Wednesday, March 12, 2008

Again On Breaches and Stock Price

Richard "IDS is dead" Stiennon throws a bomb: "First, esoteric matters like IT security really do not matter to the overall performance of a retailer. Customers, employees, stakeholders, apparently don’t care. Second, no matter what the security industry says, you should not justify security spending based on potential impact of a data breach on your stock price. That theory is completely disproved by TJX."

Enraged? Think he is pushing it too far? Being illogical? Me too :-) I don't think the TJX example just goes and "disproves" it; we don't really know how it works with breaches and stock prices (some say 4-8% down, some say none, some say 'major impact', whatever...)

He then clarifies: "But let me point out that TJX has attributed $200 million in direct costs to this breach. It is easy to surmise this is bigger than just about anyone’s security budget. In TJX’s case some well known security practices and a little security spending would have avoided this whole incident."

Overall, a fun read. Still, I think breach impact assessment and a breach's impact on anything (much less the stock price...) are not really well-defined or understood yet...

Dr Anton Chuvakin