Firms' information security investment decisions: Stock market evidence of investors' behavior

摘要

In the information society, it is important for firms to manage their core information resources securely. However, the difficulty of measuring the return on an IT security investment is one of the critical obstacles for firms in making such investment decisions. By utilizing event methodology, this study examines the value of an investment in IT security, based on stock market investors' behavior toward a firms' IT security investment announcements. Based on a sample of 101 investment announcements of firms whose stocks are publicly traded in the U.S. stock market between 1997 and 2006, we find substantial support for the hypotheses that information security investment leads to positive abnormal returns for firms. Interestingly, security investments with commercial exploitation tend to result in higher returns than those for IT security improvement. Another interesting finding is that stock market reaction to security investments shows higher abnormal returns after the Sarbanes–Oxley Act (SOX) than any of those before it.