Light Dark
November 25, 2014 By Linda Brock 2 min read
Intelligence & Analytics

In security intelligence, it is sometimes difficult to pinpoint and measure IT security investments because they are embedded throughout organizations to enable business strategies, process improvements or implement new capabilities. IT security investments typically span functional and organizational boundaries, including departmental, interdepartmental, enterprise and interorganizational. Also, for security intelligence, IT security expenditures are distributed over tools, policies, technologies, procedures and personnel.

As a result, organizations are often unable to identify all IT security expenditures and lack available cost data as a result. Firms are unlikely to invest in IT security without some type of measured financial costs and benefits. Decision-makers must be able to quantify costs and the resulting value from IT security investments in order to gain managerial and financial support for such expenditures. So how are IT security costs typically quantified?

Quantifying Security Intelligence Investments

Most IT security investments are rationalized using common accounting methods. However, accounting methods such as return on investment have provided mixed results because they are based on historical financial information, and expected benefits are not measured as part of these calculations. Correlations between investments and accounting measures are considered weak due to rapid depreciation, short useful life and the unpredictable operational aspects of IT in general.

Given the maniacal focus of senior executives on stock values, an alternative approach to expressing the value of IT security might be to use an event study approach. Eugene Fama, an American economist and Nobel laureate in economics, established the event study methodology based on his efficient market theory. This theory assumes stock market prices always immediately reflect all available information. Simply stated, event studies reflect the stock market reaction to a public announcement.

Many event studies have already been completed to assess the effects of various IT announcements concerning security breaches, viruses, hacking and denial-of-service (DoS) attacks and new software vulnerabilities. Unsurprisingly, the stock prices of firms making such announcements were negatively affected. Is it possible that firms making public announcements about IT security investments would see positive effects instead?

Stock Prices and Security

An event study composed of 34 different U.S. e-banking service providers examined how announcements of investments in IT security technologies and staff affected their stock prices. Security is one of the biggest concerns for customers considering adopting e-banking, so these types of announcements are common. IT security is also a legal obligation for U.S. banks. They must protect against cybercrime, DoS attacks, cybercriminals and data breaches, as well as identity and credit card theft and fraud.

The study showed that IT security investment announcements made by e-banking service providers did not positively affect their stock prices. This may be because it is expected that all e-banking providers are regularly investing in IT security due to regulatory compliance requirements. For example, the Federal Financial Institutions Examination Council requires financial institutions to implement multiple types of online security to support online authentication and fraud prevention. Investors already expect e-banking service providers to frequently utilize new technologies and strategies in order to accommodate new user demands or to mitigate new threats and vulnerabilities, so these types of announcements are just too commonplace.

Perhaps an event study of IT security investments outside of regulated industries (not health care or financial industries) would reveal positive effects on stock market prices. For regulated industries, IT security investments appear to be considered a cost of doing business. Based on the event studies I’ve examined, it would appear that only negative IT security announcements affect stock prices. For overall better security intelligence, does anyone have evidence of positive stock price effects resulting directly from IT security investments they’d be willing to share?

 |  |  | 
Linda Brock
IT Specialist

More from Intelligence & Analytics
February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

December 19, 2023

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

December 14, 2023

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature