Comparing Alternatives to Measure the Impact of DDoS Attack Announcements on Target Stock Prices
CComparing Alternatives to Measure the Impactof DDoS Attack Announcements on Target StockPrices.
Abhishta Reinoud Joosten L.J.M. Nieuwenhuis
University of Twente University of Twente University of TwenteThe Netherlands The Netherlands The [email protected] [email protected] [email protected]
Abstract
The attack intensity of distributed denial of service (DDoS) attacksis increasing every year. Botnets based on internet of things (IOT) de-vices are now being used to conduct DDoS attacks. The estimation ofdirect and indirect economic damages caused by these attacks is a com-plex problem. One of the indirect damage of a DDoS attack can be onthe market value of the victim firm. In this article we analyze the impactof 45 different DDoS attack announcements on victim’s stock prices. Wefind that previous studies have a mixed conclusion on the impact of DDoSattack announcements on the victim’s stock price. Hence, in this articlewe evaluate this impact using three different approaches and compare theresults. In the first approach, we use the assume the cumulative abnormalreturns to be normally distributed and test the hypothesis that a DDoSattack announcement has no impact on the victim’s stock price. In thelatter two methods, we do not assume a distribution and use the empiricaldistribution of cumulative abnormal returns to test the hypothesis. Wefind that the assumption of cumulative abnormal returns being normallydistributed leads to overestimation/underestimation of the impact. Fi-nally, we analyze the impact of DDoS attack announcement on victim’sstock price in each of the 45 cases and present our results.
DDoS attacks are responsible for creating unavailability of online resourceswhich can lead to both direct and indirect losses [1]. In 2016 the intensityof DDoS attacks peaked at 1.4 Tb/s. The biggest distributed denial of serviceattack targeted the systems operated by DNS provider Dyn [2]. A few months The final version of this paper has been published in Journal of Wireless Mobile Networks,Ubiquitous Computing, and Dependable Applications (JoWUA), Volume 8, Number 4. a r X i v : . [ q -f i n . S T ] M a y ater this firm was bought by Oracle [3]. One can only speculate about thechange in the valuation of the firm as it is not publicly traded. In this studywe investigate the impact of DDoS attack announcements on the stock price ofthe victim firms.Figure 1: Impact of a DDoS attack announcement on market valuation of thefirmThe stock price of a firm is representative of its market value. In the pasteconomists have analyzed the impact of an economic event on the value ofthe firm [4]. A strategic business decision e.g. merger or an acquisition cansignificantly impact the future dividends. For instance, in the case of a possiblenegative impact on the future cash flows, it is beneficial for the investors to sellthe shares and invest in a different stock.DDoS attacks may lead to negative news articles about the firm. Thesenews articles come as a negative sentiment shock and can negatively influencethe demand of the victim firm’s shares [5]. This in-turn leads to the fall of stockprices of the attacked company. Figure 1 shows the conceptual relationshipbetween DDoS attack events and decrease in market valuation of the victimfirm. It also shows the empirical link that we investigate in this article.Estimating the impact of cyber security related events is a complex problem[6, 7]. Several studies have tried to investigate the impact of cyber securityrelated announcements on the victim stock prices and we discuss the results andlimitations of these studies in Section 2. In this article we use three differentmethods for analyzing the impact of these attack announcements on target stockprices and then discuss and explain the differences in results.This is an extended version of our study [8] that analyzed the impact of DDoSattack announcements on victim stock prices. In this article we compare themethod proposed in [8] with the traditional methods of event study and illustratethe disadvantages of using the assumptions and approximations considered inthose. We also analyze an extended set of DDoS attack announcements andre-emphasize the results of our previous study.2 Related Literature
Event studies have been used by researchers to study the impact of various firmrelated announcements on the stock price. Mackinlay [4] discussed a method ofconducting an event study including the various market estimation models. Inthis section we discuss the articles that have contributed to evaluation of theimpact cyber security event announcements have on victim stock prices.Hovav and D’Arcy [9] used a so-called one-factor market model in order toestimate the stock prices. Equation 1 shows the estimation model used by them,where r it represents the return rate of the stock i on day t and r mt representsthe rate of return of the market index on day t . As an example, r it can becomputed as ( P it − P it − ) /P it − , where P it is the price of the stock on day t .The parameters α i and β i are firm dependent coefficients and can be estimatedusing ordinary least square (OLS). The stochastic variable (cid:15) it is the error termwith E [ (cid:15) it ] = 0. Hovav and D’Arcy [9] analyzed a sample of 23 announcementsof denial of service attacks and were not able to find any significant impact ofthese announcements on the capital market. r it = α i + β i r mt + (cid:15) it (1)Later, Campbell et al. [10] used the above discussed estimation model toanalyze a sample of 43 announcements of all kinds of cyber attacks. The ab-normal returns were calculated by them using Equation 2 and the cumulativeabnormal returns ( CAR ) were computed with the use of Equation 3. Theyassumed these
CAR s to be normally distributed and used a Z -statistic to testtheir hypothesis (i.e. there was no impact of cyber attack announcements onvictim stock prices) and reported significant negative impact due to informationsecurity breach announcements. AR it = r it − ( ˆ α i + ˆ β i r mt ) (2) CAR n = n (cid:88) t = − AR it (3)Cavusoglu et al. [11] and Kannan et al. [12] also use the above describedmethod for analyzing the impact of security breach announcements. The for-mer concluded that these announcements not only influence the value of theannouncing firms but also the value of their internet security developers. Whilethe later considered a sample of 102 and reported a decrease of 1.4% in themarket valuation relative to the control group.Gordon et al. [13] used a so-called three factor Fama-French model [14] forthe estimation. This model estimates the stock price on the basis of companysize, company price-to-book ratio, and market risk, and can be mathematicallyrepresented as shown in Equation 4. SM B t is the difference between the returnon the portfolio of small stocks and the return on the portfolio of large stockson day t , and HM L t is the difference between the return on a portfolio of3ow-book-to-market stocks and the return on a portfolio of low-book-to-marketstocks on day t . The parameters a i , b i , s i and h i are Fama and French three-factor model estimated firm-dependent coefficients. The stochastic variable (cid:15) it is the error term with E [ (cid:15) it ] = 0. [13] reported no significant impact due topost 9/11 announcements. r it = a i + b i r mt + s i SM B t + h i HM L t + (cid:15) it (4)These mixed results motivate us to evaluate the impact of the choice ofmodel and the underlying assumptions in the study on the final results. Thus,in this article we evaluate the impact of DDoS attack announcements on victimstock prices using three different methods and compare their results in Section4. Section 3 discusses the methodology used by us in this study. Figure 2: Methodology for this study.The methodology used by us can be broadly subdivided in two parts:1. Data Collection2. AnalysisIn this study we analyze the impact on stock returns using three different meth-ods. Firstly, we use the event study method employed by many of the previousarticles [9–11]. In the second method, we use an additive market model for theestimation of return rates and then use the empirical distribution of abnormalreturns by generating random scenarios for analyzing the additive cumulativeabnormal return. In the last method we use the method proposed by us, that4akes use of a multiplicative model for estimation and later uses multiplicativecumulative abnormal returns for analysis [8]. Figure 2 illustrates the step bystep process used.
The data set in this study consists of all DDoS attack announcements madeon the web since December, 2010. The final list of announcements that wereevaluated for this study are shown in Table 1. It also shows the total numberof negative, positive and no impact periods in each case. In total 60 DDoSattack announcements were considered for this study. We further filter theseannouncements on the basis of the following criteria: • In case of multiple announcements made on consecutive days, the earliestannouncement was considered. • All announcements in relation with companies that were not publiclytraded at the time attack were removed from the dataset. • All such announcements that reported DDoS attacks were coupled withintegrity and confidentiality attacks were not considered. This was doneto analyze the impact of DDoS attack announcements in isolation on thecompany’s stock price.The above criterion of filtering is consistent with previous studies [8]. Yahoo!finance was used in order to collect stock prices for all the firms. We use S&P500 index values for calculating the market rate ( r mt ). Standard and Poor’s(S&P) 500 has been used by many of the previous studies as the index of themarket. Finally, after filtering the initial dataset we analyze a sample of 45announcements. For analysis of the data set we first establish the null hypothesis ( H ) as follows: H : There is no impact of DDoS attack announcements on victim stock prices.
In order to analyze the collected data we first need to calculate the rate ofreturn of the market index on day t ( r mt ) and r it the rate of return of the stock i on day t . The rate of return can be calculated as shown in Equation 5, where R it and R mt represent the stock price and market index for day t . The value ofthe market index shows the average of returns of all the firms included in themarket index. r it = R it − R i ( t − R i ( t − r mt = R mt − R m ( t − R m ( t − (5)5n this study we use three different methods to test our null hypothesis ( H ).After explaining in detail these methods in Sections 3.2.1, 3.2.2 and 3.2.3 wethen compare the results in Section 4 and conclude in Section 5. In the first method we consider an additive model to represent the normalbehavior of the market. The model can be mathematically represented as shownin Equation 6. This model is used to estimate the returns on a firm’s stock.The parameters r it and r mt are calculated as shown in Equation 5. r it = α i + β i r mt + (cid:15) it (6)The stochastic variable (cid:15) it is the error term with E [ (cid:15) it ] = 0. We use ordinaryleast square (OLS) in order to calculate the estimations ˆ α i and ˆ β i for the firmdependent parameters α i and β i by considering daily returns over a periodof 200 days. The estimation period starts 201 days before the date of attackannouncement and ends two days before the announcement. − − − Estimation Period[ − , −
2] [ − , − , − , − , − , Figure 3: Estimation and Event Periods.The additive abnormal return (
AAR it ) is the measurement of the deviationof the actual returns from the ones calculated with the help of additive modelequation 6. Hence AAR it can be mathematically represented as: AAR it = r it − ( ˆ α i + ˆ β i r mt ) (7)We measure the impact of DDoS attack announcements on the stock returnover the following five event periods :1. One day prior to the announcement to 1 days after it [ t − , t + 1].2. One day prior to the announcement to 3 days after it [ t − , t + 3].3. One day prior to the announcement to 5 days after it [ t − , t + 5].4. One day prior to the announcement to 7 days after it [ t − , t + 7].6. One day prior to the announcement to 9 days after it [ t − , t + 9].We keep these time periods consistent for all methods. The estimation period and the event periods are shown in Figure 3. We take the event periods from oneday prior to the announcements in order to compensate for any time lags. Inorder to calculate the combined effect over a certain number of days, we calculatethe additive cumulative abnormal return ( ACAR ) as shown in Equation 8 forthe period [ N , N ]. ACAR i = N (cid:88) t = N ( AAR it ) (8)We compute the mean ACAR for 45 events in our sample as follows:
ACAR = 1 K K (cid:88) i =1 ACAR i (9)Where K is the number of events. We then estimate the standard deviation( σ ACAR ) using Equation 10. σ ACAR = (cid:115) (cid:80) Ki =1 ( ACAR i − ACAR ) K − ACAR values and decision rule forimpact analysis.We now assume the
ACAR i values for a given event period to be normallydistributed and test for significance by making use of the Z -statistic at 10%confidence level. Hence we reject the null hypothesis if the | Z | > = 1 .
282 asshown in Figure 4. 7 a) 3-Day
ACAR
ActivisionBlizzard (b) 5-Day
ACAR
ActivisionBlizzard (c) 7-Day
ACAR
ActivisionBlizzard (d) 9-Day
ACAR
ActivisionBlizzard
Figure 5:
Empirical distribution of
ACAR (additive) for Activision Blizzard
In this method we again make use of the additive estimation model as shownin Equation 6. We avoid the widespread assumption of short-term returns be-ing approximately normally distributed. We also do not impose any alternativedistribution to these returns. Instead we use the technique of bootstrapping(e.g. Efron [15]). In this case we generate 5 million n -day returns by randomlydrawing n one-day returns from the empirical distribution. The relative fre-quencies of these 5 million multi-day returns are then used as the distributionfor hypothesis testing.In order to calculate the additive abnormal returns we again employ Equa-tion 7. After computing the AAR it s for the estimation period and the eventperiods as discussed in Section 3.2.1 we draw 3, 5, 7, 9 and 11 one-day abnor-mal returns from the estimation period AAR s. We then calculate the value of
ACAR i for each of these scenarios with the help of Equation 8. Figure 5 showsthe empirical distribution of ACAR for Activision Blizzard. Lastly, to asses theeffect of DDoS attack announcement on the stock returns we check the positionof
ACAR i for a certain event period in the empirical distribution of ACAR forthe same number of days of firm i . For example, if we are evaluating the ACAR of Activision Blizzard for event period [ t − , t + 1] then we check the position of8his ACAR in the 3-day empirical distribution for Activision Blizzard. In thisstudy we consider the 10 percentile scenarios in the left tail to be representativeof negative impact and 10 percentile scenarios to the right for positive impact.Hence, if
ACAR i is negative and lies in the bottom 10 percentile of the 5 millionscenarios then the impact on the stock returns is considered to be negative. In this final method we use a multiplicative model for the estimation of stockreturns. The multiplicative estimation model is shown in Equation 11.(1 + r it ) = α i (1 + r mt ) β i (11)Also, this time we also deviate from the wide spread practice of adding thecorresponding single-day returns to compute the cumulative returns. Insteadwe calculate the exact cumulative returns .We linearize Equation 11 as Equation 12. The stochastic variable (cid:15) it repre-sents the error term with E [ (cid:15) it ] = 0.ln(1 + r it ) = (cid:92) ln( α i ) + ˆ β i ln(1 + r mt ) + (cid:15) it (12)After estimating the stock returns we use Equation 13 for computing the ab-normal returns. As (cid:92) ln( α i ) is not an unbiased estimator for α i ( E [ˆ α ] (cid:54) = E [ e (cid:100) ln α ]),we use Equation 14 for estimating ˆ α . AR it = (1 + r it )ˆ α i (1 + r mt ) ˆ β i − α i = (cid:80) Tt =1 (1 + r it ) (cid:80) Tt =1 (1 + r mt ) ˆ β i , (14)After computing the AR it s for the estimation period and the event periodsas discussed in Section 3.2.1 we draw 3, 5, 7, 9 and 11 one-day abnormal returnsfrom the estimation period AR s. As discussed earlier we then calculate the valueof CAR i for each of these scenarios with the help of Equation 15. CAR = N (cid:89) t = N (1 + AR it ) − CAR for Activision Blizzard.Lastly, to asses the effect of DDoS attack announcements on the stock returnswe check the position of
CAR i for a certain event period in the empirical dis-tribution of CAR for the same number of days of firm i . For example, if we areevaluating the CAR of Activision Blizzard for event period [ t − , t + 1] then we An increase of 10%, followed by a 10% decrease implies a total decrease of 1% accordingto the multiplicative formula (1 . .
9) = 0 .
99. The additive approximation yields a changeof 0%, which is an overestimation of 1%. a) 3-Day CAR
ActivisionBlizzard (b) 5-Day
CAR
ActivisionBlizzard (c) 7-Day
CAR
ActivisionBlizzard (d) 9-Day
CAR
ActivisionBlizzard
Figure 6:
Empirical distribution of
CAR (multiplicative) for Activision Blizzard check the position of this
CAR in the 3-day empirical distribution for ActivisionBlizzard. In this study we consider the 10 percentile scenarios in the left tail tobe representative of negative impact and 10 percentile scenarios to the right forpositive impact. Hence, if
CAR i is negative and lies in the bottom 10 percentileof the 5 million scenarios then the impact on the stock returns is considered tobe negative.In the next section we discuss the results of our analysis and compare theresults. We now compare the results of our analysis. Table 1 summarizes the outcomesof using the three different methods. The table shows the number of positiveand negative event periods in each case. A negative event periods imply that theDDoS attack announcement did impact investor decisions. The positive eventperiods on the stock price actually show that the stock was well performing andthe DDoS attack announcement did not have any impact on the stock price.Later in Appendix A we present the impact on each firm analyzed in detail.First we compare the differences in the results when using Method 2 and10 ethod 1 Method 2 Method 3Company Name Date +ve periods -ve periods No impact +ve periods -ve periods No impact +ve periods -ve periods No impactMaster Card 2010-12-07 2 1 2 2 0 3 2 0 3Visa 2010-12-07 2 2 1 2 1 2 2 1 2Bank of America 2010-12-27 0 3 2 0 3 2 0 3 2Vodafone 2011-10-04 0 0 5 0 0 5 0 0 5Vivendi 2012-01-18 0 0 5 0 0 5 0 0 5Bursa Malaysia 2012-02-13 0 0 5 0 0 5 0 0 5Apple 2012-05-25 0 1 4 0 0 5 0 0 5AT&T 2012-08-15 0 0 5 1 0 4 1 0 4Wells Fargo 2012-12-19 0 0 5 0 0 5 0 0 5JP Morgan Chase 2013-03-12 0 0 5 3 0 2 3 0 2TD Canada Trust 2013-03-20 0 0 5 0 1 4 0 1 4American Express 2013-03-27 0 0 5 1 0 4 1 0 4ING 2013-04-08 0 3 2 0 2 3 0 2 3Linkedin 2013-06-20 0 1 4 0 0 5 0 0 5Microsoft 2013-11-26 0 0 5 0 0 5 0 0 5RBS 2013-12-03 0 0 5 0 0 5 0 0 5Electronic Arts 2014-01-02 0 0 5 0 0 5 0 0 5JP Morgan Chase 2014-01-29 0 0 5 0 0 5 0 0 5Bank of America 2014-01-29 0 0 5 0 0 5 0 0 5Facebook 2014-02-20 0 0 5 0 0 5 0 0 5Verizon Communications 2014-03-21 0 0 5 0 0 5 0 0 5Activision Blizzard 2014-03-28 1 0 4 2 0 3 2 0 3Danske Bank 2014-07-09 0 0 5 0 0 5 0 0 5Storebrand 2014-07-09 0 0 5 0 0 5 0 0 5Gjensidige Forsikr 2014-07-09 0 3 2 0 4 1 0 4 1Sony 2014-08-22 0 0 5 0 0 5 0 0 5Amazon 2014-08-26 0 0 5 0 0 5 0 0 5Activision Blizzard 2014-11-13 2 1 2 1 2 2 1 2 2Sony 2014-11-25 0 0 5 0 0 5 0 0 5Rackspace 2014-12-19 0 0 5 0 0 5 0 0 5Microsoft 2014-12-23 0 0 5 3 0 2 3 0 2Sony 2014-12-23 0 0 5 0 0 5 0 0 5Alibaba 2014-12-24 1 0 4 0 0 5 0 0 5Nordea Bank 2015-01-09 0 3 2 0 3 2 0 3 2Facebook 2015-01-26 0 0 5 0 0 5 0 0 5Amazon 2015-03-13 0 0 5 0 0 5 0 0 5Electronic Arts 2015-03-17 0 4 1 0 1 4 0 1 4Ziggo (Liberty Global) 2015-08-17 2 0 3 4 0 1 4 0 1Overstock.com 2015-09-02 0 0 5 0 0 5 0 0 5Nissan 2016-01-12 1 0 4 0 0 5 0 0 5HSBC 2016-01-28 3 0 2 3 0 2 3 0 2Activision Blizzard 2016-08-02 0 1 4 0 0 5 0 0 5Electronic Arts 2016-08-31 0 1 4 0 0 5 0 0 5StarHub 2016-10-26 0 0 5 2 0 3 2 0 3Deutsche Telekom 2016-11-28 0 1 4 0 2 3 0 2 3
Table 1: List of victim companies and summary of results (cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)
Method 2 Method 3 +ve No -ve+ve 24 0 0No 0 182 0-ve 0 0 19Table 2: Cross-table showing the number of differences between Method 2 andMethod 3.Method 3. Both methods do not take the assumption of normal distributionfor assessing cumulative abnormal returns. However, Method 2 uses an additivemodel for estimation and Method 3 uses a multiplicative model for the returnrate estimation. We find no differences between the results of the two modelsin the periods analyzed. Hence, we can conclude that the additive model doesprovide a good estimation for the computation of cumulative abnormal returns.Then we look for differences in the results of Method 1 and Method 3. Thedifferences between the models are as follows: • Method 1 uses additive estimation model while Method 2 employs themultiplicative model. 11
Method 1 computes cumulative abnormal returns by adding the succes-sive abnormal returns where as Method 2 calculates them by using themultiplicative approach (Equation 15). • Finally, Method 3 does not assume the abnormal returns or cumulativeabnormal returns to be normally distributed. (cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)(cid:96)
Method 1 Method 3 +ve No -ve+ve 11 3 0No 13 169 4-ve 0 10 15Table 3: Cross-table showing the number of differences between Method 1 andMethod 3.Table 3 summarizes the differences between the two methods. We believethat Method 3 is more accurate, or rather less inaccurate, than Method 1 due tothe reduced number of assumptions and approximations in the model. Hence,look at the number of times Method 1 overestimates or underestimates thesignificance of the results, i.e. gives a significant positive or negative impactwhen there is no impact or vice-versa. We observe that Method 1 overestimatesthe significance of the abnormal returns 5.77% (total 225 periods are consideredin this study) of the times and underestimates it 7.55% of the times. We findthese differences to be consistent between Method 1 and Method 2 as well.This suggests that the assumption of normally distributes abnormal returnsaccounts for these inconsistencies between the results of Method 1 and Method3 (or Method 2).
As an outcome of our study we draw two main conclusions. Firstly, by com-paring the various methods of conducting event studies we bring out the risk ofoverestimating or underestimating the impact of DDoS attack announcementson victim’s stock prices. The choice of additive or multiplicative model doesnot affect the results but the assumption of normally distributed cumulative re-turns can lead to an incorrect estimation of the impact. Hence, in this study wepropose the use of an empirical distribution in order to check the significance ofcumulative abnormal returns. Secondly, we also re-emphasize on the results ofour previous study [8], and show that all three methods result in a significantlynegative event periods on stock price when service to the customers was ham-pered due to the attack. We reported that the attacks on ING and Nordea bank[16, 17] resulted in significant negative returns where as Visa and Mastercard[18] resulted in no damage. Similarly, in case of the attack on Deutsche Telekom12hat drove nearly 1 million of its customers offline [19], we observe a negativeimpact on the stock price in the 9-day and 11-day period.
References [1] Ross Anderson, Chris Barton, Rainer Bhme, Richard Clayton, MichelJ. G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. “Measur-ing the Cost of Cybercrime”. In:
The Economics of Information Securityand Privacy . Ed. by Rainer Bhme. Springer Berlin Heidelberg, 2013. isbn :978-3-642-39498-0.[2]
Dyn Statement on 10/21/2016 DDoS Attack . 2016. url : http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/ .[3] Oracle just bought the company that brought down the internet. url : .[4] A. C. Mackinlay. “Event Studies in Economics and Finance.” AmericanEconomic Association
XXXV.March (1997), pp. 13–39.[5] Paul C. Tetlock. “Giving Content to Investor Sentiment: The Role of Me-dia in the Stock Market”.
The Journal of Finance
Economics of Information Security and Privacy III . Ed. by BruceSchneier. Springer New York, 2013, pp. 35–53.[7] Brian L. Dos Santos, Ken Peffers, and David C. Mauer. “The Impact ofInformation Technology Investment Announcements on the Market Valueof the Firm”.
Info. Sys. Research
Proc.of 25th Euromicro International Conference on Parallel, Distributed andNetwork-based Processing (PDP’17), St. Petersburg,Russia . IEEE, Mar.2017, pp. 354–362.[9] A. Hovav and J. D’Arcy. “Impact of Denial-of-Service attack announce-ments on the market value of firms”.
Risk Management And InsuranceReview
Journal of Computer Security
11 (2003),pp. 431–448. 1311] Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. “TheEffect of Internet Security Breach Announcements on Market Value: Cap-ital Market Reactions for Breached Firms and Internet Security Devel-opers”.
Int. J. Electron. Commerce issn :1086-4415.[12] K. Kannan, J. Rees, and S. Sridhar. “Market Reactions to InformationSecurity Breach Announcements: An Empirical Analysis”.
InternationalJournal of Electronic Commerce
Journal ofComputer Security
19 (2011), pp. 33–56.[14] E.F. Fama and K.R. French. “Common risk factors in the returns of stocksand bonds.”
Journal of Financial Economics