In security intelligence, it is sometimes difficult to pinpoint and measure IT security investments because they are embedded throughout organizations to enable business strategies, process improvements or implement new capabilities. IT security investments typically span functional and organizational boundaries, including departmental, interdepartmental, enterprise and interorganizational. Also, for security intelligence, IT security expenditures are distributed over tools, policies, technologies, procedures and personnel.

As a result, organizations are often unable to identify all IT security expenditures and lack available cost data as a result. Firms are unlikely to invest in IT security without some type of measured financial costs and benefits. Decision-makers must be able to quantify costs and the resulting value from IT security investments in order to gain managerial and financial support for such expenditures. So how are IT security costs typically quantified?

Quantifying Security Intelligence Investments

Most IT security investments are rationalized using common accounting methods. However, accounting methods such as return on investment have provided mixed results because they are based on historical financial information, and expected benefits are not measured as part of these calculations. Correlations between investments and accounting measures are considered weak due to rapid depreciation, short useful life and the unpredictable operational aspects of IT in general.

Given the maniacal focus of senior executives on stock values, an alternative approach to expressing the value of IT security might be to use an event study approach. Eugene Fama, an American economist and Nobel laureate in economics, established the event study methodology based on his efficient market theory. This theory assumes stock market prices always immediately reflect all available information. Simply stated, event studies reflect the stock market reaction to a public announcement.

Many event studies have already been completed to assess the effects of various IT announcements concerning security breaches, viruses, hacking and denial-of-service (DoS) attacks and new software vulnerabilities. Unsurprisingly, the stock prices of firms making such announcements were negatively affected. Is it possible that firms making public announcements about IT security investments would see positive effects instead?

Stock Prices and Security

An event study composed of 34 different U.S. e-banking service providers examined how announcements of investments in IT security technologies and staff affected their stock prices. Security is one of the biggest concerns for customers considering adopting e-banking, so these types of announcements are common. IT security is also a legal obligation for U.S. banks. They must protect against cybercrime, DoS attacks, cybercriminals and data breaches, as well as identity and credit card theft and fraud.

The study showed that IT security investment announcements made by e-banking service providers did not positively affect their stock prices. This may be because it is expected that all e-banking providers are regularly investing in IT security due to regulatory compliance requirements. For example, the Federal Financial Institutions Examination Council requires financial institutions to implement multiple types of online security to support online authentication and fraud prevention. Investors already expect e-banking service providers to frequently utilize new technologies and strategies in order to accommodate new user demands or to mitigate new threats and vulnerabilities, so these types of announcements are just too commonplace.

Perhaps an event study of IT security investments outside of regulated industries (not health care or financial industries) would reveal positive effects on stock market prices. For regulated industries, IT security investments appear to be considered a cost of doing business. Based on the event studies I’ve examined, it would appear that only negative IT security announcements affect stock prices. For overall better security intelligence, does anyone have evidence of positive stock price effects resulting directly from IT security investments they’d be willing to share?

More from Intelligence & Analytics

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read