Communications of the ACM

Virtual extension

Quantifying the Benefits of Investing in Information Security


Malicious attacks on enterprise IT infrastructures have become a serious threat with the growing importance of the Internet. Regulatory frameworks and legislation such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and SOX (Sarbanes-Oxley Act) require organizations to implement the safeguards necessary to ensure the confidentiality, integrity, and availability of information. Failure to do so exposes them to heavy monetary penalties and to loss of customers and goodwill. Several quantitative models have been proposed in the literature to justify information security investments at the firm level. Risk-driven decision models are limited by the difficulty of reliably estimating both the potential losses from security breaches and the probability of such breaches [12]. Even a single security breach involving unauthorized access to customers' credit card information could prove catastrophic for the breached firm. Khansa and Liginlal [8] proposed a real-option-based model to value the flexibility of switching among compatible information security technologies. Other researchers have exposed the detrimental effects of security breaches on the market value of affected firms. For instance, Ettredge and Richardson [4] found that the stock prices of both B2C and B2B firms dropped significantly around the February 2000 denial-of-service attacks. Campbell et al. [2] found that breaches involving confidential information had a significant negative effect on the stock price of the breached firms. Prior research has also reported an information-transfer effect of malicious attacks on the market value of information security firms: Cavusoglu et al. [3] showed that the stock price of information security firms is positively associated with the disclosure of security breaches by other firms.

We measure overall investment in information security by the aggregated revenues of information security firms that control a prominent share of the various information security market segments. We propose to show the following.

  1. Investment in information security is effective in reducing the severity of malicious attacks [a], which are known to adversely affect the stock price of breached firms [2, 4].
  2. Higher demand for information security products and services conveys a positive outlook for the information security sector and is associated with an increase in the stock price of information security firms.


Data Collection

* Investment in Information Security.

Measuring investment in information security is a challenge because firms are neither willing to disclose such strategic information nor able to provide accurate records of it. We propose that the sum of the revenues of the information security firms that control a major share of the information security market (as determined by several [b] annual IDC and Gartner surveys) constitutes a good measure of overall investment in information security. To ensure that the revenues relate only to information security and not to other IT products and services, we select thirty public information security firms that together hold more than 50% of the information security market and that offer no other IT products. These firms fall into three main information security market segments, namely content security, identity and access management (IDAM), and network security (the latter includes technologies such as VPN, SSL, and intrusion detection and prevention).

For the content security segment, our sample includes Symantec, McAfee, and Trend Micro, which have traditionally controlled a significant share of the market (for instance, a combined 53.8% of the content security market in 2006 according to Canalys [c]). The IDAM segment includes the most influential players, such as Entrust, Internet Security Systems, RSA Security, WatchGuard Technologies, and Secure Computing. For network security, we include companies such as Check Point Software, Network Engines, and SonicWALL. Although some of the firms in the sample, such as RSA, were acquired recently, our analysis covers the period up to the point at which their acquisition became effective. The acquiring firms offer products and services other than information security, so including their revenues beyond this point would yield a noisy and inaccurate measure of information security investment. The selected firms are mostly US-based (except for Check Point Software), but their customers are worldwide, so the revenues of these firms capture worldwide demand for information security products and services, which is consistent with the borderless character of the Internet.

Severity of Malicious Attacks. We compile 6,400 instances of malicious attacks (as is done in [11]) from the Web site of Symantec [d], the leading antivirus service provider, covering the period from January 1998 to December 2006. Their severity levels were rated by subject matter experts based on three attributes, namely wildness, destructiveness, and distribution. Wildness refers to the extent to which a threat has already spread among computer users; destructiveness is an assessment of the damage that a given infection could cause; and distribution refers to how quickly a malicious entity spreads itself. The estimated severity comes in the form of a linguistic variable that takes values from the set S = {Low, Medium, High}. Many authors [6] have argued that fuzzy logic is ideal for representing and processing such linguistic terms. We represent the linguistic variable using trapezoidal fuzzy numbers for ease of analysis [e]. Multiple malicious attacks could strike on the same day. Also, since revenues are reported quarterly, we use a fuzzy weighted sum method [1] to aggregate the data on a quarterly basis. The fuzzy sets resulting from the aggregation, which is implemented in Mathematica's Fuzzy Logic toolbox [f], are defuzzified using the centroid method [1].
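As an added illustration (not code from the article, whose aggregation was done in Mathematica's Fuzzy Logic toolbox), the following Python sketch runs the three steps just described on constructed data: each attack's linguistic severity is mapped to a trapezoidal fuzzy number, the attacks that fall in one quarter are combined with a fuzzy weighted sum, and the resulting trapezoid is defuzzified by its centroid. The membership functions for Low, Medium, and High (on an assumed 0..10 scale), the unit weight per attack, and the sample attack list are assumptions; the article does not publish its membership functions, weights, or raw data.

```python
from collections import defaultdict
from datetime import date

# Assumed trapezoidal membership functions (a, b, c, d) on a 0..10 scale:
# membership rises linearly from 0 at a to 1 at b, stays at 1 until c, and
# falls linearly back to 0 at d. The article does not publish its parameters.
SEVERITY_FUZZY = {
    "Low":    (0.0, 0.0, 2.0, 4.0),
    "Medium": (3.0, 4.5, 5.5, 7.0),
    "High":   (6.0, 8.0, 10.0, 10.0),
}


def membership(tfn, x):
    """Degree to which the crisp value x belongs to the trapezoidal number tfn."""
    a, b, c, d = tfn
    if x < a or x > d:
        return 0.0
    if x < b:                      # rising edge (a < b guaranteed here)
        return (x - a) / (b - a)
    if x <= c:                     # flat top
        return 1.0
    return (d - x) / (d - c)       # falling edge (c < d guaranteed here)


def fuzzy_weighted_sum(tfns, weights=None):
    """Weighted sum of trapezoidal fuzzy numbers.

    With non-negative weights the alpha-cuts are intervals and interval
    arithmetic makes the sum trapezoidal again, so it can be formed
    component-wise: (sum w*a, sum w*b, sum w*c, sum w*d)."""
    tfns = list(tfns)
    if weights is None:
        weights = [1.0] * len(tfns)   # assumed: every attack counts once
    if len(weights) != len(tfns) or any(w < 0 for w in weights):
        raise ValueError("one non-negative weight per fuzzy number is required")
    total = [0.0, 0.0, 0.0, 0.0]
    for w, tfn in zip(weights, tfns):
        for i in range(4):
            total[i] += w * tfn[i]
    return tuple(total)


def centroid(tfn):
    """Centroid (centre of area) defuzzification of a trapezoid (a, b, c, d)."""
    a, b, c, d = tfn
    denom = (d + c) - (a + b)         # twice the area under the membership function
    if denom == 0:                    # zero-width (crisp) number, e.g. an empty quarter
        return float(a)
    return ((d * d + d * c + c * c) - (a * a + a * b + b * b)) / (3.0 * denom)


def quarter_of(day):
    """Calendar quarter key (year, 1..4) for a date."""
    return (day.year, (day.month - 1) // 3 + 1)


def quarterly_severity(attacks):
    """attacks: iterable of (date, level), level in {"Low", "Medium", "High"}.
    Returns {(year, quarter): crisp aggregated severity}. Several attacks on
    the same day simply contribute several terms to that quarter's sum."""
    groups = defaultdict(list)
    for day, level in attacks:
        groups[quarter_of(day)].append(SEVERITY_FUZZY[level])
    return {q: centroid(fuzzy_weighted_sum(tfns)) for q, tfns in sorted(groups.items())}


# Constructed sample, not Symantec data; two attacks share one day on purpose.
SAMPLE_ATTACKS = [
    (date(2006, 1, 25), "High"),
    (date(2006, 1, 25), "Low"),
    (date(2006, 3, 3), "Medium"),
    (date(2006, 5, 14), "Low"),
    (date(2006, 6, 30), "Low"),
]

if __name__ == "__main__":
    for quarter, severity in quarterly_severity(SAMPLE_ATTACKS).items():
        print(quarter, round(severity, 3))
```

Because the weights are all 1, the quarterly figure grows with the number of attacks as well as with their individual ratings, which is what a quarterly aggregate of daily events should capture; a quarter with three attacks (High, Low, Medium) scores 15.0 under the assumed membership functions, while a quarter with two Low attacks scores about 3.1.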

For a quick cross-validation of our compiled severity dataset, we relate the yearly aggregated time series of the severity of malicious attacks to the dollar-loss data from the CSI/FBI (http://www.gocsi.com/) reports from 1998 to 2006. These data encompass the types of malicious attacks under study and are based upon surveys conducted by experts in the information security field. We find a correlation of 0.58 (significant at the 0.1 level) despite the small size of the dataset (nine yearly observations).


Analysis and Results

Figure 1 summarizes the framework of our empirical research. First, we postulate that investment in information security increases the revenues of information security firms, in turn boosting their present and forecasted fundamentals and positively impacting their stock price. This indicates that the market performance of the information security sector is demand-driven, consistent with [5], which shows that stock prices have been more sensitive to demand-driven output fluctuations than to supply-driven variations. Second, we hypothesize that when firms acquire protection against malicious attacks, they avoid the potential adverse effects of security breaches on their stock price.

* Time Series Models for Forecasting

We use both time series and vector auto-regression (VAR) analyses to demonstrate the benefits of investing in information security. All quarterly revenues and stock market data from 1998 to 2006 are gathered from the CRSP [g] database. A summary of the variables used in the analyses follows:

  1. Revenues: the sum of the quarterly revenues of the thirty selected information security firms.
  2. Market Return: the quarterly (value-weighted) return on the NASDAQ Composite Index, which is composed of technology stocks, including information security stocks. Previous research has established that NASDAQ is representative of the worldwide technology stock market. For example, Jeon and Jang [7] showed that NASDAQ affects the Korean market at every level of aggregation, with no significant reverse effect.
  3. Stock Price: the average of the quarterly stock price of the firms in the sample.
  4. Severity: the quarterly-aggregated severity of malicious attacks.

Figure 2, which plots the time series of all four variables, reveals that the revenues of information security firms have followed an increasing trend over the past eight years. Given that the collected revenues represent the majority but not the entirety of the sales of the information security sector, the increasing investment trend is evidence that the information security sector is consolidating. This is expected since, in addition to existing customers who need to upgrade their products, newer firms are investing to acquire protection. Before relating the Revenues, Severity, and Stock Price time series using VAR analysis, we ensure that the series are stationary and account for seasonality, if any. The Revenues and Severity time series trend upward and do not revolve around a fixed mean over time. Further, the autocorrelation functions of both time series decay slowly to zero, with autocorrelations still exceeding twice their standard errors beyond lag 6. This confirms that the means of both time series are non-stationary. Similarly, an examination of the autocorrelation function of the Stock Price time series reveals high first-order autocorrelation. Following the Box and Jenkins approach [10], we perform first-order differencing of all three time series to make them stationary. After differencing, the Revenues and Severity time series appear to be highly correlated, with a lag effect.

The Revenues and Severity time series models serve as benchmarks against which to compare the fit and accuracy of the VAR model. We use Lag_i to denote a shift back by i time periods and Diff_i to denote ith-order differencing. The differenced Severity time series follows an autoregressive (AR) process, whose estimates are shown in Table 1. The AR model allows forecasting of the severity of current malicious attacks from the time series' past values. The selected model has the lowest Akaike information criterion (AIC) value, 8.81 (AIC is a model-selection criterion that rewards goodness of fit while penalizing the number of estimated parameters [10]), with a standard error of 78.37. Coefficients are significant beyond the 5% significance level.

The differenced Revenues time series appears to exhibit seasonality, which we capture using a set of quarterly dummy variables to account for the seasonal pattern. These variables are Q1,t, Q2,t, Q3,t, where

[Equation image ueq01.gif not reproduced; it defines the quarterly dummies: Qi,t = 1 if quarter t is the ith quarter of its year, and 0 otherwise, for i = 1, 2, 3.]

Table 2 gives the significant coefficients and their estimates.

The constant term in the model represents the change in the revenue level during fourth quarters. The coefficients on Q1,t, Q2,t, and Q3,t are the amounts that must be added to the fourth-quarter prediction to obtain the model's predictions for the first, second, and third quarters, respectively. The coefficients in Table 2 are significant beyond the 1% significance level, with a standard error of 185.89 and an AIC value of 10.58. The negative sign on Q1,t indicates that the incremental revenues in the first quarter are, on average, below the fourth-quarter prediction, consistent with the findings of UBS Research [h].
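To make the pre-processing concrete, here is an added Python example (not the authors' code) that applies the three steps described above to a constructed quarterly revenue series with a linear trend and a fourth-quarter bump: the sample autocorrelation function with the rule of thumb that autocorrelations above twice their approximate standard error 1/sqrt(n) through lag 6 signal a non-stationary mean, first-order differencing, and a regression of the differenced series on a constant plus Q1..Q3 dummies. Because the dummies are the only regressors, the OLS estimates reduce exactly to group means (the constant is the mean fourth-quarter change and each Qi coefficient is the mean change in quarter i minus that constant), so no matrix algebra is needed. The series values, the trend, and the seasonal pattern are assumptions, not the CRSP data.

```python
import math
from statistics import mean


def acf(xs, max_lag):
    """Sample autocorrelations r_1 .. r_max_lag of the series xs."""
    n, m = len(xs), mean(xs)
    denom = sum((x - m) ** 2 for x in xs)
    return [sum((xs[t] - m) * (xs[t - k] - m) for t in range(k, n)) / denom
            for k in range(1, max_lag + 1)]


def decays_slowly(xs, max_lag=6):
    """Rule of thumb used in the text: if every autocorrelation up to max_lag
    exceeds twice its approximate standard error 1/sqrt(n), the ACF is not
    dying out and the mean of the series is treated as non-stationary."""
    threshold = 2.0 / math.sqrt(len(xs))
    return all(abs(r) > threshold for r in acf(xs, max_lag))


def first_difference(xs):
    """Diff_1: x_t - x_{t-1}; the result is one observation shorter."""
    return [b - a for a, b in zip(xs, xs[1:])]


def seasonal_dummy_fit(levels, first_quarter):
    """OLS of the differenced series on a constant plus Q1, Q2, Q3 dummies.

    The difference x_t - x_{t-1} is dated at quarter t. With dummies as the
    only regressors the least-squares solution is exact group means, so the
    constant is the mean Q4 change and Qi is the mean Qi change minus it."""
    diffs = first_difference(levels)
    by_quarter = {1: [], 2: [], 3: [], 4: []}
    for i, d in enumerate(diffs):
        quarter = (first_quarter - 1 + i + 1) % 4 + 1   # quarter of x_t, t = i + 1
        by_quarter[quarter].append(d)
    const = mean(by_quarter[4])
    return {
        "const": const,
        "Q1": mean(by_quarter[1]) - const,
        "Q2": mean(by_quarter[2]) - const,
        "Q3": mean(by_quarter[3]) - const,
    }


# Constructed sample (not the CRSP data): 36 quarters starting in Q1, a trend of
# +10 per quarter plus a seasonal pattern that is low in Q1 and high in Q4.
SEASONAL = {1: -15, 2: 0, 3: 0, 4: 15}
SAMPLE_LEVELS = [100 + 10 * t + SEASONAL[t % 4 + 1] for t in range(36)]

if __name__ == "__main__":
    print("ACF of levels:", [round(r, 2) for r in acf(SAMPLE_LEVELS, 6)])
    print("levels non-stationary:", decays_slowly(SAMPLE_LEVELS))
    print("seasonal fit on differences:", seasonal_dummy_fit(SAMPLE_LEVELS, first_quarter=1))
```

On this sample the level series is flagged as non-stationary, the differences repeat the pattern 25, 10, 25, -20, and the fit returns a constant of 25 with a negative Q1 coefficient (-45), the same qualitative picture as Table 2: first-quarter changes sit well below the fourth-quarter ones.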

Next we use VAR analysis to relate each variable to its own lagged value as well as to the lagged values of the other two variables.

Relating Revenues, Severity, and Stock Price using VAR Analysis. The results of the VAR analysis shown in Table 3 are based on the multivariate model with the smallest AIC, 20.11. Coefficients are significant beyond the 5% significance level, and standard errors are mostly lower than those of the corresponding univariate time series models. The differenced revenues and stock prices in the fourth quarter appear to be higher than in other quarters, as shown by the negative coefficients on the quarterly dummy variables in the differenced Revenues equation. A more interesting finding in Table 3 is that investment in information security has been instrumental in reducing the severity of malicious attacks in the short term (lag = 1 quarter; an average incremental reduction of 47.21%). Further, increased revenues translate into higher stock prices (lag = 3 quarters; average incremental increase of 0.61%). We conjecture that this increase in market value is actually an aggregation of prior incremental increases, as it has been shown that there is an inherent momentum in stock market reactions. The information transfer effect discussed in the prior literature [3] is also reflected in Table 3, in the form of incremental stock price increases for information security firms associated with lagged attack severity (1.79%; lag = 2 quarters).

Upon relating the severity of malicious attacks, post-differencing, to the value-weighted NASDAQ return, we find a negative overall correlation (-0.52; p-value = 0.03). We conjecture that the increase in the stock price of information security firms, such as through the information transfer effect, is overshadowed by the reduction in the market value of the breached firms. Finally, to complete the validation of the framework in Figure 1, we report that the value-weighted NASDAQ return and the differenced stock prices of information security firms are highly correlated (0.78; p-value < 0.01), which is expected given that some of the information security firms in the sample are part of NASDAQ. Next, we extend our analyses by investigating how our results differ across the three identified information security segments, namely content security, IDAM, and network security.

Dissecting Information Security Segments. We repeat our analysis over the subsamples of firms covering the three market segments identified in the study. The influence of investment on reducing severity is highest in the content security segment, with a 33.23% incremental reduction (lag = 1 quarter; p-value < 0.01), followed by a 23.78% incremental reduction for IDAM (lag = 1 quarter; p-value = 0.03) and a 24.02% incremental reduction for network security, the latter significant only at the 10% level (p-value = 0.09). The revenue trends in Figure 3 also show that IDAM dominated the other two information security segments until the first quarter of 2005, when the IDAM segment started seeing heavy competition from large IT players such as IBM and Computer Associates. This has resulted in an erosion of the market share of the IDAM firms in our sample. A study by Research and Markets [i] shows that sales of access control and security applications in the US skyrocketed after September 11 and are forecast to grow further, as more than 39 percent of businesses across the world are considering integrating access control, including biometrics, to secure their premises and critical information. IDAM controls access to privileged information and is thus also essential in deterring insider attacks and theft of customer data and intellectual property. Although our analysis does not consider insider attacks, which might be a major cause of security breaches, we still detect a significant reduction in the severity of malicious attacks, as defined earlier, as a result of investment in IDAM. In light of these results, we foresee significant investment in the IDAM market segment relative to the information security sector and the IT industry as a whole.


Conclusion

We have demonstrated that higher investment in information security brings more protection and resilience against malicious attacks. Lower severity of malicious attacks also implies smaller monetary damages for attack targets and reduced negative publicity, thereby benefiting the stock market. Revenues of information security firms above and beyond investors' expectations also raise investors' beliefs about the health and sustainability of the entire information security sector and are positively reflected in the stock price of information security firms. In parallel with the decreasing trend in the severity of malicious attacks shown in Figure 2, Liginlal et al. [9] showed that reported privacy breaches arising from malicious attacks on enterprises in the US, relative to those arising from human error, have gone down significantly since 2006.

In sum, the contributions of this article lie in its use of revenues to quantify investment levels, and its analytical results and their implications to the stock market. At the least, several pertinent research questions have been raised that provide avenues for further research.


Acknowledgements

The authors would like to thank Dr. Elizabeth Odders-White for reviewing an earlier version of this article and for offering her time and expertise at the onset of this research. We would also like to thank the Editor, Dr. Diane Crawford, and three anonymous reviewers for their very helpful suggestions and comments.


References

1. Bárdossy, A. and Duckstein, L. Fuzzy rule-based modeling with applications to geophysical, biological and engineering systems. CRC Press Inc., Boca Raton, FL, 1995.

2. Campbell, K., Gordon, L.A., Loeb, M.P., and Zhou, L. The economic severity of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security 11, 3 (2003), 431–448.

3. Cavusoglu, H., Mishra, B., and Raghunathan, S. The effect of Internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers. International Journal of Electronic Commerce 9, 1 (2004), 69–104.

4. Ettredge, M. and Richardson, V. J. Assessing the risk in e-commerce. Proceedings of the 35th Hawaii International Conference on System Sciences (Hawaii, 2002), 2673–2682.

5. Fraser, P. and Groenewold, N. US share prices and real supply and demand shocks. The Quarterly Review of Economics and Finance 46, 1 (2006), 149–167.

6. Lee, V.C.S. A fuzzy multi-criteria decision model for information system security investment. Lecture Notes in Computer Science, 2690 (2003), 436–441.

7. Jeon, B.N. and Jang, B.S. The linkage between the US and Korean stock markets: The case of NASDAQ, KOSDAQ, and the semiconductor stocks. Research in International Business and Finance 18, 3 (2004), 319–340.

8. Khansa, L. and Liginlal, D. Valuing the flexibility of investing in security process innovations. The European Journal of Operational Research, 192 (2009), 216–235.

9. Liginlal, D., Sim, I., and Khansa, L. Human error and its impact on information privacy. Computers and Security, 28 (2009), 215–228.

10. Pankratz, A. Forecasting with dynamic regression models. Wiley (New York, 1991).

11. Park, I., Sharman, R., Rao, H.R. and Upadhyaya, S. Short term and total life impact analysis of email worms in computer systems. Decision Support Systems 43, 3 (2007), 827–841.

12. Wang, J., Chaudhury, A., and Rao, H.R. An extreme value approach to information technology security investment. The International Conference on Information Systems (Las Vegas, NV, 2005).


Authors

Lara Khansa is an assistant professor in the Department of Business Information Technology, Pamplin College of Business, at Virginia Polytechnic Institute and State University, VA.

Divakaran Liginlal is an Associate Teaching Professor of Information Systems at Carnegie Mellon University's campus in Doha, Qatar.


Footnotes

a. For the purposes of this paper, this term refers to attacks by viruses, worms, macros, and Trojan horses.

b. For example, Worldwide Identity and Access Management 2007–2011 Forecast with Submarket Segments

c. http://www.canalys.com/pr/2007/r2007032.htm

d. http://www.symantec.com/business/security_response/threatexplorer/azlisting.jsp

e. http://www.wolfram.com/products/applications/fuzzylogic

f. http://www.wolfram.com/products/applications/fuzzylogic

g. The Center for Research in Security Prices (CRSP) maintains one of the most comprehensive collections of financial and economic data.

h. Is there a Fourth Quarter IT Anomaly?

i. Access Control Technologies and Market Forecast World Over (2007)

DOI: http://doi.acm.org/10.1145/1592761.1592789


Figures

Figure 1. Quantifying the Benefits of Information Security Investment

Figure 2. Plots of the Revenues, Severity, Stock Price, and Market Return Time Series

Figure 3. Investment Trends by Market Segment


Tables

Table 1. AR Model for Differenced Severity

Table 2. AR Model with Seasonal Variation for Differenced Revenues

Table 3. Results of VAR Analysis for Overall Information Security Sector



©2009 ACM  0001-0782/09/1100  $10.00
