If you have a credit card or buy anything online, chances are that you’ve received at least one letter from a bank or other business saying that your account information may have been compromised.
Binghamton University researcher Ali Yayla looks at companies’ announcements regarding IT security breaches and how these announcements affect their stock price. “In the past, these announcements used to have a more negative effect,” says Yayla, an assistant professor in the School of Management. “Now, the public is getting used to these security breaches. It’s just another normal part of business. Organizations lose data.”
Still, such attacks are far more widespread than customers generally believe, Yayla says. For one thing, companies themselves sometimes don’t know they’ve been attacked. Others are aware of a security breach but choose not to announce it, although this trend is changing slowly for two reasons: First, consider how tough it would be to keep an attack a secret if it results in a bank issuing new account numbers to a million customers. Second, while there isn’t any rule that says they must announce every attack, new regulations mandate that companies disclose any breach of confidential data to affected parties.
There are, of course, different kinds of breaches: A hacker may gain access to customer information, steal proprietary information or attack a website. The worst, Yayla has found, is a so-called “denial of service” attack, in which a website is shut down and customers are unable to access to the website for some period of time. They’re far more public and disruptive than other attacks. If the company doesn’t do a lot of business online, a denial of service attack may not be a huge problem. For e-commerce firms such as Amazon or eBay, however, even a short amount of downtime is a significant problem.
Calculating the costs of these attacks is difficult, when you consider the potential for damaged reputations and loss of customer loyalty. That’s why Yayla’s research has focused on changes in market value. As investors become less sensitive to such attacks, however, he’s looking for new ways to quantify the impact of information security issues.
In Yayla’s latest work, he tries to establish whether companies that experience security breaches are less successful than those that do not. Instinctively, it would seem that having secure IT is a competitive advantage, he says.
Yayla, who’s from Istanbul, Turkey, earned his doctorate in management information systems from Florida Atlantic University and received a master’s degree from Duquesne University. He did his undergraduate work at Istanbul Technical University. In addition to information security, his research interests include strategic use of IT in companies, mostly focusing on the alignment of IT strategy with business strategy, as well as designing appropriate compensation for chief information officers.
The next few years will see new types of IT security breaches, Yayla says, citing concerns about mobile banking and “social engineering” attacks in which someone is manipulated into disclosing sensitive information.
“Basically, the more information we store, the more we have to lose,” he says. “With smart phones, we are even more open to attacks. Mobile applications are not as secure. In the near future, we’ll be paying for products and services with our phones. What happens when we lose a smart phone that has direct access to our bank?”