Do phishing alerts impact global corporations? A firm value analysis

Phishing is a form of online identity theft that is increasingly becoming a global menace. In this research, we analyze the impact of phishing alerts released in public databases on the market value of global firms. Using a sample of 1942 phishing alerts related to 259 firms in 32 countries, we show that the release of each phishing alert leads to a statistically significant loss of market capitalization that is at least US$ 411 million for a firm. We propose a theoretical framework for analyzing the impact of threats on firm value, and determine that the negative investor reaction is strongly significant for alerts released in 2006-2007 and for those targeted to financial holding companies, and weakly significant for firms listed in the US. We derive and validate these results using a combination of event study, subsampling analysis, and cross-sectional regression analysis. Our research makes a contribution by providing a new model for conducting multi-country event studies. We also contribute to the information systems literature by quantifying the loss in market value caused by phishing, and provide compelling evidence to information security administrators of firms that urge them to adopt adequate countermeasures to prevent phishing attacks.