Change search
ReferencesLink to record
Permanent link

Direct link
No protection, nu business: An event study on stock volatility reactions to cyberattacks between 2010 and 2015 for firms listed in the USA
Umeå University, Faculty of Social Sciences, Umeå School of Business and Economics (USBE), Business Administration.
Umeå University, Faculty of Social Sciences, Umeå School of Business and Economics (USBE), Business Administration.
2016 (English)Independent thesis Advanced level (professional degree), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

With the surge of Internet-based corporate communication, organization, andinformation management, financial markets have undergone radical transformation. Inthe interconnected economy of today, market participants are forced to acceptcyberattacks, data breaches, system failures, or security flaws as any other (varying)cost of doing business. While cyberspace encompasses practically any firm indeveloped economies and a large portion in developing ones, combatting such risks isdeemed a question of firm-specific responsibility: the situation resembles an ‘every manfor himself’ scenario. Consulting standard financial theory, rational utility-maximizinginvestors assume firm-specific (idiosyncratic) risk under expectations of additionalcompensation for shouldering such risk – they are economically incentivized.

The omnipresence of cyberattacks challenges fundamental assumptions of the CapitalAsset Pricing Model, Optimal Portfolio Theory, and the concept of diversifiability. Thethesis problematizes underlying rationality notions by investigating the effect of acyberattack on stock volatility. Explicitly, the use of stock volatility as a proxy for riskallows for linking increased volatility to higher risk premiums and increased cost ofcapital. In essence, we investigate the following research question: What is the effect ofa disclosed cyberattack on stock volatility for firms listed in the USA?.

Using event study methodology, we compile a cyberattack database for events between2010 and 2015 involving 115 firms listed on US stock exchanges. The specified timeperiod cover prevailing research gaps; due to literature paucity the focus on volatilityfits well. For a finalized sample of 189 events, stock return data is matched to S&P500index return data within a pre-event estimation window and a post-event window tocalculate abnormal returns using the market model. The outputs are used to estimateabnormal return volatility before and after each event; testing pre and post volatilityagainst each other in significance tests then approximates the event-induced volatility.Identical procedures are performed for all subsamples based on time horizon, industrybelonging, attack type, firm size, and perpetrator motivation.

The principal hypothesis, that stock volatility is significantly higher after a cyberattack,is found to hold within both event windows. Evidence on firm-specific characteristics ismore inconclusive. In the long run, inaccessibility and attacks on smaller firms seem torender significantly larger increases in volatility compared to intrusion and attacks onlarger firms; supporting preexisting literature. Contrastingly, perpetrator motive appearsirrelevant. Generally, stocks are more volatile immediately after an attack, attributableto information asymmetry. For most subsamples volatility seem to diminish with time,following the Efficient Market Hypothesis. Summing up, disparate results raisequestions of the relative importance of contingency factors, and also about futuredevelopments within and outside academic research.

Place, publisher, year, edition, pages
2016. , 113 p.
Keyword [en]
stock volatility, cyberattack, abnormal return, volatility, event study, information technology, US stock market, cybersecurity, reaction, financial impact, market efficiency, finance, fintech
National Category
Business Administration
URN: urn:nbn:se:umu:diva-123549OAI: diva2:946738
Educational program
International Business Program
Available from: 2016-07-06 Created: 2016-07-05 Last updated: 2016-07-06Bibliographically approved

Open Access in DiVA

fulltext(12621 kB)28 downloads
File information
File name FULLTEXT01.pdfFile size 12621 kBChecksum SHA-512
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Collin, ErikJuntti, Gustav
By organisation
Business Administration
Business Administration

Search outside of DiVA

GoogleGoogle Scholar
Total: 28 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 142 hits
ReferencesLink to record
Permanent link

Direct link