Posted by:
admin
9 years, 6 months ago
I've been chewing on this post since @dearestleader's BSidesATL talk and since reading this HBR piece.
First, know that stock investors care about the past only in how it might reflect potential future outcomes. By the time a breach is discovered it is history. Most companies have insurance that will cover some portion of the expense. There are PR firms ready to handle the press and information security consultants ready to proclaim the advanced nature of the attack. The dollar impact is proclaimed to be tiny compared to the revenue.
However, businesses flourish by creating capital at a rate higher than their weighted-average cost of capital. The lower the average cost of their stocks, loans, bonds and other forms of financing, the easier it is to exceed that rate. The easier it is to exceed the cost of capital, the cheaper it becomes. It can be a highly virtuous circle. Or the opposite.
For a breach to have a negative impact, it would have to represent part of a larger issue. For example, the fact that Home Depot's lead security architect had a history of sabotaging his former employer might indicate other HR issues. The best way to evaluate the impact is to compare the performance of Home Depot versus the competition. I don't have the time to do this in detail, but I will share this graph comparing Home Depot to Lowes in the last 6 months (the HD breach press release was Nov 6th 2014, pdf):
Both stocks did better than the S&P, but Lowes significantly outperformed HD, giving Lowes a lower weighted-average cost of capital. We'll see what they can do with it.
This is of course just anecdotal and there are many possible reasons for this. It could be enlightening to compare a portfolio of breached companies to their competitors and the market overall. It seems likely we will have sufficient data for that. But it's a mistake to say "after the breach the stock went up" without comparing the stock to the market and the competition.