Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Security Forum - Oct 22
Kenneth F. Belva

A Phlogiston Theory of Reputational Risk?

At the current time, an indirect measurement of reputation through investor confidence (such as stock price) is the best indicator we may have of reputational risk and damage.

Unfortunately, because this measurement is indirect, some feel it is not firm footing on which to place our conclusions about reputational risk.

If reputational damage will affect a company's prospects, investors will take this into consideration. Granted, it is not a direct measurement. Hence:

My challenge to you is to create a methodology and set of metrics that can directly measure reputational damage.

If direct measurements do not exist and indirect measurements — such as stock prices/investor confidence — are discounted, it seems to me that reputational arguments are then very similar to the theory of Phlogiston: there may be something happening, only we really cannot talk about anything causally.
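The indirect measurement the column relies on is usually made concrete with an event study: fit a market model to the stock's daily returns over a window before the announcement, then sum the abnormal returns (actual minus what the market alone predicts) over a window around it. What follows is an added example, not code from the column or its author. The event-study method is a standard technique the column does not itself mention, the function names are my own, and every return below is constructed (a "stock" that tracks a "market" with beta 1.5, then falls on announcement day and the day after) rather than real market data.

```python
"""Event-study estimate of the share-price reaction to a breach announcement.

Added example, not code from the column: the market model and cumulative
abnormal return (CAR) are standard event-study tools; all returns below are
constructed, not real market data.
"""
import math


def fit_market_model(market, stock):
    """OLS fit of stock = alpha + beta * market over the estimation window.

    Returns (alpha, beta, sigma), where sigma is the residual standard
    deviation used later to judge whether the event-window move is unusual.
    """
    n = len(market)
    if n < 3 or n != len(stock):
        raise ValueError("need at least three paired estimation-window returns")
    m_mean = sum(market) / n
    s_mean = sum(stock) / n
    sxx = sum((m - m_mean) ** 2 for m in market)
    if sxx == 0.0:
        raise ValueError("market returns are constant; beta is undefined")
    sxy = sum((m - m_mean) * (s - s_mean) for m, s in zip(market, stock))
    beta = sxy / sxx
    alpha = s_mean - beta * m_mean
    resid = [s - (alpha + beta * m) for m, s in zip(market, stock)]
    sigma = math.sqrt(sum(r * r for r in resid) / (n - 2))
    return alpha, beta, sigma


def event_study(market, stock, alpha, beta, sigma):
    """Abnormal returns over the event window, their sum (CAR) and a t-statistic.

    The t-statistic assumes independent residuals with variance sigma**2 (the
    textbook simplification); it is nan if the estimation fit had no residual.
    """
    if len(market) != len(stock):
        raise ValueError("event-window series differ in length")
    ar = [s - (alpha + beta * m) for m, s in zip(market, stock)]
    car = sum(ar)
    se = sigma * math.sqrt(len(ar))
    t_stat = car / se if se > 0.0 else float("nan")
    return ar, car, t_stat


# Constructed data (not real prices). Estimation window: eight trading days
# before the announcement, chosen so the stock follows the market with
# alpha = 0.001 and beta = 1.5 plus small residuals. A real study would use
# something like 120 days ending well before the event.
EST_MARKET = [0.01, -0.01, 0.02, -0.02, 0.005, -0.005, 0.015, -0.015]
EST_STOCK = [0.018, -0.012, 0.029, -0.031, 0.0095, -0.0055, 0.0225, -0.0225]

# Event window: days -2..+2 around the announcement (index 2 is day 0). The
# market is roughly flat; the stock falls on day 0 and day +1.
EVT_MARKET = [0.0, 0.01, -0.01, 0.0, 0.02]
EVT_STOCK = [0.001, 0.016, -0.05, -0.035, 0.031]


def run_example():
    """Fit the model on the estimation window and measure the event window."""
    alpha, beta, sigma = fit_market_model(EST_MARKET, EST_STOCK)
    ar, car, t_stat = event_study(EVT_MARKET, EVT_STOCK, alpha, beta, sigma)
    return {"alpha": alpha, "beta": beta, "sigma": sigma,
            "abnormal_returns": ar, "car": car, "t_stat": t_stat}


if __name__ == "__main__":
    r = run_example()
    print(f"alpha={r['alpha']:.4f} beta={r['beta']:.2f} sigma={r['sigma']:.4f}")
    for day, a in enumerate(r["abnormal_returns"], start=-2):
        print(f"day {day:+d}: abnormal return {a:+.4f}")
    print(f"CAR over event window: {r['car']:+.4f} (t = {r['t_stat']:.1f})")
```

Run as a script it reports a cumulative abnormal return of -7.2% for the constructed event window, far outside what the estimation-window residuals would explain. The caveat the column concedes survives in the numbers: the CAR strips out the market's own move, but it still measures only what investors expect the breach to cost, not the reputation itself, and a thinly traded stock or a noisy estimation window will widen the standard error until no conclusion can be drawn.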

8 Comments

  1. Alex Mar 20, 2007 at 7:58 am

    % Increase in average monthly customer churn?

  2. Kenneth F. Belva Mar 20, 2007 at 8:01 am

    Alex,

    How does one as an outsider get access to internal information across many different organizations?

  3. Alex Mar 20, 2007 at 10:04 am

    At times public companies release acquisition and retention statistics.

    A more obvious one might be gross revenues.

    I suppose your point of contention isn’t necessarily where to pull them from, but the precision of the data?

  4. Kenneth F. Belva Mar 20, 2007 at 12:33 pm

    Exactly. Theoretically we might be able to create a way of determining the impact of a breach or other reputational factors, but pragmatically it would be very difficult. That’s why I chose stock prices and market analysis.

    So, in my opinion, theory without practice/results is empty in the business world. Imagine: “Well, we comply in theory, but pragmatically we don’t.”

  5. Alex Mar 20, 2007 at 1:57 pm

    Well, then it’s a good thing it’s not our job to come up with those numbers!

  6. Saso Mar 21, 2007 at 12:27 am

    I don’t think there is any freely available way to measure the impact of security incidents on corporate reputation. As we agree, share price is an indirect one and can show close to the full gamut of reputational damage done to a company if the incident directly affects the company’s ability to perform (i.e. meet the expectations of the market).

    However, large corporations measure such and other incidents’ effect on their reputation in a wide range of communities: from their customers, to investors, to competition, to the community the company does business in.

    The company I work for has a department dedicated to managing reputation. They do a good deal of work to measure it, gather information on how our reputation could be impacted - positively or negatively - by different events, and what the most preferential response to such events would be.

    Granted, it is not only security breaches that are measured, but the metrics include:

    % of monthly churn as compared to the average;
    top 5 reasons for customers leaving;
    top 5 reasons for customers joining;
    % of monthly referral rate as compared to the average;
    surveys done by independent agencies on behalf of the company;
    % of customers not renewing their contract as compared to the average (rolling metric);

    Taken together, they give you a good idea on how much an incident cost you in short and long-term reputational damage.

    Is it cheap? No. Is it available to outsiders? No.

    Doesn’t every large organisation perform such activities on an ongoing basis?

  7. Alex Mar 22, 2007 at 7:34 am

    Yes, but it’s not infosec’s job. It’s a marketing task.

    They’re the subject matter experts. We should be using them. You wouldn’t expect them to configure their own firewall, would you?

  8. Saso Mar 22, 2007 at 5:57 pm

    Alex,

    Exactly. It isn’t InfoSec’s job, but InfoSec should help ‘them’ help InfoSec.

    Now, can we put this “share price is the best way to ascertain the impact of security breach on a company’s reputation” to bed?

    It may be the best way for an outsider to scratch the surface of the reputational risk; but one has to keep in mind that share markets aren’t rational, and worry only about a company’s performance to make, admittedly short-term, profits.
