In security intelligence, it is sometimes difficult to pinpoint and measure IT security investments because they are embedded throughout organizations to enable business strategies, process improvements or implement new capabilities. IT security investments typically span functional and organizational boundaries, including departmental, interdepartmental, enterprise and interorganizational. Also, for security intelligence, IT security expenditures are distributed over tools, policies, technologies, procedures and personnel.

As a result, organizations are often unable to identify all IT security expenditures and lack available cost data as a result. Firms are unlikely to invest in IT security without some type of measured financial costs and benefits. Decision-makers must be able to quantify costs and the resulting value from IT security investments in order to gain managerial and financial support for such expenditures. So how are IT security costs typically quantified?

Quantifying Security Intelligence Investments

Most IT security investments are rationalized using common accounting methods. However, accounting methods such as return on investment have provided mixed results because they are based on historical financial information, and expected benefits are not measured as part of these calculations. Correlations between investments and accounting measures are considered weak due to rapid depreciation, short useful life and the unpredictable operational aspects of IT in general.

Given the maniacal focus of senior executives on stock values, an alternative approach to expressing the value of IT security might be to use an event study approach. Eugene Fama, an American economist and Nobel laureate in economics, established the event study methodology based on his efficient market theory. This theory assumes stock market prices always immediately reflect all available information. Simply stated, event studies reflect the stock market reaction to a public announcement.

Many event studies have already been completed to assess the effects of various IT announcements concerning security breaches, viruses, hacking and denial-of-service (DoS) attacks and new software vulnerabilities. Unsurprisingly, the stock prices of firms making such announcements were negatively affected. Is it possible that firms making public announcements about IT security investments would see positive effects instead?

Stock Prices and Security

An event study composed of 34 different U.S. e-banking service providers examined how announcements of investments in IT security technologies and staff affected their stock prices. Security is one of the biggest concerns for customers considering adopting e-banking, so these types of announcements are common. IT security is also a legal obligation for U.S. banks. They must protect against cybercrime, DoS attacks, cybercriminals and data breaches, as well as identity and credit card theft and fraud.

The study showed that IT security investment announcements made by e-banking service providers did not positively affect their stock prices. This may be because it is expected that all e-banking providers are regularly investing in IT security due to regulatory compliance requirements. For example, the Federal Financial Institutions Examination Council requires financial institutions to implement multiple types of online security to support online authentication and fraud prevention. Investors already expect e-banking service providers to frequently utilize new technologies and strategies in order to accommodate new user demands or to mitigate new threats and vulnerabilities, so these types of announcements are just too commonplace.

Perhaps an event study of IT security investments outside of regulated industries (not health care or financial industries) would reveal positive effects on stock market prices. For regulated industries, IT security investments appear to be considered a cost of doing business. Based on the event studies I’ve examined, it would appear that only negative IT security announcements affect stock prices. For overall better security intelligence, does anyone have evidence of positive stock price effects resulting directly from IT security investments they’d be willing to share?

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…