In the information society, it is important for firms to manage their core information resources securely. However, the difficulty of measuring the return on an IT security investment is one of the critical obstacles for firms in making such investment decisions. By utilizing event methodology, this study examines the value of an investment in IT security, based on stock market investors' behavior toward firms' IT security investment announcements. Based on a sample of 101 investment announcements of firms whose stocks were publicly traded in the U.S. stock market between 1997 and 2006, we find substantial support for the hypotheses that information security investment leads to positive abnormal returns for firms. Interestingly, security investments with commercial exploitation tend to result in higher returns than those for IT security improvement. Another interesting finding is that the stock market reaction to security investments shows higher abnormal returns after the Sarbanes-Oxley Act (SOX) than before it.
Bibliographical note
Funding Information:
The authors would like to thank editors for the special issue and three anonymous reviewers for their constructive comments. The research of the third author was funded in part by NSF 0830814. The usual disclaimer applies. The work of the third author has been partly supported by Sogang Business School’s World Class University Project (R31-20002) funded by Korea Research Foundation.
- Abnormal returns
- Event methodology
- Information security investment
- Investors' behavior
- Market value
- Sarbanes-Oxley Act (SOX)