In security intelligence, it is sometimes difficult to pinpoint and measure IT security investments because they are embedded throughout organizations to enable business strategies, process improvements or implement new capabilities. IT security investments typically span functional and organizational boundaries, including departmental, interdepartmental, enterprise and interorganizational. Also, for security intelligence, IT security expenditures are distributed over tools, policies, technologies, procedures and personnel.

As a result, organizations are often unable to identify all IT security expenditures and lack available cost data as a result. Firms are unlikely to invest in IT security without some type of measured financial costs and benefits. Decision-makers must be able to quantify costs and the resulting value from IT security investments in order to gain managerial and financial support for such expenditures. So how are IT security costs typically quantified?

Quantifying Security Intelligence Investments

Most IT security investments are rationalized using common accounting methods. However, accounting methods such as return on investment have provided mixed results because they are based on historical financial information, and expected benefits are not measured as part of these calculations. Correlations between investments and accounting measures are considered weak due to rapid depreciation, short useful life and the unpredictable operational aspects of IT in general.

Given the maniacal focus of senior executives on stock values, an alternative approach to expressing the value of IT security might be to use an event study approach. Eugene Fama, an American economist and Nobel laureate in economics, established the event study methodology based on his efficient market theory. This theory assumes stock market prices always immediately reflect all available information. Simply stated, event studies reflect the stock market reaction to a public announcement.

Many event studies have already been completed to assess the effects of various IT announcements concerning security breaches, viruses, hacking and denial-of-service (DoS) attacks and new software vulnerabilities. Unsurprisingly, the stock prices of firms making such announcements were negatively affected. Is it possible that firms making public announcements about IT security investments would see positive effects instead?

Stock Prices and Security

An event study composed of 34 different U.S. e-banking service providers examined how announcements of investments in IT security technologies and staff affected their stock prices. Security is one of the biggest concerns for customers considering adopting e-banking, so these types of announcements are common. IT security is also a legal obligation for U.S. banks. They must protect against cybercrime, DoS attacks, cybercriminals and data breaches, as well as identity and credit card theft and fraud.

The study showed that IT security investment announcements made by e-banking service providers did not positively affect their stock prices. This may be because it is expected that all e-banking providers are regularly investing in IT security due to regulatory compliance requirements. For example, the Federal Financial Institutions Examination Council requires financial institutions to implement multiple types of online security to support online authentication and fraud prevention. Investors already expect e-banking service providers to frequently utilize new technologies and strategies in order to accommodate new user demands or to mitigate new threats and vulnerabilities, so these types of announcements are just too commonplace.

Perhaps an event study of IT security investments outside of regulated industries (not health care or financial industries) would reveal positive effects on stock market prices. For regulated industries, IT security investments appear to be considered a cost of doing business. Based on the event studies I’ve examined, it would appear that only negative IT security announcements affect stock prices. For overall better security intelligence, does anyone have evidence of positive stock price effects resulting directly from IT security investments they’d be willing to share?