PUBLIC DISCLOSURE OF INFORMATION SECURITY BREACH INCIDENTS: SHORT-TERM STOCK MARKET REACTION ON INDIAN LISTED FIRMS

ABSTRACT

Data breach incidents are growing by the day and firms struggle to detect, defend, and respond to such breaches. Nowadays, security breaches are considered one of the major concerns for corporate organizations around the world. Hence, it is essential to assess the impact of such breaches on organizations. This article reports stock price reaction due to public disclosure of information security breach (ISB) incidents on publicly traded firms of India. Using the event study methodology on a sample of 120 publicly announced ISB incidents between January 2004 and April 2019 pertaining to 69 publicly listed firms of India, we found that exposure to an ISB incident exacerbates negative stock price reactions based on both one-factor market model and Fama-French three-factor model. On average, breached firms lost 0.55% of their market value within two days post the announcement of ISB incidents. Further, we found some factors that significantly negatively impacted Cumulative Abnormal Return (CAR). Important emerging factors such as type of compromised data, sentiment, subjectivity, and remedial strategy significantly impact CAR. According to our study findings, we suggest that firms should mention remedial measures in terms of apology and/or compensation in the ISB disclosure. Furthermore, the result indicates that investors penalize listed firms for subsequent ISB incidents. Thus, our findings may guide Chief Information Officers (CIOs), information security managers, and IT managers of publicly traded firms to devise various strategies in terms of IT security measures and content of the ISB disclosure.

KEYWORDS:

• Public disclosure
• Information security breach
• event study
• CAR
• cost of data breach

View correction statement:

Correction notice

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article was originally published with errors, which have now been corrected in the online version. Please see Correction [10.1080/10919392.2024.2360775].

Additional information

Notes on contributors

Surjit Paul

Surjit Paul is a PhD research scholar at Vinod Gupta School of Management, Indian Institute of Technology Kharagpur in India. He holds an M. Tech in Computer Science & Engineering from National Institute of Technology Jamshedpur, India. His areas of research interests are information security, websites usability, privacy and security, and network security. He has published his research work in various international journals of repute.

Saini Das

Saini Das is an Assistant Professor in the Information Systems area at Vinod Gupta School of Management, Indian Institute of Technology Kharagpur in India. She received her Ph.D. from Indian Institute of Management Lucknow, India. Her research interests are managing information security risks in networks, management information systems (MIS), e-commerce technology and applications, data privacy, digital piracy and data analytics. She has published her research work in various international journals of repute such as Decision Support Systems, Information & Management, International Journal of Information Management, Information Systems Frontiers, Behaviour & Information Technology, Journal of Global Information Technology Management (JGITM), Journal of Information Technology Case and Application Research (JITCAR), etc.