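Recent changes in the IT environment and advances in hacking attacks are raising the risk of security incidents at companies. The event study methodology, which can measure the stock price change that a specific event causes for a company, has been the representative method used to analyze the damage cost to the market value of companies that suffer security incidents. However, analysis of a company's temporary stock price change is limited in its use as a common implication for all companies, and the need to analyze the reputation loss incurred by companies is also being emphasized. Taking 52 security incidents at listed companies that occurred in Korea over the last 10 years, this study subdivided the company criteria presented by Tobin's q, a corporate valuation methodology, and quantitatively analyzed that reputation loss due to security incidents occurs significantly. This approach can be used as a basis for setting information security investment budgets that correspond to the scope of damage for each class of company classified by q, and for estimating efficient resource allocation.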
Recently, the risk of security incidents has increased due to changes in the IT environment and the development of new hacking methods. Event study methodology, which measures the effect of a specific security incident on the stock price, is widely adopted to analyze the damage cost of security incidents on market value. However, analysis of a company's temporary stock price change is limited to immediate practical implications, and reputation loss should be considered as collateral damage caused by security incidents. We analyzed 52 security incidents of listed Korean companies in the last decade; by refining the criteria presented by Tobin's q, we quantitatively showed that the companies have significantly higher reputation loss due to security loss than the other companies. Our research findings can be used so that companies can efficiently allocate their resources and investment for information security.
Documents citing this paper (1)
Lee, Kyong Eun; Kim, Jung Yoon; Hyun, Jung Suk; Park, Chan Jung. 2015. "The Effects of Information Security Vaccine User's Construal Level and Message Type on the Information Security Behavior." The Journal of Korean association of computer education, 18(6): 33-42.