How Do Investors Perceive the Materiality of Data Security Incidents

Abstract

Data security incidents are continually increasing; hackers, governments, and other actors increasingly attempt to gain unauthorized access to confidential data. Information systems (IS) users are becoming more vulnerable to the risks of data breaches. Many stakeholders perceive cybersecurity incidents as indicators of firms’ operational and technological internal deficiencies. Previous research has revealed that investors react negatively to data breaches, yet little is known about investors’ reactions to material data security incidents. Using a sample of 232 data security incidents for 132 publicly traded companies in the United States, the authors applied an event study methodology to discern investors’ reactions to material versus immaterial incidents. They also use multivariate regression and time-to-event analysis to examine what determines the degree of investors’ reactions, considering several intervals around the event day. The results show that investors perceive material data security incidents as a deficiency of breached companies in comparison to immaterial incidents.