Timing plays a crucial role in the context of information security investments. We regard timing in two dimensions, namely the time of announcement in relation to the time of investment and the time of announcement in relation to the time of a fundamental security incident. The financial value of information security investments is assessed by examining the relationship between the investment announcements and their stock market reaction focusing on the two time dimensions. Using an event study methodology, we found that both dimensions influence the stock market return of the investing organization. Our results indicate that (1) after fundamental security incidents in a given industry, the stock price will react more positively to a firm’s announcement of actual information security investments than to announcements of the intention to invest; (2) the stock price will react more positively to a firm’s announcements of the intention to invest after the fundamental security incident compared to before; and (3) the stock price will react more positively to a firm’s announcements of actual information security investments after the fundamental security incident compared to before. Overall, the lowest abnormal return can be expected when the intention to invest is announced before a fundamental information security incident and the highest return when actual investing after a fundamental information security incident in the respective industry.

Achy, L. & Joekes, S., 2016. Competition Policies and Consumer Welfare: Corporate Strategies and Consumer Prices in Developing Countries, Edward Elgar Publishing.

Acquisti, A., Friedman, A. & Telang, R., 2006. Is There a Cost to Privacy Breaches? An Event Study. ICIS 2006 Proceedings, p.94.

Agrawal, J. & Kamakura, W.A., 1995. The economic worth of celebrity endorsers: An event study analysis. The Journal of Marketing, pp.56–62.

Allam, S., Flowerday, S.V. & Flowerday, E., 2014. Smartphone information security awareness: A victim of operational pressures. Computers & Security, 42, pp.56–65.

Arthur, M.M., 2003. Share price reactions to work-family initiatives: An institutional perspective. Academy of Management Journal, 46(4), pp.497–505.

Aytes, K., Byers, S. & Santhanakrishnan, M., 2006. The Economic Impact of Information Security Breaches: Firm Value and Intra-industry Effects. AMCIS 2006 Proceedings, p.399.

Besanko, D. et al., 2009. Economics of Strategy, John Wiley & Sons.

Binder, J., 1998. The Event Study Methodology since 1969. Review of quantitative Finance and Accounting, 11(2), pp.111–137.

Blume, M.E., 1971. On the Assessment of Risk. The Journal of Finance, 26(1), pp.1–10. Böhme, R. & Holz, T., 2006. The Effect of Stock Spam on Financial Markets.

Bose, I. & Leung, A.C.M., 2013. The Impact of Adoption of Identity Theft Countermeasures on Firm Value. Decision Support Systems, 55(3), pp.753–763.

Bouraoui, T., 2009. Stock Spams: An Empirical Study on Penny Stock Market. International Review of Business Research Papers, 5(4), pp.292–305.

Brock, L. & Levy, Y., 2013. The Market Value of Information System (IS) Security for e-Banking. Online Journal of Applied Knowledge Management, 1(1), p.1.

Campbell, K. et al., 2003. The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market. Journal of Computer Security, 11(3), pp.431–448.

Cavusoglu, H., Mishra, B. & Raghunathan, S., 2004. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9(1), pp.70–104.

Chai, S., Kim, M. & Rao, H.R., 2011. Firms’ Information Security Investment Decisions: Stock Market Evidence of Investors’ Behavior. Decision Support Systems, 50(4), pp.651–661.

Chatterjee, D. & Carl Pacini, V.S., 2002. The shareholder-wealth and Trading-volume Effects of Information-technology Infrastructure Investments. Journal of Management Information Systems, 19(2), pp.7–42.

Deane, Jason K., et al. "The effect of information security certification announcements on the market value of the firm." Information Technology and Management 20.3 (2019): 107-121.

Ettredge, M.L. & Richardson, V.J., 2003. Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems, 17(2), pp.71–82.

Fama, E.F. et al., 1969. The Adjustment of Stock Prices to new Information. International Economic Review, 10(1), pp.1–21.

Forbes, 2017. How Can We Stop All These High-Profile Cyber Attacks And Security Breaches. Available at: https://www.forbes.com/sites/quora/2017/09/22/how-can-we-stop-all- these-high-profile-cyber-attacks-and-security-breaches/#17b735c37efe.

Forbes, 2013. Yahoo Account Hacked? How To Prevent Getting Hacked Again. Available at: https://www.forbes.com/sites/ericbasu/2013/06/26/help-my-yahoo-account-was- hacked-forensic-on-the-latest-yahoo-attack/#5509ef641dcd.

Frieder, L. & Zittrain, J., 2007. Spam Works: Evidence from Stock Touts and Corresponding Market Activity. Hastings Comm. & Ent. LJ, 30, p.479.

Garg, A., Curtis, J. & Halper, H., 2003. Quantifying the Financial Impact of IT Security Breaches. Information Management & Computer Security, 11(2), pp.74–83.

Gatzlaff, K.M. & McCullough, K.A., 2010. The Effect of Data Breaches on Shareholder Wealth. Risk Management and Insurance Review, 13(1), pp.61–83.

Goel, S. & Shawky, H.A., 2009. Estimating the Market Impact of Security Breach Announcements on Firm Values. Information & Management, 46(7), pp.404–410.

Gordon, L.A. & Loeb, M.P., 2002. The Economics of Information Security Investment. ACM Transactions on Information and System Security (TISSEC), 5(4), pp.438–457.

Hovav, A. & D’arcy, J., 2005. Capital Market Reaction to Defective IT Products: The Case of Computer Viruses. Computers & Security, 24(5), pp.409–424.

Hovav, A. & D’Arcy, J., 2003. The Impact of Denial-of-service Attack Announcements on the Market Value of Firms. Risk Management and Insurance Review, 6(2), pp.97–121.

Hovav, A. & D’Arcy, J., 2004. The Impact of Virus Attack Announcements on the Market Value of Firms. Information Systems Security, 13(3), pp.32–40.

Im, K.S., Dow, K.E. & Grover, V., 2001. A Reexamination of IT Investment and the Market Value of the Firm - An Event Study Methodology. Information Systems Research, 12(1), pp.103–117.

Jeong, S., Jeong, C.Y. & Lee, S.-Y.T., 2016. The Effect of Firms’ Information Security Investment Announcements on Competitors’ Market Values. , pp.300–307.

Kankanhalli, A. et al., 2003. An integrative study of information systems security effectiveness. International journal of information management, 23(2), pp.139–154.

Kruger, H.A. & Kearney, W.D., 2006. A prototype for assessing information security awareness. Computers & Security, 25(4), pp.289–296.

Laux, P., Starks, L.T. & Yoon, P.S., 1998. The Relative Importance of Competition and Contagion in Intra-industry Information Transfers: An Investigation of Dividend Announcements. Financial Management, pp.5–16.

Lee, C.F. & Wu, C., 1985. The Impacts of Kurtosis on Risk Stationarity: Some Empirical Evidence. Financial Review, 20(4), pp.263–269.

Markowitz, H.M., 1968. Portfolio Selection: Efficient Diversification of Investments, Yale University press.

Mortanges, C.P. de & Rad, A.T., 1998. Marketing Strategy and Market Value: An Event-study Analysis. European Management Journal, 16(3), pp.365–371.

Pettit, R.R. & Westerfield, R., 1974. Using the capital asset pricing model and the market model to predict security returns. Journal of Financial and Quantitative Analysis, 9(4), pp.579– 605.

Pirounias, S., Mermigas, D. & Patsakis, C., 2014. The relation between information security events and firm market value, empirical evidence on recent disclosures: An extension of the GLZ study. Journal of Information Security and Applications, 19(4), pp.257–271.

Ranganathan, C., Ye, C. & Jha, S., 2013. Market Value Impacts of Information Technology Enabled Supply Chain Management Initiatives. Information Resources Management Journal (IRMJ), 26(3), pp.1–16.

Dos Santos, B.L., Peffers, K. & Mauer, D.C., 1993. The Impact of Information Technology Investment Announcements on the Market Value of the Firm. Information Systems Research, 4(1), pp.1–23.

Smith, T., 2011. Pricing Strategy: Setting Price Levels, Managing Price Discounts and Establishing Price Structures, Nelson Education.

Spanos, G. & Angelis, L., 2016. The Impact of Information Security Events to the Stock Market: A Systematic Literature Review. Computers & Security, 58, pp.216–229.

Subramani, M. & Walden, E., 2001. The Impact of e-commerce Announcements on the Market Value of Firms. Information Systems Research, 12(2), pp.135–154.

Swanson, E.T., 2011. Let’s twist again: a high-frequency event-study analysis of operation twist and its implications for QE2. Brookings Papers on Economic Activity, 2011(1), pp.151– 188.

Tatsumi, K. & Goto, M., 2010. Optimal timing of information security investment: A real options approach. Economics of Information Security and Privacy, pp.211–228.

Wang, J., Xiao, N. & Rao, H.R., 2010. Drivers of Information Security Search Behavior: An Investigation of Network Attacks and Vulnerability Disclosures. ACM Transactions on Management Information Systems (TMIS), 1(1), p.3.

Wang, T., Ulmer, J.R. & Kannan, K., 2013. The textual contents of media reports of information security breaches and profitable short-term investment opportunities. Journal of Organizational Computing and Electronic Commerce, 23(3), pp.200–223.

Xu, F. et al., 2017. Do Strategy and Timing in IT Security Investments Matter? An Empirical Investigation of the Alignment Effect. Information Systems Frontiers, pp.1–15.

Zafar, H., Ko, M. & Osei-Bryson, K.-M., 2012. Financial Impact of Information Security Breaches on Breached Firms and their Non-breached Competitors. Information Resources Management Journal (IRMJ), 25(1), pp.21–37.