We study the information transfer effect (ITE) of the stock price among intra-industry competitors when a victim firm announces a security incident. The main focus of this work is to better understand the cause of inconsistency in current empirical studies that examined ITE in the context of security breaches. For this, we analyzed data gathered from a sample of incident cases that took place in Korea between 2010 and 2018. The general finding of our research suggests that a security incident resulted in relatively short-term negative effects on the victim firm’s stock return. The degree of loss, however, differed depending on the context of the victim firm. When the analysis was undertaken separately in terms of attack types and of attack objectives, different patterns emerged in the duration of victim firms’ negative stock performance. Overall, the general effect of ITE was weak as the industry competitors’ stock prices were less affected by the security incident of a victim firm. However, when the analysis is undertaken grouped by the industry type (i.e., IT vs finance), the results paint a different picture. In the IT group, there was a contagion-effect as both the victim’s and its competitors’ stocks performed negatively. In the finance industry, meanwhile, ITE was working in the opposite direction in which competitor stocks displayed a competition-effect when a victim firm is attacked. The empirical results suggest that more context-driven analysis is necessary to truly understand ITE dynamics between the security incident and investor behaviors.

Keywords: Information security, Cybersecurity, Information Transfer Effects, Stock Price