Author Information : Michel Benaroch (Whitman School of Management, Syracuse University)
Anna Chernobai (Whitman School of Management, Syracuse University)
James Goldstein (Canisuis College)
Year of Publication : Journal of the Association for Information Systems (2011)
Summary of Findings : Companies should care about all types of operational IT failures, not just cyber security breaches. Data from the past 25 years reveals that firms experiencing operational IT failures suffer, on average, a 2% drop in their stock prices, especially when the failures involve loss of availability or misoperation of IT systems and data assets.
Research Questions : 1. How damaging to the firm are operational IT failures?
2. Are all types of operational IT failures equally damaging?
What we know : Most researchers and practitioners have focused on malicious data breaches and cybersecurity attacks, even though these are only one type of operational IT failure.
Novel Findings : Operational IT failures of all kinds have a negative wealth effect on firms – experiencing firms suffer about a two percent drop in equity value around when the failures come to light.
Operational IT failures compromising the availability and integrity of IT systems are more damaging than failures compromising the confidentiality of data assets.
Implications for Practice : Operational IT failures present a major hazard, and firms must understand and manage risk factors giving rise to these failures.
Firms should pay greater attention to failures that compromise the availability and integrity of IT systems.
Implications on Research: Available data on, and methods for studying operational IT failures and their root causes are limited.
Full Citations : James Goldstein, Anna Chernobai, and Michel Benaroch, “An Event Study Analysis of the Economic Impact of IT Operational Risk and its Subcategories,” Journal of AIS, Vol. 12, No. 9, pp.606-631, September 2011.
Abstract : Our understanding of operational IT failures is limited despite their growing number and increasing negative impacts on firms. We suggest that operational IT failures are rooted in IT “resource weaknesses,” or flaws in the way data and IT assets are implemented and managed. We distinguish two categories of operational IT failures: (1) data failures involving disclosure, misuse, or destruction of data assets; and (2) functional failures involving loss of availability or mis-operation of functional IT assets responsible for the handling of data assets. Data-related IT failures get more attention, perhaps because of the publicity given to malicious Cybersecurity incidents. By contrast, little is known about the impact of function-related IT failures. We examined how equity markets react to the announcement of operational IT failures that occurred in U.S. financial service firms over a 25-year period. We find that all IT failures, on average, are followed by over a 2% drop in the equity value of firms experiencing them (figure 1). We also find that, surprisingly, function-related failures have a substantially larger negative wealth effect than data-related failures.
Latest posts by Michel Benaroch (see all)
- Real Options Models for Proactive Uncertainty-Reducing Mitigations and Applications in Cybersecurity Investment Decision-Making - January 30, 2017
- Operational IT Failures, IT Value-Destruction, and Board-Level IT Governance Changes - October 5, 2016
- Contract Design Choices and the Balance of Ex-Ante and Ex-Post Transaction Costs in Software Development Outsourcing - September 15, 2015