BIRENDRA MISHRA

Incremental Value-Relevance of SFAS 106

Review of Accounting and Finance, 2003

This study investigates the incremental value-relevance of non-pension postretire-ment benefit ob... more

The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

Assessing the value of information technology (IT) security is challenging because of the difficu... more Assessing the value of information technology (IT) security is challenging because of the difficulty of measuring the cost of security breaches. An event-study analysis, using market valuations, was used to assess the impact of security breaches on the market value of breached firms. The information-transfer effect of security breaches (i.e., their effect on the market value of firms that develop security technology) was also studied. The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement-an average loss in market capitalization of $1.65 billion per breach. Firm type, firm size, and the year the breach occurred help explain the cross-sectional variations in abnormal returns produced by security breaches. The effects of security breaches are not restricted to the breached firms. The market value of security developers is positively associated with the disclosure of security breaches by other firms. The security developers in the sample realized an average abnormal return of 1.36 percent during the two-day period after the announcement-an average gain of $1.06 billion in two days. The study suggests that the cost of poor security is very high for investors.

Download

The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers

Assessing the value of information technology (IT) security is challenging because of the difficu... more Assessing the value of information technology (IT) security is challenging because of the difficulty of measuring the cost of security breaches. An event-study analysis, using market valuations, was used to assess the impact of security breaches on the market value of breached firms. The information-transfer effect of security breaches (i.e., their effect on the market value of firms that develop security technology) was also studied. The results show that announcing an Internet security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement-an average loss in market capitalization of $1.65 billion per breach. Firm type, firm size, and the year the breach occurred help explain the cross-sectional variations in abnormal returns produced by security breaches. The effects of security breaches are not restricted to the breached firms. The market value of security developers is positively associated with the disclosure of security breaches by other firms. The security developers in the sample realized an average abnormal return of 1.36 percent during the two-day period after the announcement-an average gain of $1.06 billion in two days. The study suggests that the cost of poor security is very high for investors.

Download

A model for evaluating IT security investments

Communications of The ACM, 2004

While calculating ROSI seems taxing, increasing possibility and scope of IT security breaches due... more

ASSESSING THE VALUE OF DETECTIVE CONTROL IN IT SECURITY

... DETECTIVE CONTROL IN IT SECURITY Huseyin Cavusoglu Birendra Mishra ... CONTROL IN IT SECURITY... more

The Value of Intrusion Detection Systems in Information Technology Security Architecture

Information Systems Research, 2005

T he increasing significance of information technology (IT) security to firms is evident from the... more T he increasing significance of information technology (IT) security to firms is evident from their growing IT security budgets. Firms rely on security technologies such as firewalls and intrusion detection systems (IDSs) to manage IT security risks. Although the literature on the technical aspects of IT security is proliferating, a debate exists in the IT security community about the value of these technologies. In this paper, we seek to assess the value of IDSs in a firm's IT security architecture. We find that the IDS configuration, represented by detection (true positive) and false alarm (false positive) rates, determines whether a firm realizes a positive or negative value from the IDS. Specifically, we show that a firm realizes a positive value from an IDS only when the detection rate is higher than a critical value, which is determined by the hacker's benefit and cost parameters. When the firm realizes a positive (negative) value, the IDS deters (sustains) hackers. However, irrespective of whether the firm realizes a positive or negative value from the IDS, the IDS enables the firm to better target its investigation of users, while keeping the detection rate the same. Our results suggest that the positive value of an IDS results not from improved detection per se, but from an increased deterrence enabled by improved detection. Finally, we show that the firm realizes a strictly nonnegative value if the firm configures the IDS optimally based on the hacking environment.

Download

Impact Of Information Technology On The Accuracy Of Analyst Forecasts

We investigate the effect of information technology on analyst's forecast accuracy. Our anal... more

Uploads

Papers by BIRENDRA MISHRA

Log In