Author: Smith, Katherine T; Smith, L Murphy; Smith, Jacob L
Date published: July 1, 2011
E-commerce is a fundamental part of marketing activity. Most e-commerce takes place on the websites of publicly traded companies. The term 'cyberspace' refers to the electronic medium of computer networks, principally the Web, in which online communication takes place. A challenge facing e-business or cyber-business is that it is vulnerable to e-crime, also called cybercrime. Cybercrime can totally disrupt a company's marketing activities. Cybercrime costs publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Cybercrime costs the US economy over $100 billion per year (Kratchman et al. 2008, Mello 2007). Cash can be stolen, literally with the push of a button. If a company website goes down, customers will take their business elsewhere.
In addition to the direct losses associated with cybercrime, a company that falls prey to cyber criminals may lose the confidence of customers who worry about the security of their business transactions. As a result, a company can lose future business if it is perceived to be vulnerable to cybercrime. Such vulnerability may even lead to a decrease in the market value of the company, due to legitimate concerns of financial analysts, investors, and creditors. This study examines types of cybercrime and how they affect marketing activity. In addition, the study reviews 10 case studies of publicly traded companies affected by cybercrime, and its impact on shareholder value.
The research questions addressed by this study include: (1) What are some ways that cybercrime affects marketing activity? and (2) Do cybercrime news stories negatively affect shareholder value? Results suggest that there are a number of types of cybercrime that have detrimental effects on marketing activity. Furthermore, the costs of cybercrime go beyond stolen assets, lost business, and company reputation, but also include a negative impact on the company's stock price.
E-Business and E-Risk
Corporate managers must consider e-risks, that is, potential problems associated with ebusiness. Precautions must be taken against e-fraud, malicious hackers, computer viruses, and other cybercrimes. To some extent, electronic business (e-business) began with the early computers in the 1950s. However, not until development of the World Wide Web in the 1990s did e-business really take off. E-business is exchanging goods or services using an electronic infrastructure.
Only a short time ago, using the Internet as a primary way to do business was considered too risky. Today, e-business is simply business; it's the way business is done in the twenty-first century. The Internet is widely used for both business-to-business (B2B) transactions and business-to-consumer (B2C) transactions. The B2B market is from five to seven times larger than B2C. The B2B market is predicted to exceed $5 trillion in the early 21st century. The B2C market is growing as fast but is characterized by a much smaller average transaction size (Kratchman et al. 2008).
In a span of about 50 years, computers transformed the way people work, play, and communicate. The first electronic computer was built in 1946. The computer network that would evolve into the Internet was established in 1969. By the mid- 1 990 's, millions of people were using their personal computers to "surf the web." A brief history of the Web and e-commerce is shown in Exhibit 1 .
E-risk is the potential for financial and technological problems resulting from doing business on the Web (e-business). Changes in economic, industrial, and regulatory conditions mean new challenges. Troublemakers in cyberspace seek systems to infiltrate and misuse. Just for the fun of it, there are some people who try to hack into a business firm's computer system. Once access to the system is achieved, intruders can potentially cause major problems by deleting or changing data. Poorly developed accounting systems threaten a company's survivability and profitability of e-business operations.
Risks related to e-business on the Web include the following (Smith et al. 2003):
* The changing e-business environment alters risks, so old solutions may no longer work.
* International business activity expands the scale and scope of risks.
* Computing power, connectivity, and speed can spread viruses, facilitate system compromise, and compound errors in seconds potentially affecting interconnected parties.
* Hackers never stop devising new techniques; thus, new tools mean new vulnerabilities.
* Digitization creates unique problems for digital information and transactions.
There have been many research studies on the topic of e-commerce marketing and some specifically related to cybercrime. A selection of representative studies will be briefly reviewed here. Smith (2009) identified the annual growth rate of e-commerce to be as high as 28%, while individual countries may have much higher growth rates. In India, for example, which has a younger market, the e-commerce growth rate has been projected as high as 51%. Kotabe et al. (2008) evaluate the role of e-commerce, performance, and outsourcing. Gregory et al. (2007) study the impact of e-commerce on marketing strategy.
E-commerce websites are vulnerable to various risks, including cybercrime. These risks can be minimized by establishing effective controls. In addition, Web assurance services can be used to provide various levels of assurances that controls are in place (Runyan et al. 2008). Cybercrime is distinct from other threats facing business today, as described by Speer (October 2000), and contains unique characteristics. Zomori (2001) examines potential and real risks of ebusiness, caused by cyber-crime and money laundering. He emphasizes that trust is fundamental to doing e-business. Loss of trust and the ability to conduct e-business would not only represent a financial loss of e-business companies, but in society at large.
Oates (2001) stresses the importance of preventing, detecting, investigating, and prosecuting cybercrimes with the goal of reducing their impact on business and the public's confidence. In order to stop cybercrime, the private, public, and international sectors must openly share information on the methods they are successfully using to detect and prevent these crimes.
Kshetri (2005) draws upon literatures of psychology, economics, international relations and warfare to examine the behavior of cyber criminals. He finds that countries across the world differ in terms of regulative, normative and cognitive legitimacy regarding different types of Web attacks. The cyber criminal's selection criteria for the target network include symbolic significance and criticalness, degree of digitization of values and weakness in defense mechanisms.
Riem (2001) found that the greatest threat to computer security comes from employees, consultants and contractors working within the company, rather than from outside hackers attempting to obtain access. Yapp (2001) agrees that the greatest threat to security is still from the inside, which is where nearly 70% of all frauds, misuses and abuses originate. Inadequate password policies and controls are the root of the most problems.
The corporate reputation or image of a company benefits from good news and suffers from bad news; the results often include a corresponding increase or decrease in the company's stock price. Prior studies have examined stock market consequences of news regarding ethical behavior (Blazovich and Smith 2008), firm reputation and corporate governance characteristics (Fukami et al. 1997), workplace quality (Ballou et al. 2003), and firm environmental reputation (Clarkson et al. 2004).
With regard to e-commerce, prior studies have used event studies to evaluate the impact of e-commerce initiatives (Subramani and Waiden 2001, Chen and Siems 2001) and to identify special characteristics of e-commerce firms to evaluate firm valuation or stock returns (Hand 2000; Trueman et al. 2000; Rajgopal et al. 2002). This study adds to the research literature regarding stock market performance and e-commerce, by investigating the effect of cybercrime on a company's stock price and e-commerce marketing activity.
Types and Costs of Cybercrime
Cybercrimes are the modern-day counterparts of age-old crime. Before the electronic age, con artists went door-to-door and used verbal communication to gain the confidence of their victims. The modern con artist uses the Internet and online communications to commit crimes. xhibit 2 lists some of the common types of cybercrime.
The problems caused by the various cybercrimes vary over time. For example, computer viruses are not regarded as serious a threat as they once were. Infections by computer viruses are decreasing, most likely as a result of better anti-viral software and anti-viral procedures. In addition, the decrease in computer virus infections may be partly due to new laws against computer viruses and criminal prosecution of perpetrators of computer viruses. Federal, state, and local agencies share information and team up for operations. For example, the Secret Service and Federal Bureau of Investigation created a joint cybercrime task force in Los Angeles (Grow and Bush 2005).
The direct costs of cybercrime for a sample of firms are shown in Exhibit 3. In just four years, for this sample, the cost of cybercrimes escalated from about 100 million to over $250 million. Theft of proprietary information topped the list, going from about $20 million to over $60 million. Financial fraud was second on the list, almost doubling in four years. Also incurring a substantial increase was "Insider abuse of Net access." Sabotage became a major problem in the final year.
Case Studies of Cybercrime
The following cases were obtained by conducting a search of news stories regarding ecrime, cybercrime, and computer fraud on the ProQuest online database of current periodicals and newspapers. The ProQuest Research Library provides online access to a wide range of academic subjects. The ProQuest database includes over 4,070 tiles, nearly 2,800 in full text, from 1971 forward (ProQuest 2010). These cases examined in this study were used because they were listed at the top of the search, involved publicly traded companies, and included full news stories.
In February 2000, Amazon.com, Ebay.com, and Yahoo.com were among many Internet sites affected by a group of cyber-terrorists who hacked into the company websites and made alterations to program coding. The problem was so severe that the companies were forced to shut down in order to repair the damage and stop the unauthorized activity. As a result of the site closing, program changes were made to help prevent future break-ins (Kranhold 2000).
The Western Union branch of First Data Corp came under attack by a private hacker. In September 2000, the perpetrator hacked into the company site and stole credit-card information for 15,700 customers. Apparently, the theft was made possible during a routine maintenance process when an employee left the files unprotected and vulnerable to attack. First Data Corp immediately notified authorities and both the FBI and CIA became involved with the investigation (Colden 2000).
In October 2004, the perpetrator gained access to the ChoicePoint Inc.' s database and thereby managed to pilfer 145,000 credit card files before leaving the system. The perpetrator did not have to crack the system with hacking procedures; however, he simply lied about his identity over the phone and on a few forms. As a result, the data was simply handed over to him. As a normal course of business, companies like ChoicePoint Inc. distribute this type of information for a price to individuals for legitimate business purposes. In this case, the perpetrator made up false information about himself and was given access to the files. As a result of the incident, the company has taken steps to prevent this problem from recurring (Perez and Brooks 2005).
The Federal Trade Commission in November 2004 conducted a survey in which its operatives posed as distraught customers of numerous banks in order to gauge the banks' ability to respond to and prevent e-theft. Citizen's Financial Group and Hibernia Corporation were ranked among the bottom five banks in terms of preventing and fixing e-theft (Saranow 2004).
A half million customers at Wachovia Inc. had confidential information illegally acquired by a professional criminal in May 2005. The criminal did not use a sophisticated hacking technique but employed traditional bribery to enlist eight former employees of Wachovia Corp. and Bank of America Corp. These former employees acquired and then sold the information to the criminal for $10 a name. The criminal buyer subsequently sold the information to collection agencies and law firms. The New Jersey police investigated the crime (Yuan 2005).
In June 2005, a hacker accessed credit card files in the CardSystems Inc.' s database. The company processes credit card transactions for small to mid-sized businesses. The hacker compromised the security of over 40 million cards issued by MasterCard, Visa USA Inc., American Express Co., and Discover. Because of the security breach, several banks were negatively affected. J.P. Morgan Chase was forced to investigate the security of its clients in June 2005. The company did not close any accounts immediately but began looking through the millions of potentially affected accounts (Sidel and Pacelle 2005).
Washington Mutual Inc., like J.P. Morgan Chase, was affected by the security failure at CardSystems Inc. In Washington Mutual Inc.' s case, the company was forced to close down over 1,400 debit-card accounts (Sidel and Pacelle 2005).
Exhibit 4 provides the following information about the cases previously described: company name, ticker symbol, type of crime, perpetrator, and damage sustained.
Impact of Cybercrime on Company Stock Market Performance
In many cybercrime news stories, the perpetrator is a hacker. In other stories, the perpetrator has relatively little computer expertise. Types of crime included cyber-terrorism, etheft, netspionage, online credit card fraud, and phishing. Affected companies include dot-com giants Yahoo, Amazon, and EBay, and banks such as JP Morgan Chase and Washington Mutual. Damages vary from the closure of websites to stolen confidential information.
Exhibit 5 shows the effect of the cybercrime news story on the company's stock price. Shown in the exhibit are the company name, date of the news story pertaining to the cybercrime, the stock price on the date of the news story, the percent change in the company stock price for one and three days before the story, and the percent change for one and three days after the story. The short time period (three days before and after) was used, as is common in events studies, because wider time periods tend to be influenced by confounding events other than the one under investigation.
To determine if the cybercrime news story had a significant impact on the company's stock price, a matched pair t-test was used. The change in the company stock price was compared to the percent change in the Standard & Poor's 500 stock market index. For -1 day and -3 days, there was no significant difference between the change in company stock price and the S&P 500 index. However, after the story, the change was significant for both +1 day (prob>.01) and +3 days (prob>.02). Thus, for this sample, the cybercrime results in a significant impact on the average company's stock price in the short term.
The Internet companies, Amazon, Ebay, and Yahoo, were affected most by the cybercrime news stories. Their stock prices dropped from 2 to 6 percent on +1 day and 7 to 9 percent on +3. The research question addressed by this study was: Do cybercrime news stories negatively affect shareholder value? The answer appears that cybercrime and resulting news stories do affect shareholder value, at least in the short term, via significant decreases in stock price. Since this is an event study, based on cybercrime news stories, it does not investigate the longer-term impact. Such analysis would be problematic given other factors, beyond the event of the cybercrime, which would affect stock market performance.
Cybercrime is detrimental to marketing operations and to a company's stock market performance; consequently, business firms and their stakeholders clearly benefit from stopping cybercrime. Preventive measures can be employed to help prevent cybercrime. However, no matter how many preventive measures are used, unless properly and continuously "fine tuned," a single intrusion detection technique may tend to under-report cybercrimes or over-report such as excessive false alarms. Companies generally find it necessary to employ multiple intrusion detection techniques to efficiently and effectively detect electronic crimes. Intrusion detection techniques include tripwires, configuration-checking tools, and anomaly detection systems. Since prevention techniques are fallible, business firms should also establish procedures for investigation of and recovery from cybercrimes after they occur.
Qualified professionals can help resolve cybercrimes. Business firms often lack qualified computer security personnel; thus, hiring outside professionals, e.g. forensic accountants, may be necessary. For a company with computer security personnel, outside professionals may still be needed if the electronic crime resulted from negligence on the part of the company's computer security personnel. Law enforcement agencies can help with cybercrime investigations; although, many law enforcement agencies lack the technical expertise to investigate electronic crimes. Most can obtain warrants and seize computer equipment, but may be unable to find the evidence needed to resolve the cybercrime.
Additional Threats to Computer Security
Based on movies and television shows, many people think that the greatest threat to computer security is intentional sabotage or unauthorized access to data or equipment. While sabotage and unauthorized access are serious problems, they are not the main threat to computer security. There are five basic threats to computer security: (1) natural disasters, (2) dishonest employees, (3) disgruntled employees, (4) persons external to the organization, and (5) unintentional errors and omissions. The extent that each of these threats is actually realized is shown in Exhibit 6.
As shown in the exhibit, human errors cause the great majority of the problems concerning computer security. Unintentional errors and omissions are particularly prevalent in systems of sloppy design, implementation, and operation. However, if the systems development process is done properly, errors and omissions will be minimized. An effective internal control structure is an integral part of any reliable information system.
The key to computer security and the success of any control structure is in the people of the organization. Research has shown that systems development is most effective when the users are involved, and most likely to fail when they are not. The following steps by management are integral to effective computer security (Kratchman et al. 2008):
* Design controls and security techniques to ensure that all access to and use of the information system can be traced back to the user.
* Restrict access by users to the parts of the system directly related to their jobs.
* Conduct periodic security training.
* Assign an individual or committee to administer system security in an independent manner.
* Clearly communicate and consistently enforce security policies and procedures.
Marketing information systems should be well defended against internal and external threats, including interruptions to information processing, whether resulting from natural disasters or manmade sabotage. According to the AICPA' s 2009 Top Technology Initiatives, information security management is the top-rated key factor in doing business. In fact, in most recent years, information security management has been identified as the technology initiative likely to have the greatest effect in the upcoming year (AICPA 2009). While not in the top ten, another important technology initiative identified in the study was customer relationship management, which includes sales force automation, sales history, and campaign marketing, applications.
This study identifies types and costs of cybercrimes, how they interrupt marketing and business activity, and specific cases in which publicly traded companies are affected by cybercrime. In addition, the study analyzes the impact of the cybercrime news stories on shareholder value. Results suggest that costs of cybercrime go beyond stolen assets, lost business, and company reputation, but also include a negative impact on the company's stock price. Consequently, publicly traded companies must do all that they can to avoid becoming a victim of cybercrime and its negative impact on marketing activity and shareholder value.
To defend against cybercrime, intrusion detection techniques should be established. Techniques include tripwires, configuration-checking tools, and anomaly detection systems. Since prevention techniques are fallible, business firms should also establish procedures for investigation of and recovery from cybercrimes after they occur.
Future research could extend the current study by analyzing a larger sample of publicly traded companies that have been the victim of cybercrime. By employing a larger sample, future research might investigate the specific impact of different types of cybercrime on firms according to industry type and/or specific categories of marketing activity (e.g. customer order processing, supply chain, etc.). In addition, a longitudinal study might investigate whether different time periods affect the impact of the cybercrime. Perhaps as time goes by, investors may be less alarmed by news stories about cybercrime if such crimes become more commonplace.
AICPA (American Institute of CPAs). 2009. 2009 Top Technology Initiatives and Honorable Mentions. AICPA, website: aicpa.org (December).
Ballou, B., N. Godwin, and R. Shortridge. 2003. Firm Value and Employee Attitudes on Workplace Quality. Accounting Horizons, 17 (3): 329-341.
Chen, A.H. and T. F. Siems. 2001. B2B e-marketplace announcements and shareholder wealth. Economic and Financial Review, First Quarter: 12-22.
Clarkson, P, Y. Li, and G. Richardson. 2004. The Market Valuation of Environmental Capital Expenditures by Pulp and Paper Companies. The Accounting Review (April).
Colden, Anne. 2000. Western Union reassures clients No financial fraud found since hacking. Denver Post (Sep 12): p. Cl.
Fukami, C, H. Grove and F. Selto. 1997. Market Value of Firm Reputation and Executive Compensation Structure. Working paper, University of Colorado at Boulder.
Gregory, Gary, Munib Karavdic, and Shaoming Zou. 2007. The Effects of E-Commerce Drivers on Export Marketing Strategy. Journal of International Marketing, Vol. 15, No. 2: 30-57.
Grow, Brian and Jason Bush. 2005. Hacker Hunters. Business Week Online, Website: http://biz.yahoo.corn/special/hacker05_articlel.html (June 8).
Hand, J.R.M. 2000. Profit, losses and the non-linear pricing of Internet stocks. Working paper, University of North Carolina, Chapel Hill, NC.
Kotabe, Masaaki, Michael J. MoI, Janet Y. Murray. 2008. Outsourcing, performance, and the role of e-commerce: A dynamic perspective. Industrial Marketing Management. Vol. 37, No. 1 (January): 37-45.
Kranhold, Kathryn. 2000. Handling Aftermath of Cybersabotage. Wall Street Journal (February 10): B22.
Kratchman, Stan, J. Smith, and L.M. Smith. 2008. Perpetration and Prevention of Cyber Crimes. Internal Auditing. Vol. 23, No. 2 (March-April): 3-12.
Kshetri, Nir. 2005. Pattern of Global Cyber War and Crime: A Conceptual Framework. Journal of International Management, Vol. 11, No. 4 (December): 541-562.
Luehlfing, M., C. Daily, T. Phillips, and LM Smith. 2003. Cyber Crimes, Intrusion Detection, and Computer Forensics. Internal Auditing, 18:5 (September-October): 9-13.
Blazovich, Janell and L. Murphy Smith. 2008. Ethical Corporate Citizenship: Does it Pay? Working Paper. Available at http://ssrn.com/abstract=l 125067.
Mello, John, Jr. 2007. Cybercrime Costs US Economy at Least $117B Each Year. TechNews World, Website: ecommercetimes.com (July 26).
Oates, Brad. 2001. Cyber Crime: How Technology Makes it Easy and What to do About it. Information Systems Management, 18 (3) (June): 92-96.
Perez, Evan and Rick Brooks. 2005. File Sharing: For Big Vendor of Personal Data, A Theft Lays Bare the Downside; ChoicePoint Struggles to Gauge How Much Information Fell Into Wrong Hands; The Model: Small-Town Life.' Wall Street Journal (May 3): Al.
ProQuest. 2010. Online information service. Website: http://www.proquest.com/ (February 25).
Rajgopal, S., M. Venkatachalam, and S. Kotha. 2002. Managerial actions, stock returns, and earnings: The case of business-to-business Internet firms. Journal of Accounting Research 40 (2): 529-557.
Runyan, B., K. Smith, and L.M. Smith. 2008. Implications of Web Assurance Services on E-Commerce. Accounting Forum, Vol. 32: 46-61.
Riem, A. 2001. Cybercrimes Of The 21st Century. Computer Fraud & Security (April): 12-15.
Saranow, Jennifer. 2004. Guarding Identities: Banks Fall Short; Survey Finds Wide Gaps In Consumer Safeguards At Some Large Institutions. Wall Street Journal (Nov 17): D2.
Sidel, Robin and Mitchell Pacelle. 2005. Credit-Card Breach Tests Banking Industry's Defenses. Wall Street Journal (June 21): Cl.
Smith, K.T. 2009. Worldwide Growth of E-Commerce. E-Business (March): 29-34.
Smith, L.M., K. Smith, and D. Kerr. 2003. Accounting Information Systems, 4th Ed. Boston, Mass.: Houghton Mifflin.
Speer, David L. 2000. Redefining borders: The challenges of cyber crime. Crime, Law and Social Change 34 (3): 259-273.
Subramani, M. and E. Waiden. 2001. The Impact of e-commerce announcements on the market value of firms. Information System Research 12 (2): 135-154.
Trueman, B., M. H. F. Wong and X. J. Zhang. 2000. The eyeballs have it: Searching for the value in Internet stocks. Journal of Accounting Research 38: 137-163.
Yapp, P. 2001. Passwords: Use and Abuse. Computer Fraud & Security (September): 14-16.
Yuan, Li. 2005. Companies Face System Attacks From Inside, Too. Wall Street Journal (June 1): Bl.
Zombori, Gyula. 2001. e + Finance + Crime, A Report on Cyber-Crime and Money. Laundering Nathanson Centre for the Study of Organized Crime and Corruption, York University (Canada). Working Paper.
Katherine T. Smith, Business Author
L. Murphy Smith, Texas A&M University
Jacob L. Smith, Grace Bible Church