Intraday Study of the Market Reaction to Distributed Denial of Service (DOS) Attacks on Internet Firms
Rao, Arundhati, Warsame, Mohamed, Williams, Jan L., Academy of Accounting and Financial Studies Journal
Computers have become an integral part of our personal and professional lives. Some companies in fact conduct all of their business solely through the use of computers; these firms are referred to as "internet firms." Denial of access to computer networks even for a brief period of time can result in a loss of business and can be devastating to internet firms. Distributed denial of service (DoS) attacks on internet firms encompass all conditions that deliberately prevent users from accessing network resources through which the firms conduct business, including the sale and purchase of products and access to data for various reasons. The attacks may also go beyond shutting down websites; it may damage computer software and systems, and compromise firm and customer data.
During a DoS attack, internet firms lose revenue and also suffer the consequences of exposure to their inherent "vulnerability" with permanent loss of future revenue (some customers shy away from internet businesses after news of a hacker attack). Using e-Bay as an example, Duh et al. (2002) show that concern over online security is a major impediment to the growth of internet businesses. They find that DoS, privacy, and authentication are three major sources of business risk for internet firms.
The impact of DoS attacks on market reaction remains questionable. Several studies have examined the market reaction of such attacks; the findings, however, are inconclusive. Hovav and D'Arcy (2003) and Hovav, Andoh-Baidoo and Dhillion (2007) find that the market does not significantly penalize internet companies that experience a DoS attack. Ettredge and Richardson (2003), Cavusoglu, Mishra and Raghunathan (2004), and Anthony, Choi and Grabski (2006), on the other hand, find a negative market reaction to internet firms that experience web outages. Each of these studies used an event study methodology and daily returns data. Telang and Wattal's (2007) examination of the impact of vulnerability announcements on security software vendors reveals that these companies do suffer a drop in their stock prices.
The purpose of this study is to further examine the relation between DoS attacks and market reaction. We build on the study by Ettredge and Richardson (2003) and examine the effects of the same DoS attacks at an intraday level using data obtained from the NASTRAQ database. Using intraday data further allows us to investigate the extent to which the DoS victim's stock prices are affected and the related length of time. Additionally, we analyze the impact of DoS attacks on other firms in the same industry by way of information transfer. We hypothesize that a DoS victim's stock will trade heavily; this increase in trading volume will become "news" resulting in an increase in trading of other stocks in the same industry. Furthermore, we examine the extent to which a DoS attack affects the stock price of Internet Security Provider (ISP) firms at an intraday level.
Our study advances the current knowledge of literature by using intraday data. This data is advantageous since the NASDAQ market price adjusts rapidly to new information on DoS attacks. The NASTRAQ database, which is intended for academic research, contains trades and quotes for NASDAQ stocks. The data must be extracted into spreadsheets. This poses a major difficulty with the large volume of trading data within the short window of interest in this paper. The seminal paper by Ball and Brown (1968) shows that the market does not adjust fully to new information and leads to a post announcement drift. Therefore, we examine the market adjustment to a DoS attack, on an intraday basis as trading occurs, and the cost of security in terms of price adjustment to firms in the industry that have not been attacked. Another significant contribution of this research will be the study of information transfer based on trading volume.
The rational pricing and market value of internet firms has been studied extensively. Schwartz and Moon (2000) find that high growth rates in revenues appear to justify astronomically high prices of technology firms during the internet bubble. This finding is reinforced by Kamstra (2001). He finds that the value of an internet firm can be determined by revenue, if the revenues are co-integrated with fundamental value. Lazer et al. (2001) also show that internet websites with higher traffic rates provide significantly higher returns than sites with low internet traffic. Therefore, a DoS attack that reduces the revenue of the internet firm directly by obstructing transactions and diminishing customer confidence in the firm's trading platform can have a major impact on its market value.
The market impact of different disclosures by internet trading firms has been widely analyzed in the accounting and finance literature. Subramani and Walden (2001) analyze the impact of e-commerce initiative announcements and find significant positive cumulative abnormal returns to investors. This result reveals that the market recognizes e-commerce events as value relevant in determining the market value of internet companies.
Several prior studies report a negative association between market value and web outages. Ettredge and Richardson (2003) study this DoS phenomenon over a three-day period, February 7, 2000 to February 9, 2000, and find that internet firms suffer a significantly negative stock market reaction even when the firm is not subject to the DoS attack. They also find that Internet Security Provider firms benefited from these hacker attack events. Cavusoglu et al. (2004) conduct a large-scale study on all types of security breaches (not just DoS attacks) over a seven-year period, 19952001. They find a negative relation between internet security breach announcements and market value, regardless of the type of security breach. Anthony et al.'s (2006) study of the stock market reaction to announcements of website outages further report that internet firms have negative returns when they experience internet outages.
Other studies, however, report that DoS attacks did not impact market value. Hovav and D'Arcy's (2003) study of DoS attacks over a 4.5 year period reveals that while internet firms had negative abnormal returns during the five days following the announcement, they were not significant. Hovav, Andoh-Baidoo and Dhillion (2007) further explore whether various characteristics of security breaches impact abnormal stock returns. This study examines the type of attackers, objectives of the attack, the results of the attack, tools used to attack and the access type. They report that not all attacks have the same effect on abnormal returns. While the overall end result of the attack had a significantly negative impact on market reaction, DoS attacks, a category within end result, did not.
All these studies employ the event study methodology using daily data. Event studies do not rely on expectations of accounting numbers but adjust a firm's expected returns to a systematic measure of risk, such as beta. Studies cited in Kothari (2001) show that short term event studies are usually consistent with market efficiency. The studies on market efficiency utilizing event study methodology face a variety of econometric issues that are summarized in Kothari (2001), such as expected returns mismeasurement, unusual and correlated samples of firms' returns, survivorship bias, clustering in calendar time, bias in the test statistics, model specification (such as the choice between price and returns models), and the comparison of the information content of alternative models. The incremental information content of a particular accounting signal can be analyzed by including a dummy variable for the accounting signal in a cross-sectional or time series study.
The event study methodology, as used by Ettredge and Richardson (2003), is not robust to clustering, which occurs when a significant number of the events take place within a short period of time. Harrington and Shrider (2007) also show that a short horizon event study ignores cross-firm variation in the event effects, thereby inducing a bias in the abnormal returns. Since DoS attacks by their dissimilarity and severity will induce cross-firm variations on their effects across other internet firms, we have expanded the dataset to use intraday data instead of daily data. Furthermore, in order to overcome these issues and improve the robustness of the results of the study, we utilize the portfolio approach.
All of the above methodologies rely on a returns metric to determine the market impact of the DoS attack. Cready and Hurtt (2002), however, show that a volume based metric to measure investor response provides more powerful tests than the measures based on abnormal stock returns in the event studies. Cready and Hurtt (2002) also show that the power of a returns based metric test can be improved by incorporating a trading (volume) based measure. We hypothesize that after a DoS attack the increased trading volume of the victim's stock will cause investors to trade other stocks in the same industry. That is to say, the reaction is to the increased trading volume and not to the DoS attack event. Therefore, we will conduct additional tests to detect investor responses based on event day trading volumes.
In this section, we present the hypotheses that are examined in this study. First we study the firm effect of a DoS attack. Yahoo suffered a service failure that lasted nearly three hours when computer hackers flooded Yahoo's network with a steady stream of data. Yahoo received nearly one gigabyte of traffic per second for three hours; this was estimated to be more data than most firms received over a one year period. This information overload prevented Yahoo from exchanging data with its customers and effectively shut down their site. While analysts did not expect Yahoo's revenues to suffer, this DoS attack was more than merely an inconvenience to the customers. The hackers sent a larger message that nobody's computer was safe. Unfortunately, this was just the start of the attacks; eBay and Amazon soon became victims too. Most DoS attacks are hard to trace, as hackers use several computers to perpetuate the crime. In most cases, the computer used to cause the attacks is hijacked through the internet.
If a DoS attack prevents firms from conducting business, the firms will lose revenue. Knowledge of the DoS attacks may also deter customers from conducting business online in the future. As such, firm value will be negatively affected by DoS attacks. Therefore, our first hypothesis is the following:
[H.sub.1]: The stock price of an internet firm will be negatively affected by a DoS attack.
Next we explore the impact of DoS attacks on Internet Security Providers (ISP) firms. DoS attacks draw attention to the vulnerability of internet firms and raise the demand for increased security on the internet. The demand for increased security will be predicated by the services provided by ISP firms. Accordingly, DoS attacks will result in higher revenue and an awareness of the need for ISP firms. Therefore, our second hypothesis is the following:
[H.sub.2]: The stock price of an ISP firm will be positively affected by a DoS attack in the internet industry.
Lastly, we investigate the impact of DoS attacks on market reaction based on trading volume. If the market is frightened by a DoS attack, investors will not purchase shares of the attacked firm's stock. On the other hand, if the market is not frightened by the DoS attack, investors will hold their stocks rather than sell them. Accordingly, regardless of the market reaction to the DoS attack, investors will not purchase additional stocks during the attack period. Therefore, trading volume will decrease during the attack period. Using intraday data we expect that unsophisticated investors will react to the DoS attack while sophisticated investors (larger percentage of investors) will not immediately react to the attack. Our third hypothesis is the following:
[H.sub.3] The trading volume of a firm subject to a DoS attack will decrease during the attack period.
DATA AND METHODOLOGY
The sample for this study consists of the three NASDAQ firms, Yahoo, eBay and Amazon.com, that experienced DoS attacks during the period February 7-9, 2000. Of the eight firms attacked during this period, five were excluded from our study for the following reasons: three firms were not listed (CNN, ZDNet and Excite), one firm (E*Trade) was listed on the NYSE, and one firm (Buy.com) went public on the same day it was attacked. Daily trades, volume and stock prices for February 2000, are obtained from the NASTRAQ database. The time and duration of DoS attacks in February 2000 and the NASDAQ market's trading hours are provided in Table 1 below. It is important to note that only the Yahoo attack took place entirely within the regular trading hours; the attack on eBay started during the regular trading hours and continued to the extended hours and later; and the Amazon attack started after the close of extended trading hours. This small sample size and the proximity of the attacks limit our ability to control for the market time in which the attack occurs.
The sample firms examined in this study are very unique. Yahoo, eBay and Amazon are industry leaders, and are much larger than other firms in the same industry. Due to the uniqueness of the sample firms, it is difficult to establish a control sample based on firms in the same industry with similar characteristics, such as market size, sales and assets. Therefore, to measure abnormal returns we use a control sample of internet firms that did not experience a DoS attack during the sample period. Our control sample consists of these same internet firms examined by Ettredge and Richardson (2003). They found that information transfer was no different in industries where internet firms were attacked than in internet industries not attacked. Likewise, we use the internet firms that were not attacked as the control sample to measure abnormal returns related to internet security providers. Our control sample consists of 134 internet firms listed on www.InternetStockList.com as of July 2000. The control sample was obtained from Professor Richardson. The internet security provider sample consists of10 firms that provide internet security products and services.
In Table 2 we present descriptive statistics for the DoS attack sample firms, control firms and internet security provider firms. The DoS attack firms have mean sales of $817.72 million and mean assets of $1,635.10 million. The DoS attack firms are significantly larger than the control firms and the internet security provider firms at the 0.01 level. This is consistent with hackers choosing to attack the large internet firms. The control firms have larger sales than the internet service provider firms. However, they are similar in size according to assets. Additionally, the standard deviations for control firms reflect a wide range in firm size according to sales (1,098.06) and assets (1,425.14).
In Table 3 we present the DoS attack firms and control firms by industry. SIC code descriptions are obtained from the U. S. Department of Labor Occupational Safety & Health Administration website (www.osha.gov). Two of the attacked firms are in the catalog, mail order houses industry (Amazon and eBay). The third DoS attack firm is in the computer programming, data processing industry (Yahoo). The majority of internet firms (69.8%) in the control firm sample are in the business services industry.
We use intraday data to examine investors' reaction to DoS attacks that completely prohibit internet firms from conducting business. We examine the market impact of DoS attacks by examining stock price returns. Returns are calculated as follows:
[R.sub.i,t] = [P.sub.i,t] - [P.sub.i,t-1] / [P.sub.i,t-1]
where [R.sub.i,t], the return for the attack period, is calculated as the percentage change in stock price between [P.sub.i,t], the average price of the first 15-minute interval after the start of the attack and [P.sub.it-1], the average price of the last 15-minute interval of the attack period.
We use a portfolio approach advocated by Campbell et al. (1993) to further test the impact of DoS attacks. The main advantages of the portfolio formation are that unique risk factors are diversified away and errors caused by the cross correlation of the error terms are mitigated. This approach estimates abnormal returns by comparing the return of the DoS sample firm to the average return of a portfolio of control firms for the same period. Our control sample consists of other internet firms traded on NASDAQ that were not attacked during the sample period. We choose these firms to overcome the intraday effects in stock returns (see Chan, Christie and Schultz (1995)). To further test the impact of DoS attacks, we also form a portfolio of internet security provider firms in order to compare their returns to those of the DoS attack firms.
We estimate abnormal returns for twenty 15-minute intervals before and twenty 15-minute intervals after the attack to assess the market's immediate reaction to the DoS attacks. The abnormal returns are calculated as the return for the DoS attack firm minus the average return for the control sample firms for the same period based on the following formula:
[A.sub.i,t] = [R.sub.i,t] - E [([R.sub.c]).sub.i,t]
where [A.sub.i,t] denotes the abnormal return for the ith 15-minute interval of day t, [R.sub.i,t] is the sample return for the ith 15-minute interval of day t and E(Rc) is the expected return of the control portfolio of equally weighted internet firms not affected by the DoS attacks for the ith 15-minute interval of day t. The equally weighted portfolio for control firms was utilized due to the size difference that could obscure the impact of the event in case of a value weighted approach. The cumulative abnormal returns during the event window are denoted as CARt, as shown below:
[CAR.sub.t] = [20.summation over (t=-20)] [A.sub.t]
We also examine trading volumes surrounding the DoS attacks to further test investor response to DoS attacks. Cready and Hurtt (2002) provide evidence that volume based metrics are more powerful in detecting investor responses to public disclosures than returns based methodology. In the literature, the alternative approaches on defining and measuring market reaction consist of the use of returns or volume as a measure of market reaction. Lee (1992) finds that the market reacts quickly to new information both in adjusting returns and volumes.
To determine whether there is a significant change in trading volume immediately surrounding the DoS attacks, we examine the difference between the mean trading volume in the pre- and post-attack periods. This methodology is used because we are unable to obtain the total shares outstanding of control firms for the related intraday periods, which would be necessary to standardize trading volume. The pre-attack period consists of the twenty 15-minute intervals prior to the attack and the post-attack period consists of the twenty 15-minute intervals subsequent to the attack.
EMPIRICAL ANALYSIS AND RESULTS
We investigate the effects of DoS attacks on stock price and abnormal returns. Although our primary interest is the impact of abnormal returns around DoS attacks, we begin our analysis by investigating stock price reactions surrounding the attacks. Figure 1 shows the stock prices and abnormal returns for twenty 15-minute intervals before the attack to twenty 15-minute intervals after the attack for each sample firm. The stock price for Amazon and Yahoo reaches its peak in the period of the DoS attack ($83.69 and $356.56, respectively) and declines after the attack. Amazon's stock price declines for the following four 15-minutes intervals before it begins to increase. Yahoo's stock price declines for the following two 15-minute intervals before it begins to increase. While Yahoo's stock price recovers and surpasses the attack stock price at t+18, Amazon's stock never reaches the peak of its DoS stock price in the post-attack period. eBay's slow stock price decline in the pre-attack period becomes more steady in the post-attack period.
To test hypothesis 1, we examine the abnormal stock returns of the three DoS attack firms. The results are presented in Table 4. All three firms experienced negative returns related to the DoS attacks. Yahoo experienced the greatest stock price decline of 2.6% while Amazon experienced the smallest decline of 0.7%. The mean abnormal returns are significantly negative at the 0.01 level for all three DoS attack firms. These results also show that the negative abnormal returns due to a DoS attack are in line with the duration and timing of the event. This is consistent with our hypothesis that the stock price of an internet firm will be negatively affected by a DoS attack.
[FIGURE 1 OMITTED]
Amazon and eBay show negative abnormal returns surrounding the event. Amazon's abnormal returns are negative from the first 15-minute interval before the attack t-1 until the sixth 15-minute interval after the attack t+6 while eBay's abnormal returns are negative from the first 15-minute interval before the attack t-1 until the third 15-minute interval after the attack t+3. Yahoo's abnormal return, however, is only negative at the point of the attack, t. In observing the twenty intervals before the attack to twenty periods after the attack, all three firms experienced their lowest abnormal return in the period immediately surrounding the DoS attack. These results suggest that while the internet firms are affected by the DoS attack, they appear to rebound and continue as normal shortly after the attack.
To test our second hypothesis that the stock price of an ISP firm will be positively affected by a DoS attack in the internet industry, we examine the differences between the mean returns for the ISP sample firms and the control sample firms during the time of the DoS attacks. Table 5 presents the mean returns for both samples along with the abnormal returns for the ISP firms.
Using intraday data for the event period, we find results similar to Ettredge and Richardson (2003) for the control sample firms. The mean returns for internet firms that were not attacked (control sample firms) are negative. This suggests that information about the attack is transferred to other firms that also conduct business on the internet. As we examine the differences between the ISP mean returns and the control sample mean returns, however, we find mixed results. The abnormal return is negative during the Amazon attack period and positive during the eBay and Yahoo attack periods. The negative ISP firm abnormal return during the Amazon attack period could be the result of this attack occurring after trading hours. Furthermore, we note that none of the abnormal returns are significant. This could be attributed to the brevity of the attacks and the resolution of the attacks during the same day. Overall, unlike Ettredge and Richardson (2003), we do not find that ISP firms experience positive abnormal returns when internet firms are attacked. To further ascertain the information impact of DoS attacks, we examine another investor metric, trading volume. Table 6 presents the mean volume of trades surrounding the DoS attacks. The pre-attack period represents the twenty 15-minute intervals prior to the denial of service attack. The post- attack period represents the twenty 15-minute intervals subsequent to the denial of service attack.
The results support our hypothesis that trading volume will decrease during the attack period. There is a significant decrease in the volume of trades for Amazon and eBay at the 1% and 10% levels, respectively. Amazon's volume of trades decreased 225,377 and eBay's decreased 27,504. While Yahoo's volume increases by 10,987 trades, the increase is insignificant. This increase in the Yahoo volume of trades could result from its DoS attack being resolved before the end of trading on that day. Overall, our results provide evidence that investors did not purchase significant shares of stock during the DoS attacks.
This paper investigates the market impact of distributed denial of service (DoS) attacks on internet firms and the information transfer affecting the market value of other internet and internet security firms. This study is unique in that we use intraday data obtained from the NASTRAQ database to examine the market impact of the DoS attacks. Our study suggests that the market reacts negatively to firms experiencing DoS attacks. We report negative abnormal returns during the DoS attack and a decline in stock price immediately following the DoS attack. Additionally, we report negative returns for a control sample of internet firms that were not attacked. As such, it appears that information transfer exists among internet firms. In contrast, we further report that Internet Security Provider firms do not experience positive stock price affects from the DoS attacks. We also used volume of trades as an investor metric to measure the impact of DoS attacks. Our findings provide evidence that the volume of trades decreases during the attack period. The implications of this study demonstrate that firms that operate online can experience negative market effects from DoS attacks, such as loss of sales, drop in stock price and market capitalization unlike traditional retail stores.
This study can be extended by segregating DoS attacks by nature of the attack (severity and ability to return network to normal operations differ) to determine whether the market reacts differently depending on the nature of the attack. There are also implications for the long-term consequences and the cost of security to address these DoS attacks. A second extension could segregate the firms attacked by size (i.e., market capitalization, revenue and internet traffic), since conceivably the impact of a DoS attack could be greater for firms with higher internet traffic resulting in higher revenue losses.
This study has two limitations that should be taken into account when considering its contributions. First, our study consists of a small sample size. In order to compare the immediate market reaction to the same DoS attacks investigated by Ettredge and Richardson (2003), our sample only consists of three firms. Second, one of the DoS attacks occurred after trading hours while two of the attacks ended after trading hours. Accordingly, we have taken steps in this study to mitigate the effects of these limitations.
Anthony, J., W. Choi & S. Grabski (2006). Market Reaction to E-Commerce Impairments and Web-site Outages. International Journal of Accounting Information Systems 7, (2): 60-78.
Ball, R. & P. Brown (1968). An empirical evaluation of accounting numbers. Journal of Accounting Research 6 (2): 159-178.
Brown, S. & J. Warner (1985). Using Daily Stock Returns: The Case of Event Studies. Journal of Financial Economics 14, 3-31.
Campbell, J., A. Lo & J. Wang (1993). Trading Volume and Serial Correlation in Stock Returns. Quarterly Journal of Economics 107, 905-939.
Cavusoglu, H., B. Mishra & S. Raghunathan (2004). The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce 9, 69-104.
Chan, K., W. Christie & P. Schultz (1995). Market structure and the intraday pattern on bid-ask spreads for NASDAQ securities. Journal of Business 68(1): 35-60.
Cready, W. & D. Hurtt (2002). Assessing Investor Response to Information Events using Return and Volume Metrics. The Accounting Review 77 (4): 891-909.
Duh, R., S. Sunder & K. Jamal (2002). Control and Assurance in E-Commerce: Privacy, Integrity, and Service at eBay. Taiwan Accounting Review 3(1): 1-27.
Ettredge, M. & V. Richardson (2003). Information Transfer among Internet Firms: The Case of Hacker Attacks. Journal of Information Systems 17(2): 71-82.
Glover, S., S. Liddle & D. Prawitt (2001). eBusiness: Principles & Strategies for Accountants. Upper Saddle River, NJ: Prentice Hall.
Harrington, S. & D. Shrider (2007). All Events Induce Variance: Analyzing Abnormal Returns When Effects Vary Across Firms. Journal of Financial and Quantitative Analysis 42(1): 229-256.
Hovav, A, & J. D'Arcy (2003). The Impact of Denial-of-Service Attack Announcements on the Market Value of Firms. Risk Management and Insurance Review 6 (2): 97-121.
Hovav, A., F. Andoh-Baidoo & G. Dhillion (2007). Classification of Security Breaches and their Impact on the Market Value of Firms. Proceedings of the 6th Annual Security Conference.
Kamstra, M. (2001). Rational Exuberance: The Fundamentals of Pricing Firms, From Blue Chips to Dot Com. Federal Reserve Bank of Atlanta.
Kothari, S. P. (2001). Capital Markets Research in Accounting. Journal of Accounting and Economics 31 (1-3): 105-231.
Lazer, R, B. Lev & J. Levant (2001). Internet Traffic and Portfolio Returns. Financial Analysts Journal 57(3): 30-40.
Lee, C. M. C. (1992). Earnings News and Small Traders. Journal of Accounting and Economics 15(2-3): 265-302.
Schwartz, E. & M. Moon (2000). Rational Pricing of Internet Companies. Financial Analysts Journal 56 (3): 62-75.
Subramani, M. & E. Walden (2001). The Impact of E-Commerce Announcements on the Market Value of Firms. Info Systems Research 12 (2): 135-154.
Telang, R. & S. Wattal (2007). An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price. IEEE Transactions on Software Engineering 33 (8): 544-557.
Arundhati Rao, Towson University
Mohamed Warsame, Howard University
Jan L. Williams, University of Baltimore
Table 1: Attack Periods and Trading Hours Panel A: Denial of Service Attack Periods Date Firm Start End 40580 Yahoo 0.42708333333 0.61458333333 40581 eBay 0.60416666667 0.8125 40581 Amazon 0.70833333333 0.86458333333 Panel B: NASDAQ Market Trading Hours Open Close Early Trading Hours 0.33333333333 0.39583333333 Regular Trading Hours 0.39583333333 0.6875 Extended Trading Hours 0.6875 0.77083333333 Table 2: Descriptive Statistics (in Smillions) n Mean Median Panel A: DoS Attack Firms Total Sales 3 817.72 588.61 Total Assets 3 1635.1 1469.82 Panel B: Control Firms Total Sales 126 159.86 32.73 Total Assets 126 430.43 130.82 Panel C: Internet Security Provider Firms Total Sales 10 88.36 85 Total Assets 10 369.96 157.68 Standard Range Deviation Panel A: DoS Attack Firms Total Sales 734.85 224.72-1,639.84 Total Assets 767.27 963.94-2,471.55 Panel B: Control Firms Total Sales 1098.06 0.36-12,154.00 Total Assets 1425.14 2.99-14,725.00 Panel C: Internet Security Provider Firms Total Sales 76.41 4.97-218.12 Total Assets 571.79 9.78-1,512.12 Table 3: Firms by Industry Attacked Firms Catalog, mail-order houses 2 Computer programming, data processing 1 Total 3 Control Firms Oil & Gas Extraction 2 Fabricated Metal Products Manufacturers 1 Industrial & Commercial Machinery Manufacturers 2 Electronic & Other Electrical Equipment Manufacturers 5 Miscellaneous Manufacturing Industries 1 Transportation Services 2 Communications 4 Wholesale Trade 3 Miscellaneous Retail 8 Depository Institutions 1 Non-depository Institutions 1 Security & Commodity Brokers 2 Insurance Agents Brokers & Services 1 Real Estate 1 Business Services 88 Amusement & Recreation Services 2 Engineering, Accounting Management Services 1 Total 126 Table 4: Abnormal Returns OF Denial of Service Attack Amazon eBay Yahoo Attack Period Abnormal Return(t0) -0.007 -0.014 -0.026 Std Deviation 0.019 0.025 0.039 t-stat -2.430 *** -3.580 *** -4.260 *** *** represents significance at the 1% level. Table 5: Abnormal Returns for Internet Service Providers Control Sample ISP Mean Mean Return (%) Return (%) Difference t-stat Amazon -0.166 -0.047 -0.119 -0.28 eBay -0.105 -0.258 0.153 0.51 Yahoo 0.029 -0.179 0.208 1.15 Table 6: Mean Volume of Trades Surrounding the Denial of Service Attacks Amazon eBay Yahoo Post-Attack Period 305138 64735 113627 Pre-Attack Period 530515 92239 102640 Difference -225377 -27504 10987 t-stat -2.56 *** -1.41 * 0.16 ***, ** and * represent significance at 1%, 5% and 10% levels, respectively.…