Do Information Security Breach and Its Factors Have a Long-Run Competitive Effect on Breached Firms’ Equity Risk?

A breach in information security (infosec) can materially impact a firm’s long-term competitiveness. For publicly listed firms, an infosec breach can have a long-lasting effect on their competitive stock performance, including their equity risk. Despite its significance, past research has focused primarily on examining the short-term effect of infosec breaches while ignoring its long-term effect on the firm’s equity risk. Therefore, in this research, we examined the long-run effect of 276 infosec breaches at publicly traded firms on equity risk from 2009 to 2018. We analyzed each firm’s equity risk compared to its competitive control firms of similar sizes and performances for three years, from one year before to two years after the breach, using a one-to-one matching methodology. The univariate analysis of infosec breaches on equity risk indicated that breach firms have a 7% higher equity risk than competitive control firms. Additionally, the quantile regression analysis of the effect of infosec breach factors on long-run equity risk showed that the rise in equity risk is higher if the breach involves the compromise of confidential information and is a repeat breach for the same firm. The findings provide a valuable resource for investors, managers, and researchers interested in understanding the long-term relationship between infosec breaches and a firm’s stock competitiveness.


INTRODUCTION
With the extensive use of digital technology and the developing nature of digital assets, the number of infosec breaches has increased, putting businesses at risk and eroding their competitiveness.As a result, a resilient approach for infosec risk management is vital for organizational growth and can help a firm outperform the competition.Cybercriminals are among the many competitors but are not included in a competitive analysis because they are not direct business competitors.These hackers want to steal money, sensitive data, and password-protected information such as credit card details.The reason hackers are considered competitors is because they are typically not one-person hacker bands but rather profit-driven business entities (Kolodgy, 2021).In today's competitive business climate, the presumption of a cybersecurity breach or its broader form, the infosec breach, has become the new norm (Njenga & Lowry, 2018;Olcott, 2019), and breaches are expanding in size and impact (De Groot, 2020).
When a firm suffers an infosec breach, it may sustain both tangible and intangible damages that impair future cash flows and overall competitiveness, including the stock market (Hovav et al., 2017;Smith et al., 2019).Measuring such competitiveness is challenging.Thus, several researchers have attempted to measure this effect (Sinanaj & Muntermann, 2013;Tweneboah-Kodua et al., 2018).Most of these studies' findings showed an unfavorable effect on competitiveness, as measured by the breached firm's market value.The semi strong efficient market hypothesis (EMH), according to which stock prices react quickly to new information, underpinned these studies (Fama, 1970).As a result, scholars have analyzed stock price behavior displaying an immediate analysis of a firm's stock competitiveness.Whereas short-run analysis helps gauge a firm's short-term competitiveness to an event, long-run analysis is required to assess the actual economic impact on the firm's competitiveness.Studies on this issue have not provided a clear answer as to whether a breach will affect stock competitiveness in the long term.
An infosec breach can have a long-run effect on business operations, especially on investors in the stock market.For instance, the risk of infosec to operations, profits, and competitiveness is growing for many firms.The time required to identify and contain an infosec breach has increased from 257 days in 2017 to 282 days in 2020, with projected response costs ranging from about USD 1 million per organization (IBM & Ponemon, 2020).This reflects the increasing complexity of infosec breaches, which requires firms to commit more time and resources to counteract.The costs might linger for years because detecting and containing a breach are now slower.A firm's breach may necessitate assistance from cybersecurity, public relations, and legal firms, all of which add to the post-event cost.In addition to helping restore service, operations, and morale, brand harm and stakeholder confidence can take months to heal (McAfee, 2021).These are anticipated to have a long-term impact on the firm's operational excellence and competitiveness, particularly in the stock market.Second, firms are hesitant to provide signals that disclose complete details of a breach in their initial announcement.If a company has not detected a breach, it cannot report it.Even if a breach is detected, it still might not be reported.In recent years, incidents of infosec breaches have occurred in which the details of the breach have been revealed months after the initial breach announcement.For example, in July 2019, Equifax was fined USD 700 million by the Federal Trade Commission and the Consumer Financial Protection Bureau for concealing material details of a massive data breach that occurred in 2017.Similarly, the SEC fined Yahoo!USD 35 million in 2018 for allegedly misleading investors by failing to report a 2014 personal data breach affecting over 500 million user accounts (Rutta & Diamond, 2018).According to a report by McAfee (2021), only 26% of organizations that experienced security incidents shared real-time information about the most severe incident with customers and investors.From a stock market perspective, disclosures after infosec breaches by the firms and other parties provide signals to stock investors for long-run decision-making, thus affecting overall firm risk (Aman et al., 2021).How infosec breaches affect equity risk is critical to understand because they can affect stock competitiveness (Ali et al., 2020).This may increase the firm's cost of capital and deter investors from investing in a stock.
The factors contributing to abnormalities in a firm's stock competitiveness as measured by equity risk are critical to investigate.Therefore, in this study, we also examined the relationship between infosec breach factors and long-term equity risk abnormalities.We assert that an infosec breach can have a long-term detrimental effect on equity risk, with varying magnitudes depending on the contributing infosec breach factors.With an underpinning of signaling theory, the magnitude of abnormality in equity risk is determined by the signals gained by investors after an infosec breach (Helm & Mark, 2007;Ray et al., 2011).Signaling factors revealed after an infosec breach may influence the extent of the abnormality in the equity risk.The nature of the breach may be one factor.That is, the reaction of an investor (receiver) depends on whether the confidential information of the breached firm has been compromised (confidential/non-confidential) (Chang et al., 2020;Yayla & Hu, 2011).Similarly, an investor's reaction may differ depending on whether the firm has been breached for the first time or repeatedly (repeat/no-repeated) (Chen et al., 2011;Hovav et al., 2017).Additionally, a breach affecting a large conglomerate may have different ramifications for investors than a breach affecting a conglomerate's subsidiary (conglomerate/ subsidiary) (Bose & Leung, 2014;Smith et al., 2019).Finally, the industry in which a breached firm operates may have a varied impact on investors (Hovav et al., 2017), mainly if the breached firm is in the financial sector (financial/non-financial). Considering this scenario, we aimed to achieve the following research objectives (ROs) in this study: 1.To evaluate the long-run effect of infosec breaches on equity risk.2. To examine the role of infosec breach factors in determining the magnitude of long-run abnormalities in equity risk (stock volatility) following an infosec breach.
Section 2 reviews the literature on the effect of infosec breaches on equity risk and discusses the theoretical foundations upon which the research hypotheses were developed for this research.Section 3 outlines the long-term equity risk forecasting methodology.Section 4 presents the results on the long-run effect on equity risk along with a discussion given the study's ROs and the findings of other studies.Section 5 concludes this study by first describing the theoretical and practical contributions and then identifying the limitations and future research opportunities in this field.

LITERATURE REVIEW AND HYPOTHESIS DEVELOPMENT
An influential research group focused on the market implications of disclosures linked to infosec breaches underpinning the EMH and the methodology of an event study (Chang et al., 2020;Smith et al., 2019).The event study tested the EMH by tracking and analyzing major postannouncement stock price changes.Researchers have used this methodology to study infosec breach events such as denial-of-service attacks (Rosati et al., 2019;Smith et al., 2019), virus attacks, and software vendor vulnerability announcements (Telang & Wattal, 2007).These researchers all focused on the short-term effects of breaches while disregarding their long-term consequences.
In the current study, we used signaling theory to account for the long-term influence of infosec breaches on a firm's stock competitiveness as manifested by its equity risk (Spence, 1978(Spence, , 2002)).According to the theory, a firm's products or services may signal customers, allowing them to make indirect judgments based on available information.An infosec breach sends a strong signal to investors about the resilience of a firm's infosec system and its prospects.To begin, an infosec breach raises the risk of online transactions (Pavlou et al., 2007), hence affecting the firm's future cash flows and stock competitiveness.Second, investors' subsequent actions will be based on the infosec breach signals shared by breached firms, which will impact possible litigation expenses from customers (Gordon et al., 2010).Prior findings on patent infringement indicated that litigation may hurt the market value of defendants (Raghu et al., 2008).Third, an infosec breach may attract other adversaries or competitors who prefer firms with lax security measures.Lower security and privacy assurance levels may create transactional uncertainty and reduce purchase conversion (Özpolat et a., 2013).Finally, a security breach may exacerbate market information asymmetry due to the breached firms' restricted disclosure.Higher information asymmetry can affect market returns and lemon market difficulties (Gordon et al., 2010).Thus, the events can be considered a signal for investors.Investors' expectations of a company's future performance and outlook are revised after a breach, causing a market reaction to the firm's stock competitiveness.
The ramifications for the firm's long-term competitiveness, particularly in the stock market, are a common concern for researchers because the term long-run firm's stock competitiveness refers to the degree of change in stock price from one to three years after an occurrence.Long-run firm stock competitiveness is influenced by the scenarios that surround an event.Similarly, an infosec breach can have long-term effects on a firm's finances and stock competitiveness.However, most researchers have focused on infosec breaches' short-term stock competitiveness.
To the best of our knowledge, only two recent studies (Ali et , 1999).According to the one-to-one matching approach, each sample firm's performance is compared to that of a competitive matching firm with a similar size and prior performance.Considering this research gap, Ali et al. (2021b) employed a one-to-one matching methodology; however, their study was limited to 73 breach events.Furthermore, the analysis was confined to only one year.As such, in this study, a framework was created using a robust and reliable one-to-one matched methodology.Additionally, equity risk for three years was examined, from one year before to two years after the breach.A larger sample of 276 breach events was used.To the best of the author's knowledge, the literature does not provide an adequate answer regarding the long-run effect of infosec breaches on equity risk.

Infosec breaches and long-run equity risk of firms
Understanding how business events and their opinions affect equity volatility is critical given the economic ramifications.An infosec breach event was proved, in past studies, to substantially affect the stock market prices of breached firms.In addition to the consequences on stock prices, an infosec breach can remarkably impact the level of equity risk faced by firms and their investors.Regarding making financial investment decisions, equity risk is a critical factor to consider.According to our knowledge, only a few researchers have analyzed the impact of an infosec breach on equity risk.Hinz et al. (2015) and Tweneboah-Koduah et al. ( 2020) have explored the influence of infosec breaches on equity risk.However, their research was limited to a short time frame.In the long run, firms that are found to be vulnerable to infosec breaches may be perceived as systematically more vulnerable to further assaults, and investors may demand larger compensations for this exposed risk.Further, infosec breaches are predicted to adversely affect investors' expectations about a firm's future cash flows, increasing the equity risk.Taking the above into consideration, the first hypothesis as developed as follows: H1: Infosec breaches augment the long-run equity risk of breached firms (σ2e).
The literature provides no guidance on the ideal time frame for assessing post-announcement equity risk with reasonable assumptions.The literature covers a period of one to five years.However, using more than two years of abnormal returns create misspecified and unbiased test statistics (Huang, 2012;Kothari & Warner, 1997).The event determines the suitable timeframe for examination and the scholars' clear choice (Huang, 2012).This post-event study is consistent with that of Hendricks & Singhal (2005, 2014), who examined complex incidents that cannot be appraised in the absence of additional information.We estimated equity risk following the disclosure of an infosec breach over three years, commencing one year prior to the incident and ending two years after the breach.This demonstrates the negative implications of infosec breaches and any constructive effects of corrective actions.Overall, we examined the SD of stock returns over three distinct periods, including the pre-and post-breach periods of one year, between the first and second years following the breach, and over three years beginning one year before and ending two years following the breach.

Infosec breach factors and long-run equity risk
An infosec breach signals a firm's information system's vulnerabilities based on signaling theory.Investors' reactions may vary based on the factors that created the infosec breach.In addition to the long-term effect of an infosec breach on equity risk, these factors must be examined.
Elements connected with infosec breaches can help explain the magnitude of abnormalities in a firm's stock competitiveness (Yayla & Hu, 2011).Among the factors are the characteristics of the infosec breach or attack (Arcuri et  ).As a result, the following hypothesis was constructed for each infosec breach factor.
H2: Infosec breach factors affect the magnitude of abnormalities in long-run equity risk.
H2 was further divided into four sub-hypotheses, H2A, H2B, H2C, and H2D, based on the four factors of infosec breach conceptualized and examined in this study.These factors can also be demonstrated by signaling theory and integrated into a signaling framework to aid in comprehending investor decision-making.These factors can be classified as the signaler (the party disclosing the new information), signal (the information being disclosed), receiver (the party receiving/interpreting the signal and their response), and signaling environment (the context in which all of this occurs) (Connelly et al., 2011;Hamad et al., 2020).We used these classifications to identify infosec breach factors that may affect equity risk in the event of an infosec breach.We argue that the net effect of infosec breaches on the investor (signal receiver) is contingent on the following factors: (1) the signal content, i.e., the disclosed infosec breach; (2) the signaler, i.e., the firm in question; and (3) the signaling environment surrounding the infosec breach.
The nature of the breach serves as the signal content and is thus conceptualized in H2A ( ).The majority of the researchers have focused on the short-term effects of an infosec breach.A short-term examination of an infosec breach event cannot reveal its actual impact on a firm's stock competitiveness.For instance, in the case of SONY, the number of breaches escalated following the initial notice, owing to the attacker's opportunistic stealing behavior and the access gained to the organization's information system (IS), resulting in the compromise of additional confidential information (Goode et al., 2017).As a result, long-term equity risk is projected to be higher when confidential information is compromised.The study's RO2 suggests that a security breach that compromises confidential information will serve as a warning to investors, increasing long-term equity risk.
H2A: Long-run abnormal equity risk is higher for infosec breaches that compromise confidential information than for other types of breaches.
The first breach is seen differently than a second, third, or additional breach.Simultaneously experiencing multiple breaches signals a great deal to investors about a firm's infosec resilience.As a result, they are likely to punish firms that fail to protect sensitive data.Suppose the market's reaction to a repeated incident is the same.In that case, this suggests investors are seeking longterm signals that can help them create trust in the market.Investors who penalize firms for failing to improve in infosec may show indifference or even preference in the long run.As a result, if the same firm is repeatedly breached, the effect on equity risk must be assessed.Some attempts to understand this relationship have been made by Gatzlaff et al. (2010); Schatz & Bashroush (2016).Despite the importance of long-term analysis (highlighted earlier), both of these attempts solely focused on the short-term firm stock performance.As a result, the following sub-hypothesis was formulated: H2B: Long-run abnormal equity risk following an infosec breach is higher for firms that experience repeated breaches.
A breached firm's ownership structure also provides a distinct signal.In the event of an infosec breach, a firm's ownership status may influence investor reaction.Conglomerates with subsidiary firms are more likely to diversify risk (Du et al., 2021).The implications of an infosec breach in a conglomerate's subsidiary may be less severe.The status of the subsidiary has a mitigating effect in the case of data breach notifications (Bose & Leung, 2014) and DoS attack announcements.
The rationale is that investors pay more attention to news that affects a conglomerate's overall profitability and competitiveness than to information that influences a single subsidiary's profitability.Because of the risk diversification, whereas infosec breaches may have long-term adverse effects on the target firm, they have less impact on a subsidiary of a more prominent firm.Due to these signals, equity risk may be higher when a conglomerate is breached.Thus, the following sub-hypothesis was proposed: H2C: Long-run abnormal equity risk is higher if the breach directly targets a conglomerate firm than if it targets a conglomerate firm's subsidiary.
As a component of the signaling environment, the industry plays a role in signaling to investors after an infosec breach.Cybercriminals target financial organizations because they have access to sensitive data, including client PINs, social security numbers, and credit card details.Among all the major industries, firms in the financial industry spend the most time identifying and managing infosec breaches at 233 days (IBM & Ponemon, 2020).Additionally, the average cost of an infosec breach is substantially higher in the finance industry than in other industries (Bissell & Ponemon, 2019).The cost of a breach exhibits the threat of cybercrime to financial services firms.Moreover, financial firms face higher legal, financial, and client risks than firms in other industries (Bouveret, 2018).Thus, breaches in the financial sector can lead to customer distrust and possibly legal action from customers and regulators, as was the case for Equifax (Fung, 2018).So, an infosec breach in the financial industry will have stronger impacts on future cash flows and stock prices than in other industries.The cumulative effect of all of these aspects can substantially enhance the long-term equity risk of a financial firm compared to other types of firms.It may impair long-term equity risk.As a result, the following sub-hypothesis was constructed: H2D: Long-run abnormal equity risk after an infosec breach will be higher for financial sector firms than non-financial sector firms.

METHODOLOGY AND DATA
The methodology and estimation procedures used in this study are different from those used in event studies to assess the short-term effect of events on firm stock competitiveness.Event studies frequently produce skewed estimates of eventual economic impact and test statistics (Barber & Lyon, 1997;Kothari & Warner, 1997).This study's findings are based on modern, more precise approaches that were used in a few studies (Ali et

Sample selection:
The sample was compiled using web data sources such as The Privacy Rights Clearinghouse (PRCH) and the Identity Theft Resource Center (ITRC).Previously, researchers used these data sources (Richardson et al., 2019;Rosati et al., 2019).Event denotes the date of a security breach disclosure.The breadth of an infosec breach varies and may contain names, addresses, dates of birth, passwords, and credit card information.In this study, the inclusion criteria of all infosec breach announcements from a firm were: 1.The firm was listed on one of the U.S. stock markets (NYSE or NASDAQ).
2. The firms had provided data to the Center for Research in Security Prices database.
3. The firm had traded for a year prior to the infosec breach.
4. The firm had no other infosec breaches in the two years before and after the breach.
5. When the breach occurred on an unlisted subsidiary firm, the parent company was tracked.
6.The firm had a book value greater than zero.
Obtaining a large enough event sample size for statistical analysis has challenged event study scholars.This challenge involves identifying relevant press releases that influenced investor trading.As per the systematic literature review by Ali et al. (2021a), 90% of studies that examined the effect of infosec breaches on firm stock competitiveness used a sample size of approximately 200 events.The sample data for this study were obtained from the PRCH and ITRC, which allowed for the collection of 763 breach events from 2009 to 2018 (Table 1).The samples were then screened for long-term analysis using the above criteria.To begin, 245 samples were discarded because the breached firm was not publicly traded.Another 100 samples were removed because they occurred within two years after an infosec breach at the same firm, restricting long-term analysis.Next, 100 samples were excluded due to a lack of data for a two-year analysis.Lastly, 37 samples were eliminated for failing to meet the inclusion criteria (Section 3.1).For instance, firms had a book value of less than zero.Using this procedure, 276 breaches were used to gauge long-term equity risk.Figure 1 depicts the industry classification for the breach events included in our final sample. Tab.

Assessing the long-run equity risk:
The main challenge in this long-term stock market research was predicting abnormalities for the firms in our sample.In this situation, abnormal equity risk is the difference between a sample firm's equity risk and a competitive benchmark risk over a period.After controlling for the indicated variables, whatever is unexplained is considered abnormal and can be linked to the event.The literature provides different views on measuring long-term abnormality (Barber & Lyon, 1997;Fama, 1998).The present consensus is that long-run abnormalities must be determined after controlling for size, market-to-book (M/B) ratio, and previous performance through the use of matched sampling methodology (Barber & Lyon, 1997; Lyon et al., 1999).) and appeared to be most appropriate for testing the hypotheses.According to this methodology, each sample firm was matched to a competitive control firm of similar size and performance.Then, two one-to-one samples (control firms) were established as follows: 1. Choosing a control firm in the same industry that is 70% to 130% of the asset size of the sample firm (size-matched).
2. Choosing a control firm from the same industry as the sample firm with an M/B ratio of 70% to 130% (performance-matched).
Equity risk (i.e., equity volatility) can be expected to change after an infosec breach is reported.Additionally, some information may leak about market-wide infosec breaches.Infosec breaches may also affect information risk, financial leverage, and operational levers.So, volatility fluctuations were studied before and after an infosec breach.The pre-event period (days -259 to -10) was used to assess volatility variations.The post-announcement volatility fluctuations were investigated to determine if they were temporary or irreversible.Volatility is the SD of the portfolio's abnormal returns over time.A minimum of 125 daily returns should be accessible in one year to predict SDs.The SD is a financial statistic that shows the investment's historical volatility compared to the average return.
where x i is the return on the i th day for a firm's stock, xis the average return in each period, and n is the number of days in the timeline.
We compared the percentage changes in our sample firms' equity standard deviations with the competitive control firms using matched sampling methodology.Thus, each sample firm's equity risk was matched with two similar competitive control firms.This controlled for industrymatched size and performance.The study calculated percentage increases in volatility as follows:

%Δ volatility=%Δ in volatility of sample firm -%Δ in volatility of control firm (2)
Once the equity risk (i.e., abnormal stock volatility) was analyzed through equation 2, its significance was tested through parametric (t-test) and nonparametric tests (Wilcoxon signedrank test).The test results finally revealed the acceptance or rejection of H1 for this study.To collect findings over time, we calendared each entity's occurrence in our sample.The day of the announcement was the day '0', and the next trading day was day '1' the day before was day -1, and so on.Abnormal equity SDs were analyzed for three years, from one year before to two years after the event.A year has 250 trading days.Additionally, a two-week term (10 trading days) was deducted from both sides.This ensured that estimates of equity SDs were not skewed by abnormal trading activity leading up to the event.As exhibited in Table 2, we evaluated stock volatility over three years, beginning one year before and after the breach.
Tab. 2 -Time mapping to compute equity SDs.Source: own research

Post-event period
Year -1 to +1 Year +1 to +2 Year -1 to +2 Stock volatility (in days) -259 to +259 days +260 to 509 days -259 to 509 days The equity SDs were computed for three separate windows: 1) one year prior to and following the event (Equity SD-1,+1); 2) between one and two years following the event (Equity SD+1,+2); and 3) between one and two years following the event (Equity SD-1,+2).Parametric and nonparametric tests were used to assess the statistical significance of these equity SDs and H1.

Cross-sectional regression for infosec breach factors on equity risk:
For testing H2, infosec breach factors were regressed at windows where equity SDs were significant.Time frame, breached firm size, and M/B ratio were all unrelated control variables.The natural log of the breached firm's total assets reported in the year of disclosure determines the firm's size (Bose & Leung, 2014, 2019).The timeframe was ten years, from 2009 to 2018, so it had a maximum value of ten (the year 2018) and a minimum value of 1 (the year 2009) (Ali et al., 2021a;Chang et al., 2020).Each sample firm was paired with a competitive control firm.Controlling the sample firms' M/B was crucial because M/B determines their performance (Barber & Lyon, 1997;Lyon et al., 1999).The hypothesized variables for infosec breach factors are were 1 and 0. Table 3 shows the operationalization of these dummy variables, which is in line with the infosec literature, where code 1 denotes dimension that is expected to create a higher abnormality in equity risk.Quantile regression (QR) was used instead of ordinary least squares (OLS) to assess H2A-H2D because it is robust to the non-normality of error terms and outliers and minimizes cross-sectional and cross correlational heteroskedasticity (

RESULTS AND DISCUSSION
The correlations of all study variables are exhibited in Table 4.In line with the second research objective, a positive correlation was found between some infosec breach factors and the equity SDs.However, a comprehensive investigation of these relationships was necessary before drawing any conclusions.Tables 5 and 6 provide comprehensive details of these relationships.
Tab.To achieve RO1, we examined the long-term equity risk of breached firms from 2009 to 2018.
To evaluate the equity risk of sample firms following the disclosure of an infosec breach event (year t = 0), the sample firm's equity SD was compared to that of a matched control firm.
During the pre-and post-event period, the average change in equity SD -1,+1 of sample firms compared to size-matched competitive control firms was positive.The mean abnormal change in equity SD was 8%, significant at the 5% level (t=2.475).In contrast, the Z-statistic for the Wilcoxon signed-rank test was 2.425.However, the change in equity risk was insignificant for equity SD+1,+2 (t=1.068).A substantial rise in equity risk was revealed in the cumulative period of three years (i.e., equity SD -1,+2 ).Therefore, H1 was supported.The results for performancematched competitive control firms were analogous to those of size-matched competitive control firms.Accordingly, further analysis and discussion centered on the size-matched control group.
Tab. 5 -Evidence for abnormal equity risk for sample breached firms when matched with sizecontrol and performance-control firms at SD -1,+1 , SD +1,+2 and SD The higher equity risk revealed during these periods may have led to negative abnormal returns, as witnessed previously (Ali et al., 2021b;Chang et al., 2020).The equity risk outcomes are noteworthy for various reasons: First, when infosec breaches were publicly disclosed, equity risk significantly increased.Second, the increase in equity SDs prior to and during the infosec breach was not the result of a nonstationary SD range.SDs did not significantly differ between one and two years following the event.Finally, no temporary increase occurred in equity risk over the one year prior and following the infosec breach incident, as the risk did not diminish in the months following.Breach of infosec increased the risk to the firm and, as a result, the equity risk in the months ahead.Increased equity risk may also imply that sample firms' cost of equity will increase by 7% compared to controls.This will reduce the equity value of sample firms by 7%.Using SONY as an example, an infosec breach event would result in a market value loss of USD 293 million per year after the occurrence and a total loss of USD 937 million two years later.
Considering RO2, infosec breach factors were regressed on equity risk when it was significant: equity SD (-1,+1) and equity SD (-1,+2) .Based on these results, the hypotheses connected with RO2 were assessed, namely H2A-H2D.The infosec breach factors were initially regressed using the OLS method.However, the regression functions failed to fully satisfy the OLS assumptions.Following the procedure of similar studies, QR was used.The QR results for equity SD (-1,+1) and equity SD (-1,+2) are shown in Table 6.The adjusted r-square values were 26% and 29%, respectively, implying that about 26-29% of the change in the conditional median in equity SD (-1,+1) and equity SD (-1,+2) was related to the infosec breach factors included in the model.The significance level for the quasi-LR statistic was less than 0.05, indicating that the models were stable.Common infosec breach factors were found to be significant in determining the long-term equity SDs within one year before and after a breach (i.e., Equity SD -1,+1 ) and in the cumulative period of one year before the breach to two years after the breach (i.e., Equity SD -1,+2 ).The nature of the breach was significantly positive (t=2.67,t=2.46) for Equity SD -1, +1 and Equity SD -1, +2 ,.Therefore, H2A was strongly supported.This implies that the breached firm's stock will be at higher risk when compromised by a breach affecting its confidential information.These findings are consistent with earlier research demonstrating how investors' confidence is influenced due to a firm's confidential information being compromised (Das et al., 2012).Researchers have studied this effect on the short-term horizon.In contrast, this analysis extends prior conclusions by arguing that an increase in equity risk caused by a breach of a firm's confidential information will occur in the short and long terms.Additionally, these findings imply that investors do not provide leverage to firms after a breach of confidential or sensitive information in the long run.
On the contrary, investors may continue to offer leverage to firms when their ISs experience a breach of integrity or availability, as they are not directly involved in the loss of sensitive information or other major information assets (Bose & Leung, 2014;Hovav et al., 2017).Additionally, a breach of confidential information may result in the loss of additional consumers and a disproportionately higher legal liability, thereby exacerbating the incident's long-term effect (Ali et al., 2021b;Chang et al., 2020).Hence, a security breach of confidential information sends a strong signal to investors.As a result, increased abnormality in investors' long-run equity risk can be projected when a breach involves compromising confidential information.
Repeated breaches for the same organization (t = 3.79, t =2.32) were also significantly positive for Equity SD -1,+1 and Equity SD -1,+2 .We can infer that if breaches repeatedly occur for the same firm, its stock will be at higher risk.Therefore, H2B was supported.This means that the increase in equity risk associated with infosec breaches will be markedly higher if a firm is repeatedly the victim of breaches.Additionally, the results indicate that repeated breaches at the same firm send an exceedingly negative signal to investors compared to when a firm is breached for the first time.As a result, investors will be more punitive of firms that fail to learn from previous breaches and establish an IS resilient to the risk of infosec breaches.These findings corroborate those of Gatzlaff & McCullough (2010); Schatz & Bashroush (2016), who evaluated the shortterm effect of repeated breaches.The current study's findings indicate that the negative effect of a repeated breach lasts longer than that of an initial infosec breach on a firm.
No significant evidence was found as to a breached firm's ownership structure on equity SD on either of the timelines (t= -0.06, t= 0.35).Hence, H2C was rejected.A statistically insignificant association was found between the breached firm's ownership structure and long-run equity risk.The conclusion is that investors, in penalizing the breached firm, make no distinction between conglomerate and subsidiary firms.As a result, investors' reactions to an infosec breach event will be independent of the firm's ownership structure.These findings contradicted those of Bose & Leung (2014) when they examined the effect of infosec breaches on short-run market value.From the current study, it can be concluded that the negative effect of an infosec breach may endure only in the short term for a conglomerate and not in the long term for either the conglomerate or subsidiary firm.Thus, investors do not differentiate the negative effects of an infosec breach based on the firm's ownership structure as a conglomerate or subsidiary in the long run.
Finally, the breach effect concerning the breached firm's industry was also insignificant.This implies that equity risk did not differ between the breached firms' industries (t= 0.56, t= 0.44).
Therefore, H2D was rejected.Additionally, it was established that investors, when penalizing a breached firm, make no distinction between its industry classification as financial or nonfinancial.No connection was found between the industry in which the breach occurred and the long-term equity risk.This is also consistent with the findings of prior research, which indicates that the effect of infosec breach on firm stock performance is independent of the breached firm's industry (Acquisti et al., 2006;Kannan et al., 2007).Overall, the study's findings imply that an infosec breach has a long-term, unfavorable effect on equity risk if a firm is a continued victim of breaches that compromises its confidential information.

CONCLUSION
By concluding that infosec breaches have a long-term equity risk effect, the current study provides two contributions to signaling theory: by widening its reach to encompass long-term analysis and by deepening the theory in unfavorable situations such as infosec breaches.Thus, a new link between infosec breaches and long-term equity risk was revealed in this study.The current contributions may open new research possibilities by examining the effects of an infosec breach on other long-run measures of a firm's competitiveness.This study further contributes to the signaling theory by identifying antecedent factors that influence the value of a signal in the infosec context.Abnormalities in equity risk show that signal and signal factors play a crucial role in shaping the receiver's reaction.Concerning signal content factors, it was discovered that breaching confidential information has a more significant effect on long-term equity risk than compromising nonconfidential information.If the signaler (i.e., the firm) has been compromised several times, the adverse effect on the receiver (i.e., the investor) is worse.This has implications for signaling theory and the long-term relationship between infosec breaches and equity risk.
Our findings of long-run equity risk are essential for risk managers for several reasons.First, managers value long skyline estimates; they gradually broaden their view on a firm's competitiveness concerning the stock market.The timeframe of abnormal equity performance was highlighted here, the extent to which it continues, and whether firms swiftly recover from infosec breaches.Second, the results show that breached firms incur higher equity risks than competitive control firms.Infosec breaches may increase a firm's financial and operational leverage.As a result, firms can lower financial leverage by raising equity or retiring debt.Our findings may help a firm's competitors (i.e., experienced hackers and other cyber experts) identify the most vulnerable firms.These types of unforeseen effects are rather typical in infosec studies.
The current study has some limitations.First, the study exclusively included publicly listed firms in the U.S., where the most stringent data breach reporting rules exist.Other countries' security breach notification regulations are in their infancy.Our findings currently only apply to U.S.based firms.However, future research may look at breached firms beyond the U.S. when other countries develop infosec breach disclosure laws.Second, the classification of infosec breach factors was built based on a content analysis of news.A content analysis is a subjective procedure that incorporates researcher bias.Future research should examine the long-term effect of various types of breach incidents, such as phishing, advanced persistent threat, and computer virus infections, on a firm's stock competitiveness.Finally, further research might integrate security breach and security investment: how security investment plays a role in improving the firm's competitiveness after an infosec breach.To conclude, the ramifications of infosec incidents on stock competitiveness are substantial, severe, and lasting.However, little research on the subject has been conducted.As a result, the field is amenable to novel research approaches that may aid a firm in sustaining a competitive edge in the digital era.
(Bose & Leung, 2014;Hovav et al., 2017iness stakeholders are more concerned about the theft of confidential information than denial-of-service attacks, virus attacks, or other infosec breaches(Bose & Leung, 2014;Hovav et al., 2017 4 -Person correlation matrix between hypothesized and control variables.Source: own research