Authentication mechanisms are widely adopted by organizations as a means of securing and controlling access to information systems and their accompanying information. While account credentials in the form of text-based passwords have been employed as an authentication mechanism since the 1970s, some security experts have argued that the password is ineffective. Passwords can either be the cause of a data breach or information that is compromised during a data breach. This investigation examines the difference in annual firm profit, annual sales, and annual operating expenses between firms that experience an account credential data breach and firms that experience a non-account credential data breach.

Chu, Scott, Evaluating The Financial Impact of Data Breaches Involving Account Credentials (September 18, 2021). Available at SSRN: https://ssrn.com/abstract=3926497 or http://dx.doi.org/10.2139/ssrn.3926497
We use ordinary least squares (OLS) regression and cluster-robust standard errors to estimate all equations. Cluster-robust standard errors are used in hypothesis testing to address the potential issues of within-cluster error correlation and heteroskedasticity (Xue et al. 2017). We cluster the standard errors by firm because financial performance in different time periods for the same organization is likely to be correlated. It is worth considering that clustering by industry might be an attractive alternative to clustering by firm. Romanosky (2016) reports that certain industries are more prone to data breaches while others are more prone to suffer higher costs per incident.5 This provides some support for correlations between firms within a given industry, in this context. However, if we were to cluster by industry there may be a small number of clusters since we eliminate a substantial number of firms from the original PRC database. This would not
(Goldfarb and Tucker 2014). Since 169 firms in our dataset have multiple data breach incidents over our sample period and we observe 413 different firms, it appears reasonable to define clusters by firm. Furthermore, it is reasonable to conclude that observations belonging to the same organization are more likely to be correlated with each other compared to observations within the same industry.6

3.3 Variables

Table 1 summarizes the definitions and data sources of the variables that we include in our empirical models.

Table 1. Variable Definitions and Data Sources
| Variable Name | Variable Construction/Definition | Data Source |
| --- | --- | --- |
| Profit | Operating income before depreciation (OIBDP from Compustat), which is expressed in millions of dollars. | Compustat |
| Sales | SALE from Compustat, which is expressed in millions of dollars. | Compustat |
| Operating Expenses | Total operating expenses (XOPR from Compustat), which is expressed in millions of dollars. | Compustat |
| Account Credential Data Breach | A dummy variable equal to 1 if account credentials are involved in the data breach, and 0 otherwise. See the explanation and the appendix for more details. | PRC |
| Total Liabilities | Total liabilities (LT from Compustat), expressed in millions of dollars. | Compustat |
| Retained Earnings | Retained earnings (RE from Compustat), expressed in millions of dollars. | Compustat |
| Equity | Stockholder equity of the parent company (TEQ from Compustat), expressed in millions of dollars. | Compustat |
| Firm Size | The natural logarithm of one plus total assets (AT from Compustat). AT is first multiplied by 1 million so that we are working with the actual value of total assets. | Compustat |
| Industry Concentration | The sum of the squares of the market shares of the four firms with the highest sales in that industry. | Compustat |
| Records | An estimate of the number of compromised records from the incident. | PRC |
| Multiple Breach in a Year | A dummy variable equal to 1 if the firm suffers multiple breaches in a year, and 0 if the firm only experiences one breach throughout the year. | PRC |

6 When investigating the economic impacts of data breaches, Makridis and Dean (2018) cluster their standard errors at the firm-level as well.
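The firm-level clustering described in the estimation discussion above, as an added example that is not code from the paper: it computes classical and firm-clustered standard errors for the reduced case of an intercept plus one regressor, with no finite-sample correction. The function name, the sample values, and the use of the account credential dummy as the only regressor are assumptions made for illustration.

```python
# Added illustration; data and names are constructed, not taken from the paper.
from collections import defaultdict
from math import sqrt

# Constructed firm-year rows: (firm, account_credential_dummy, profit).
# Each firm's two residuals share a sign, i.e. errors are correlated within firm.
SAMPLE = [
    ("A", 1, 12.0), ("A", 1, 12.0),
    ("B", 1, 8.0), ("B", 1, 8.0),
    ("C", 0, 6.0), ("C", 0, 6.0),
    ("E", 0, 4.0), ("E", 0, 4.0),
]

def ols_clustered(rows):
    """OLS of y on [1, d]; returns coefficients plus classical and
    cluster-robust (sandwich, no small-sample correction) SEs for d."""
    n = len(rows)
    sd = sum(d for _, d, _ in rows)
    sdd = sum(d * d for _, d, _ in rows)
    sy = sum(y for _, _, y in rows)
    sdy = sum(d * y for _, d, y in rows)
    det = n * sdd - sd * sd
    # Bread: (X'X)^-1 for the two-column design matrix X = [1, d].
    inv = [[sdd / det, -sd / det], [-sd / det, n / det]]
    b0 = inv[0][0] * sy + inv[0][1] * sdy
    b1 = inv[1][0] * sy + inv[1][1] * sdy

    ssr = 0.0
    score = defaultdict(lambda: [0.0, 0.0])  # per-firm sum of x_i * u_i
    for firm, d, y in rows:
        u = y - b0 - b1 * d
        ssr += u * u
        score[firm][0] += u
        score[firm][1] += d * u

    # Classical variance assumes independent, homoskedastic errors.
    se_classical = sqrt(ssr / (n - 2) * inv[1][1])
    # Meat: sum over firms of s_g s_g', so within-firm correlation is retained.
    meat = [[sum(s[i] * s[j] for s in score.values()) for j in range(2)]
            for i in range(2)]
    v11 = sum(inv[1][i] * meat[i][j] * inv[j][1]
              for i in range(2) for j in range(2))
    return {"b0": b0, "b1": b1,
            "se_classical": se_classical, "se_cluster": sqrt(v11)}

if __name__ == "__main__":
    print(ols_clustered(SAMPLE))
```

On this constructed sample the clustered standard error on the dummy is larger than the classical one, because the classical formula counts each firm's two correlated observations as independent information.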