November 25, 2014 By Linda Brock 2 min read

In security intelligence, it is sometimes difficult to pinpoint and measure IT security investments because they are embedded throughout organizations to enable business strategies, process improvements or implement new capabilities. IT security investments typically span functional and organizational boundaries, including departmental, interdepartmental, enterprise and interorganizational. Also, for security intelligence, IT security expenditures are distributed over tools, policies, technologies, procedures and personnel.

As a result, organizations are often unable to identify all IT security expenditures and lack available cost data as a result. Firms are unlikely to invest in IT security without some type of measured financial costs and benefits. Decision-makers must be able to quantify costs and the resulting value from IT security investments in order to gain managerial and financial support for such expenditures. So how are IT security costs typically quantified?

Quantifying Security Intelligence Investments

Most IT security investments are rationalized using common accounting methods. However, accounting methods such as return on investment have provided mixed results because they are based on historical financial information, and expected benefits are not measured as part of these calculations. Correlations between investments and accounting measures are considered weak due to rapid depreciation, short useful life and the unpredictable operational aspects of IT in general.

Given the maniacal focus of senior executives on stock values, an alternative approach to expressing the value of IT security might be to use an event study approach. Eugene Fama, an American economist and Nobel laureate in economics, established the event study methodology based on his efficient market theory. This theory assumes stock market prices always immediately reflect all available information. Simply stated, event studies reflect the stock market reaction to a public announcement.

Many event studies have already been completed to assess the effects of various IT announcements concerning security breaches, viruses, hacking and denial-of-service (DoS) attacks and new software vulnerabilities. Unsurprisingly, the stock prices of firms making such announcements were negatively affected. Is it possible that firms making public announcements about IT security investments would see positive effects instead?

Stock Prices and Security

An event study composed of 34 different U.S. e-banking service providers examined how announcements of investments in IT security technologies and staff affected their stock prices. Security is one of the biggest concerns for customers considering adopting e-banking, so these types of announcements are common. IT security is also a legal obligation for U.S. banks. They must protect against cybercrime, DoS attacks, cybercriminals and data breaches, as well as identity and credit card theft and fraud.

The study showed that IT security investment announcements made by e-banking service providers did not positively affect their stock prices. This may be because it is expected that all e-banking providers are regularly investing in IT security due to regulatory compliance requirements. For example, the Federal Financial Institutions Examination Council requires financial institutions to implement multiple types of online security to support online authentication and fraud prevention. Investors already expect e-banking service providers to frequently utilize new technologies and strategies in order to accommodate new user demands or to mitigate new threats and vulnerabilities, so these types of announcements are just too commonplace.

Perhaps an event study of IT security investments outside of regulated industries (not health care or financial industries) would reveal positive effects on stock market prices. For regulated industries, IT security investments appear to be considered a cost of doing business. Based on the event studies I’ve examined, it would appear that only negative IT security announcements affect stock prices. For overall better security intelligence, does anyone have evidence of positive stock price effects resulting directly from IT security investments they’d be willing to share?

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today