Forwarded from: "Marco M. Morana" <marco.m.morana (at) gmail.com>
To: Adam Shostack <adam (at) homeport.org>
Adam
I published my point of view on the lessons learnt from the TJ Maxx
incident from the security perspective on my blog.
http://securesoftware.blogspot.com/search/label/Compliance
The fact that according to recent studies the correlation between bad
security news and drop in stock price cannot be correlated is also
proved in market research herein:
http://www.allbusiness.com/technology/computer-networking-network-security/967200-1.html
If you evaluate the loss in the risk analysis as an intangible factor (loss
of reputation) the impact should be more on the brand rather than on the
stock price. In the case of TJ Maxx the brand means Marshalls, and A.J.
Wright, Bob's and HomeGoods chain in USA, Winners chain and HomeSense
chain in Canada. Correlating bad news on security to TJ Maxx branding
should involve these brands since this is what the customer perceives.
From the standpoint of the stock price information, the fact that the
news is cross-correlated means for example that the recent data loss
(650,000 Credit Card Numbers) suffered by JC Penney has linked history
on TJ Maxx loss so this impact on reputation will continue.
I think in this case there are not really tangible losses except for the
financial fraud component (estimated 1 ML dollar) and the liability loss
is also quantifiable in 257 millions. It would have been different if TJ Maxx
had suffered a denial of service to the on-line web site of
http://www.marshallsonline.com/ to the loss of sales transactions per
day could be quantified and directly correlated to a vulnerability. (see
what SQL slammer worm did in February 2003, the estimates back then were
for 1 BL $ loss)
Regards
Marco
-----Original Message-----
From: isn-bounces (at) infosecnews.org [mailto:isn-bounces (at) infosecnews.org] On Behalf Of InfoSec News
Sent: Monday, January 21, 2008 1:21 AM
To: isn (at) infosecnews.org
Subject: Re: [ISN] One year later: Five takeaways from the TJX breach
Forwarded from: Adam Shostack <adam (at) homeport.org>
It's too bad Vijayan didn't bother to do enough research to find
Acquisti, Friedman and Telang's work on the subject.
Breach disclosures almost never affect stock prices for more
than a few days.
Adam
On Fri, Jan 18, 2008 at 01:04:14AM -0600, InfoSec News wrote:
| http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758
|
| By Jaikumar Vijayan
| January 17, 2008
| Computerworld
...
| Here, on the one-year anniversary of the breach becoming known, are
| five takeaways for security managers:
| Breach disclosures don't always affect revenue or stock prices ...
|
| Despite being the biggest, costliest and perhaps most written-about
| breach ever, customer and investor confidence in TJX has remained
Received on Tue Jan 22 00:09:18 2008