You are here: Home Contents V11 N2 V11N2_Sinanaj.html
Personal tools

The Intangible Cost of Information Security Breaches: A State of the Art Analysis



Full text

Journal of Information System Security
Volume 11, Number 2 (2015)
Pages 111130
ISSN 1551-0123
Griselda Sinanaj — University of Göttingen, Germany
Information Institute Publishing, Washington DC, USA




Information security breaches constitute a major concern for businesses in today’s interconnected digital economy. Practice and previous research mention that security breaches have various tangible and intangible consequences on organizations. Decreased sales and lost revenue are tangible effects, while loss of investors’ confidence, reputation damage, loss of competitiveness and loss of consumer trust are intangible costs. In contrast to the tangible costs of security breaches, the quantification of the intangible costs is not straightforward, therefore this literature review study focuses on the intangible costs of security breaches. The analysis reveals that while certain costs, such as loss of investors’ confidence, have received considerable attention in research, others, such as reputation damage or loss of consumer trust remain barely explored and require further inquiry. In addition, several studies show a lack of theory, as they do not build upon specific reference theories to address their research objectives.




Information Security Breaches, Tangible Costs, Intangible Costs, Investors' Confidence, Reputation Damage, Loss of Consumer Trust




Acquisti, A., Friedman, A., and Telang, R. (2006). Is there a cost to privacy breaches? An event study. In Proceedings of the 21st International Conference on Information Systems (ICIS 2006), Milwaukee, Wisconsin.

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211.

Andoh-Baidoo, F. K., Amoako-Gyampah, K., and Osei-Bryson, K. M. (2010). How Internet security breaches harm market value. IEEE Security & Privacy, (1), 36-42.

Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.

Bandara, W., Miskon, S., and Fielt, E. (2011). A systematic, tool-supported method for conducting literature reviews in information systems. In Proceedings of the19th European Conference on Information Systems (ECIS 2011), Helsinki, Finland.

Barney, J. B. (1996). The resource-based theory of the firm. Organization Science, 7, 469-469.

Benaroch, M., Chernobai, A., and Goldstein, J. (2012). An internal control perspective on the market value consequences of IT operational risk events. International Journal of Accounting Information Systems, 13(4), 357-381.

Benthaus, J., Pahlke, I., Beck, R., and Seebach, C. (2013). Improving sensing and seizing capabilities of a firm by measuring corporate reputation based on social media data. In Proceedings of the 21st European Conference on Information Systems (ECIS 2013), Utrecht, Netherlands.

Bharadwaj, A., Keil, M., and Mähring, M. (2009). Effects of information technology failures on the market value of firms. The Journal of Strategic Information Systems, 18(2), 66-79.

Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley Publishing Company, Boston.

Bocij, P. and Hickie, S. (2008). Business information systems: technology, development and management. Pearson education.

Bolster, P., Pantalone, C. H., and Trahan, E. A. (2010). Security breaches and firm value. Journal of Business Valuation and Economic Loss Analysis, 5(1).

Campbell, K., Gordon, L. A., Loeb, M. P., and Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448.

Cavusoglu, H., Cavusoglu, H., and Raghunathan, S. (2004). Economics of IT security management: four improvements to current security practices. Communications of the Association for Information Systems, 14(1), 65- 75.

Cavusoglu, H., Mishra, B., and Raghunathan, S. (2004). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70-104.

Cooper, H. M. (1988). Organizing knowledge syntheses: A taxonomy of literature reviews. Knowledge in Society 1, 104-126.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., and Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101.

Dibbern, J., Goles, T., Hirschheim, R., and Jayatilaka, B. (2004). Information systems outsourcing: A survey and analysis of the literature. ACM SIGMIS Database, 35(4), 6–102.

Ettredge, M. L. and Richardson, V. J. (2003). Information transfer among internet firms: The case of hacker attacks. Journal of Information Systems, 17(2), 71–82.

Fama, E. F., Fisher, L., Jensen, M. C., and Roll, R. (1969). The adjustment of stock prices to new information. International Economic Review, 10(1), 1-21.

Farahmand, F., Navathe, S. B., Sharp, G. P., and Enslow, P. H. (2005). A management perspective on risk of security threats to information systems. Information Technology and Management, 6(2-3), 203–225.

French, A. M., Guo, C., and Shim, J. P. (2014). Current Status, Issues, and Future of Bring Your Own Device (BYOD). Communications of the Association for Information Systems, 35(10), 191-197.

Galliers, R. (1992). Information systems research: Issues, methods and practical guidelines. Blackwell Scientific.

Garg, A., Curtis, J., and Halper, H. (2003). Quantifying the financial impact of IT security breaches. Information Management & Computer Security, 11(2), 74–83.

Gatzlaff, K. M. and McCullough, K. A. (2010). The effect of data breaches on shareholder wealth. Risk Management and Insurance Review, 13(1), 61–83.

Goel, S. and Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information & Management, 46(7), 404–410.

Goel, S. and Shawky, H. A. (2014). The impact of federal and state notification laws on security breach announcements. Communications of the Association for Information Systems, 34(3), 37–50.

Goldstein, J., Chernobai, A., and Benaroch, M. (2011). An event study analysis of the economic impact of IT operational risk and its subcategories. Journal of the Association for Information Systems, 12(9), 606-631.

Gordon, L. A., Loeb, M. P., and Zhou, L. (2011). The impact of information security breaches: Has there been a downward shift in costs? Journal of Computer Security, 19(1), 33–56.

Hinz, O., Nofer, M., Schiereck, D., and Trillig, J. (2015). The influence of data theft on the share prices and systematic risk of consumer electronics companies. Information & Management, 52(3), 337–347.

Hovav, A. and D'Arcy, J. (2003). The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review, 6(2), 97–121.

Hovav, A. and D'Arcy, J. (2004). The impact of virus attack announcements on the market value of firms. Information Systems Security, 13(3), 32–40.

Hovav, A. and D'Arcy, J. (2005). Capital market reaction to defective IT products: The case of computer viruses. Computers & Security, 24(5), 409-424.

Hovav, A. and Gray, P. (2014). The ripple effect of an information security breach event: A stakeholder analysis. Communications of the Association for Information Systems, 34(50), 893–912.

Hua, J. and Bapna, S. (2013). The economic impact of cyber terrorism. The Journal of Strategic Information Systems, 22(2), 175–186.

Jones, B., Temperley, J., and Lima, A. (2009). Corporate reputation in the era of Web 2.0: The case of Primark. Journal of Marketing Management, 25(9-10), 927–939.

Kahneman, D. and Tversky, A. (1979). Prospect theory: An analysis of decision under risk. Econometrica: Journal of the Econometric Society, 263-291.

Kannan, K., Rees, J. and Sridhar, S. (2007). Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce, 12(1), 69–91.

Kanti, T., Richariay, V. and Richariya, V. (2011). Implementing a web browser with web defacement detection techniques. World of Computer Science and Information Technology Journal (WCSIT), 1 (7), 307–310.

Kim, S., Sohn, S. and Koh, S. (2014). The impact of personal information breaches on the firm‘s value in the south korean stock market–A comparative study of IT and non-IT industries. International Journal of Applied Mathematics and Informatics, 8, 42-49.

Konchitchki, Y. and O'Leary, D. E. (2011). Event study methodologies in information systems research. International Journal of Accounting Information Systems, 12(2), 99-115.

Laudan, L. (1984). Science and values: An essay on the aims of science and their role in scientific debate. Berkeley.

Laux, P., Starks, L. T. and Yoon, P. S. (1998). The relative importance of competition and contagion in intra-industry information transfers: An investigation of dividend announcements. Financial Management, 27(3), 5–16.

Lee, M. and Lee, J. (2012). The impact of information security failure on customer behaviors: A study on a large-scale hacking incident on the internet. Information Systems Frontiers, 14(2), 375-393.

Leung, A. and Bose, I. (2008). Indirect financial loss of phishing to global market. ICIS 2008 Proceedings, 5.

Levy, Y. and Ellis, T. J. (2006). A systems approach to conduct an effective literature review in support of information systems research. Informing Science: International Journal of an Emerging Transdiscipline, 9(1), 181–212.

Liu, B. (2012). Sentiment Analysis and Opinion Mining. In: Synthesis Lectures on Human Language Technologies. Morgan & Claypool Publishers.

Malhotra, A. and Malhotra, C. K. (2011). Evaluating customer information breaches as service failures: An event study approach. Journal of Service Research, 14(1), 44–59.

McWilliams, A. and Siegel, D. (2001). Corporate social responsibility: A theory of the firm perspective. Academy of Management Review, 26(1), 117-127.

Mercuri, R.T. (2003). Analyzing security costs. Communications of the ACM, 46(6), 15–18.

Modi, S. B., Wiles, M. A., and Mishra, S. (2014). Shareholder value implications of service failures in triads: The case of customer information security breaches. Journal of Operations Management.

Morse, E. A., Raval, V., and Wingender Jr, J. R. (2011). Market price effects of data security breaches. Information Security Journal: A Global Perspective, 20(6), 263–273.

Nofer, D. K. M., Hinz, O., Muntermann, J., and Rossnagel, H. (2014). The economic impact of privacy violations and security breaches: A laboratory experiment. Business & Information Systems Engineering, 6(6), 339-348.

Open Security Foundation (2014). URL: (visited on 20/11/2014).

Pirounias, S., Mermigas, D., and Patsakis, C. (2014). The relation between information security events and firm market value, empirical evidence on recent disclosures: An extension of the GLZ study. Journal of Information Security and Applications, 19(4), 257-271.

Ponemon, L. (2014). Cyber Security Incident Response: Are we as prepared as we think? Ponemon Institute Research Report. Sponsored by Lancope independently conducted by Ponemon Institute LLC.

PwC (2014). Information Security Breaches Survey. Technical report conducted by PwC in association with Infosecurity Europe.

Rao, A., Warsame, M., and Williams, J. L. (2011). Intraday study of the market reaction to distributed denial of service (Dos) attacks on internet firms. Academy of Accounting and Financial Studies Journal, 15(2), 59.

Romanosky, S., Telang, R., and Acquisti, A. (2011). Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30(2), 256–286.

Silic, M. and Back, A. (2014). Information security: Critical review and future directions for research. Information Management & Computer Security, 22(3), 279–308.

Sinanaj, G., Muntermann, J., and Cziesla, T. (2015). How data breaches ruin firm reputation on social media!–Insights from a sentiment-based event study, in: Thomas. O.; Teuteberg, F. (Hrsg.): Proceedings of the 12th International Conference Wirtschaftsinformatik (WI 2015), Osnabrück, p. 902-916.

Su, X. (2006). An overview of economic approaches to information security management. Technical Report TR-CTIT-06-30, University of Twente.

Telang, R. and Wattal, S. (2007). An empirical analysis of the impact of software vulnerability announcements on firm stock price. Software Engineering, IEEE Transactions, 33(8), 544-557.

Tsiakis, T. and Stephanides, G. (2005). The economic approach of information security. Computers & Security, 24(2), 105–108.

Varvasovszky, Z., and Brugha, R. (2000). A stakeholder analysis. Health policy and planning, 15(3), 338-345.

vom Brocke, J., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., and Cleven, A. (2009). Reconstructing the giant: On the importance of rigour in documenting the literature search process. In Proceedings of the 17th European Conference on Information Systems. Ed. by Newell, S. et al. Hampton Press. pp. 1–13.

Walker, K. (2010). A systematic review of the corporate reputation literature: Definition, measurement, and theory. Corporate Reputation Review, 12(4), 357-387.

Wang, J., Chaudhury, A., and Rao, H. R. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19(1), 106–120.

Webster, J., and Watson, R. T. (2002). Analyzing the past to prepare for the future: Writing a literature review. Management Information Systems Quarterly, 26(2), xiii-xxiii.

Wernerfelt, B. (1984). A resource-based view of the firm. Strategic Management Journal, 5(2), 171-180.

Willison, R., and Siponen, M. (2007). A critical assessment of IS security research between 1990 -2004. In Proceedings of 15th European Conference on Information Systems (ECIS 2007), St. Gallen, Switzerland.

Yayla, A. A. and Hu, Q. (2011). The impact of information security events on the stock value of firms: The effect of contingency factors. Journal of Information Technology, 26(1), 60–77.

Zafar, H. and Clark, J. G. (2009). Current state of information security research in IS. Communications of the Association for Information Systems, 24(34), 557-596.