Intraday study of the market reaction to distributed denial of service (DOS) attacks on internet firms.
Rao, Arundhati; Warsame, Mohamed; Williams, Jan L. et al.
INTRODUCTION
Computers have become an integral part of our personal and
professional lives. Some companies in fact conduct all of their business
solely through the use of computers; these firms are referred to as
"internet firms." Denial of access to computer networks even
for a brief period of time can result in a loss of business and can be
devastating to internet firms. Distributed denial of service (DoS)
attacks on internet firms encompass all conditions that deliberately
prevent users from accessing network resources through which the firms
conduct business, including the sale and purchase of products and access
to data for various reasons. The attacks may also go beyond shutting
down websites; they may damage computer software and systems, and
compromise firm and customer data.
During a DoS attack, internet firms lose revenue and also suffer
the consequences of exposure to their inherent "vulnerability"
with permanent loss of future revenue (some customers shy away from
internet businesses after news of a hacker attack). Using eBay as an
example, Duh et al. (2002) show that concern over online security is a
major impediment to the growth of internet businesses. They find that
DoS, privacy, and authentication are three major sources of business
risk for internet firms.
The impact of DoS attacks on market reaction remains questionable.
Several studies have examined the market reaction of such attacks; the
findings, however, are inconclusive. Hovav and D'Arcy (2003) and
Hovav, Andoh-Baidoo and Dhillion (2007) find that the market does not
significantly penalize internet companies that experience a DoS attack.
Ettredge and Richardson (2003), Cavusoglu, Mishra and Raghunathan
(2004), and Anthony, Choi and Grabski (2006), on the other hand, find a
negative market reaction to internet firms that experience web outages.
Each of these studies used an event study methodology and daily returns
data. Telang and Wattal's (2007) examination of the impact of
vulnerability announcements on security software vendors reveals that
these companies do suffer a drop in their stock prices.
The purpose of this study is to further examine the relation
between DoS attacks and market reaction. We build on the study by
Ettredge and Richardson (2003) and examine the effects of the same DoS
attacks at an intraday level using data obtained from the NASTRAQ
database. Using intraday data further allows us to investigate the
extent to which the DoS victim's stock prices are affected and the
related length of time. Additionally, we analyze the impact of DoS
attacks on other firms in the same industry by way of information
transfer. We hypothesize that a DoS victim's stock will trade
heavily; this increase in trading volume will become "news"
resulting in an increase in trading of other stocks in the same
industry. Furthermore, we examine the extent to which a DoS attack
affects the stock price of Internet Security Provider (ISP) firms at an
intraday level.
Our study advances the current literature by using
intraday data. This data is advantageous since the NASDAQ market price
adjusts rapidly to new information on DoS attacks. The NASTRAQ database,
which is intended for academic research, contains trades and quotes for
NASDAQ stocks. The data must be extracted into spreadsheets. This poses
a major difficulty with the large volume of trading data within the
short window of interest in this paper. The seminal paper by Ball and
Brown (1968) shows that the market does not adjust fully to new
information and leads to a post announcement drift. Therefore, we
examine the market adjustment to a DoS attack, on an intraday basis as
trading occurs, and the cost of security in terms of price adjustment to
firms in the industry that have not been attacked. Another significant
contribution of this research will be the study of information transfer
based on trading volume.
LITERATURE REVIEW
The rational pricing and market value of internet firms has been
studied extensively. Schwartz and Moon (2000) find that high growth
rates in revenues appear to justify astronomically high prices of
technology firms during the internet bubble. This finding is reinforced
by Kamstra (2001). He finds that the value of an internet firm can be
determined by revenue, if the revenues are co-integrated with
fundamental value. Lazer et al. (2001) also show that internet websites
with higher traffic rates provide significantly higher returns than
sites with low internet traffic. Therefore, a DoS attack that reduces
the revenue of the internet firm directly by obstructing transactions
and diminishing customer confidence in the firm's trading platform
can have a major impact on its market value.
The market impact of different disclosures by internet trading
firms has been widely analyzed in the accounting and finance literature.
Subramani and Walden (2001) analyze the impact of e-commerce initiative
announcements and find significant positive cumulative abnormal returns
to investors. This result reveals that the market recognizes e-commerce
events as value relevant in determining the market value of internet
companies.
Several prior studies report a negative association between market
value and web outages. Ettredge and Richardson (2003) study this DoS
phenomenon over a three-day period, February 7, 2000 to February 9,
2000, and find that internet firms suffer a significantly negative stock
market reaction even when the firm is not subject to the DoS attack.
They also find that Internet Security Provider firms benefited from
these hacker attack events. Cavusoglu et al. (2004) conduct a
large-scale study on all types of security breaches (not just DoS
attacks) over a seven-year period, 1995-2001. They find a negative
relation between internet security breach announcements and market
value, regardless of the type of security breach. Anthony et al.'s
(2006) study of the stock market reaction to announcements of website
outages further report that internet firms have negative returns when
they experience internet outages.
Other studies, however, report that DoS attacks did not impact
market value. Hovav and D'Arcy's (2003) study of DoS attacks
over a 4.5 year period reveals that while internet firms had negative
abnormal returns during the five days following the announcement, they
were not significant. Hovav, Andoh-Baidoo and Dhillion (2007) further
explore whether various characteristics of security breaches impact
abnormal stock returns. This study examines the type of attackers,
objectives of the attack, the results of the attack, tools used to
attack and the access type. They report that not all attacks have the
same effect on abnormal returns. While the overall end result of the
attack had a significantly negative impact on market reaction, DoS
attacks, a category within end result, did not.
All these studies employ the event study methodology using daily
data. Event studies do not rely on expectations of accounting numbers
but adjust a firm's expected returns to a systematic measure of
risk, such as beta. Studies cited in Kothari (2001) show that short term
event studies are usually consistent with market efficiency. The studies
on market efficiency utilizing event study methodology face a variety of
econometric issues that are summarized in Kothari (2001), such as
expected returns mismeasurement, unusual and correlated samples of
firms' returns, survivorship bias, clustering in calendar time,
bias in the test statistics, model specification (such as the choice
between price and returns models), and the comparison of the information
content of alternative models. The incremental information content of a
particular accounting signal can be analyzed by including a dummy
variable for the accounting signal in a cross-sectional or time series
study.
The event study methodology, as used by Ettredge and Richardson
(2003), is not robust to clustering, which occurs when a significant
number of the events take place within a short period of time.
Harrington and Shrider (2007) also show that a short horizon event study
ignores cross-firm variation in the event effects, thereby inducing a
bias in the abnormal returns. Since DoS attacks by their dissimilarity
and severity will induce cross-firm variations on their effects across
other internet firms, we have expanded the dataset to use intraday data
instead of daily data. Furthermore, in order to overcome these issues
and improve the robustness of the results of the study, we utilize the
portfolio approach.
All of the above methodologies rely on a returns metric to
determine the market impact of the DoS attack. Cready and Hurtt (2002),
however, show that a volume based metric to measure investor response
provides more powerful tests than the measures based on abnormal stock
returns in the event studies. Cready and Hurtt (2002) also show that the
power of a returns based metric test can be improved by incorporating a
trading (volume) based measure. We hypothesize that after a DoS attack
the increased trading volume of the victim's stock will cause
investors to trade other stocks in the same industry. That is to say,
the reaction is to the increased trading volume and not to the DoS
attack event. Therefore, we will conduct additional tests to detect
investor responses based on event day trading volumes.
HYPOTHESIS DEVELOPMENT
In this section, we present the hypotheses that are examined in
this study. First we study the firm effect of a DoS attack. Yahoo
suffered a service failure that lasted nearly three hours when computer
hackers flooded Yahoo's network with a steady stream of data. Yahoo
received nearly one gigabyte of traffic per second for three hours; this
was estimated to be more data than most firms received over a one year
period. This information overload prevented Yahoo from exchanging data
with its customers and effectively shut down their site. While analysts
did not expect Yahoo's revenues to suffer, this DoS attack was more
than merely an inconvenience to the customers. The hackers sent a larger
message that nobody's computer was safe. Unfortunately, this was
just the start of the attacks; eBay and Amazon soon became victims too.
Most DoS attacks are hard to trace, as hackers use several computers to
perpetrate the crime. In most cases, the computer used to cause the
attacks is hijacked through the internet.
If a DoS attack prevents firms from conducting business, the firms
will lose revenue. Knowledge of the DoS attacks may also deter customers
from conducting business online in the future. As such, firm value will
be negatively affected by DoS attacks. Therefore, our first hypothesis
is the following:
$H_1$: The stock price of an internet firm will be negatively
affected by a DoS attack.
Next we explore the impact of DoS attacks on Internet Security
Providers (ISP) firms. DoS attacks draw attention to the vulnerability
of internet firms and raise the demand for increased security on the
internet. The demand for increased security will be predicated by the
services provided by ISP firms. Accordingly, DoS attacks will result in
higher revenue and an awareness of the need for ISP firms. Therefore,
our second hypothesis is the following:
$H_2$: The stock price of an ISP firm will be positively
affected by a DoS attack in the internet industry.
Lastly, we investigate the impact of DoS attacks on market reaction
based on trading volume. If the market is frightened by a DoS attack,
investors will not purchase shares of the attacked firm's stock. On
the other hand, if the market is not frightened by the DoS attack,
investors will hold their stocks rather than sell them. Accordingly,
regardless of the market reaction to the DoS attack, investors will not
purchase additional stocks during the attack period. Therefore, trading
volume will decrease during the attack period. Using intraday data we
expect that unsophisticated investors will react to the DoS attack while
sophisticated investors (larger percentage of investors) will not
immediately react to the attack. Our third hypothesis is the following:
$H_3$: The trading volume of a firm subject to a DoS attack will
decrease during the attack period.
DATA AND METHODOLOGY
Data
The sample for this study consists of the three NASDAQ firms,
Yahoo, eBay and Amazon.com, that experienced DoS attacks during the
period February 7-9, 2000. Of the eight firms attacked during this
period, five were excluded from our study for the following reasons:
three firms were not listed (CNN, ZDNet and Excite), one firm (E*Trade)
was listed on the NYSE, and one firm (Buy.com) went public on the same
day it was attacked. Daily trades, volume and stock prices for February
2000, are obtained from the NASTRAQ database. The time and duration of
DoS attacks in February 2000 and the NASDAQ market's trading hours
are provided in Table 1 below. It is important to note that only the
Yahoo attack took place entirely within the regular trading hours; the
attack on eBay started during the regular trading hours and continued to
the extended hours and later; and the Amazon attack started after the
close of extended trading hours. This small sample size and the
proximity of the attacks limit our ability to control for the market
time in which the attack occurs.
The sample firms examined in this study are unique. Yahoo,
eBay and Amazon are industry leaders, and are much larger than other
firms in the same industry. Due to the uniqueness of the sample firms,
it is difficult to establish a control sample based on firms in the same
industry with similar characteristics, such as market size, sales and
assets. Therefore, to measure abnormal returns we use a control sample
of internet firms that did not experience a DoS attack during the sample
period. Our control sample consists of these same internet firms
examined by Ettredge and Richardson (2003). They found that information
transfer was no different in industries where internet firms were
attacked than in internet industries not attacked. Likewise, we use the
internet firms that were not attacked as the control sample to measure
abnormal returns related to internet security providers. Our control
sample consists of 134 internet firms listed on
www.InternetStockList.com as of July 2000. The control sample was
obtained from Professor Richardson. The internet security provider
sample consists of 10 firms that provide internet security products and
services.
In Table 2 we present descriptive statistics for the DoS attack
sample firms, control firms and internet security provider firms. The
DoS attack firms have mean sales of $817.72 million and mean assets of
$1,635.10 million. The DoS attack firms are significantly larger than
the control firms and the internet security provider firms at the 0.01
level. This is consistent with hackers choosing to attack the large
internet firms. The control firms have larger sales than the internet
service provider firms. However, they are similar in size according to
assets. Additionally, the standard deviations for control firms reflect
a wide range in firm size according to sales (1,098.06) and assets
(1,425.14).
In Table 3 we present the DoS attack firms and control firms by
industry. SIC code descriptions are obtained from the U. S. Department
of Labor Occupational Safety & Health Administration website
(www.osha.gov). Two of the attacked firms are in the catalog, mail order
houses industry (Amazon and eBay). The third DoS attack firm is in the
computer programming, data processing industry (Yahoo). The majority of
internet firms (69.8%) in the control firm sample are in the business
services industry.
METHODOLOGY
We use intraday data to examine investors' reaction to DoS
attacks that completely prohibit internet firms from conducting
business. We examine the market impact of DoS attacks by examining stock
price returns. Returns are calculated as follows:
$$R_{i,t} = \frac{P_{i,t} - P_{i,t-1}}{P_{i,t-1}}$$
where $R_{i,t}$, the return for the attack period, is calculated
as the percentage change in stock price between $P_{i,t}$, the average
price of the first 15-minute interval after the start of the attack and
$P_{i,t-1}$, the average price of the last 15-minute interval of the
attack period.
Portfolio Approach
We use a portfolio approach advocated by Campbell et al. (1993) to
further test the impact of DoS attacks. The main advantages of the
portfolio formation are that unique risk factors are diversified away
and errors caused by the cross correlation of the error terms are
mitigated. This approach estimates abnormal returns by comparing the
return of the DoS sample firm to the average return of a portfolio of
control firms for the same period. Our control sample consists of other
internet firms traded on NASDAQ that were not attacked during the sample
period. We choose these firms to overcome the intraday effects in stock
returns (see Chan, Christie and Schultz (1995)). To further test the
impact of DoS attacks, we also form a portfolio of internet security
provider firms in order to compare their returns to those of the DoS
attack firms.
We estimate abnormal returns for twenty 15-minute intervals before
and twenty 15-minute intervals after the attack to assess the
market's immediate reaction to the DoS attacks. The abnormal
returns are calculated as the return for the DoS attack firm minus the
average return for the control sample firms for the same period based on
the following formula:
$$A_{i,t} = R_{i,t} - E(R_c)_{i,t}$$
where $A_{i,t}$ denotes the abnormal return for the ith 15-minute
interval of day t, $R_{i,t}$ is the sample return for the ith
15-minute interval of day t and $E(R_c)$ is the expected return of the
control portfolio of equally weighted internet firms not affected by the
DoS attacks for the ith 15-minute interval of day t. The equally
weighted portfolio for control firms was utilized due to the size
difference that could obscure the impact of the event in case of a value
weighted approach. The cumulative abnormal returns during the event
window are denoted as $CAR_t$, as shown below:
$$CAR_t = \sum_{t=-20}^{20} A_t$$
Trading Volumes
We also examine trading volumes surrounding the DoS attacks to
further test investor response to DoS attacks. Cready and Hurtt (2002)
provide evidence that volume based metrics are more powerful in
detecting investor responses to public disclosures than returns based
methodology. In the literature, the alternative approaches on defining
and measuring market reaction consist of the use of returns or volume as
a measure of market reaction. Lee (1992) finds that the market reacts
quickly to new information both in adjusting returns and volumes.
To determine whether there is a significant change in trading
volume immediately surrounding the DoS attacks, we examine the
difference between the mean trading volume in the pre- and post-attack
periods. This methodology is used because we are unable to obtain the
total shares outstanding of control firms for the related intraday
periods, which would be necessary to standardize trading volume. The
pre-attack period consists of the twenty 15-minute intervals prior to
the attack and the post-attack period consists of the twenty 15-minute
intervals subsequent to the attack.
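The interval return, abnormal return, cumulative abnormal return and pre/post volume comparison described in the Methodology, Portfolio Approach and Trading Volumes sections can be carried through on tick data as follows. This is an added example, not the authors' code. Assumptions: the (time, price, shares) trade tuples and all sample values are constructed, interval 0 is taken to be the interval in which the attack starts, volume is measured in shares, the t-statistic is Welch's, and the window is k = 2 intervals instead of the paper's 20.

```python
from math import sqrt
from statistics import mean, variance

INTERVAL = 15 * 60  # seconds in one 15-minute interval


def bucket(trades, t0, lo, hi):
    """Average price and total shares for each interval j in lo..hi.

    Interval j covers [t0 + j*INTERVAL, t0 + (j+1)*INTERVAL); j = 0 is the
    interval in which the attack starts (an assumption of this example).
    An interval with no trades carries the previous average price forward.
    """
    acc = {j: [0.0, 0, 0] for j in range(lo, hi + 1)}  # price sum, count, shares
    for ts, price, shares in trades:
        j = int((ts - t0) // INTERVAL)
        if lo <= j <= hi:
            acc[j][0] += price
            acc[j][1] += 1
            acc[j][2] += shares
    prices, volumes, last = {}, {}, None
    for j in range(lo, hi + 1):
        total, count, shares = acc[j]
        if count:
            last = total / count
        if last is None:
            raise ValueError("no trades in the first interval of the window")
        prices[j], volumes[j] = last, shares
    return prices, volumes


def returns(prices):
    """R_j = (P_j - P_{j-1}) / P_{j-1} for every interval after the first."""
    js = sorted(prices)
    return {j: (prices[j] - prices[i]) / prices[i] for i, j in zip(js, js[1:])}


def abnormal_returns(victim, controls, t0, k):
    """A_j = R_j - E(R_c)_j against an equally weighted control portfolio."""
    r_v = returns(bucket(victim, t0, -k - 1, k)[0])
    r_c = [returns(bucket(c, t0, -k - 1, k)[0]) for c in controls]
    return {j: r_v[j] - mean(r[j] for r in r_c) for j in r_v}


def car(abnormal):
    """Cumulative abnormal return: the sum of A_j over the event window."""
    return sum(abnormal.values())


def volume_change(victim, t0, k):
    """Post- minus pre-attack mean interval volume and its Welch t-statistic."""
    vol = bucket(victim, t0, -k, k)[1]
    pre = [vol[j] for j in range(-k, 0)]
    post = [vol[j] for j in range(1, k + 1)]
    diff = mean(post) - mean(pre)
    se = sqrt(variance(pre) / len(pre) + variance(post) / len(post))
    return diff, (diff / se if se else float("nan"))


def make_trades(t0, lo, levels, shares):
    """Constructed sample data: two trades per interval averaging to the level."""
    out = []
    for n, (p, v) in enumerate(zip(levels, shares)):
        start = t0 + (lo + n) * INTERVAL
        out += [(start + 60, p - 0.5, v // 2), (start + 600, p + 0.5, v // 2)]
    return out


# Constructed sample: intervals -3..2 around an attack starting at T0.
T0, K = 0, 2
VICTIM = make_trades(T0, -3, [100, 100, 100, 98, 98, 99],
                     [400, 400, 600, 1000, 200, 300])
CONTROLS = [
    make_trades(T0, -3, [50, 50, 50, 49.5, 49.5, 49.5], [100] * 6),
    make_trades(T0, -3, [20] * 6, [100] * 6),
]

if __name__ == "__main__":
    ab = abnormal_returns(VICTIM, CONTROLS, T0, K)
    for j in sorted(ab):
        print(f"t{j:+d}  A = {ab[j]:+.4f}")
    print(f"CAR = {car(ab):+.4f}")
    diff, t = volume_change(VICTIM, T0, K)
    print(f"volume difference = {diff:.0f}, t = {t:.2f}")
```

In the sample the victim falls 2% in the attack interval while the control portfolio falls 0.5%, so the abnormal return at t0 is -1.5% even though the raw price drop is larger.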
EMPIRICAL ANALYSIS AND RESULTS
We investigate the effects of DoS attacks on stock price and
abnormal returns. Although our primary interest is the impact of
abnormal returns around DoS attacks, we begin our analysis by
investigating stock price reactions surrounding the attacks. Figure 1
shows the stock prices and abnormal returns for twenty 15-minute
intervals before the attack to twenty 15-minute intervals after the
attack for each sample firm. The stock price for Amazon and Yahoo
reaches its peak in the period of the DoS attack ($83.69 and $356.56,
respectively) and declines after the attack. Amazon's stock price
declines for the following four 15-minute intervals before it begins to
increase. Yahoo's stock price declines for the following two
15-minute intervals before it begins to increase. While Yahoo's
stock price recovers and surpasses the attack stock price at t+18,
Amazon's stock never reaches the peak of its DoS stock price in the
post-attack period. eBay's slow stock price decline in the
pre-attack period becomes more steady in the post-attack period.
To test hypothesis 1, we examine the abnormal stock returns of the
three DoS attack firms. The results are presented in Table 4. All three
firms experienced negative returns related to the DoS attacks. Yahoo
experienced the greatest stock price decline of 2.6% while Amazon
experienced the smallest decline of 0.7%. The mean abnormal returns are
significantly negative at the 0.01 level for all three DoS attack firms.
These results also show that the negative abnormal returns due to a DoS
attack are in line with the duration and timing of the event. This is
consistent with our hypothesis that the stock price of an internet firm
will be negatively affected by a DoS attack.
[FIGURE 1 OMITTED]
Amazon and eBay show negative abnormal returns surrounding the
event. Amazon's abnormal returns are negative from the first
15-minute interval before the attack t-1 until the sixth 15-minute
interval after the attack t+6 while eBay's abnormal returns are
negative from the first 15-minute interval before the attack t-1 until
the third 15-minute interval after the attack t+3. Yahoo's abnormal
return, however, is only negative at the point of the attack, t. In
observing the twenty intervals before the attack to twenty periods after
the attack, all three firms experienced their lowest abnormal return in
the period immediately surrounding the DoS attack. These results suggest
that while the internet firms are affected by the DoS attack, they
appear to rebound and continue as normal shortly after the attack.
To test our second hypothesis that the stock price of an ISP firm
will be positively affected by a DoS attack in the internet industry, we
examine the differences between the mean returns for the ISP sample
firms and the control sample firms during the time of the DoS attacks.
Table 5 presents the mean returns for both samples along with the
abnormal returns for the ISP firms.
Using intraday data for the event period, we find results similar
to Ettredge and Richardson (2003) for the control sample firms. The mean
returns for internet firms that were not attacked (control sample firms)
are negative. This suggests that information about the attack is
transferred to other firms that also conduct business on the internet.
As we examine the differences between the ISP mean returns and the
control sample mean returns, however, we find mixed results. The
abnormal return is negative during the Amazon attack period and positive
during the eBay and Yahoo attack periods. The negative ISP firm abnormal
return during the Amazon attack period could be the result of this
attack occurring after trading hours. Furthermore, we note that none of
the abnormal returns are significant. This could be attributed to the
brevity of the attacks and the resolution of the attacks during the same
day. Overall, unlike Ettredge and Richardson (2003), we do not find that
ISP firms experience positive abnormal returns when internet firms are
attacked.
To further ascertain the information impact of DoS attacks, we
examine another investor metric, trading volume. Table 6 presents the
mean volume of trades surrounding the DoS attacks. The pre-attack period
represents the twenty 15-minute intervals prior to the denial of service
attack. The post-attack period represents the twenty 15-minute
intervals subsequent to the denial of service attack.
The results support our hypothesis that trading volume will
decrease during the attack period. There is a significant decrease in
the volume of trades for Amazon and eBay at the 1% and 10% levels,
respectively. Amazon's volume of trades decreased 225,377 and
eBay's decreased 27,504. While Yahoo's volume increases by
10,987 trades, the increase is insignificant. This increase in the Yahoo
volume of trades could result from its DoS attack being resolved before
the end of trading on that day. Overall, our results provide evidence
that investors did not purchase significant shares of stock during the
DoS attacks.
CONCLUSION
This paper investigates the market impact of distributed denial of
service (DoS) attacks on internet firms and the information transfer
affecting the market value of other internet and internet security
firms. This study is unique in that we use intraday data obtained from
the NASTRAQ database to examine the market impact of the DoS attacks.
Our study suggests that the market reacts negatively to firms
experiencing DoS attacks. We report negative abnormal returns during the
DoS attack and a decline in stock price immediately following the DoS
attack. Additionally, we report negative returns for a control sample of
internet firms that were not attacked. As such, it appears that
information transfer exists among internet firms. In contrast, we
further report that Internet Security Provider firms do not experience
positive stock price effects from the DoS attacks. We also used volume
of trades as an investor metric to measure the impact of DoS attacks.
Our findings provide evidence that the volume of trades decreases during
the attack period. The implications of this study demonstrate that firms
that operate online can experience negative market effects from DoS
attacks, such as loss of sales, drop in stock price and market
capitalization unlike traditional retail stores.
This study can be extended by segregating DoS attacks by nature of
the attack (severity and ability to return network to normal operations
differ) to determine whether the market reacts differently depending on
the nature of the attack. There are also implications for the long-term
consequences and the cost of security to address these DoS attacks. A
second extension could segregate the firms attacked by size (i.e.,
market capitalization, revenue and internet traffic), since conceivably
the impact of a DoS attack could be greater for firms with higher
internet traffic resulting in higher revenue losses.
This study has two limitations that should be taken into account
when considering its contributions. First, our study consists of a small
sample size. In order to compare the immediate market reaction to the
same DoS attacks investigated by Ettredge and Richardson (2003), our
sample only consists of three firms. Second, one of the DoS attacks
occurred after trading hours while two of the attacks ended after
trading hours. Accordingly, we have taken steps in this study to
mitigate the effects of these limitations.
REFERENCES
Anthony, J., W. Choi & S. Grabski (2006). Market Reaction to
E-Commerce Impairments and Web-site Outages. International Journal of
Accounting Information Systems 7, (2): 60-78.
Ball, R. & P. Brown (1968). An empirical evaluation of
accounting numbers. Journal of Accounting Research 6 (2): 159-178.
Brown, S. & J. Warner (1985). Using Daily Stock Returns: The
Case of Event Studies. Journal of Financial Economics 14, 3-31.
Campbell, J., A. Lo & J. Wang (1993). Trading Volume and Serial
Correlation in Stock Returns. Quarterly Journal of Economics 107,
905-939.
Cavusoglu, H., B. Mishra & S. Raghunathan (2004). The Effect of
Internet Security Breach Announcements on Market Value: Capital Market
Reactions for Breached Firms and Internet Security Developers.
International Journal of Electronic Commerce 9, 69-104.
Chan, K., W. Christie & P. Schultz (1995). Market structure and
the intraday pattern on bid-ask spreads for NASDAQ securities. Journal
of Business 68(1): 35-60.
Cready, W. & D. Hurtt (2002). Assessing Investor Response to
Information Events using Return and Volume Metrics. The Accounting
Review 77 (4): 891-909.
Duh, R., S. Sunder & K. Jamal (2002). Control and Assurance in
E-Commerce: Privacy, Integrity, and Service at eBay. Taiwan Accounting
Review 3(1): 1-27.
Ettredge, M. & V. Richardson (2003). Information Transfer among
Internet Firms: The Case of Hacker Attacks. Journal of Information
Systems 17(2): 71-82.
Glover, S., S. Liddle & D. Prawitt (2001). eBusiness:
Principles & Strategies for Accountants. Upper Saddle River, NJ:
Prentice Hall.
Harrington, S. & D. Shrider (2007). All Events Induce Variance:
Analyzing Abnormal Returns When Effects Vary Across Firms. Journal of
Financial and Quantitative Analysis 42(1): 229-256.
Hovav, A. & J. D'Arcy (2003). The Impact of
Denial-of-Service Attack Announcements on the Market Value of Firms.
Risk Management and Insurance Review 6 (2): 97-121.
Hovav, A., F. Andoh-Baidoo & G. Dhillion (2007). Classification
of Security Breaches and their Impact on the Market Value of Firms.
Proceedings of the 6th Annual Security Conference.
Kamstra, M. (2001). Rational Exuberance: The Fundamentals of
Pricing Firms, From Blue Chips to Dot Com. Federal Reserve Bank of
Atlanta.
Kothari, S. P. (2001). Capital Markets Research in Accounting.
Journal of Accounting and Economics 31 (1-3): 105-231.
Lazer, R., B. Lev & J. Levant (2001). Internet Traffic and
Portfolio Returns. Financial Analysts Journal 57(3): 30-40.
Lee, C. M. C. (1992). Earnings News and Small Traders. Journal of
Accounting and Economics 15(2-3): 265-302.
Schwartz, E. & M. Moon (2000). Rational Pricing of Internet
Companies. Financial Analysts Journal 56 (3): 62-75.
Subramani, M. & E. Walden (2001). The Impact of E-Commerce
Announcements on the Market Value of Firms. Info Systems Research 12
(2): 135-154.
Telang, R. & S. Wattal (2007). An Empirical Analysis of the
Impact of Software Vulnerability Announcements on Firm Stock Price. IEEE
Transactions on Software Engineering 33 (8): 544-557.
Arundhati Rao, Towson University
Mohamed Warsame, Howard University
Jan L. Williams, University of Baltimore
Table 1: Attack Periods and Trading Hours
Panel A: Denial of Service Attack Periods
Date     Firm      Start            End
40580    Yahoo     0.42708333333    0.61458333333
40581    eBay      0.60416666667    0.8125
40581    Amazon    0.70833333333    0.86458333333
Panel B: NASDAQ Market Trading Hours
                          Open             Close
Early Trading Hours       0.33333333333    0.39583333333
Regular Trading Hours     0.39583333333    0.6875
Extended Trading Hours    0.6875           0.77083333333
Table 2: Descriptive Statistics (in $ millions)
                  n      Mean       Median     Standard Deviation   Range
Panel A: DoS Attack Firms
Total Sales       3      817.72     588.61     734.85               224.72-1,639.84
Total Assets      3      1635.1     1469.82    767.27               963.94-2,471.55
Panel B: Control Firms
Total Sales       126    159.86     32.73      1098.06              0.36-12,154.00
Total Assets      126    430.43     130.82     1425.14              2.99-14,725.00
Panel C: Internet Security Provider Firms
Total Sales       10     88.36      85         76.41                4.97-218.12
Total Assets      10     369.96     157.68     571.79               9.78-1,512.12
Table 3: Firms by Industry
Attacked Firms
Catalog, mail-order houses                               2
Computer programming, data processing                    1
Total                                                    3
Control Firms
Oil & Gas Extraction                                     2
Fabricated Metal Products Manufacturers                  1
Industrial & Commercial Machinery Manufacturers          2
Electronic & Other Electrical Equipment Manufacturers    5
Miscellaneous Manufacturing Industries                   1
Transportation Services                                  2
Communications                                           4
Wholesale Trade                                          3
Miscellaneous Retail                                     8
Depository Institutions                                  1
Non-depository Institutions                              1
Security & Commodity Brokers                             2
Insurance Agents Brokers & Services                      1
Real Estate                                              1
Business Services                                        88
Amusement & Recreation Services                          2
Engineering, Accounting Management Services              1
Total                                                    126
Table 4: Abnormal Returns of Denial of Service Attack
                                      Amazon        eBay          Yahoo
Attack Period Abnormal Return (t0)    -0.007        -0.014        -0.026
Std Deviation                         0.019         0.025         0.039
t-stat                                -2.430 ***    -3.580 ***    -4.260 ***
*** represents significance at the 1% level.
Table 5: Abnormal Returns for Internet Service Providers
          ISP Mean      Control Sample
          Return (%)    Mean Return (%)    Difference    t-stat
Amazon    -0.166        -0.047             -0.119        -0.28
eBay      -0.105        -0.258             0.153         0.51
Yahoo     0.029         -0.179             0.208         1.15
Table 6: Mean Volume of Trades Surrounding the Denial of Service Attacks
                      Amazon       eBay        Yahoo
Post-Attack Period    305138       64735       113627
Pre-Attack Period     530515       92239       102640
Difference            -225377      -27504      10987
t-stat                -2.56 ***    -1.41 *     0.16
***, ** and * represent significance at 1%, 5% and 10% levels,
respectively.