• Campbell, Katherine, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.

This study examines the economic effect of information security breaches on the stock market value of corporations. This approach takes into account the indirect costs, as well as the direct costs, to the firm. The analysis shows that cyber security breaches in which confidential private information is compromised (e.g., the release of customer credit card numbers, bank account numbers, or medical records to unauthorized parties) have a significant negative effect on the stock market value of the attacked firm. However, security breaches not related to confidentiality (e.g., a temporary shut down of a corporate website) involve costs that are transitory and are unlikely to significantly affect shareholder value. Thus, market participants appear to discriminate across types of breaches and economically rational investment strategies should focus on protecting the firms’ most valuable information assets.