The relationship between security incidents and effect on the affected organisation/equity is a topic that continues to inspire discussions. There are numerous academic papers available (e.g. by Kannan,Rees and Sridhar (2007), Yayla and Hu (2011), Cavusoglu,Mishra and Raghunathan (2004), Campbell et al. (2003), Gatzlaff and McCullough (2010), Garg,Curtis and Halper (2003), Rees and Kannan (2007), Andoh-Baidoo,Amoako-Gyampah and Osei-Bryson (2010)) presenting sample studies with as many conclusions. With less rigor but very vigorously we see media picking up the thematic and jumping to conclusions one way or the other. Often it feels like this conclusion is based on little more than a casual glance at the 3 month stock chart mapping the underlying equity against its most likely index.
So when i came across the CNNMoney article discussing the recent Adobe breach i decided to take a few minutes to see if facts back up the rather attention grabbing headline. A common approach for this is the use of event studies where a measure of the event’s economic impact can be constructed using security prices observed over a relatively short time period. In this case i’ve retrieved daily price data for Adobe to cover a 180 day estimation window. As we know that the breach was publicly announced on 2013-10-03 the event window is nicely defined and can be very narrow (0,+1) covering a two day span to account for information lag. The CNN article is charting the stock price against NASDAQ 100 so time series data for this index was retrieved but i was also interested how the equity mapped against S&P 500.
As this was supposed to be a quick exercise i’m using the ‘Market Model’ approach with simple returns based on Ordinary Least Squares (OLS).
Adobe vs. NASDAQ 100
Looking at the Cumulative Average Abnormal Residual it appears that CNN was indeed right. A mere 0.0016 negative result on the event day is hardly reason for concern.
Day | AAR | CAAR |
0 | -0.0016 | -0.0016 |
1 | 0.0041 | 0.0025 |
The event window chart is as expected decidedly indifferent.
A quick look at the statistical data confirms the suspicion that CNN may have actually been right. Not even a shade of statistical significance.
Date | CAAR | t-Test TS | Prob. | Patell Z | Prob.2 | Corrado Rank | Prob.3 | Sign Test | Prob.4 |
(0…1) | 0.0025 | 0.1501 | 0.8807 | 0.1505 | 0.8804 | 0.5114 | 0.609 | 1.0932 | 0.2743 |
(0…0) | -0.0016 | -0.1372 | 0.8908 | -0.1365 | 0.8915 | -0.1237 | 0.9015 | -0.9147 | 0.3603 |
Adobe vs. S&P 500
Running Adobe against S&P 500 returns shows very similar results. Again only a minor CAAR.
Day | AAR | CAAR |
0 | -0.0034 | -0.0034 |
1 | 0.004776 | 0.00138 |
As expected the chart looks almost identical to the NASDAQ study.
And again not a trace of statistical significance.
Date | CAAR | t-Test TS | Prob. | Patell Z | Prob.3 | Corrado Rank | Prob.5 | Sign Test | Prob.6 |
(0…1) | 0.0014 | 0.085 | 0.9323 | 0.0854 | 0.932 | 0.4038 | 0.6864 | 1.239 | 0.2153 |
(0…0) | -0.0034 | -0.2956 | 0.7675 | -0.2939 | 0.7688 | -0.4092 | 0.6824 | -0.8071 | 0.4196 |
Conclusion
It looks CNN was indeed right all along the market did not care much about the data breach announcement by Adobe. Having done research in this area i have to admit this was entirely expected but it is always good to verify. Now one interesting question is of course – assuming EMH hold does this mean the market already expected Adobe to be breached in this magnitude and priced this expectation in previously? Many security professionals would likely attest to the shaky information security history of Adobe but would the finance world really be aware? We’ll probably never truly know.