Cybersecurity isn’t just a safeguard — it can help businesses perform better

The infamous Target data breach during the 2013 holiday shopping season, which cost the company more than $200 million in damages, has since been hailed as a landmark case in cybersecurity.

Exposure to these threats has only increased as businesses continue to expand their digital footprints. That’s why, as a new study involving Binghamton University’s School of Management found, businesses that sufficiently prepare to defend against cyberattacks are also more likely to perform better financially.

The study, part of an ongoing project, showed that investors value cybersecurity as a critical aspect of a firm’s risk management initiatives and its overall business strategy, describing it not only as a defensive mechanism but a key driver of financial performance.

“If a company has been affected by a cyberattack and ignores it or doesn’t make it clear they’re taking appropriate steps to deal with the problem, that will diminish customer trust and send a bad signal to shareholders, so the readiness and continuous investment are very important,” said Thi Tran, assistant professor in the School of Management, who co-authored the study. “We found that if the firms are more open about the situation and make it known they are attempting to do something about it, that will increase stakeholder trust and the firm will perform better.”

Researchers tested their theory by compiling data from conference calls held by most of the top-tier U.S. public companies from 2000 to 2023. They developed an algorithm that searched transcripts of those calls using a laundry list of cybersecurity-related keywords to detect whenever the subject was mentioned.

Tran said conference calls were used for the study because they offer a more accessible medium for investors to understand this type of information than studying the company’s cybersecurity risk disclosure documents.

By examining those conference call transcripts, researchers were able to gauge how public companies described their cybersecurity risks in conference calls and understand how that could affect their market valuation.

The study verified that cybersecurity readiness during the current year positively affected return on assets the following year. Researchers are expanding the study to include more context to better understand the mechanisms by which cybersecurity readiness affects firm performance, Tran said. In addition, researchers noted that exploring the issue at the international business level in future studies could reveal more regulatory and cultural nuances.

“It’s basic human psychology that people want to downplay or ignore problems that make them look bad, but this result demonstrates the importance of transparency and acknowledgement,” Tran said. “Hopefully, by seeing how it leads to good returns, more firm leaders will be motivated to recognize the actual value of why they should not ignore or downplay the cybersecurity issue.”

The study, “Effects of Cybersecurity Readiness on Firm Performance: Evidence from Conference Calls,” was presented at the 59th Hawaii International Conference on System Sciences in January. It was co-authored by Minh Nguyen of Florida Atlantic University, Hiep Dang of the University of Virginia and Jaekon Jung of the University of Hawaii at Manoa.