A Case Study on the Effects of Cyber Attacks on Firm Stock Price
IEORE4211 Applied Consulting Group 1: Cedric Canovas, Shravan Kumar Chandrasekaran, Michelle Liu,
Xiaomeng Luo, Andrew Tang, Ran Wang, and Ruyue Xu
Executive Summary
Cyber Security Overview
Three Data Sets Used
Literature Review
Model 1: The Market Model
Model 2: Multiple Regression Analysis
Model 3: Machine Learning
Conclusion & Further Thoughts
Methodology
Introduction
❖ Over 169 million personal records were exposed in 2015, from 781 publicized breaches
❖ Average global cost for lost/stolen records containing confidential and sensitive data was $154/record, highest cost was $363/record for health care
❖ In 2015, there were 38% more security incidents detected than in 2014
❖ Attackers stay dormant within a network before detection for a median of over 200 days
❖ 74% of CISOs are concerned about employees stealing sensitive company information
❖ Only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack
Cyber security spending in the US, percent of GDP and USD billions, 2009 - 2017
Introduction
Most Prevalent Cyber Threats - Top Ten
Types of Threats:
❖ Insider threats (employees)
❖ Outside threats (hackers, organized crime outfits, activists or other parties)
Common Methods of Attacks:
❖ Malware: Trojans, viruses, worms
❖ Phishing: emails
❖ Password Attack: brute force attack
❖ Denial-of-Service (DoS) Attack: distributed-denial-of-service (DDoS) attack
❖ SQL Injection
High-Target Industries:
❖ Healthcare: personal information, most highly targeted industry for data breaches
❖ Education: colleges and universities, educational records
❖ Government: foreign nation-states, militant groups, crime rings benefit from government-related data
❖ Retail: credit card information, which can be sold on the Dark Web
❖ Financial: bank account information
Top Cyber Attack Motives:
❖ Information Theft: acquire information owned by the target
❖ Espionage: monitor the activities of the targets and steal information that these targets may have
❖ Sabotage: destroy, defame or blackmail the target
Introduction
Three Datasets:
First Data Set
❖ 4000+ raw data from 2011-2016
❖ 500+ major incidents happened to public companies in US
❖ Source: Hackmageddon-Information Security Timelines and Statistics Website
❖ Number of major industries affected: 25+
Second Data Set:
❖ World’s largest data breaches (>30000 records)
❖ 185 raw data from 2004-2015
❖ 50 incidents happened to public companies at the time of incident
❖ Source: A data website- Information Is Beautiful
❖ Number of major industries affected: 5
Third Data Set:
❖ 400+ raw incident data from 2005-2016
❖ 150+ major public companies targeted in the US
❖ Source: Study on major data leakages by the Verizon Risk Team for their Verizon Data Breach Investigation Report
❖ Number of major industries affected: 15+
Evolution of the Number of Attacks
Source: Hackmageddon Dataset
The average number of monthly attacks has gradually steadied at around 90 since 2012, when the attacks were very erratic
Types of Attacks Across Time
Source: Hackmageddon Dataset
Cyber crime has steadily increased from 61.6% of total cyber attacks in 2012 to 94.3% in 2015
There was a sudden spurt in Hacktivism in 2013, contributing to almost 80% of total cyber attacks
Attacks Are Affecting Industries at Different Levels
❖ E-Commerce & Software reign as the two major technological submarkets that are most affected by cyber incidents
❖ Technology in general consistently makes up 40% of the targeted industries across the graphs of the three data sets above
❖ Retail is the next most significantly hit area in all 3 charts after technology
Literature Review
| Author | Period Studied | Sample Size | Focus of Study | Major Findings |
|---|---|---|---|---|
| Campbell et al. (2003) | 1995 - 2000 | 43 | Two types (access to confidential or not) | Significant negative return involving confidential information and no changes in return for other types of breaches |
| Garg et al. (2003) | 1996 - 2002 | 22 | All | On average, the loss is 2.7% over one day and 4.5% over a 3-day period |
| Hovav & D’arcy (2003) | 1998 - 2002 | 23 | DOS attacks | Negative abnormal returns of the Internet-specific companies were larger |
| Hovav & D’arcy (2004) | 1988 - 2002 | 186 | Virus attacks | No negative returns over 5 days after the announcement |
| Telang & Wattal (2007) | 1999 - 2004 | 147 | Vulnerability announcements | Average loss of 0.63% conditioned by various factors; vendors lose more value in competitive markets, larger software vendors are less affected; more severe and confidentiality-related vulnerabilities cause more stock price losses |
| Arcuri & Brogi (2014) | 1995 - 2012 | 128 | All | Cyber attack announcements affect stock market returns of firms; stock market reaction differs with economic sector of firms |
Methodology: Event-Study
❖ Assume that returns on a stock are significantly impacted by an event of interest (a cyber security attack). The period over which we observe the returns is known as the event window.
❖ In practice and in academic research, the event window includes two days, day 0 and day 1, to capture the effect of an announcement. Sometimes day -1 is also used to incorporate possible information leaks before the announcement date.
❖ The methodology has been widely used in the banking and finance literature when analyzing information breaches and other related events. It is based on efficient market theory.
MacKinlay (1997) presents a comprehensive review for this type of research and clearly defines the required steps:
❖ Determine the entities involved and choose the reasonable event window: Day 0 as the announcement day; can vary according to research interests
❖ Determine the model for computing the abnormal returns: What are considered normal returns? How to define abnormal returns?
❖ Design of the testing framework for the abnormal returns: Test Statistic Z
Event-Study: Three Important Calculations
❖ Estimate Normal Stock Return
❖ Define Abnormal Stock Return
❖ Calculate Cumulative Abnormal Return
: the return of stock i in period t
: the return of market portfolio (benchmark)
: error term with mean 0
: risk-adjusted performance of stock i
: a measure of risk compared to the market
The equation is based on the assumption that daily stock returns are consistent with the Capital Asset Pricing Model (CAPM).
Used for running regressions to get the normal stock returns
Gather 120-day data prior to the announcement date for estimating the model
: abnormal return of stock i in period t
: actual return of stock i in period t
Aggregate the abnormal returns for stock i over time interval [t1, t2]. A mean CAR can be calculated to obtain the average impact.
The shortest commonly accepted estimation period is 120 days, and many past studies used the 120-day period. This gives 120 data points for both stock returns and market returns within the same period.
A short-term event period (3 days, 5 days, etc.) is generally accepted in similar studies. K. Campbell et al. point out that extending the window would increase the likelihood of confounding events and add much noise.
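The three calculations above, as an added Python example that is not the authors' code: it fits the market model by ordinary least squares on the 120 days before the event window, then sums the abnormal returns over the window. The return series are constructed, and the names alpha, beta, fit_market_model, car and make_sample are assumptions of this sketch.

```python
EST_DAYS = 120  # estimation-window length stated on the slide

def fit_market_model(stock, market):
    """OLS fit of stock = alpha + beta * market + error; returns (alpha, beta)."""
    n = len(stock)
    mean_s, mean_m = sum(stock) / n, sum(market) / n
    sxx = sum((m - mean_m) ** 2 for m in market)
    if sxx == 0:
        raise ValueError("market returns are constant; beta is undefined")
    sxy = sum((m - mean_m) * (s - mean_s) for s, m in zip(stock, market))
    beta = sxy / sxx
    return mean_s - beta * mean_m, beta

def car(stock, market, event_idx, window=(-1, 1), est_days=EST_DAYS):
    """Cumulative abnormal return over `window`, where day 0 is event_idx."""
    first, last = event_idx + window[0], event_idx + window[1]
    est_start = first - est_days  # estimation ends the day before the window
    if est_start < 0 or last >= len(stock):
        raise ValueError("not enough trading days around the event")
    alpha, beta = fit_market_model(stock[est_start:first], market[est_start:first])
    # Abnormal return = actual return minus the model's normal return.
    ars = [stock[t] - (alpha + beta * market[t]) for t in range(first, last + 1)]
    return sum(ars), ars

def make_sample(shock, n=140, event_idx=125):
    """Constructed daily returns: stock tracks the market, plus a day-0 shock."""
    market = [((t * 37) % 11 - 5) / 1000 for t in range(n)]
    stock = [0.0002 + 1.3 * m for m in market]
    stock[event_idx] += shock
    return stock, market, event_idx

if __name__ == "__main__":
    # Three constructed firms; not data from any of the three datasets.
    firms = [make_sample(-0.02), make_sample(-0.005), make_sample(0.004)]
    for window in [(-1, 1), (-1, 3), (-1, 7)]:
        cars = [car(s, m, e, window)[0] for s, m, e in firms]
        mean_car = sum(cars) / len(cars)
        share_negative = sum(c < 0 for c in cars) / len(cars)
        print(window, f"mean CAR {mean_car:.4%}", f"negative {share_negative:.0%}")
```

Keeping the estimation window strictly before the event window matters: if the event day leaks into the fit, the shock is partly absorbed into alpha and beta and the measured abnormal return shrinks.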
Model 1: The Market Model
Results
❖ How do we know if the abnormal returns are not random but due to the effects of cyber attacks?
Z statistic; null hypothesis: abnormal returns are not significantly different from 0
Method discussed by Arcuri et al. (2014):
N: number of stocks in the sample
SCAR(t1,t2): the standardized CAR on stock i in period t
: average return on market index in period t
: estimated standard deviation of Abnormal Return on stock i
T: number of days in the estimation period
Ts: number of days in the event window
The Z-statistic has a t-distribution with T-2 degrees of freedom and converges to a unit normal
| Days | Event Window | Mean CAR | Total CAR | Z-Test Statistics | Negative CARs |
|---|---|---|---|---|---|
| 3-day | (-1,1) | -0.63% | -1.89% | -4.962** | 53.36% |
| 5-day | (-1,3) | -0.42% | -2.10% | -2.125* | 52.88% |
| 7-day | (-1,5) | -0.21% | -1.47% | -1.207 | 51.06% |
| 9-day | (-1,7) | -0.13% | -1.17% | -1.021 | 50.25% |
The second dataset, World’s Major Attacks, is used. ** statistically significant at 5% level; * at 10% level
We can reject the null hypothesis that a cyber attack has no effect on the company’s stock returns over the event windows (-1,1) and (-1,3). Hence the 3-day and 5-day windows are critical. However, we did not find enough evidence to reject the null hypothesis for the 7-day and 9-day windows, which means that the effect is not obvious 3 days after the announcement. Overall, the effect is relatively short-lived. A little more than 50% of the total incidents have seen negative CARs over (-1,1) and (-1,3).
Model 2: Multiple Regression Model
Cyber attacks might not affect all firms in the same way.
Company-specific characteristics would also influence how serious the effect of a cyber attack would be on the company's stock return.
| | Total Assets (in $ billion) | Growth Rate | Competitive or Not | Diversification |
|---|---|---|---|---|
| Max | 4,808.200 | 86.19% | 1 | 0.74 |
| Min | 0.460 | -9.58% | 0 | 0 |
| Mean | 401.952 | 7.66% | 0.44 | 0.43 |
| S.D. | 880.12 | 0.17 | 0.50 | 0.18 |
Follow the method adopted by Telang and Wattal (2007):
Measure diversification in terms of the Herfindahl index. The index of a firm is calculated as:
N: the number of segments in which the firm operates
Pi: the ratio of segment i, represented as segment i’s revenue to total revenue
DIV=0, not diversified
DIV=1, diversified
Results
| Variable | Coefficient |
|---|---|
| Total Asset (Natural Log) | 0.0037* (0.08) |
| Growth Rate | 0.0021 (0.56) |
| Competitive or Not | -0.0015 (0.48) |
| Diversification | 0.0054** (0.03) |
** statistically significant at 5% level; * at 10% level
: average abnormal return over 3-day period
Xi : company-specific factors
Model 3: Machine Learning
This analysis uses the third dataset with many input variables
Again, we try to predict the 3-day abnormal return
Algorithms tested: Gradient Boosting, Generalized Linear Model, K-nearest-neighbors, Random Forest
Random Forest
Absolute RMSE: 0.01
Variables: Discovery method, industry, type of attack, employee count, type of affected asset, governance of affected asset
❖ Many parameters influence the market reaction, but it is hard to get a reliable predictive model due to the low number of data points
Example of a generated decision tree
Model 3: Machine Learning
| Parameter | Importance |
|---|---|
| Discovery method: employee | 1.61 |
| # of employees: 1001-10000 | 1.41 |
| Type of attack | 1.40 |
| Industry | 1.20 |
Relative importance of variables
❖ Some correlations between input variables and the impact on the stock price, no guarantee of causality
Conclusion
Industry analysts inferred that shareholders are numb to news of data breaches. A widely accepted notion goes that there are only two types of companies: those that have been breached and those that don’t know they have.
Deeper reasons for the market’s failure to respond to these incidents:
❖ Shareholders have neither enough information about security incidents nor sufficient tools to measure their impact.
❖ Shareholders only react to breach news when it has direct impact or immediate hit to a company’s expected profitability.
❖ Delays in disclosing information security incidents often contribute to shareholders’ hesitation and uncertainty with regard to how to factor in the effects of the breaches. Oftentimes, when an attack is disclosed, it is almost impossible for shareholders to assess its full implications. (example: an attack happened last June, discovered this January, but disclosed this March)
“... look beyond short-term effects and examine the impact on other factors, such as overall security plans, profitability, cash flow, cost of capital, legal fees associated with the breach, and potential changes in management ...”
Performance Variables
❖ Return on Assets (ROA)
❖ Return on Sales (ROS)
❖ Cost of Goods Sold to Sales (COGS/S)
❖ Cyber attacks only affect stock return in a relatively short time window: 3-day and 5-day
❖ The size of the company and diversification are the two most important factors that determine the impact of an attack on a specific company
Based on our findings, firms should focus less on the stock price and more on factors that could affect long-term profitability in more subtle ways.
Further Thoughts
[Figure: Cyber Attack Disclosure Process. Diagram labels: Cyber Attack Discovery (By Attack Source, By Firm, By Third Party); Only Report to Firm; Limited Disclosure; Full Disclosure; Full/Limited Disclosure; Recovery Plan/No Action; Announcement; Abnormal Return; Attack Type and Characteristics; Investor Expectation and Response]
❖ The most important factor that affects the accuracy of the study is the source and date, to better guarantee that the date of the stock market return we analyze is the correct one associated with the attack.
❖ However, in an age of information explosion with so many means to transfer information, it is getting much harder to pinpoint the first release date of a cyber attack.
❖ The process of attack disclosure also complicates the problem.
❖ Loss is ameliorated by 0.82% if the company provides a patch at time of disclosure. Presence of a patch reduces customer loss and reflects commitment to customers (Telang & Wattal).
Closing Remarks
Factors that contribute to cyber security vulnerability:
❖ Technical Failure
➢ Lack of fundamental cyber security measures
➢ Outdated software
➢ Failure to encrypt critical employee and user data
❖ Managerial Failure
➢ Not understanding potential cyber security risks
■ Lack of financial and talent support
■ Lack of awareness and training among employees
➢ Lack of cyber security oversight processes
■ Lack of a recovery plan
➢ Not prioritizing cyber security policy
❖ Human Factor Failure
➢ Motives and methods that can trigger an “inside job”
■ Damage inflicted from social engineering, remote access and laptop
➢ Allowing personal device at work
➢ Lack of awareness in HR department
THANKS!
Special thanks to Brian Krebs (former Washington Post journalist and expert on cyber crimes and other Internet security topics) for advice, and to Paolo Passeri (founder of www.hackmageddon.com, a website offering information security timelines and statistics) for providing one of our datasets.