Cybersecurity Nightmares and How To Avoid Them

One bad morning

Imagine you’re a successful executive at a large IT company. You’re in charge of security. Your decade-old firm is well established, selling complex, popular IT solutions to large corporations and government bodies. It’s an ordinary Saturday morning, you’re having your coffee and your phone rings. The caller informs you that your company has been subject to a massive cyberattack. Your company’s systems are compromised, and, worse, so are those of your customers. It’s your “nightmare moment”.

This sounds like a movie plot, but it actually happened to a US-based company called SolarWinds in late 2020. In one of the largest and most meticulously executed cyberattacks on record, the operatives inserted a backdoor (later named SUNBURST by FireEye, the security firm that discovered it) into a software update for SolarWinds’ Orion platform, which corporations, government entities and other organisations use to monitor and manage their own IT systems. The tampered component was digitally signed by SolarWinds itself, so it passed the checks that customers rely on when installing updates. An expert likened the method to a razor blade being secretly inserted into candy just before the package is sealed inside the candy factory: no-one would think anything was amiss.

The backdoor then lay dormant for around two weeks before springing to life. It contacted servers controlled by the attackers while disguising that traffic as ordinary Orion network activity, and on selected victims the attackers used it to move deeper into the network and steal highly sensitive files. The operation evaded detection for upwards of nine months before being discovered. In the meantime, top-level US Treasury Department emails were accessed, the Justice Department and other federal departments were breached, and prominent institutions around the world, including the European Parliament, Britain’s Home Office, Boeing, AstraZeneca and Los Alamos National Laboratory, were all targeted.

The damage, both financial and security-related, was extreme. The perpetrators covered their tracks and removed evidence so effectively that often the only reliable remedy was to rebuild the affected IT systems from the ground up.

 

Finding a way to measure cybersecurity risk

The SolarWinds attack catapulted cybersecurity issues into the headlines and had IT departments in firms everywhere scrambling to improve their defences. It also caught the attention of The University of Hong Kong’s Roni Michaely and his co-authors Chris Florackis (University of Liverpool), Christodoulos Louca (Cyprus University of Technology) and Michael Weber (University of Chicago), who were studying how cybersecurity risk affects the value of companies. The news galvanised their work and eventually led to the publication of their paper, titled “Cybersecurity Risk”, in the prestigious Review of Financial Studies.

Michaely et al. set out to achieve two aims: to propose a way to measure cybersecurity risk for all listed companies in the US, and to test whether cybersecurity risk is priced into those companies’ stock returns.

Their measure rests on two ideas. The first is that firms hit by cyberattacks were already more exposed before the event, and had signalled this heightened exposure in their corporate disclosures. The second is that firms with similar levels of cybersecurity risk describe those risks in similar ways.

The team devised a crawling algorithm that extracted the text relating to cybersecurity risk from firms’ 10-K forms filed between 2007 and 2018. Filed every year by publicly traded companies in the US, 10-Ks are more than mere forms: they are comprehensive reports that provide an overview of a business, its risk factors, selected financial data, management’s discussion and analysis of the company’s results, and the financial statements themselves.

They then identified firms that had suffered a major cyberattack to create a training sample. By scanning both cybersecurity risk disclosures and news reports, they found 69 major cyberattacks that occurred between 2005 and 2018. Comparing the wording of the cybersecurity passages in the attacked firms’ 10-K risk disclosures with those of all other firms, they tested and confirmed the premise that “firms that use similar words to describe their risk exposure and exposure management exhibit similar levels of cybersecurity risk”.

That comparison is the cybersecurity risk measure: the more closely a firm’s cybersecurity risk disclosure resembles the disclosures of firms that were actually attacked, the greater its exposure to cybersecurity risk. Firms with high scores tended to discuss the risk extensively in their 10-Ks, revealing previous cyberattacks or attempts, or admitting the difficulty of defending against such risks, while firms with low scores either stated that their preventive measures had mitigated the risk or did not include a separate cybersecurity section at all.
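To make the disclosure-similarity idea concrete, here is an added example. It is not code from the paper or from this page, and the authors’ exact text-processing pipeline is not reproduced here: the example assumes cosine similarity over term-frequency vectors as the similarity metric, a small hand-picked keyword list to pull cybersecurity sentences out of a risk-factor section, and a handful of constructed sample filings in place of real 10-Ks. Firms in the attacked set are scored leave-one-out, so that a firm is never compared with its own words.

```python
"""Toy disclosure-similarity risk score (added example, not the paper's code).

Assumptions, labelled as such: cosine similarity over term-frequency
vectors; a small keyword list to select cybersecurity sentences; the
filings below are constructed sample text, not real 10-K excerpts.
"""
import math
import re
from collections import Counter

# Assumed keyword list for picking cybersecurity-related sentences out of a
# risk-factor section (the paper's own lexicon is not reproduced on the page).
CYBER_TERMS = {
    "cyber", "cyberattack", "cyberattacks", "cybersecurity", "hacker", "hackers",
    "breach", "breaches", "malware", "ransomware", "phishing", "intrusion",
    "unauthorized", "unauthorised", "security",
}

STOP_WORDS = {"the", "a", "an", "and", "or", "of", "to", "in", "our", "we",
              "is", "are", "be", "may", "that", "this", "on", "for", "with",
              "by", "as", "it", "its", "from", "have", "has", "could", "not"}


def tokenize(text):
    """Lower-case alphabetic tokens with stop words removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP_WORDS]


def cyber_sentences(text):
    """Keep only the sentences that mention at least one cybersecurity term."""
    sentences = re.split(r"(?<=[.!?])\s+", text.strip())
    return [s for s in sentences if CYBER_TERMS & set(re.findall(r"[a-z]+", s.lower()))]


def term_vector(text):
    """Term-frequency vector of the cybersecurity passage of one filing."""
    return Counter(tokenize(" ".join(cyber_sentences(text))))


def cosine(u, v):
    """Cosine similarity of two sparse count vectors; 0.0 if either is empty."""
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def risk_scores(filings, attacked):
    """Score each filing by how closely its cybersecurity disclosure resembles
    the pooled disclosures of firms known to have been attacked."""
    vectors = {name: term_vector(text) for name, text in filings.items()}
    pooled = Counter()
    for name in attacked:
        pooled.update(vectors[name])
    scores = {}
    for name, vec in vectors.items():
        # Leave-one-out: an attacked firm is not compared with its own words,
        # which would otherwise inflate its score. With a single attacked firm
        # the reference would be empty and that firm would score 0.0.
        reference = pooled - vec if name in attacked else pooled
        scores[name] = round(cosine(vec, reference), 3)
    return scores


# Constructed sample filings (not real 10-K text).
FILINGS = {
    "AttackedCo": ("We experienced a cybersecurity incident in which an unauthorized "
                   "third party gained access to customer data. Cyberattacks, data "
                   "breaches and malware could disrupt our operations and expose us to "
                   "litigation. We maintain cyber insurance but it may not cover all losses."),
    "BreachedInc": ("A data breach involving unauthorized access to our systems occurred "
                    "during the year. Our security measures may not prevent future "
                    "cyberattacks or malware, and litigation and regulatory penalties "
                    "could follow. We carry cyber insurance."),
    "VerboseCorp": ("Our systems may be subject to cyberattacks, data breaches, malware "
                    "and unauthorized access by hackers. Such security incidents could "
                    "result in litigation, regulatory penalties and loss of customer data. "
                    "We purchase cyber insurance, but coverage may not be sufficient."),
    "TerseLtd": ("Our business depends on reliable information technology. We believe "
                 "our security controls are adequate to address cyber risks."),
    "NoSectionPlc": ("We sell widgets. Our revenue depends on demand for widgets. "
                     "Weather may affect our stores."),
}
ATTACKED = ["AttackedCo", "BreachedInc"]

if __name__ == "__main__":
    for firm, score in sorted(risk_scores(FILINGS, ATTACKED).items(), key=lambda kv: -kv[1]):
        print(f"{firm:14s} {score:.3f}")
```

The firm with a long, specific disclosure scores highest, the firm that merely asserts its controls are adequate scores low, and a filing with no cybersecurity passage at all scores zero, which is the ordering the measure is built to produce. Because the score is derived entirely from what a firm says about itself, it captures disclosed exposure rather than independently verified control strength.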

 

Validating the findings

The team validated the measure in several ways. They found that firms with higher scores provided “lengthier and more comprehensive cybersecurity risk disclosures in their 10-Ks, discuss[ed] legal consequences associated with cybersecurity risk, use[d] more precise language, and use[d] more negative words in their discussions, which potentially lowers their exposure to litigation risk”. These high-scoring firms also actively managed their exposure, for example by purchasing cyber insurance policies.

Most directly, the measure was validated by the fact that firms with higher cybersecurity risk scores were more likely to experience a future cyberattack. The authors found that “a one-standard-deviation increase in [their] cybersecurity risk score increases the probability of a future cyberattack by 92.70%”, adding that “This predictability is reassuring and provides direct evidence that our measure reliably captures firms’ exposure to cybersecurity risk.”

In short, the more a firm worries about and discloses cybersecurity risk, the more exposed it is, to the point that the measure can predict which firms will be attacked. Note that the score is built from what firms say about themselves, so it reflects disclosed exposure rather than an independent audit of their defences.

 

Are cybersecurity risks priced into stocks?

In the second part of the paper, the team used the measure to examine whether cybersecurity risk is priced into stock returns, theorising that the higher a firm’s exposure to cyberattacks, the greater the return investors should demand for holding it.

To test this, they sorted stocks into portfolios based on their cybersecurity risk scores and tracked their returns over time. A portfolio that bought the stocks of firms with high cybersecurity risk and sold short those with low risk earned an excess return of over 8% per year. The result survived re-sorting the stocks in numerous other ways, including by firm size, book-to-market ratio, profitability, institutional ownership, illiquidity, idiosyncratic volatility, risk-section length and 10-K readability.

Further statistical tests found a strong positive relationship between cybersecurity risk and stock returns that predicted returns up to a year into the future. Finally, they ran an economic significance test: if the risk is truly priced into returns, they reasoned, then “high cybersecurity risk stocks should perform poorly and significantly worse than low cybersecurity risk stocks on the days when cybersecurity risk concerns materialize”.

They sorted stocks into groups by market value and then by risk score, and from these constructed daily returns mimicking a cybersecurity risk factor over 2008–2019. Using daily search volume index data from Google Trends, they identified days of heightened attention to cybersecurity by looking for spikes in searches for terms such as “hacker” and “data breach”. The regression results showed that firms with high cybersecurity risk earn high returns on average but “perform poorly on days with heightened concerns about cybersecurity”. This pattern is what one would expect if cybersecurity risk is priced into returns, with the higher average return compensating investors for bearing the elevated risk.

 

Helping thwart future attacks

Concluding with a flourish, Michaely and his co-authors used the SolarWinds hack to provide additional evidence for both parts of the paper. Firms with higher predicted cybersecurity risk scores saw negative returns around the time of the SolarWinds incident, and the risk measure was positively associated with the probability of being among the firms affected by the attack. In other words, the firms the measure had identified beforehand as riskier were more likely to have been hacked.

Their work has opened a number of doors to new research into the very real and very worrying field of cyberattacks. A highly unscientific glance at today’s headlines reveals recent attacks across the world: Indigo Books & Music in Canada was hit in early February 2023, knocking its website and payment methods offline. The Indonesian unit of Australia’s Commonwealth Bank just experienced “unauthorised access of a web-based software application used for project management”, while cyberattacks have crippled a major hospital in Barcelona, Spain, an Israeli university and Northern Essex Community College near Boston. Horrifically, hackers also appear to have distributed photos of cancer patients undergoing treatment. These were stolen from a Pennsylvania health group in a ransomware attack. Ransomware encrypts a victim’s systems and demands payment for the key; increasingly, the attackers also steal sensitive files beforehand and threaten to publish them unless they are paid, which is how these photos came to be leaked.

Truly a “nightmare scenario” for companies and society at large.

Michaely et al.’s cybersecurity risk measure and its underlying methodology will help enable the systematic analysis of cybersecurity risk and its implications for firms in terms of their value, corporate policies and operations. In turn this will help boost cyber-defences around the planet and make the online world a little safer for all of us.

 

About this Research

Chris Florackis, Christodoulos Louca, Roni Michaely and Michael Weber. Cybersecurity Risk, The Review of Financial Studies, Volume 36, Issue 1, January 2023, Pages 351–407


 

References

Brown, L., (March 8, 2023). ‘Russian hackers post nude photos of US cancer patients to dark web in sick extortion plot’. New York Post. https://nypost.com/2023/03/08/russian-hackers-post-nude-photos-of-us-cancer-patients-to-dark-web/

Fama, E. F., and J. D. MacBeth. 1973. Risk, return, and equilibrium: Empirical tests. Journal of Political Economy 81:607–36.

Florackis, C., Louca, C., Michaely, R., and M. Weber. 2023. Cybersecurity risk. The Review of Financial Studies, 36(1), 351-407.

FireEye (December 13, 2020). ‘Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor’. Retrieved March 8, 2023 from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Hvistendahl, M., Lee, M., Smith, J., (December 17, 2020). ‘Russian Hackers Have Been Inside Austin City Network for Months’. The Intercept. https://theintercept.com/2020/12/17/russia-hack-austin-texas/

Kenton, W., (April 18, 2022). 10-K: ‘Definition, What’s Included, Instructions, and Where to Find it’. Investopedia. https://www.investopedia.com/terms/1/10-k.asp

Loughran, T., and B. McDonald. 2011. When is a liability not a liability? Textual analysis, dictionaries, and 10-Ks. Journal of Finance 66:35–65.

CTV News (March 8, 2023). ‘One month after cyberattack hit, what’s next for Indigo?’. Retrieved March 8, 2023 from https://www.ctvnews.ca/business/one-month-after-cyberattack-hit-what-s-next-for-indigo-1.6303819

Schwartz, S., (October 26, 2021). ‘A conversation with SolarWinds’ CISO’. Cybersecurity Dive. https://www.cybersecuritydive.com/news/solarwinds-ciso-tim-brown-leadership/608847/

Temple-Raston, D., (April 16, 2021). ‘A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack’. NPR. https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Timberg, C. and Nakashima, E., (December 14, 2020). ‘Russian hack was ‘classic espionage’ with stealthy, targeted tactics’. The Washington Post. https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/

Translation

Long held assumptions about the mutually incremental relationship between quantities and discounts have been upended by new research. The rule of thumb that the bigger the purchase quantity, the higher the discount is shown not to hold true for medium-sized customers buying products such as semiconductors, with implications for other products and industries.


Pile them high and sell them cheap. Buy more, save more. These slogans, and the thinking that lies behind them, have been accepted principles of product sales and marketing for generations.


The logic seems indisputable from the points of view of both the seller and manufacturer and that of the buyers. If a seller or manufacturer makes a large number of identical items and a single customer wants to buy a large part of this total production, then that buyer will receive the goods at a cheaper price than a buyer who wishes to buy a much smaller amount of the same product. The accepted theory has been that the seller is eager to dispose of his stock as quickly and as easily as possible, and so a big customer will get a better deal. By the same logic, it follows that customers who buy progressively smaller amounts of the same product will receive progressively smaller discounts.


However, the underlying premise behind these assumptions – that the bigger the purchase, the bigger the discount – has now been shown to be valid for only part of the story. In a study by Wei ZHANG, Sriram DASU and Reza AHMADI entitled “Higher Prices for Larger Quantities? Nonmonotonic Price-Quantity Relations in B2B Markets,” published in 2017 in Management Science, the journal of the Institute for Operations Research and the Management Sciences (INFORMS) in Maryland, USA, the first part of the established belief holds true: the biggest customers do receive the biggest discounts. These customers remain the most valuable to a seller or manufacturer as they account for the bulk of sales, and they are typically able to use their size and bargaining power to press the seller for a large discount.


The research focused on the impact of a buyer’s purchase quantity on the discount offered. The seller studied was a microprocessor company selling semiconductors, a product with a short life cycle. The company negotiates a price with each of its buyers, which are mainly large manufacturers of consumer electronics. In line with established beliefs, the research showed that among smaller customers the discount increased with the quantity purchased: the smaller the order, the smaller the discount.


What is unexpected is the experience of medium-sized buyers. According to established logic, these customers would be expected to receive bigger discounts than smaller buyers. But this is not the case: the researchers found that, beyond the range of small orders, the discount decreases as the quantity bought increases, and then increases again for the largest quantities.


“Contrary to our intuition, larger quantities can actually lead to higher prices,” say ZHANG, DASU and AHMADI. Thus, while the old belief that a bigger purchase quantity means a bigger discount would produce a curve heading steadily north-eastwards, the result of ZHANG, DASU and AHMADI’s study is an N-shaped curve. This unexpected result is rooted in the importance of capacity to the seller and its impact on the price negotiation process, they explain.


To understand the importance of capacity in price setting requires a switch in focus from the buyer’s mind-set to that of the seller. The seller or manufacturer is not concerned solely with getting the best possible price for the product, they also place a value on capacity.


“Large buyers accelerate the selling process and small buyers are helpful in consuming the residual capacity,” write ZHANG and his team. “However, satisfying midsized buyers may be costly because supplying these buyers can make it difficult to utilise the remaining capacity, which may be too much for small buyers but not enough for large buyers. Therefore, midsized buyers are charged a ‘premium’.”


To get the best price for all of its products, the seller needs to avoid transactions of a medium size and instead plan its sales around a rationing decision. That decision depends on the remaining capacity level, the purchase quantity, the demand distribution and the buyer’s profit margin before subtracting the cost of this product. The calculation can be done by following a dynamic capacity rationing formula devised by the researchers. The formula balances the seller’s need to control the capacity allocated to each buyer against offering a capacity range that the buyer will accept.


Ultimately, ZHANG and his co-authors say, “The seller should reserve capacity for buyers who are willing to pay more.”


The research is clearly of most use to firms manufacturing or selling semiconductors. This is a highly competitive industry with several unique features, characterised in particular by fast-changing technology. Manufacturing costs are high and lead times are long, and these factors make capacity inflexible. It is common practice in the industry for sellers to allocate capacity to different product lines based on demand forecasts and to start the related production several months ahead of the planned delivery date. Customers arrive sequentially and differ mainly in the quantities they order. Although products have a list price, the price actually paid is typically agreed after a process of negotiation, with big buyers usually driving a hard bargain. Because of the nature of the business, negotiation on prices is inevitable, the researchers explain.


“Buyers know that the marginal production cost of microprocessors is low and that sellers are eager to discount prices to fully utilise their capacities. Moreover, buyers can allocate their business among competing sellers.”


But while buyers may have an advantage when it comes to price, sellers often have an advantage when it comes to selling and controlling capacity. Buyers are free to meet their needs by buying from different semiconductor suppliers, but they tend to decide on suppliers early on in the purchasing process. This is because the technical features offered by different suppliers vary, and once selected, these features will impact the design of the buyers’ products and will be difficult and costly to change. That means that buyers tend to keep to their chosen supplier.


The lessons of the study may also be useful, to some degree, to other businesses and products. Inflexible capacity is also a feature of many businesses in the tourism industry, for example, although the researchers note that different characteristics and constraints apply: hotel rooms do not go out of date in the way that semiconductor products become obsolete. Hotel rooms, airline seats and coach seats are all fixed-quantity items that the seller or owner needs to sell in quantities to its best advantage. The main customers in these industries include bulk buyers such as travel agencies and resellers, who want to buy in large quantities but also want to negotiate the best prices. As in the semiconductor business, the individually agreed deals are closely interconnected, with the price and quantity agreed for one buyer affecting the price and quantity that can be agreed with the remaining buyers. The researchers recommend that sellers develop a price-quantity analysis model to help them optimise their prices. As with semiconductors, the key point for the seller is the need to control the quantity sold to each buyer before negotiating the price.


“Basically, given that each transaction has an impact on subsequent transactions, a good model of the price-quantity relation is necessary for the optimisation of the trade-off between the profit from the current buyers and that of future buyers,” they explain.


Contributing Reporter: Liana Cafolla


Source: Wei Zhang, Sriram Dasu, Reza Ahmadi (2017). Higher Prices for Larger Quantities? Nonmonotonic Price–Quantity Relations in B2B Markets. Management Science 63(7): 2108-2126.


https://pubsonline.informs.org/doi/10.1287/mnsc.2016.2454