Impact of CISO Appointment Announcements on the Market Value of Firms

Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields.