Loading…

The effect of information security certification announcements on the market value of the firm

Information security management has increasingly been recognized as one of the major business challenges of the last decade. While security research has widely recognized that breaches are detrimental to business value, the other side of the equation has received little attention. The literature on...

Full description

Saved in:
Bibliographic Details
Published in:Information technology and management 2019-09, Vol.20 (3), p.107-121
Main Authors: Deane, Jason K., Goldberg, David M., Rakes, Terry R., Rees, Loren P.
Format: Article
Language:English
Subjects:
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Information security management has increasingly been recognized as one of the major business challenges of the last decade. While security research has widely recognized that breaches are detrimental to business value, the other side of the equation has received little attention. The literature on the value impact of proactive financial investments into information security management infrastructure and policy is very limited. Unlike most information technology investments, reinforcements to information security management programs suggest a reduction of a firm’s risk of damages in future attacks rather than an improvement in a firm’s revenue generation. Furthermore, contemporary information security management represents a process-based shift in a firm’s operations. In light of the unique information security risks faced by modern firms, we posit several hypotheses related to the value created from information security management program investments. We then present an empirical examination of the effects of information security management program investments on shareholder value. We use a firm’s successful completion of the ISO 27001 certification requirements as evidence of its commitment to developing a robust information security management program. Based on 111 public announcements, we find that the associated abnormal stock market reaction is both positive and statistically significant. We further control for firms’ industries, sizes, and dates of certification, and we find that they all affect the mean abnormal returns observed. This study demonstrates the capacity for information security management program investments to generate value for firms and further offers guidance for practitioners seeking to maximize shareholder value.
ISSN:1385-951X
1573-7667
DOI:10.1007/s10799-018-00297-3