Forwarded from: "Marco M. Morana" <marco.m.morana (at) gmail.com>
To: Adam Shostack <adam (at) homeport.org>

Adam,

I published my point of view on the lessons learnt on the TJ Maxx incident from the security perspective on my blog:
http://securesoftware.blogspot.com/search/label/Compliance

The fact that, according to recent studies, the correlation between bad security news and drop in stock price cannot be correlated is also proved in market research herein:
http://www.allbusiness.com/technology/computer-networking-network-security/967200-1.html

If you evaluate the loss in the risk analysis as an intangible factor (loss of reputation), the impact should be more on the brand rather than on the stock price. In the case of TJ Maxx the brand means Marshalls, A.J. Wright, Bob's and the HomeGoods chain in the USA, and the Winners chain and HomeSense chain in Canada. Correlating bad news on security to TJ Maxx branding should involve these brands, since this is what the customer perceives.

From the standpoint of the stock price information, the fact that the news is cross-correlated means, for example, that the recent data loss (650,000 credit card numbers) suffered by JC Penney has linked history on the TJ Maxx loss, so this impact on reputation will continue.

I think in this case there are not really tangible losses except for the financial fraud component (estimated 1 ML dollar), and the liability loss is also quantifiable in 257 millions. It would have been different if TJ Maxx had suffered a denial of service to the on-line web site of http://www.marshallsonline.com/, so the loss of sales transactions per day could be quantified and directly correlated to a vulnerability. (See what the SQL Slammer worm did in February 2003; the estimates back then were for 1 BL $ loss.)

Regards
Marco

-----Original Message-----
From: isn-bounces (at) infosecnews.org [mailto:isn-bounces (at) infosecnews.org] On Behalf Of InfoSec News
Sent: Monday, January 21, 2008 1:21 AM
To: isn (at) infosecnews.org
Subject: Re: [ISN] One year later: Five takeaways from the TJX breach

Forwarded from: Adam Shostack <adam (at) homeport.org>

It's too bad Vijayan didn't bother to do enough research to find Acquisti, Friedman and Telang's work on the subject. Breach disclosures almost never affect stock prices for more than a few days.

Adam

On Fri, Jan 18, 2008 at 01:04:14AM -0600, InfoSec News wrote:
| http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758
|
| By Jaikumar Vijayan
| January 17, 2008
| Computerworld
...
| Here, on the one-year anniversary of the breach becoming known, are
| five takeaways for security managers:
| Breach disclosures don't always affect revenue or stock prices
...
|
| Despite being the biggest, costliest and perhaps most written-about
| breach ever, customer and investor confidence in TJX has remained
This archive was generated by hypermail 2.1.3 : Mon Jan 21 2008 - 22:22:09 PST