Via The Carnival of the Capitalists, I found a series of posts (Thinking WiKID Thoughts, Emergent Chaos, Financial Cryptography 1, Financial Cryptography 2) about a study on "the economic cost of publicly announced information security breaches." According to WiKID, the study says "that a firm suffering a breach of 'confidential information' saw a 5% drop in stock price."
It's hardly much of a surprise that a public release of bad news causes the stock price to go down. Every CEO of a publicly traded company knows this, and it's a basic rule of efficient markets that stock prices adjust to reflect new information about a company.
But I also feel that this study is yet another example of IT propaganda. The IT industry is always trying to convince those outside of IT that IT matters, that if you don't spend enough money on IT it will hurt your company.
But most of us are not convinced. IT is not a profit center; it's a cost center. Once your IT department grows past the minimum size needed to maintain your company, additional money spent on IT is a loss. But IT is always trying to shake down extra unnecessary money in order to bleed away profits.
I really can't recall reading any company news releases about IT security breaches, but I certainly recall reading news about companies writing off tens of millions of dollars after an "investment" in new enterprise software failed and was abandoned.