The Effect of Information Security Certification Announcement on the Market Value of Firms

기업의 정보보호 인증이 기업가치에 미치는 영향

  • Received : 2016.07.12
  • Accepted : 2016.08.31
  • Published : 2016.09.30

Abstract

Recently, many Korean firms have suffered financial losses and a loss of trust due to information security incidents. As a result, many firms have recognized the importance of information security, and in particular the demand for information security certification has increased. This study examines the effect of information security certification using the event study methodology. Our research shows that the announcement of an information security certification significantly influences the market value of the corresponding firm. On average, the market value of certified firms rises by 0.4993% (day -2) and 0.5462% (day +1). Further, we found that the financial sector in our data showed 1.4% higher abnormal returns than the nonfinancial sector. On the other hand, whether a firm was acquiring the information security certification for the first time is not significant. Our paper shows that it is possible to analyze the effect of information security certification using an event study. We expect our results to be used in making decisions on information security investment. Our results also indicate that firms which have acquired an information security certification should actively announce that fact.
