As I recall, the market cap downgrade for a security breach is now only on the order of 2% of a company's value, unless its a security or internet company.
My copy of the security economics book is on loan right now, so I can't check the reference, but see.... http://www.cl.cam.ac.uk/users/rja14/econsec.html ... "The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers," which link is now broken, thanks to UT Dallas.
Posted by Adam Shostack at November 23, 2004 05:22 PMHere's what the Ross Anderson page says:
_The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers_ provides an analysis of the effect of security scares on share prices. A firm whose security is publicly breached can expect to lose 2.1% of its market capitalisation (an average of $1.61 bn per incident) while security vendors gain an average of 1.36% from each such announcement (giving a total gain of $1.06 bn per incident). Another study, of the February 2000 DDoS attacks, showed a slightly greater loss. (The Register has a more cynical view.)
Certainly seems interesting ... but I have searched the net, and it seems that the paper is no longer available. Bummer!
Posted by Iang at November 23, 2004 07:33 PM