The Long-Run Impact of Information Security Breach Announcements on Investors’ Conﬁdence: The Context of Efﬁcient Market Hypothesis

: Information and communication technologies (ICTs) are the cornerstone for sustainable development, but if they are not appropriately managed, they will impede progress towards the United Nations Global Sustainable Development Goals. Among undesirable impacts, emphasis must be put on the risk of information security (ISec) breaches, as they pose a potential threat to businesses there. Especially for publicly traded ﬁrms, they could create a long-lasting inﬂuence on their ﬁnancial performance and, thus, stock investors’ conﬁdence. Following the efﬁcient market hypothesis’s footsteps, previous studies have examined only the short-run impact on investors’ conﬁdence ensuing to ISec breach announcements. Therefore, this study investigates the long-run impact of ISec breach announcements on investors’ conﬁdence. Based on a sample of 73 ISec breach announcements during 2011–2019, this paper examines the impact on investors’ conﬁdence, as demonstrated by long-run abnormal returns and equity risk of those ﬁrms. Using a one-to-one matched sampling approach, each ﬁrm’s performance is analyzed with its control ﬁrm over eighteen months, starting six months before the announcement, through twelve months after the announcement. Firms experienced a signiﬁcant negative abnormal return of 15% to 18% during the twelve months following the breach announcement. In comparison, equity risk increased by 11% within six months before and after an announcement. This study can help investors, managers, and researchers better understand a long-term relationship between ISec breaches and investor conﬁdence in the context of efﬁcient market hypothesis.


Introduction
In an attempt to accomplish many of the Sustainable Development Goals (SDGs) adopted by the United Nations General Assembly in September 2015, as SDG 9 ("Industry, Innovation and Infrastructure Development") and SDG 17 ("Revitalize the Global Partnership for Sustainable Development"), the adoption and development of information and communication technologies (ICTs) is essential for businesses and, from a macro-economic perspective, is crucial. Indeed, ICTs can link individuals and organizations, encourage inclusive and sustainable industrialization, facilitate knowledge sharing and creativity across sectors [1][2][3][4]. Hence, digitalization is gradually being demonstrated as a crucial element for sustainable development for these reasons [5,6].
Safety and security are crucial within cyberspace for innovations to deliver their developmental impact effectively. In other words, ICTs can accomplish the 2030 SDGs of the United Nations, but at the expense of information security (ISec) risk management [2,3,7]. A Harvard's business review defines ISec breach as "an event in which important, secure or confidential data is accessed [8], manipulated or used by a nonauthorized person [9]". The victimized company has to deal with losses (e.g., loss of reputation and trust) and various litigations. Illegally accessing passwords, the manipulation of data, the shutdown of computer facilities, modification, and stealing of computer software are examples of breaches of data and violation. According to a global survey report by Ponemon [10], the number of security breaches suffered by firms has increased gradually from an average of 130 breaches in 2017 to 145 breaches in 2019.

Impact on Investors' Confidence
A firm that suffers an ISec breach will have to bear the tangible and intangible costs after such an event [11][12][13]. Tangible costs are the costs for labor, material, and services incurred in fixing the damage to information assets and failure to earn extra profits. In comparison, intangible costs incorporate the loss of trust and confidence of business stakeholders, including the investors in the stock market. Measuring such an effect on investors' confidence is a challenging task. Therefore, various studies have measured the loss in investor's confidence using theory for Efficient Markets [11,[14][15][16][17][18][19][20]. In most of these studies, the negative impact was witnessed on investors' confidence manifested by negative abnormal returns. These studies were underpinned by the "Semistrong Efficient Market Hypothesis" (EMH) [21,22], according to which stock prices adjust quickly to all new information. Accordingly, the short-run examination of the ISec breach event has been performed in these studies by analyzing the stock price behavior (i.e., from few days before an event to few days after an event), exhibiting an immediate analysis of investors' confidence. While the short-run analysis helps get the market's quick reaction to an event announcement, it is imperative to explore the long-run analysis to estimate a more realistic economic impact of a breach announcement. Studies addressing this problem are unclear whether an ISec breach will affect the long-run confidence of investors.

Long-Run Impact on Investors' Confidence
According to the Global Cost of Data Breach Report [10], the time to identify and contain a data breach has been continuously increasing, from 257 days in 2017 to 280 days in 2020, with estimated response costs ranging around $1 million for each firm. The announcements such as ISec breaches indicate that the firms are reluctant to disclose complete details of a breach on their first announcement. In recent times, we have witnessed events of ISec breaches where the details concerning a breach are disclosed months after the first breach announcement. For instance, in July 2019, Equifax was penalized with US$ 700 million by the Federal Trade Commission and Consumer Financial Protection Bureau, ensuring an enormous data breach in 2017. From the investors' perspective, they will probably have a close watch on subsequent disclosures and announcements by the firm concerning an ISec breach announcement that can influence their investment decision making. Hence, an ISec-event's impact, especially concerning investors' confidence, cannot be judged only by analyzing the announcement effect. Especially in cases where the announcement and economic impact vary.
Second, market efficiency hypothesizes that the stock price movement ensuing to the announcement of an event will not be abnormal. Nevertheless, as per the studies on the revamped shape of EMH, the impact of new information on the stock market is not fully exhibited at the time of announcement [23]. Few studies have suggested that a declaration of an event would result in a slow shift in the share price and subsequent abnormal returns. Although there is an extensive argument concerning the methodology [23,24], it is vital to estimate the post-announcement abnormality to analyze a more wide-ranging impact of an event.
Considering the above arguments, probably, the abnormal effect of the ISec breach announcement by a listed firm can have a meaningful impression on future cash flows, the required rate of return, financial distress, and credit rating. All these concerns will be Sustainability 2021, 13, 1066 3 of 27 manifested in investors' confidence in the long run as well. Overall, it can be hypothesized that the ISec breach announcement might lead to abnormality in long-run indicators of investors' confidence in the stock market, such as long-run abnormal returns and the equity risk. To the best of our knowledge, the literature did not discuss the long-term effect on investors' confidence following an ISec breach.

Impact on Long-Run Abnormal Returns
Examining the stock price behavior and subsequent stock returns is one of the proxies for investors' confidence is crucial because they reflect current, expected future costs and risks associated with a particular ISec-event from the investor's perspective [25]. It is also crucial to the affected firm's management teams because stock price reflects the firm value, which indicates the overall strength and health of a company. These factors are critical in determining factors such as the firm's future cost of capital, credit ratings, employees' and manager's compensation, management team's firing decision. Most importantly, publicly traded companies' management teams are hired to represent the owners, who are the shareholders. Hence, an increase (decrease) in share price often indicates the increasing (decreasing) investors' confidence in the firm's future cash flows.

Impact on Equity Risk
Another proxy for investors' confidence has been the firms' equity risk as an announcement of an ISec breach might influence it. After such an unfavorable announcement, stock price changes might result from an abnormality in forecasted risk or volatility in future cash flows [26]. Thus, change in future cash flow expectations can affect the overall equity risk of the firm. As per the author's best knowledge, previous studies have yet to explore ISec breaches' impact on equity risk.
Understanding the impact of ISec breaches on equity risk is noteworthy because adjustments in equity risk expectations can meaningfully affect the firm and its stakeholders, especially the investors [27,28]. Consequently, investors may expect a higher return, which can augment the firms' cost of capital and lowers the appeal of firms' equity. There will be higher financial distress costs and lowered ratings from credit rating agencies with a higher capital cost. Hence, equity risk changes have wide-ranging economic consequences; it is vital to comprehend the impact of ISec breaches on equity risk. This article uses equity volatility to measure the overall firm risk, calculated as the standard deviation of equity returns. Equity volatility is a widely used business risk measure by academics and practitioners alike.
Considering the alarming rise of ISec breach incidents, ISec breach announcements are expected to create a long-run negative influence on investors' confidence in a listed firm. An unfavorable abnormality might manifest that influence in its long-run stock returns and equity risk (stock volatility). Thus, the research question of this study will be as follows: What is the long-run impact of the ISec breach announcement on investors' confidence?
Likewise, the study aims to achieve the following research objectives (RO): To evaluate the long-run impact of ISec breach announcements on abnormal returns of breached firms.

RO 2 :
To evaluate the long-run impact of ISec breach announcements on the equity risk of breached firms.
The next section reviews the literature on the influence of ISec breach on investor confidence and why it is imperative to study both the long-run stock price effects and the firms' equity risk. Section 2 also highlights the theoretical foundations underpinning this research. Based on that, Section 3 exhibits the development of the hypothesis and conceptual framework of this study. Section 4 describes the methodology for forecasting the long-run confidence of investors. Section 5 presents the long-run impact of investors' confidence, as demonstrated by long-run abnormal returns and equity risk. Whereas the theoretical and practical implications of this study will be encapsulated in Section 6 along with limitations and future research opportunities in this domain.

Literature Review
One priority issue concerning information events has emerged in the wake of more pervasive Internet technology: How can organizations effectively measure the damages from breaches in ISec? Several extensive private sector reports, such as the Computer Security Institute/Federal Bureau for Inquiry (CSI/FBI) and Computer Emergency Response Team (CERT), have been available. However, they have not investigated the incident's influence on the financial structure of a firm. Furthermore, many companies tend to reveal incident information because reporting by the media of their flaws in ISec would lead to customer complaints and overreactions.

Efficient Market Theory and Studies on Short-Run Impact
It is not easy to gather incident data and address the standardized way of measuring its impact. Such phenomena were traditionally explored through the methodology of event studies in previous research. This methodology has been well established in finance, accounting, and management. It offers a statistical mechanism to assess an efficient market hypothesis by tracking and evaluating significant stock value changes in the postannouncement period. Likewise, in information systems (IS) fields, event studies are now a proven instrument for studying the market responses to numerous IT-related events, such as IT expansion, electronic commerce ventures, or creating a new organizational position as a Chief Information Officer (CIO). As ISec is becoming more critical to organizations, the methodology for event research has also become a useful technique for assessing security incidents' influence on firm values and investors' confidence. Studies have employed this methodology to investigate favorable ISec-events, such as IT security investment announcements by firms [39] and ISec certification [36], as well as unfavorable security events such as a denial of service (DoS) attack [11,17,40,41] virus attacks [42] and software vendor vulnerability announcements [43]. While some researchers have explored the impact on breached firms' stock returns in the light of various types of ISec breaches [11,16,42,44]. Our research may only concentrate on one sort of incident: data misuse involving illegal information access. Even though some studies are conducted to explore the effect of ISec breaches on firm value, the outcomes were inconclusive together.
For instance, a significant negative abnormal return of −3.8% was observed by Reference [45], using a three-day event window when they analyzed the stock return of 22 breach events between 1999 and 2002. Research by Reference [15] indicates a substantial adverse market reaction to a sample of 43 events between 1995 and 2000. Their analysis was based on a two-day event window, following ISec breaches involving unauthorized access to sensitive information. However, they also confirmed that the breaches did not cause a significant market response if the breach did not involve the compromise of confidential information.
A statistically significant abnormal return of −2.1% with two-day event windows [11] of 66 breaches from the 1996-2001 study was reported. Reference [46] finds an abnormal return of −0.4 percent, but still statistically meaningful at day zero, for a study of 79 breaches from 2000 to March 2006. An analysis by Reference [47] reveals statistically significant abnormal returns of −0.23% in the one-day event window of 152 breach samples from 117 firms between 2000 and 2007. Their research also reveals that the magnitude of negative abnormal returns will be higher if the breach involves a compromise of employees' data rather than clients' data. The study by Reference [48] of the six data thefts between 2011 and 2012 revealed that the compromised firm's share price had decreased significantly. They recorded that the negative yields are seen on a ten-day event window.
Although the studies mentioned above recorded significant adverse outcomes, other studies have argued differently. For example, Reference [17] studied 72 firms that have suffered confidential information breaches from 1997 to 2003 and found statistically insignificant results during an announcement window (−1, 2). Likewise, in Reference [49], an analysis of 58 ISec breach incidents between 1994 and 2006 found statistically negligible findings for a one-day to five-day incident duration.
Among all event studies on ISec, the current paper is compatible with those scholarly works which have inspected the impact of the ISec breach on the stock market. Table 1 depicts the list of those studies and the time frame, event size, event window, model used, and the main findings. It can be elucidated from most of the studies that the ISec breach will have a significant unfavorable influence on the confidence of investors as signaled by negative abnormal returns within one or two days of the breach announcement.
All these systematic research works have based only on the short-run impacts of breaches while only anecdotally exploring the long-run implications of ISec breaches. For instance, Reference [50] investigates the element of insider trading, ensuing to an announcement of ISec breach by employing a 41-day event window, which covers 258 ISec breaches. Even though they have reported a negative −1.44% stock losses, the time-span used was relatively short for representing firms' long-run market value.

Studies on Long-Run Impact
It is essential to understand first the significance of long-lasting influence before investigating the impact of ISec breach on a firm's long-run market value. As stated, the methodology of event study has been extensively used in the finance literature. It has been widely used to research how mergers, acquisitions, stock splits confront firms. All these activities demand a firm's long-run appraisal. For instance, stock returns' long-run performance after the merger and acquisition was investigated by References [51][52][53][54]. Among these studies, Reference [51] observed an abnormal 10 percent negative returns over the five years after the merger. References [55][56][57][58][59] used the event study methodology to analyze the influence on the long-run valuation of the firm of the dividend policy occurrence. The long-run impact of the dividend payment on the share price of a company has been studied by References [55,59] with a long-run view of one to three years. The study by Reference [59] used the one-to-three-year long-run Buy-and-Hold Abnormal Returns (BHARs) model to examine the long-run effect on the firm's stock price of corporate dividends and dis-issue announcement incidents. Research by Reference [56] analyzed treasury implementation announcements and recorded an average long-run abnormal return of 12.1 percent over a four-year study period. The event study methodology has also been employed to analyze the long-run outcome on the business market value of initial offerings and capital increases [60][61][62][63][64]. Among these, Reference [61] advocates that the effect of stock listing on the market values of the United States (US) firms were studied one to three years after the declaration of the event.      The review of existing works reveals that the implications of events for the firm's long-run prospects, especially investors' confidence, have become a common concern for researchers. Long-run effects have been mostly explored with the BHAR model, one to three years after the incident. Within the information management avenue, the BHAR model was used to address the long-run value of the company about the impact of Capability Maturity Model [93], Enterprise Resource Planning, Supply Chain Management, and Customer Relationship Management [94,95]. As far as we know, the impact of an ISec breach on the company's long-run market value has not yet been researched in the avenue of ISec. This research is foremost to investigate the effects of the ISec breach on the investor's confidence in the long-run. Consequently, it is of great significance to conduct empirical research in this regard.
The term "long-run investors' confidence" itself is a function of the "long-run market value", which is the degree of change in stock price from one to three years after the event. Investors' confidence is a function of the scenarios prevalent around an event announcement, lasting for some time after an event [96]. Likewise, the event of an ISec breach can have a long-lasting impact on the firm's financials and, eventually, investors' confidence. However, most scholars have narrowed their findings to a short-run impact of ISec breach on investors' confidence.
To the author's best knowledge, a recent study by Reference [92] has been the only study that has addressed the long-run impact on investors' confidence ensuing to ISec breach. In their study, breached firm's market performance was analyzed over one to three years by employing a traditional Buy-and-Hold Abnormal Returns (BHARs) model. Using a sample of 84 firms, they have concluded that the breached firm's market performance, as proxied by long-run abnormal returns, will be negatively influenced by 10% over one year after the breach announcement. Despite being the pioneer study investigating the long-run impact of ISec breach on investors' confidence, their study was not without limitations. First, they have used the traditional event study methodology by comparing the breached firms' performance to that of the market. According to References [97,98], event study methodology makes it impossible to assess the true importance of reported abnormal returns, both in terms of the total economic effect and the test statistics. The prevalence of cross-sectional dependency is the key cause of misspecification since sample firms usually have a time-limit overlapping in long-run market prices. Cross-sectional dependency (positive or negative) contributes to skewed test results. The latest simulations show that one-to-one matching of abnormal returns produces well-specific tests [97,99,100]. According to the one-to-one matching approach, each sample firm's performance is similar to that of a similar matching firm with similar size and prior performance.
Therefore, the present study has employed a more robust and reliable methodology of one-to-one-matched-sampling to examine long-run abnormal returns for such events. Furthermore, this study also examines the impact of ISec breach on another indicator of investor confidence that is "equity risk". The existence of abnormal returns annexed with ISec breaches results from a shift in investors' expectations concerning the future cash flows of a firm that might become volatile, thereby raising the equity risk. Studies investigated how ISec-events influences the confidence of investors, and thus the cash flows of companies. The literature did not answer the effect of ISec violations on equity risk in the best of our knowledge.

Hypothesis Development and Conceptual Framework
The previous chapter elaborates in detail the empirical literature concerning this study, along with a theoretical framework. Based on that discussion, the current section will formulate the hypothesis and conceptual framework for this study.

ISec Breaches and Long-Run Abnormal Returns
The current study examines ISec breaches, which were publicly disclosed by the breached firms. In some cases, it was revealed that firms were announcing the ISec breaches along with earnings announcements. Thus, giving an expression that firms delay such announcements or reluctant to disclose such information more precisely. There could be several factors behind this firm's behavior. First, firms want to control the panic and uncertainty among stakeholders, which is generally created in such situations and can eventually affect the performance of those not affected by a breach. Second, the remedial action after a breach might have already been taken by a firm, and thus there might be no urgency to announce the breach. Third, the firms might want to prohibit their competitors from any significant gain amid the post-breach scenario. Hence, other than the commission's regulatory requirement, there might not be any compulsive need to announce the ISec breach as soon as it occurs.
Despite breached firms' intention to delay the announcement, there could be signs by which ISec breaches can somewhat be anticipated, for example, the firm's webpage might become inaccessible for their customers and other stakeholders, a sluggish Internet browsing, customers might face access issues on the firm's website, pointless popping up of messages at the time of customer's log-in, abrupt changes to system passwords or accounts, and browser warning of errors. Moreover, the concerned users might face infection alarms through antivirus toolkits installed in their systems. Thus, these signals of system malfunction can negatively influence the trust and confidence of customers. Likewise, investors' confidence in the stock market might be influenced, and they might have allocated a likelihood of an ISec breach for the concerned firm. It is also probable that an ISec breach's financial impact might have already incorporated by investors in their stock returns even before the actual ISec breach announcement. Hence, the following can be hypothesized: Hypothesis 1a (H 1a ). In the period before the announcement, abnormal returns of ISec breached firms will be negative.
As regards the pre-announcement period that should be analyzed, the literature has provided limited guidance in this regard. Despite the firms' incentive to postpone the ISec breach's announcement, excessive postponement can influence the firms' credibility and lead to a possible lawsuit from investors. Considering this scenario, we analyzed the six months' pre-announcement stock returns of breached firms.
To fully evaluate the financial influence of ISec breaches, it is also vital to analyze stock price behavior in the post-announce era. Recent studies have also reported statistically unusual long-run stock price reaction ensuing to an event's announcement. Examples include repurchase offers, spin-offs, initiations and omissions on dividends, open market repurchases, stock splits, seasoned equity offerings, shareholder fights, and initial public bidding (see Reference [23] for all such studies).
There is an increasing number of studies showing a slow stock market reaction to new information, a valid reason to study the impact of ISec breaches on stocks in the post-announcement era. ISec breaches can also impact firm financials even after the announcement as consumers and suppliers respond to ISec breaches. Parallel to that, firms are also expected to take remedial measures to resolve ISec breaches. Based on these measures' success, firms might recover from these real losses due to ISec breaches or prevent any of the expected losses. Since these impacts must be part of the quantification of the overall economic impact of ISec breaches, stock returns should be measured over extended timelines ensuing to an announcement. Accordingly, there are equal possibilities of positive and negative returns in the post-announcement period. Our second hypothesis is as follows: Hypothesis 1b (H 1b ). In the period after the announcement, abnormal returns of ISec breached firms will be negative.
As has been the situation with modest expectations, the literature offers no guidance on the optimal time frame for evaluating the post announcements stock returns. The literature has time frames ranging from one to five years. The appropriate timeframe to examine is a function of the event being studied and scholars' lucid preference. After an ISec breach disclosure, we examine stock returns over one year comprising of two intervals of six months each. This will identify the negative effects of ISec breaches and any positive effects due to remedial measures. In general, we analyze the output of stock prices at every six-month interval, starting six months before the announcement through a one year after the announcement.

ISec Breaches and the Equity Risk of the Firm
Another critical matter delved into in this study was the influence of ISec breaches on the firm's risk. Numerous authors have analyzed corporate events' effect on risk by concentrating on equity risk (volatility), as calculated by the standard deviation in the return percentage of the firm's equity, σ e [101][102][103][104]. Nevertheless, the literature has limited evidence on the impact of ISec-events on equity volatility. It is startling because equity volatility for many of the stakeholders is a standard measure of value.
According to traditional asset price theory, equity risk is bifurcated into unsystematic and systematic volatility. It is contended that unsystematic volatility can be minimized and will not impact the capital cost. However, both types of volatilities need to be considered. The first reason is that equity volatility is predicted by a range of theoretical models concerning anticipated stock returns [105,106]. Unsystematic volatility is a risk factor that could affect capital costs, as References [107,108] show; however, Reference [109] argues this claim. Second, a significant portion of a firm's investment cannot be diversified; therefore, managers worry about unsystematic volatility, and this concern can be expressed in their decisions. Third, unsystematic volatility is essential because equity volatility depends on the option's price for a specific stock. Considering the above, this study's secondary emphasis is to evaluate ISec breaches' relationship on overall equity volatility.
Given the significant economic implications of shifts in equity volatility, understanding how corporate events and their opinions influence equity volatility is significant. These comprise stock repurchases [102], primary equity offers [101], CEO turnover [104], quarterly earnings announcements [110], and internal control deficiencies [111]. However, little is documented about ISec's breaches on risks related to the firm's equity. Through understanding the connection between ISec breaches and equity volatility (risk), our research addresses the gap in the finance and information-system literature. Our third hypothesis is, therefore, the following: Hypothesis 2 (H 2 ). Firms with ISec breaches would face an elevated equity risk (σ 2 e ).

Methodology
In the case of ISec breach announcements, there could be a gradual adjustment in stock prices.

Methodology
In the case of ISec breach announcements, there could be a gradual adjustment in stock prices. Therefore, its exhaustive impact on the stock market and, thus, on the investors' confidence cannot be exhibited by the traditional event study methodology as examined by References [13,88]. The methods and estimation techniques we use in measuring the long-run abnormal returns are different from those usually used in event studies when the short-run impact of events is analyzed on the stock market. The event study methodology frequently provides skewed approximations of both the ultimate economic influence and the test statistics [97,98]. Our findings are based on robust and more accurate methods, which were newly established and used frequently in studies other than ISec [95,99,100,[112][113][114].

Sample Selection
The sample data of firms suffering from ISec breaches were extracted from online data sources such as "The Privacy Rights Clearing House, Identity Theft Resource Centre, and Carnage". The quest was carried out between 2011 and 2019 and scanned for announcements that encompass ISec breaches affecting the confidentiality, integrity, and availability of information systems. All ISec breach announcements by a firm should qualify the following in order to remain in our sample: 1.
The firm is publicly listed in any of the stock exchange in US (i.e., New York Stock Exchange (NYSE) or the National Association of Securities Dealers Automated Quotations (NASDAQ).

2.
The firms must have returned information on the Center for Research on Security Prices (CRSP) database.

3.
The firm must trade on at least 80 percent of their trading days within one year before the ISec breach announcement.

4.
The firm did not report any other ISec breach within 18 months of this date of notification.

5.
When the breach occurred on an unlisted subsidiary firm, the parent company was tracked. 6.
The firm must have a book value greater than zero.
Criterion 4 was implemented to prevent duplication of announcements in the same period. We analyze each ISec breach's impact on a period that starts six months before through twelve months after the ISec breach announcement date. Thus, including ISec breach announcements that happened within eighteen months of each other will result in overlapping periods. Similar results counted more than once on the cumulative averages, which could theoretically skew our results.
We gathered our sample data from the sources mentioned in the beginning of this sub-section. A sample of 155 ISec breach events was gathered during 2011-2019 (Table 2). Using the selection criteria discussed above, these samples were then screened for long-run analysis. Due to confounding events in the range of 2 years before and after the ISec breach event, 59 samples were screened out. Furthermore, 19 samples were screened out as they have an overall time frame of less than one year, limiting the feasibility of long-run analysis. Among that, 15 samples of breached events from 2019 were screened out, as sufficient data to conduct a one-year analysis were not available. Lastly, four samples were withdrawn, as they could not meet our inclusion criteria, as discussed in Section 3. An example is breached firms with book values less than zero. In this way, long-run investors' confidence was assessed on a sample of 73 breached firms. Among

Assessing the Long-Run Abnormal Returns
The fundamental issue in long-run stock market studies is forecasting abnormal returns for the concerned firms included in our sample. Abnormal returns are hypothesized. An abnormal return is the difference between a stock return and a comparable benchmark return equivalent to zero over the concerned era. The benchmark is employed in controlling variables to support stock returns. The notion is that whatever appears unknown after controlling for the identified variables is abnormal and linked to the event being addressed. Anything which remains unexplained is known to be abnormal and can be related to the event.
The literature argues about the way long-run irregular returns can be calculated [23,97]. The first problem is the relevant variables to be controlled for calculating abnormal long-run returns. Previous studies on long-run stock valuation have been primarily controlled for its systemic risk (or beta). According to current research, the size, market-to-book ratio, and previous performance are imperative predictors of stock returns [115][116][117]. Therefore, the present consensus appears that abnormal returns have to be determined after controlling size, market-to-book ratio, and previous performance [100].
The second question is to grasp the statistical significance of abnormal long-run returns. Studies by References [97,98] noted that the test statistics of many widely employed approaches are highly flawed, making it challenging to comprehend the real significance of abnormal returns reported. The measurement error's principal cause is the cross-sectional correlation that exists due to overlaid periods between sampled firms, which typically occurs in long-run stock price examinations. Cross-sectional correlation leads to bias test statistics (positive or negative). Recent regression findings indicate that abnormal returns by one-to-one match sampling methodology [97,99] provide well-defined tests.

Buy-and-Hold Abnormal Returns (BHARs) Using One-to-One Match Samples
Our approach was one-to-one matching in which each sample firm is compared to the appropriate control firm having similar size, market-to-book ratio, and prior performance. Then we created two individual samples of one-to-one:

1.
Choose a firm nearest in size to the sample firm from the sample firm's industry (size-matched).

2.
Choose a firm nearest to the sample firm regarding its previous performance from the sample firm's industry (market-book ratio).
This paper provides an estimate of BHARs by daily return statistics as advocated by References [97,99]. BHAR calculation, therefore, requires that the sample firm's and its matched control firm's raw returns be initially compounded over time. Mathematically, we get the following: where BHAR i is the buy-and-hold abnormal return for stock i, R it is the rate of return for stock i on day t, R mct is the rate of return for the matched control firm for stock on day t, and T is the number of days in the period of interest. By summing the abnormal returns of all event samples, divided by the number of event samples (N), the average Buy-and-Hold Abnormal Returns are calculated by using the following expression.
With the updated version of the standard t-test, the statistical value was assessed for results obtained by using the BHAR process. The measurement formula developed by Reference [118] was employed here: where σ 2 i is the variance of firm i, and σ 2 mc is the variance of the matched control firm.

Assessing the Equity Risk
The general approach in assessing the equity risk from the market perspective is by analyzing the volatility of equity stock returns concerning a corporate event. To determine any significant changes in equity risk, studies have analyzed the equity volatilities before and after the event [104,111]. Most researchers measure irregular deviation shifts by utilizing matched control samples to test the equity market and industrial factors.
The expectation that changes in volatility will occur after the report of the ISec violations is justifiable. Moreover, there might probably be some information leakage about ISec breaches prevalent in the market. Besides, the information risk, financial leverage, and operating levers might be effected in the light of ISec breaches. The volatility changes can be compared in the six months before (days −135 to −11) and after the ISec breach announcement (days +11 to +260). Furthermore, the volatility of six months before the announcement (days −135 to −10) should be compared with the volatility within one year (days +10 to +260) after the ISec breach announcement to analyze any significant deviations. The pre-announcement duration (i.e., days −135 to −11) is the period used as a base to evaluate volatility changes. The volatility changes are examined in the post-announcement period to assess if the shift in volatility is transient or irreversible. Volatility in each timeframe is the standard deviation of the regular returns of the firm's portfolio over that time. To predict standard deviations, a minimum of 125 daily returns should be accessible in one year. Standard deviation is a financial, statistical measurement that indicates the historical volatility of that investment compared to the average return.

Standard Deviation
where x i = return on an ith day for a firm's stock, x = the average return in each period, and n = the number of days in the timeline. Most of those papers which examine the impact of corporate events on changes in risk analyze the risk level of sampled firms comparing before and after the announcement date [102,103,119,120]. This strategy may misjudge actual risk adjustments, as certain macro-factor variables may not have anything to do with the event being considered. It might comprise interest rates, investor views, consumer trust, industry, and business world perceptions. It is vital to compare the percentage changes in our sample firms' equity standard deviations to that of the matched control sample to handle these factors. To that end, the same two control samples used to measure the Buy-and-Hold Abnormal Returns by a one-to-one matching approach are used to estimate the changes in equity risk (see Section 4.2.1). These controls match size, matching performance, and matching samples for the industry (Figure 2). For each sample firm, we compare percentage changes in volatility as follows: where xi = return on an ith day for a firm's stock, ̅ = the average return in each period, and n = the number of days in the timeline. Most of those papers which examine the impact of corporate events on changes in risk analyze the risk level of sampled firms comparing before and after the announcement date [102,103,119,120]. This strategy may misjudge actual risk adjustments, as certain macro-factor variables may not have anything to do with the event being considered. It might comprise interest rates, investor views, consumer trust, industry, and business world perceptions. It is vital to compare the percentage changes in our sample firms' equity standard deviations to that of the matched control sample to handle these factors. To that end, the same two control samples used to measure the Buy-and-Hold Abnormal Returns by a one-to-one matching approach are used to estimate the changes in equity risk (see Section 4.2.1). These controls match size, matching performance, and matching samples for the industry (Figure 2). For each sample firm, we compare percentage changes in volatility as follows: Figure 2. One-to-one matched sampling methodology [97].

Mapping of ISec-Events for Assessment of Investors' Confidence
To collect findings over time, we map the calendar to date for each entity's occurrence in our sample. The day of the announcement is day 0, the next day for trade is day 1, and the day before the announcement is day −1, and so on. It is advised to forecast abnormal returns and equity standard deviations for at least 18 months, beginning six months prior to announcements, through two periods of six months each after the ISec breach notification. It consists of 250 trading days each year.
Furthermore, it is contemplated to deduct from both sides a 2-week duration (10 trading days) while measuring abnormal changes in stock returns and equity volatility. It is advised to ensure that our assessments of investors' confidence cannot be unduly influenced by the unexpected trading practices that may occur around the announcement date. That is expected to give a more exact picture

Mapping of ISec-Events for Assessment of Investors' Confidence
To collect findings over time, we map the calendar to date for each entity's occurrence in our sample. The day of the announcement is day 0, the next day for trade is day 1, and the day before the announcement is day −1, and so on. It is advised to forecast abnormal returns and equity standard deviations for at least 18 months, beginning six months prior to announcements, through two periods of six months each after the ISec breach notification. It consists of 250 trading days each year.
Furthermore, it is contemplated to deduct from both sides a 2-week duration (10 trading days) while measuring abnormal changes in stock returns and equity volatility. It is advised to ensure that our assessments of investors' confidence cannot be unduly influenced by the unexpected trading practices that may occur around the announcement date. That is expected to give a more exact picture of investors' confidence in the long-run. It is fair to expect that there will be immediate changes in investors' confidence ensuing to notification of ISec breaches. It is also conceivable that the market will prevail over whether ISec breach announcements are likely to occur for a firm.
Moreover, ISec breaches may, in the period before the disclosure, have already impacted stock prices, and thus, the investors' confidence. Therefore, before the actual announcement, abnormal changes may occur (Figure 3). In the following three periods of six months each, we degree Buy-and-Hold Abnormal Returns and standard deviation from daily stock returns: prices, and thus, the investors' confidence. Therefore, before the actual announcement, abnormal changes may occur (Figure 3). In the following three periods of six months each, we degree Buy-and-Hold Abnormal Returns and standard deviation from daily stock returns: • Six months pre-announcement: trading days −135 to −11, • Six months post-announcement: trading days 11 to 135, • Twelve months post-announcement: trading days 136 to 260.

Results
The current paper has analyzed the long-run impact on the confidence of investors ensuing to ISec breaches that occurred from 2011 to 2019. Abnormal returns and equity risk demonstrates the investors' long-run confidence. This study's principal objective was to explore whether the announcement of ISec breaches influences the long-run confidence of investors. Table 3 presents statistics on the sample based on the most recent fiscal year completed before the date of the ISec breach announcement. The mean (median) observation represents a firm with annual sales of nearly $52,495 million ($21,285.6 million), total assets of $501,915.3 million ($60,850 million), and net income of $6127 million ($2887 million).
This section depicts the results of abnormal returns and abnormal equity standard deviations for our sample firms matched with their respective control firms. Using a one-to-one matching approach, stock returns and standard deviations were matched to an appropriately chosen control firm.

Results
The current paper has analyzed the long-run impact on the confidence of investors ensuing to ISec breaches that occurred from 2011 to 2019. Abnormal returns and equity risk demonstrates the investors' long-run confidence. This study's principal objective was to explore whether the announcement of ISec breaches influences the long-run confidence of investors. Table 3 presents statistics on the sample based on the most recent fiscal year completed before the date of the ISec breach announcement. The mean (median) observation represents a firm with annual sales of nearly $52,495 million ($21,285.6 million), total assets of $501,915.3 million ($60,850 million), and net income of $6127 million ($2887 million). This section depicts the results of abnormal returns and abnormal equity standard deviations for our sample firms matched with their respective control firms. Using a one-to-one matching approach, stock returns and standard deviations were matched to an appropriately chosen control firm.

Evidence of Long-Run Abnormal Returns
As mentioned previously, each sample firm has two different control samples to fit a controller based on proximity in sizes and performance from the same industry. The results can be found in Table 4. Since the findings in the two controls are quite similar, we have focused our discussion on the size-matched control sample in our argument. When sample firms are matched on size, the mean abnormal returns in the period before the ISec breach are 4% positive, but they were not significant. At the same time, 40% of the sample firms experience negative abnormal performance. Therefore, H 1a is rejected. It means that there will have no effect on stock returns before ISec breach announcement. However, in the period after the announcement, i.e., within six months of the announcement, sample firms have negative abnormal returns, with nearly 60% of sample firms having negative abnormal returns. The mean abnormal returns were negative at 15%. These performance levels were significant at 5% level (t-statistic = −3.81). Likewise, significant negative abnormal returns of 18.5% (t-statistic = −4.98) were found in the next six months (i.e., 136 days to 260 days), with 55% of the sample firms experience significant negative abnormal returns. Hence H 1b is accepted. In general, the average abnormal return over eighteen months was −12.5% (t-statistic = −2.97), and nearly 57% of sample companies had negative abnormal returns. The findings are consistent with earlier research [121,122]. The results showed that investors' short-run response did not adequately exhibit the announcement effect and was balanced over the long run. The findings are consistent with earlier research [100,113,121,122]. In the context of information security, results are similar to those concluded by Reference [92]. It can be inferred that investors underestimated the detrimental impact of an ISec breach initially. According to [123], inefficiencies in a market result from arbitrage limitations and information processing bias by investors [124]. Reference [98] also claimed that "continuous behavioral biases can take a long time, and arbitration forces can rectify the mispricing". The findings of this study affirm H 1b that the announcement of a breach has a substantial negative impact on the long-run confidence of investors of breached firms. If investors buy and hold the firm's stock after the incident: In six months, they will suffer a −15% loss; holding twelve months will expand the loss to −18.5%, respectively.

Evidence of Changes in Equity Standard Deviations
To evaluate equity risk on sample firms after an ISec breach announcement, we analyzed the volatility changes in sample firms to a matched control sample firm. Table 5 depicts such statistics using two separate control samples as benchmarking. Abnormal volatility change is then the difference between the percent change in the equity standard deviation of the sample firm and its matched control firm. Abnormal equity standard deviations are depicted in two intervals here. One is the six months before and after the ISec breach announcement. In comparison, other period analyzes the abnormal equity standard deviations that starts six months before the ISec breach announcement to 12 months after the announcement. The estimation of data was based on parametrical as well as non-parametric testing. Likewise, the results for abnormal returns, the outcomes for equity deviations in the two control samples are quite similar; the results of the size-matched control sample are the subject of our discussion.
During the six-monthly pre-and post-announcement period, the average change in equity standard deviations of sample firms compared to control firms was positive. The mean abnormal change in equity standard deviation is 13.5%, significant at 5% (t-statistic = 7.54). In comparison, the median shift in the equity standard deviation is 9.8%, significant at 5% (the Z-statistical figure for the Wilcoxon signed-rank test is 6.93). The abnormal shifts are 58.82% positive and substantially different from 50% at 5% (Z-statistic of the Binomial sign test is 5.03). Accordingly, the parametric and non-parametric measures suggest a substantial rise in equity risk for six months before and after the ISec breach announcement. The higher risk over this duration may have contributed in part to the negative abnormal returns we see over this duration.
When we look at the equity changes for six months before the announcement to twelve months after the announcement, the outcomes are much different. Despite observing positive changes in mean and median during this period, none of those changes were significant at the conventional five percent level (t-statistic = 1.47). For a variety of reasons, this is an exciting outcome. First, it suggests that a considerable rise in equity risk is witnessed when the ISec breaches are officially reported. Second, the spike in standard equity deviations between the six months before and after the announcement is not attributed to a non-stationary range of standard deviations. There were statistically no noticeable differences in standard deviations between six months before and 12 months after the announcement. Finally, there is no temporary rise in equity risk in six months before and after the announcement, since the risk is not decreased in the following months. Firms were encountering a lower level of equity risk before ISec breaches, however. ISec breaches raise the business risk and, thus, the following months' equity risk. Therefore, H 2 is accepted to the extent that the equity risk will stand at a higher level for at least six months after an ISec breach.

Discussion of Findings
This study sought to answer the research question that concerns the long-run impact of ISec breach announcements on the confidence of investors. The study is, therefore, aimed at achieving two research objectives. The first objective aims to evaluate the long-run impact of ISec breach on long-run abnormal returns of breached firms. Grounded on a sample of 73 ISec breaches reported by publicly traded firms during 2011-2019, we examine its long-run impact on investors' confidence exhibited by stock returns over eighteen months, starting six months before the announcement through twelve months after the announcement. Using one-to-one matched sampling methodology, the findings indicated that the breached firm, as compared to its matched control firm, will suffer negative abnormal returns ranging between −15 and −18.5% over a one-year post-announcement period. However, there was no significant evidence as to any abnormal stock returns in the pre-announcement period. The second research objective aims to evaluate the longrun impact of the ISec breach on the breached firm's equity risk. Using abnormal stock returns volatility as a proxy for equity risk, the findings indicated that the breached firm, as compared to its matched control firm, will be confronted with an 11% higher equity risk over six months before and after the announcement. This section puts forward the theoretical and practical implications of these findings in Sections 6.1 and 6.2, respectively. Lastly, Section 6.3 discusses the study limitations and directions for future research.

Theoretical Contribution
This paper looks at the ISec breaches' impact on investors' confidence, as shown by long-run abnormal returns on stock and equity risk. In the area of ISec, several studies have examined the effect of breach events on investors' short-run confidence based on short-run abnormal returns. Whereas few [92] have investigated investors' long-run confidence in such events. Nevertheless, the current study has used a one-to-one matched sampling methodology, which is more robust in analyzing the confidence of investors in the long run. According to this method, results (in our case, long-run abnormal returns and equity standard deviations) of each sample firm is matched with a respective control firm before drawing any noteworthy conclusion. It was revealed that the breached firms would suffer unfavorable consequences, in the form of negative abnormal returns (−18%) and higher equity risk (11%), in the one year after an announcement. In this way, the study is an extension of EMH theory, by advocating that unexpected events can have a long-run impact on the stock market. Therefore, stock prices do incorporate the effect of information not only in the short run but also in the long run.
Our findings exhibited that the long-run abnormal returns will be negative over one year after an announcement. This finding is, to some extent, similar to those concluded by Reference [92], using event study methodology. However, for a few reasons, we believe that the long-run abnormal returns, as observed in the current study, are more compelling and reliable. First, a more robust methodology of one-to-one-matched sampling is employed for long-run analysis. The former computed the abnormal returns through event study methodology in which the sample firms' returns were matched with a benchmark of a market index. There is an influential research group that advocates that size and market-to-book ratio [116] and prior performance [115,117] are major estimators of stock returns. Thus, the sample firms' returns should be matched with similar firms having similar size and performance. Our study has followed the same consensus that abnormal returns should be estimated after controlling for size, market-to-book ratio, and prior performance [99]. Second, the statistical significance of the long-run abnormal returns observed is difficult to interpret. References [97,98] report on the severely misspecified testing statistics from many widely used methods, making it difficult to assess the true significance of observed abnormal returns. The existence of cross-sectional dependence resulting from the overlap between sampling firms seen in long-term stock price studies is a primary cause of misspecification. Cross-sectional (positive or negative) dependence contributes to testing statistics that are skewed. The literature's simulation results indicate that abnormal returns determined using one-to-one matching provide well-specified tests [97,99]. For these reasons, we can claim that the study findings are robust and more accurate than previous research.
This study also examines ISec breaches' impact on firm risk by analyzing the adjustments in equity volatility associated with ISec breaches. Most of the previous studies concentrated on stock price performance and operational performance, ensuing to ISec breaches. This study examines the foremost consequences of ISec breaches on equity risk (volatility). The higher equity risk, as depicted from this study elaborates in part to the negative abnormal returns we see over the six-monthly period after an announcement. Given that stock fluctuations may have substantial effects on the firm and its stakeholder, it is essential to recognize these consequences in designing and implementing overall information systems. Reducing the extent or magnitude of ISec breaches will limit the firm's exposure to the negative impacts of increased volatility. This includes investment in improving new technologies, such as awareness of ISec and the capacity to detect and respond more effectively to ISec breaches. A further theoretical implication of the above findings is that the increased volatility associated with ISec breaches may raise capital costs.
Given that the whole rise in abnormal volatility is expressed in the cost of capital, sample firms' capital expense will rise by 11% compared to the controls. Conversely, this will decrease the equity value of sample firms by 11%. Taking SONY as an example, this reveals that SONY's loss of market value of 293 million dollars a year after the incident and total loss of 937 million two years after the event would result from an ISec breach event. This study's findings indicate that ISec violation incidents have significant adverse effects on the long-run confidence of investors and the long-run valuation of the company. Investors would reevaluate the company's worth in the stock exchange as they face tangible and intangible risks from ISec's breach incidents. This analysis should then be a benchmark assuming that management will consider the quality of investment in ISec in the firm's market valuation more carefully.

Practical Contribution
Our examination of the long-run confidence of investors is practically significant for a few reasons. The estimates based on long skylines are more of value to investors and managers. It furnishes them with a progressively wide-ranging image of the financial ramifications of ISec breaches. By investigating the long-run impact of ISec breaches, we have revealed some insight into the timeline of abnormal stock price performance as far as when it begins, to what extent it keeps going, and whether firms recuperate ISec breaches rapidly. Our results revealed that the event of ISec breach would affect the confidence of investors in the post-announcement period (i.e., from six months to one year). Nevertheless, we do not find any significant abnormality in the confidence of investors in the pre-announcement period. These findings are significant in setting practical anticipations concerning the possible ramifications of ISec breaches.
Second, these findings emphasize the significance of ISec and determine that it cannot be disregarded. Events of ISec breach do not occur unwittingly, and over time, users have a lower level of tolerance for such events. Moreover, the news or media attention exposes the presence of flaws in the firm's ISec, rendering the firm more likely to be the victim of such assaults in the future. ISec breaches are expected to continue and grow further along with the invention of breach techniques. Breached firms are also confronted with legal action risks, charges of litigation, reconstruction, and other expenditures. These all influence investor confidence in the long run, and hence on the stock valuation of the company. For instance, there is a record size of 70 million data files revealed in recent events such as Target's data breach in 2013, with a legal settlement of about $39 million [125]. Likewise, in 2014, Home Depot's data of 56 million elements were breached, resulting in a legal payout of $13 million [126]. Likewise, the case with Equifax is discussed in Section 1.1. From these three large-scale breaches, we can conclude that the effect lasted for at least a year following ISec breaches' disclosure before litigation of the punitive damages for the follow-up. As per the authors' best knowledge, the current study is the pioneer study to explore such a long-run effect. We believe that this study's findings will allow firms to effectively determine the right level of ISec investment to safeguard sensitive data and personal information about their customers.
Lastly, our findings also revealed a higher level of equity risk for breached firms than its matched control firm. The rise in equity volatility resulting from ISec breaches might lead to an increase in the financial and operational leverage of the firm. Accordingly, firms can take counterbalancing measures to reduce financial leverage by issuing additional equity or retiring the debt. Likewise, augmented operating leverage can be neutralized by adjusting the firm's cost structure (lessen fixed or variable costs). Changes in financial and operational indicators can be costly, and the future advantages of reduced stock volatility should be weighed against these costs.

Limitations of the Study and Future Research Directions
In this study, there are certain limitations and future research needs. Despite analyzing sample firms' performance through a one-to-one matching approach, there could still be an endogeneity problem. The matching portfolio approach can further improve future research reliability for forecasting investors' confidence ensuing to an ISec breach.
Second, our sample comes from breached firms listed in US stock exchanges such as NASDAQ, NYSE, and AMEX. The impact of our findings can, therefore, not be applied to other countries' stock exchanges at this point. Furthermore, the most frequent occurrence was in 2014 concerning the sample distribution gathered in this study. Such distribution reduces the number of samples to approximate the different long-run valuation intervals and results in a minimal long-run survey.
Future research can also explore the influence on long-run investors' confidence concerning contingency factors of ISec breach. For example, future studies can examine the impact on investors' confidence in the light of ISec breach contingency factors such as type of breach, firm characteristics, and type of industry. Past studies have found a significant impact of these factors on short-run investors' confidence. It will be interesting to explore how the abnormality in investors' confidence is influenced in the long-run by ISec contingency factors. Future studies can also analyze in detail the long-run impact on investors' confidence ensuing to other types of breach events such as phishing, Advanced Persistent Threat (APT), computer viruses, and DoS attacks. Researchers who are interested in exploring this issue are urged to follow this thread.
Moreover, an extensive research avenue still exists concerning the financial impact of ISec regulations or frameworks being announced by regulators. An attempt has been made by Reference [127] by examining the short-run influence on the firm value ensuing to ISec legislations in the healthcare sector. Likewise, researchers can examine the long-run financial impact of such legislation in other vulnerable sectors such as Internet-based firms and the firms in the financial and energy sector. Perhaps, imposed ISec legislations at one end can provide some long-run assurance of ISec but, on another end, will require hefty investments by firms on account of the system upgrade, employee training and so on. Therefore, it will be exciting to delve into the behavior of investors ensuing in such regulations.
Future studies in this area could be an integration of security breach and security investment event; how the security investment events play their role in mitigating the loss in investors' confidence ensuing to an ISec breach. Likewise, cyber-insurance is an emerging phenomenon. Future research can contemplate the role of cyber insurance as a moderating factor in mitigating the stock losses at the event of a security breach. Likewise, the impacts of ISec-events should be investigated on the firm performance concerning profitability and activity. In general, we have concluded that even though the influence of ISec-events on the stock market is critical, severe, and stimulating, the studies related to it are less in numbers. Therefore, the field is vast and open to applying more sophisticated, innovative, and compelling research methodologies.

Conclusions
This paper addresses the challenges of ISec confronted by firms, which could hurt sustainable economic growth. ISec is a substantial distinguishing factor for firms and is a critical sustainable economic development factor, according to the literature. This article addresses the challenges of information security, especially for publicly traded companies, which could affect sustainable economic growth. Using a sample of 73 ISec breach announcements, the current study examines the long-run impact of ISec breach events on the confidence of investors, as expressed by an abnormality in long-run stock returns and equity risk. We find negative abnormal returns (−15 to −18%), following the twelve months after the announcements of the ISec breach. Furthermore, a rise in equity risk (10%) was also noted for sample firms, compared to their matched control firms in the six-monthly pre-and post-announcement.
The adverse economic effects of ISec breaches and the lack of proof of a successful turnaround reinforce the need to pay careful attention to the threat of ISec breaches. Today, information systems are conceivably more vulnerable to ISec breaches than they were previously. While serious ISec breaches are not common, they can seriously hinder a firm's stock performance and decrease investor confidence in the years ahead. Firms must do whatever they can to avoid significant intrusions of ISec and reduce the extent of the breach of ISec. Moreover, companies must establish the ability to anticipate ISec breaches, including the detection, classification, and oversight of any ISec compliance incidents affecting internal processes, vendors, and customers. Because the harmful effects of ISec breaches are exacerbated when breaches remain undetected, firms must develop the ability to learn earlier and better about ISec breaches and aspire for a time interval of zero between an ISec breach and its identification. Sooner or later, firms must cope with ISec breaches' challenges and strategies to prevent the worsening and degradation of the situation. For this, a systematic approach must be developed to deal with and respond to ISec breaches, with clear identification of liability and resource allocation and learnings from previous ISec breaches, the prediction of ISec breaches, and the prevention of adverse economic impacts of ISec breaches. Traditional approaches to ISec are based on reporting intrusions, i.e., "incident response", after the attack. Nevertheless, a more constructive approach is needed nowadays; in other words, preventive action needs to be put in place. ISec should be viewed as a matter of corporate social responsibility by firms to protect their customers, investors, and sustainable growth.  Data Availability Statement: Publicly available data has been extracted from Privacy Rights Clearing House (PRCH) and were used to analyze the long-run impact of information security breaches. This data can be found at: https://privacyrights.org/data-breaches.