakened customer relations and legal liabilities. Indirect costs, though hard to measure, can be a substantial part of revenue.
To comprehend the full cost of cybercrime, Lawrence Gordon and I led a team of researchers in examining the impact of cybersecurity breaches on companies' stock-market value. Our premise was that stock-market pricing reflects the consensus of all the best minds in the market -- and the worst ones -- about all the information available at any given moment. Once news of a breach reaches the market, investors will quickly evaluate the present value of all future effects of a breach, and this estimate will inherently include both the direct and indirect costs to the company.
Our research showed that most cybercrimes didn't have a significant effect on companies' market value. Shareholders recognize that an incident that shuts down a corporate Web site -- for example, when SCO was pummeled by a denial-of-service attack as part of the MyDoom virus -- may cost the company something, but only in a transitory way.
However, when a breach leaks confidential, private information, such as credit-card and bank-account numbers or medical information, that's a different matter. That sort of breach has a marked negative impact on market value.
If a bank gets a virus and its ATMs shut down for a few hours, that's annoying, but customers won't likely change banks. But if a bank's systems are hacked and customer data is circulated on the Internet, customers may well decide to take their business elsewhere. You'd expect the stock market to react noticeably only in the latter case, because of the potential for lost future revenue as customers jump ship.
In fact, cybercrimes in which confidentiality is violated cause a measurable negative impact on stock market value. In our study, companies lost an average of slightly more than 5 percent of their market valuation. If there's a perception that a company can't safeguard its confidential data, it can send investors running for the exits.
It should be very apparent to upper management that no company can achieve 100 percent security and trade-offs are necessary. The key is to concentrate more information-security dollars on safeguards against breaches in confidentiality. CEOs must prioritize the protection of confidential data or prepare to endure the wrath of shareholders.
-Martin Loeb is a professor at the University of Maryland's Smith School of Business. He's part of the team preparing the 2004 CSI/FBI cybercrime study.