Reputation Damage & Measurement


  • Reputation damage can be one of the most difficult concepts to build measurements around.  In fact, it can be difficult to develop the actual metrics for the measurements, as well.  Damage to things like “corporate reputation” and “goodwill” and “brand equity” can be difficult to wrap even reasonable dollar estimates around.  (When I use FAIR, I really only care to use one metric when describing loss magnitudes – the almighty currency.)

    A complicating factor is the impact (or lack thereof) of incidents on stock price.  Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bellwether metric for incident impact.  I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!”  But these days notable incidents seem to suggest that the impact of an incident on stock price is short-lived.  With qualifications, of course.

    So what would/should we make of this from Money.co.uk?

    £12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients

    Car hire firm Helphire have taken Google to court after a malicious email sent from a Gmail account saw their shares plummet £12million in a single day.

    The Bath-based business who specialise in providing replacement cars to ‘no-fault’ drivers involved in accidents on behalf of car insurance companies, initiated legal proceedings against the search engine giant as part of their attempt to find out who is responsible for sending the defamatory mailing.

    Google are now known to have complied with the court order and have controversially supplied details of the email account and ISP used by the meddler.

    Written under the pseudonym Peter Franks, the 1200 word email is known to have been sent from a gmail account that was opened specifically for this purpose and closed a few minutes after the damage had been done…

    …The misdemeanour couldn’t have come at a worse time for the struggling firm who have undergone a £45million rights issue and seen a 75% drop in the value of their stock already this year.

    That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases.  It’s like when you read the headlines from Bloomberg about why the day’s stock (or commodity) prices are up or down.  You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines.  You really do have to question the causality and correlation.  So in the Helphire case above – is this new drop in stock really because of the email sent?  If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated by the long-term trend of the stock price?

    Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement – about the future, present or past.  The best we can do is use ranges and distributions that are reasonable based on evidence and observation.

    So it’s worth filing away this sort of datum for future use – while dutifully acknowledging the qualifiers we might place around it.

    So the questions I ask here – what should we make of this new information, and how should we view the $24million drop – they’re not rhetorical.  I am very interested in your views and welcome your comments!


  • 12 comments

    1. James Arlen Aug 22

      Alex,

      I think that the impact of security errors or breaches on reputation has significantly changed over the last 5 years.

      Without making any attempt to cite sources, compare and contrast some of the early breach notifications (those which caused California SB1386) to the recent TJX issue. Big difference. TJX is doing better today than prior to the breach.

      My suspicion is that like with so many other aspects of humanity, the increased tempo of breach notifications has created an implied “Everyone’s Doin’ It” mentality amongst the group which generates the reputation.

      Loose mores?

    2. Alex Aug 22

      @James – That’s kind of where I’m at in my thinking. Right with the no attempt to cite sources and such.

    3. How to Get Six Pack Fast Apr 15

      The topic is quite hot on the Internet at the moment. What do you pay attention to when choosing what to write ?

    4. Neil HB Mar 22

      Cheers Alex

      This is such an important area as it goes to the heart of many of the questions that those interested in how we think and what we do pose to us.

      I agree very much with your illustration. For Jack’s Bald Tire scenario it’s like the rope has snapped and the tire is heading to the ground but on the way it happens to strike a small rocky outcrop. This mid-fall impact may or may not (depending on size, angle etc.) do little to affect the overall fall and consequent ‘terrain interface event’.

      An interesting WP from Templeton College Oxford “Impact of Crisis on Shareholder Value” (Rory Knight and Deborah Pretty) some years ago (1995-OMG I’m Old) used some complicated algorithms to attempt to determine the effect of untoward incidents on share price.

      Because most security professionals think of Risk Management almost exclusively in terms of mitigation, the natural option is to try to determine which controls would/could be used to prevent incidents that result in damage to reputation. My approach is though that the complexity of understanding/measuring the indicators that relate to reputational harm is such that thinking in mitigation mode is not always going to cut the mustard.

      In this case, one must employ risk transfer using selective insurance.

      Of course, organisational controls in the form of responsive controls (incident management plans) are a must.

      Neil HB

    5. buy hip hip instrumentals Jul 20

      Hi to all, how is the whole thing, I think every one is
      getting more from this web page,and your views are nice for new visitors.

    6. Overdrive Strategies Sep 23

      Spot on with this write-up, I seriously think this amazing
      site needs a great deal more attention. I’ll probably be back again to read through
      more, thanks for the info!

    7. Mandy Oct 2

      ya, ok, all this just hurts my head. What the heck did I just read. Now I have to read it again.

    8. Used Cars West Palm Beach Oct 4

      I visit everyday some websites and blogs to read content, except this
      website offers quality based content.

    9. Latoya Oct 20

      Unquestionably believe that which you stated. Your favorite justification seemed to be
      on the web the simplest thing to be aware of.

      I say to you, I certainly get annoyed while people think about
      worries that they plainly don’t know about. You managed to
      hit the nail upon the top and defined out the whole thing without having side-effects, people can take a signal.

      Will probably be back to get more. Thanks

    1. You Don’t Own Your Reputation
    2. RPM Data Security » Blog Archive » Who Own’s Your Reputation
    3. Definition of Risk Management and Damage to Reputation | Lumina | Can reputational risk be assessed or do you have to wait for the damage to occur?
