An Event Study Analysis of the Economic Impact of IT Operational Risk and Its Subcategories
Goldstein, James; Chernobai, Anna; Benaroch, Michel. Journal of the Association for Information Systems
Organizations' growing exposure to IT operational risk, or the risk of failures of operational IT systems, could translate into significant losses. Despite this, there are notable theoretical and empirical gaps in the literature on IT operational risk. We propose the "resource weaknesses" framework, which extends the resource-based theory of the firm, as a theoretical lens for investigating IT operational risk and its impacts. We also theorize about and empirically examine the impact differences of two categories of IT operational failures: ones resulting in the disclosure, misuse, or destruction of data assets, and ones resulting in the loss of availability or the mis-operation of functional IT assets responsible for the handling of data assets. Whereas the former, data-related failures have had some coverage in the literature, little is known about the latter, function-related failures. We apply an event study analysis with a well-balanced data set of IT operational failure events that occurred in U.S. financial service firms over a 25-year period. We find that function-related events have a substantially larger negative wealth effect than data-related events, and that firm characteristics such as firm size and growth potential greatly influence the degree of wealth effect. We conclude with important implications for practice and research.
Keywords: IT Risk, Operational Risk, IT Security, Event Study.
As information technology (IT) systems are increasingly embedded in business processes, failures of these systems are exposing organizations to significant economic losses. The following are examples of such failures:
1. In August 2008, HSBC Bank suffered a failure of its core banking computer system due to a corrupted disk in its Amherst data center, resulting in four million customers experiencing a significant interruption in services for nearly a week.
2. In June 2005, more than 40 million credit card accounts at MasterCard International were compromised due to a computer security breach.
3. United Airlines suffered a shutdown of a mission-critical system in 2007 that caused the cancellation of more than 20 flights and the delay of 250, resulting in an overall loss exceeding $10 million.
4. EBay's servers crashed in 1999, costing the company $2 million a day in losses.
The above failures are manifestations of what we term IT operational risk. The Basel Committee on Banking Supervision (BCBS) defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events" (BCBS, 2001, p. 2). While given for use by financial firms, this definition is equally applicable to non-financial firms. IT operational risk is a specialized subset of operational risk and centers around potential failures in operational IT systems and/or business processes that they support.
The main objective of this paper is to theoretically investigate and empirically examine the impact differences of two broad classes of IT operational risk events. The distinction we make between the two classes is motivated primarily by the fact that extant research has focused on one class while being virtually silent on the other. We characterize these classes here and will define them formally later. At the core of our distinction is the recognition that an IT system comprises functional IT assets (hardware, software, telecommunications, end-users, system operators, and system management procedures), which are responsible for creating, processing, transporting, and storing data assets. For the purpose of this study, we distinguish between the following two classes of IT operational risk events.
Class 1: IT operational risk events that result in disclosure of confidential data assets to unauthorized parties, misuse of data assets, or destruction of data assets. …