An Event Study Analysis of the Economic Impact of IT Operational Risk and Its Subcategories

By Goldstein, James; Chernobai, Anna et al. | Journal of the Association for Information Systems, September 2011 | Go to article overview

An Event Study Analysis of the Economic Impact of IT Operational Risk and Its Subcategories


Goldstein, James, Chernobai, Anna, Benaroch, Michel, Journal of the Association for Information Systems


Abstract

Organizations' growing exposure to IT operational risk, or the risk of failures of operational IT systems, could translate into significant losses. Despite this, there are notable theoretical and empirical gaps in the literature on IT operational risk. We propose the "resource weaknesses" framework, which extends the resource-based theory of the firm, as a theoretical lens for investigating IT operational risk and its impacts. We also theorize about and empirically examine the impact differences of two categories of IT operational failures: ones resulting in the disclosure, misuse, or destruction of data assets, and ones resulting in the loss of availability or the mis-operation of functional IT assets responsible for the handling of data assets. Whereas the former, data-related failures have had some coverage in the literature, little is known about the latter, function-related failures. We apply an event study analysis with a well-balanced data set of IT operational failure events that occurred in U.S. financial service firms over a 25-year period. We find that function-related events have a substantially larger negative wealth effect than data-related events, and that firm characteristics such as firm size and growth potential greatly influence the degree of wealth effect. We conclude with important implications for practice and research.

Keywords: IT Risk, Operational Risk, IT Security, Event Study.

(ProQuest: ... denotes formulae omitted.)

1. Introduction

As information technology (IT) systems are increasingly embedded in business processes, failures of these systems are exposing organizations to significant economic losses. The following are examples of such failures:

1. In August 2008, HSBC Bank suffered a failure of its core banking computer system due to a corrupted disk in its Amherst data center, resulting in four million customers experiencing a significant interruption in services for nearly a week.

2. In June 2005, more than 40 million credit card accounts at MasterCard International were compromised due to a computer security breach.

3. United Airlines suffered a shutdown of a mission-critical system in 2007 that caused the cancellation of more than 20 flights and the delay of 250, resulting in an overall loss exceeding $10 million.

4. EBay's servers crashed in 1999, costing the company $2 million a day in losses.

The above failures are manifestations of what we term IT operational risk. The Basel Committee on Banking Supervision (BCBS) defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events" (BCBS, 2001, p. 2). While given for use by financial firms, this definition is equally applicable to non-financial firms. IT operational risk is a specialized subset of operational risk and centers around potential failures in operational IT systems and/or business processes that they support.

The main objective of this paper is to theoretically investigate and empirically examine the impact differences of two broad classes of IT operational risk events. The distinction we make between the two classes is motivated primarily by the fact that extant research has focused on one class while being virtually silent on the other. We characterize these classes here and will define them formally later. At the core of our distinction is the recognition that an IT system comprises functional IT assets (hardware, software, telecommunications, end-users, system operators, and system management procedures), which are responsible for creating, processing, transporting, and storing data assets. For the purpose of this study, we respectively distinguish between the following two classes of IT operational risk events.

Class 1: IT operational risk events that result in disclosure of confidential data assets to unauthorized parties, misuse of data assets, or destruction of data assets. …

The rest of this article is only available to active members of Questia

Already a member? Log in now.

Notes for this article

Add a new note
If you are trying to select text to create highlights or citations, remember that you must now click or tap on the first word, and then click or tap on the last word.
One moment ...
Default project is now your active project.
Project items

Items saved from this article

This article has been saved
Highlights (0)
Some of your highlights are legacy items.

Highlights saved before July 30, 2012 will not be displayed on their respective source pages.

You can easily re-create the highlights by opening the book page or article, selecting the text, and clicking “Highlight.”

Citations (0)
Some of your citations are legacy items.

Any citation created before July 30, 2012 will labeled as a “Cited page.” New citations will be saved as cited passages, pages or articles.

We also added the ability to view new citations from your projects or the book or article where you created them.

Notes (0)
Bookmarks (0)

You have no saved items from this article

Project items include:
  • Saved book/article
  • Highlights
  • Quotes/citations
  • Notes
  • Bookmarks
Notes
Cite this article

Cited article

Style
Citations are available only to our active members.
Buy instant access to cite pages or passages in MLA, APA and Chicago citation styles.

(Einhorn, 1992, p. 25)

(Einhorn 25)

1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

Cited article

An Event Study Analysis of the Economic Impact of IT Operational Risk and Its Subcategories
Settings

Settings

Typeface
Text size Smaller Larger Reset View mode
Search within

Search within this article

Look up

Look up a word

  • Dictionary
  • Thesaurus
Please submit a word or phrase above.
Print this page

Print this page

Why can't I print more than one page at a time?

Help
Full screen

matching results for page

    Questia reader help

    How to highlight and cite specific passages

    1. Click or tap the first word you want to select.
    2. Click or tap the last word you want to select, and you’ll see everything in between get selected.
    3. You’ll then get a menu of options like creating a highlight or a citation from that passage of text.

    OK, got it!

    Cited passage

    Style
    Citations are available only to our active members.
    Buy instant access to cite pages or passages in MLA, APA and Chicago citation styles.

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn, 1992, p. 25).

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn 25)

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences."1

    1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

    Cited passage

    Thanks for trying Questia!

    Please continue trying out our research tools, but please note, full functionality is available only to our active members.

    Your work will be lost once you leave this Web page.

    Buy instant access to save your work.

    Already a member? Log in now.

    Oops!

    An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.