
Document Legalities

Copyright © 2010 Kunio Ito. All rights reserved. The entire contents of this publication are the
property of Kunio Ito. Users may not copy, reproduce, distribute, display, modify or create
derivative works based upon all or any portions of this publication in any medium whether
printed, electronic or otherwise, without the express written consent of NR Kunio Ito. Without
limiting the foregoing, users may not reproduce, distribute, re-publish, display, modify or create
derivative works based upon all or any portion of this publication for purposes of teaching any
computer or electronic security courses to any third party without the express written consent of
Kunio Ito.

FIRST EDITION: March, 2010 (Version 1.0)


International Standard Book Number: 978-0-615-35711-9
Printed in the United States of America

Warning and Disclaimer


Every effort has been made to make this book as complete and as accurate as possible, but no
warranty of fitness is implied. The information provided is on an “as is” basis. The authors and the
publisher shall have neither liability nor responsibility to any person or entity with respect to any
loss or damages arising from the information contained in this book.

Contents
Information Security Governance to Enhance Corporate Value
  1. Growing Interest in Information Security
  2. The reality of Information Security Governance in Japan
  3. Effects of Information Security Incidents on Evaluations by Stock Markets
  4. Effects of Information Security Incidents on the Value of Corporate Brands
  5. Effects of Information Security Disclosure on Evaluations by Stock Markets
  6. Effects of Information Security Governance on Corporate Brand Value
  Bibliography
Brand Risk Management and Corporate Value
  1. Introduction
  2. Why Do Risk Events Occur Frequently Today?
  3. Corporate Brand Crisis
  4. Making Brand Risks Visible
  5. Beyond the Japanese Version of the SOX Act
  Bibliography

Information Security Governance to Enhance Corporate Value

1. Growing Interest in Information Security

The aim of this paper is to examine the effects of initiatives on information security on corporate
value and demonstrate the significance of establishing information security governance so that
these effects can permeate into business corporations.

Interest in information security is growing rapidly. Figure 1, for example, shows the number of
search results for “information security,” “information leak,” “system failure,” and other
keywords published in four Nikkei newspapers. This figure confirms that the number of cases in
which these keywords were written about in these newspapers rose sharply after the twenty-first
century began. In particular, the number of such search results grew dramatically in 2005 and
thereafter. It is presumed that the three factors mentioned below affected this dramatic growth.

Figure 1: Number of Keyword Search Results Related to Information Security in Four Nikkei
Newspapers
[Chart: yearly number of search results (vertical axis, 0 to 900) for 1990 to 2007. Series:
Information security; Information leak; System failure.]
Since the start of the new century, interest in information incidents and information security
has grown dramatically.

Figure 2: Increase in the number of malicious programs
[Chart: number of malicious programs per year (vertical axis, 0 to 250000). Data labels for
2001 to 2007, in order: 8821, 11136, 20731, 31726, 53950, 105334, 201958.]
(Source) Created based on “Malware Evolution: 2005, Part 2” (Kaspersky Lab, April 2006) and
“Kaspersky Security Bulletin 2007: Malware Evolution in 2007” (A. Gostev, February 2008)

Figure 3: Damage caused by unauthorized access
[Chart: number of reported cases per year (vertical axis, 0 to 700) for 2001 to 2007. Series:
Damage was caused; No damage was caused.]
(Source) Information-Technology Promotion Agency, Japan
Formerly, unauthorized access was often perpetrated by people who took pleasure in confusing a
large number of people, but in recent years, there have been many cases in which professional
criminals have carried out unauthorized access for gain, posing a growing threat to the general
public.

One factor is that the numbers of malicious programs and unauthorized accesses are on the
increase. Figure 2 indicates the results of surveys conducted by Kaspersky Lab. According to
these results, the number of malicious programs increased from less than 10,000 in 2001 to over
200,000 in 2007. In addition, Figure 3 shows the number of cases in which the damage caused by
unauthorized access was reported to the Information-Technology Promotion Agency, Japan. It is
noticeable that the number of cases in which unauthorized access caused damage, which had
continued to decline from 2001 to 2004, grew again in 2005 and thereafter. Formerly,
unauthorized access was often perpetrated by people who took pleasure in confusing a large
number of people, but in recent years, an increasing number of unauthorized accesses have been
perpetrated out of avarice and have become criminally vicious.

Another factor is that information incidents such as leaks of customer information, leaks of
confidential information, and system failures are occurring frequently. Recent years have
witnessed the frequent occurrence of incidents that have affected even ordinary consumers,
including leaks of large corporations’ customer information and failures of financial or transport
systems due to trouble with information systems. These incidents are highly likely to cause the
companies involved to lose the trust that customers and consumers have in them, and to cause
their corporate image to be injured. There are also an increasing number of cases in which
Japanese companies are losing their sources of competitiveness due to an outflow of
technological information to overseas competitors. As described above, interest in initiatives on
information security is growing with the frequent occurrence of information incidents that
seriously affect corporate value.

A third factor is that laws and regulations related to information security have been put in place.
The Act on the Protection of Personal Information, the Companies Act, and the Financial
Instruments and Exchange Act came into force in 2005, 2006, and 2008, respectively. The Act on
the Protection of Personal Information requires holders of personal information to manage it
properly and prevent its leakage. Under the Companies Act, which came into force in 2006,
corporate directors must take responsibility for establishing internal control systems. They are
required to make efforts to ensure information security and put in place related systems,
including those related to the possession and management of information, regulations and
systems for the management of losses and other risks, and systems aimed at ensuring that
employees comply with laws and regulations as well as articles of association when performing
their duties.

Meanwhile, the Financial Instruments and Exchange Act, which came into force in 2008, aims to
improve the reliability of financial reports and requires companies to put in place internal control
systems to achieve this goal. In particular, the Act stresses the importance of the role IT plays in
internal control systems. If information security plays the role of supporting continuous
utilization of IT for internal control systems, information security can be viewed as an issue
closely related to improvement of the reliability of financial reports.

2. The reality of Information Security Governance in Japan

(1) Japanese companies’ initiatives on information security


As described above, there is growing interest in initiatives on information security, but are
Japanese companies making progress in their initiatives to ensure information security? Do such
ongoing initiatives help reduce the amount of damage caused by incidents related to information
security?

Figure 4: Magnitude of Effects of Information Incidents, Which Are Becoming Common Occurrences
Frequency of information leaks and the widening scope of their effects
[Chart: yearly values for 2002 to 2007. Series: Number of people who experienced leakage of
their personal information; Estimated total value of damages paid.]
(Source) Japan Network Security Association, “Fiscal 2008 Information Security Incident Survey
Report”

This section bases its discussions on the Information Security Incident Survey Report, which is
published by the Japan Network Security Association annually. The Report confirms that the
number of people who experienced leakage of their personal information and the estimated total
value of damages paid both increased from 2002 to 2007 (see Figure 4).

Next, this section discusses the survey carried out by Ito at Hitotsubashi University in January
2007. This survey aimed to clarify the actual condition of information systems established at
listed companies in Japan by asking their chief information officers (CIOs) or those in similar
positions about them. Figure 5 identifies information security tasks to be addressed by those
companies. In this figure, an overwhelming number of companies cited “strengthening
information security” as a task they should address urgently.

Figure 5: What Are the Tasks to Be Addressed for Making Effective Use of Information Systems?
Tasks in making use of information processing systems
Information security is one of the tasks on which CIOs and other IT experts place particular
emphasis.
[Chart: number of responses per task. Series: Current tasks (left scale, 0 to 450); Tasks on
which particular emphasis is placed (right scale, 0 to 350). Tasks shown: Information sharing;
Unified data management; Increased sales; Improvement of product and/or service quality;
Improvement of work efficiency; Improvement of employees’ skills; Strengthening information
security; Reducing lost opportunities; Improving the ability to develop new products and/or
services; Revitalization of workplaces; Swifter decision-making; Early detection of problems;
Enhancement of customer satisfaction; Reduced inventories; Enhancement of infrastructure
functions; Other; Shorter lead time; System integration (cooperation); Cost reduction.]
(Source) “Questionnaire survey concerning utilization of information systems” (K. Ito and his
research team, Hitotsubashi University, January 2007)

As indicated in the figure, it appears that Japanese companies have not yet made sufficient
progress in their initiatives on information security.

(2) What is information security governance?


What are companies required to do in order to advance their initiatives on information security?
One of the effective methods of achieving this goal is information security governance.

What is information security governance? In its research report of March 2005, the research
group of METI on the information governance defined information security governance as
“establishing and applying corporate governance, and the internal control systems that represent
the mechanism supporting it, within a company looking from the viewpoint of ensuring information
security.” In order to encourage establishment and application of the information security
needed in light of corporate objectives, it is essential to motivate managers to advance these
undertakings, whether on their own initiative or otherwise, and establish internal control systems
to make the intentions of managers known to all levels of the organization.

What is the ideal form of information security governance? In particular, we believe that there
are two major types of information security governance which provide systems for motivating
managers to make efforts on information security, whether on their own initiative or otherwise
(see Figure 6).

Figure 6: Framework for Information Security Governance
[Diagram]
Question posed: Does information security governance not work sufficiently well as a system for
ensuring thorough information security?
Corporate governance: System for ensuring well-disciplined corporate management in the light of
corporate objectives
Internal controls: System for enabling corporate managers to achieve management strategy and
business objectives in a systematic way
Governance through market mechanisms: Are companies given a low evaluation in the
product/service, labor, and stock markets if they do not ensure thorough information security?
Governance through organizational mechanisms: How do companies establish a system that requires
managers to take responsibility for information security initiatives? How do they create a
corporate climate or system in which none of their members performs, and which allows none of
their members to perform, improper acts with regard to information security?

One type of information security governance adopts the approach of maintaining the discipline
of companies through market mechanisms. This approach, for instance, involves establishing
systems and devices that encourage information security initiatives to produce positive effects in
the product/service market, thus inducing companies to make all-out efforts toward information
security. One example is governments including information security initiatives in the
requirements for suppliers to take part in the bidding when they procure products and services.
This approach is not limited to the product/service market. The capital market can also urge
companies to make all-out efforts toward information security by placing information security
initiatives as a requirement for the provision of finance.

Market mechanisms may use two approaches to the screening of companies: negative screening
and positive screening. While the negative screening approach restricts transactions with
companies that fail to meet certain requirements, the positive screening approach gives priority
to dealings with companies that carry out outstanding information security initiatives. Whichever
of the two approaches is taken, it becomes possible to advance information security initiatives by
establishing systems and devices that take information security initiatives into account in market
transactions.

The other type of information security governance takes the approach of maintaining the
discipline of companies through organizational mechanisms. Like global warming and other
environmental problems, information incidents caused by companies sometimes have grave
effects on other companies and ordinary consumers in the community in which they operate.
However, since external stakeholders of a company cannot ascertain how active the company is
in advancing its information security initiatives, there is a strong possibility that the company
will not be very willing to make investments in those initiatives. For this reason, it is necessary
to accelerate the progress of information security initiatives by requiring companies to take direct
responsibility for them through legislation, systems, and other measures.

As mentioned above, a series of legal systems relating to companies have been put in place in
Japan in recent years, and many of them require corporate managers to establish systems and
devices that ensure thorough implementation of information security initiatives at all levels of
the organization. They urge corporate organizations to have built-in systems (climate) in which
none of their members performs, and which allow none of their members to perform, improper
acts regarding information security by requiring their managers to take responsibility for
establishing these systems.

(3) Relationships between companies’ information security initiatives and their competitiveness

In Japan, too, systems and devices that urge companies to make all-out efforts toward
information security through market mechanisms and organizational mechanisms are being
gradually established. Why, then, are Japanese companies’ information security initiatives not
always sufficient?

Figure 7: Progress in Taking Information Security Measures
Condition of information security measures. Values are percentages of respondents, listed in
legend order: Being planned or considered / Measures have already been taken / No plan / No reply.

  Training of information security experts: 63.4 / 23.5 / 11.6 / 1.5
  Establishment of procedures and systems for ensuring information security: 59.3 / 29.8 / 9.2 / 1.7
  Continuous accumulation and sharing of knowledge of, and know-how in, information security
    within the organization: 59.2 / 33.9 / 5.7 / 1.3
  Establishment and application of systems for gathering information on security holes:
    50.9 / 45.1 / 3.1 / 1
  Logging and auditing of access to information systems and networks: 45.2 / 52.2 / 2.2 / 0.4
  Classification and organization of information assets and management of access to information
    assets: 42.4 / 56 / 1.2 / 0.4
  Measures to prevent the leakage of confidential and important information: 38.5 / 60 / 1.2 / 0.4
  Physical security measures: 33.6 / 62.2 / 3.5 / 0.7
  PC security measures: 14.8 / 84.6 / 0.1 / 0.4
  Network security measures: 11.9 / 87.5 / 0.3 / 0.3

Adequate information security measures have not been taken in terms of intangibles.
Information security measures are being accelerated in terms of equipment.
(Source) “Survey concerning the Actual Condition of Corporate Information
Security” (NRI SecureTechnologies, Ltd., November 2007)

Figure 7 indicates the results of a questionnaire survey of listed companies which was conducted
by NRI SecureTechnologies, Ltd. in November 2007 to clarify the condition of information
security measures. The results confirm that all companies surveyed are working to take
information security measures in terms of equipment, including physical security, PC security,
and network security. On the other hand, it can also be seen that many companies have not yet
taken adequate information security measures in terms of intangibles such as “training of
information security experts,” “establishment of procedures and systems for ensuring
information security,” “continuous accumulation and sharing of knowledge of, and know-how in,
information security within the organization,” and “establishment and application of systems for
gathering information on security holes.”

Why, then, are Japanese companies sometimes not making progress in their information security
initiatives in terms of intangibles? One of the major reasons for this is that corporate managers
do not really feel that their information security initiatives lead to enhancement of their
companies’ competitiveness and value.

Figure 8: Effects of Information Security Measures
Effects of information security measures. Values are percentages of respondents (horizontal
axis, 0 to 70), two per item, listed in legend order: Fiscal 2005 / Fiscal 2006.

  Greater awareness of information security among employees: 59.4 / 61.3
  Better understanding and recognition of the importance of risk management: 44.2 / 43.3
  Recognition of information security as corporate social responsibility: 35 / 39.5
  Review of information assets: 27.1 / 29.5
  Taking information security into account when making a decision to choose, and enter into
    agreements with, business partners: 15.2 / 15.8
  Review and modification of business processes: 13.2 / 14.4
  Internal information sharing and utilization: 10.1 / 13
  Almost no particular effects have been produced: 7.6 / 7.1
  Higher evaluations by business partners and customers: 4.5 / 5.6
  Greater operational efficiency and productivity: 4 / 4.7
  Improvement of products and services provided: 2.6 / 3.6
  Lower total security management costs: 2.6 / 2.7
  Enhanced competitive power, including the winning of orders: 1.3 / 1.6

Although employees have a keener awareness of information security, corporate managers do not
really feel that their information security initiatives lead to enhancement of their company’s
competitiveness.
(Source) Created based on the “Survey concerning the Actual Condition of Countermeasures against
Unauthorized Access etc.” conducted by the Metropolitan Police Department

For example, as shown in Figure 8, according to the “Survey concerning the Actual Condition of
Countermeasures against Unauthorized Access etc.” conducted by the Metropolitan Police
Department in Tokyo, corporate employees have an increasingly keen awareness of information
security as typified by high evaluations for effects of information security measures such as:
“greater awareness of information security among employees,” “better understanding and
recognition of the importance of risk management,” and “recognition of information security as
corporate social responsibility.” However, lower evaluations are given to the five items related to
the enhancement of corporate competitiveness: “higher evaluations by business partners and
customers,” “greater operational efficiency and productivity,” “improvement of products and
services provided,” “lower total security management costs,” and “enhanced competitive power,
including the winning of orders.”

Why, then, do corporate managers not really feel that their information security initiatives lead to
enhancement of their company’s competitiveness and value? Probably, one reason for this is that
only a few companies quantitatively measure and evaluate the progress they have made in their
information security initiatives, so they cannot ascertain the effects of their investments in
information security initiatives.

Figure 9: Problematic Points with Information Security Measures
Difficulties in making the effects of information security initiatives visible render the
relationships between such initiatives and enhanced corporate competitiveness and
value difficult to perceive.
[Chart: percentage of respondents (vertical axis, 0 to 70%) per year for 2001 to 2006. Series:
Cost-effectiveness is invisible; There are no guidelines regarding how far we should go; Lack of
know-how in taking information security measures; There is no practice of considering
information as an asset; The understanding of top managers cannot be obtained; Too much cost is
incurred; Adequate education and training is not provided; Too heavy a burden is placed on
employees; Optimal tools and services are not available.]
(Source) Created based on the “Survey concerning the Actual Condition of Countermeasures
against Unauthorized Access etc.” conducted by the Metropolitan Police Department

The Metropolitan Police Department’s survey shows, for example, that more than half of
respondents cited issues related to the effects of investments—“cost-effectiveness is invisible,”
“too much cost is incurred,” and “there are no guidelines regarding how far we should go”—as
issues to be addressed in taking information security measures. To begin with, unless the effects
of information security initiatives are made visible, it is difficult for corporate managers to
realize that such initiatives lead to enhancement of their company’s competitiveness and value
(see Figure 9).

Furthermore, only a few companies actively disclose their information security initiatives to
external stakeholders, making it difficult for external stakeholders to recognize differences in
information security initiatives between companies, and this also probably affected the results of
the survey. Unless such differences are made clear, it is difficult for stock markets to evaluate the
information security initiatives of listed companies.

Do information security measures and initiatives, then, actually contribute to the creation of
corporate value? In order to answer this question, we first examine what effects incidents
involving information security have on corporate value. If such incidents have serious effects on
corporate value, there is a strong likelihood that efforts to prevent them have positive effects
on corporate value.

3. Effects of Information Security Incidents on Evaluations by Stock Markets

How should the effects of information security incidents on corporate value be examined? One
possible approach is to examine evaluations by stock markets of information security incidents.
In this section, we follow the steps listed below to examine evaluations by stock markets of
information security incidents and initiatives for preventing such incidents.

Step 1: Summary of preceding studies
Step 2: Sampling of incidents involving information leaks or system failures
Step 3: Calculation of cumulative abnormal return on equity investment before and after the day
of the event

(1) Summary of preceding studies


Campbell et al. (2003) used 43 information leak incidents [1] involving American companies
during the period from January 1995 to December 2000 to analyze the effects of such incidents
on stock prices. As a result of the analysis, the researchers reported that incidents involving the
leakage of confidential information had pushed down stock prices. Cavusoglu et al. (2004) used
66 information leak incidents [2] involving American companies during the period from January 1,
1996 to December 31, 2001 to analyze the relationships between such incidents and stock prices.
As a result, they found that stock prices had fallen 2.1% two days after the information leaks
were reported.

In Japan, meanwhile, InterRisk Research Institute & Consulting, Inc. (2005), Ishiguro et al.
(2006), and Ito & Kagaya (2006) studied the effects of revealed risks on stock prices.
Researchers at InterRisk Research Institute & Consulting (2005) used 238 cases of revealed risks,
which were reported by The Nihon Keizai Shimbun during the year from April 1, 2004 to March
31, 2005 to analyze the effects of such risks on stock prices. As a result, they reported that
approximately 30% of the companies surveyed had seen their stock price drop ten days after the
information security risks became clear. They also found that in most cases, the stock price had
fallen about 8%, and that approximately 5% of the companies had witnessed their stock price
plunge more than 15%. Ishiguro et al. (2006) used 70 information leak incidents extracted from
four Nikkei newspapers during the period from September 2002 to August 2005 using keyword
searches [3] to analyze the effects of such incidents on stock prices. As a result, they reported that
ten days after the information leaks were reported, the stock prices had fallen 2.25% for incidents
involving the leakage of confidential information and 3.18% for those involving unauthorized
access.

[1] The researchers extracted these incidents from articles published in The Wall Street Journal,
The New York Times, The Washington Post, The Financial Times, and USA Today using keyword
(information security breach, computer system security, hacker, cyber attack, computer attack,
computer break-in, and computer virus) searches.
[2] The researchers extracted these incidents from websites and newspapers using keyword (attack,
breach, and break-in) searches.

Ito & Kagaya (2006) chose 14 companies covered by four Nikkei newspapers and The Asahi
Shimbun between 1998 and 2002 because they caused a scandal (defective product or service
quality, soil contamination or other environmental problems, breach of laws or ordinances, etc.)
and examined how the price of their stocks fluctuated before and after the scandal was reported.
As a result, they reported that the stock prices had plummeted immediately after the scandal was
exposed, and that during the subsequent week, the extent of fall in the stock prices reached
nearly 15%. Moreover, they revealed that the stock prices had not yet recovered even 30 days
after the scandal was uncovered.

As described above, analyses of evaluations by stock markets of information security incidents
confirm that these incidents generally result in a fall in stock prices.

(2) Sample Selection


Prior to analysis, it is necessary to sample information security incidents and accidents. In this
study, we focus on two categories of incidents and accidents: information leaks and system
failures.

In sampling information security incidents and accidents, we searched articles published in four
Nikkei newspapers during the period from January 2000 to December 2007, which included one
of the three keywords: “information leak,” “system failure,” and “software trouble” [4]. Since this
study aimed to analyze fluctuations in stock price, companies that announced their financial
results or merged with or acquired another company during the period analyzed surrounding the
day of the event were excluded from the sampling. As a result, 45 cases were sampled using the
keyword “information leak,” and 34 cases were sampled using the keywords “system failure”
and “software trouble.”

[3] The keywords used were “information” and (“leak”) and (“damage” or “accident” or “incident”) or
(“unauthorized access” or “virus”) and (“damage” or “accident” or “incident”).
[4] The Nikkei Financial Daily, one of the four Nikkei newspapers mentioned above, discontinued
publication on January 31, 2008.

(3) Calculation of cumulative abnormal return on equity investment
Next, the Nikkei NEEDS-Financial QUEST database was used to obtain the ex-right and
ex-dividend price of stocks in each of the companies sampled above in order to calculate daily
return on equity investment. Then, based on market models, cumulative abnormal return (CAR)
was calculated using the day when the information incident was reported as the day of the event.

$R_{it} = \alpha + \beta \times R_{mt}$   (1)

$e_{it} = R_{it} - (\alpha + \beta \times R_{mt})$   (2)

$R_{mt}$: Ex-right and ex-dividend monthly TOPIX return
$R_{it}$: Ex-right and ex-dividend monthly return for Company i
(4) Evaluations by stock markets of information security incidents


How, then, do stock markets evaluate information security incidents? First, the CARs for all of
the information security incidents (79 cases), information leak incidents (45 cases), and system
failure incidents (34 cases) respectively were calculated.

Figure 10: Studies of Events on the Day When Information Security Incidents Were Reported in
Newspapers
[Chart: cumulative abnormal return (vertical axis, 1.00% to -4.50%) for each day from t-10 to
t+20, where day t is the day when the incident was reported. Series: All incidents; Information
leaks; System failures.]

Figure 10 indicates the CAR for each category of incidents. In this figure, it can be confirmed
that stock markets negatively evaluated information security incidents whether divided into
information leaks and system failures or looked at as a whole. While information leaks began to
push down stock prices even before the day when they were reported in newspapers, system
failures started to lower stock prices immediately after the day when newspaper reports appeared.

While information leaks allow companies to choose the timing for announcing them publicly at
their own discretion, system failures are often made public immediately after they occur.
Whether or not companies can choose the timing for announcing information security incidents
publicly at their own discretion may affect evaluations by stock markets of such incidents.

Statistical tests (Table 1) confirm that the CAR for the entire sample was significantly negative,
at the 5% level, from five days prior to the day when the information security incidents were
reported in newspapers onward; that for information leaks it was significantly negative at the same
level from six days prior onward; and that for system failures it was significantly negative from
one day after onward. From the results of these tests, it can be confirmed that information
security incidents are negatively evaluated by stock markets.

Table 1 : Evaluations by Stock Markets of Information Security Incidents

Column groups, left to right: Entire sample (n = 79); Information leaks (n = 45); System failures (n = 34)
Day Average t-value p-value Average t-value p-value Average t-value p-value
t-10 0.000 0.150 0.441 -0.002 -0.575 0.284 0.003 1.063 0.148
t-9 0.001 0.186 0.426 -0.003 -0.636 0.264 0.005 1.334 0.096
t-8 0.001 0.495 0.311 0.000 0.052 0.479 0.003 0.757 0.227
t-7 -0.002 -0.743 0.230 -0.005 -1.005 0.160 0.001 0.152 0.440
t-6 -0.006 -1.525 0.066 -0.011 -2.017 0.025 0.001 0.225 0.412
t-5 -0.008 -2.160 0.017 -0.012 -2.016 0.025 -0.004 -0.853 0.200
t-4 -0.007 -1.830 0.036 -0.014 -2.457 0.009 0.002 0.313 0.378
t-3 -0.009 -2.319 0.012 -0.015 -2.907 0.003 -0.001 -0.110 0.456
t-2 -0.013 -3.154 0.001 -0.021 -3.702 0.000 -0.002 -0.392 0.349
t-1 -0.015 -3.039 0.002 -0.024 -3.701 0.000 -0.002 -0.339 0.368
t -0.016 -3.235 0.001 -0.023 -3.789 0.000 -0.007 -0.819 0.209
t+1 -0.022 -4.172 0.000 -0.027 -4.059 0.000 -0.015 -1.794 0.041
t+2 -0.021 -3.756 0.000 -0.025 -3.668 0.000 -0.017 -1.714 0.048
t+3 -0.024 -3.810 0.000 -0.028 -3.762 0.000 -0.018 -1.686 0.051
t+4 -0.022 -3.556 0.000 -0.028 -3.489 0.001 -0.015 -1.492 0.073
t+5 -0.027 -4.275 0.000 -0.030 -3.779 0.000 -0.023 -2.232 0.016
t+6 -0.028 -4.215 0.000 -0.032 -3.723 0.000 -0.023 -2.169 0.019
t+7 -0.027 -3.757 0.000 -0.031 -3.539 0.000 -0.021 -1.764 0.043
t+8 -0.029 -4.257 0.000 -0.033 -3.852 0.000 -0.023 -2.102 0.022
t+9 -0.029 -4.042 0.000 -0.032 -3.461 0.001 -0.024 -2.172 0.019
t+10 -0.031 -4.297 0.000 -0.032 -3.511 0.001 -0.028 -2.496 0.009
t+11 -0.032 -4.650 0.000 -0.033 -3.723 0.000 -0.032 -2.798 0.004
t+12 -0.032 -4.516 0.000 -0.028 -3.124 0.002 -0.037 -3.240 0.001
t+13 -0.033 -4.341 0.000 -0.029 -3.010 0.002 -0.038 -3.107 0.002
t+14 -0.034 -4.156 0.000 -0.032 -2.988 0.002 -0.036 -2.855 0.004
t+15 -0.031 -3.975 0.000 -0.027 -2.641 0.006 -0.036 -2.982 0.003
t+16 -0.031 -4.020 0.000 -0.026 -2.658 0.005 -0.037 -3.022 0.002
t+17 -0.031 -3.977 0.000 -0.027 -2.491 0.008 -0.038 -3.186 0.002
t+18 -0.031 -3.877 0.000 -0.027 -2.523 0.008 -0.037 -2.970 0.003
t+19 -0.030 -3.587 0.000 -0.025 -2.149 0.019 -0.037 -3.027 0.002
t+20 -0.031 -3.688 0.000 -0.027 -2.283 0.014 -0.037 -3.027 0.002
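
The market-model event study behind equations (1) and (2) and the average and t value columns of Table 1, written out as an added example (not the authors' code). The 60-day estimation window, the OLS fit, the cross-sectional t statistic, and the three constructed return series are assumptions; the page does not state how α and β were estimated.

```python
from math import sqrt
from statistics import mean, stdev

# Event window t-10..t+20 as in Table 1; the 60-day estimation window is an assumption.
PRE, POST, EST_LEN = 10, 20, 60


def fit_market_model(stock, market):
    """OLS estimate of (alpha, beta) in R_it = alpha + beta * R_mt, equation (1)."""
    m_bar, s_bar = mean(market), mean(stock)
    sxx = sum((m - m_bar) ** 2 for m in market)
    sxy = sum((m - m_bar) * (s - s_bar) for m, s in zip(market, stock))
    beta = sxy / sxx
    return s_bar - beta * m_bar, beta


def car_path(stock, market, event_idx):
    """Cumulative abnormal return for each relative day t-PRE..t+POST."""
    est_end = event_idx - PRE              # estimation window stops before the event window
    est_start = est_end - EST_LEN
    if est_start < 0 or event_idx + POST >= len(stock):
        raise ValueError("not enough return history around the event day")
    alpha, beta = fit_market_model(stock[est_start:est_end], market[est_start:est_end])
    path, running = [], 0.0
    for k in range(est_end, event_idx + POST + 1):
        running += stock[k] - (alpha + beta * market[k])   # e_it, equation (2)
        path.append(running)
    return path


def t_stat(values):
    """One-sample t statistic of the mean against zero; NaN when there is no dispersion."""
    sd = stdev(values)
    if sd < 1e-12:
        return float("nan")
    return mean(values) / (sd / sqrt(len(values)))


def event_study(events):
    """Return [(relative_day, average CAR, t value)] across all sampled events."""
    paths = [car_path(e["stock"], e["market"], e["event_idx"]) for e in events]
    rows = []
    for j, day in enumerate(range(-PRE, POST + 1)):
        cars = [p[j] for p in paths]
        rows.append((day, mean(cars), t_stat(cars)))
    return rows


def make_event(alpha, beta, shocks, n_days=91, event_idx=70):
    """Constructed, noise-free daily returns with abnormal returns injected on given days."""
    market = [0.01 * (((k * 7) % 11) - 5) / 5 for k in range(n_days)]
    stock = [alpha + beta * m for m in market]
    for rel_day, shock in shocks.items():
        stock[event_idx + rel_day] += shock
    return {"stock": stock, "market": market, "event_idx": event_idx}


# Constructed sample: two firms fall only on the report day; the third starts
# falling two days earlier, the pattern the text describes for information leaks.
SAMPLE_EVENTS = [
    make_event(0.0002, 0.9, {0: -0.02}),
    make_event(0.0000, 1.1, {0: -0.03}),
    make_event(-0.0001, 1.3, {-2: -0.01, 0: -0.03}),
]

if __name__ == "__main__":
    for day, avg, t in event_study(SAMPLE_EVENTS):
        print(f"t{day:+d}  average CAR {avg:+.4f}  t value {t:+.3f}")
```
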
What sampled incidents, then, were particularly severely evaluated by stock markets? This
section examines stock market evaluations by industry.

Examinations of the banking, IT, and communications industries, from which two or more
sample information leak incidents were obtained (eight, three and ten cases respectively),
indicate that while the incidents had practically no impact on stock prices in the communications
industry, they substantially pushed down stock prices in the banking and IT industries (see Figure
11).

A look at transport facilities (six cases), banking institutions (eleven cases), communications
carriers (nine cases), and companies that handle B2C products (five cases)—from each of which
two or more sample system failures or software trouble incidents were obtained—shows that
stock prices fell sharply irrespective of industry type (see Figure 12).

Figure 11 : Stock Markets’ Reaction to Information Leaks by Industry
[Line chart: cumulative abnormal return (vertical axis, 5.00% to -25.00%) from t-10 to t+20, where Day t is the day when the information leaks were reported. Series: Banking institutions; IT; Communications carriers]

Figure 12 : Evaluations by Stock Markets of System Failures and Software Trouble by Industry
[Line chart: cumulative abnormal return (vertical axis, 2.00% to -7.00%) from t-10 to t+20, where Day t is the day when the system failures or software trouble incidents were reported. Series: Average for means of transportation; Average for banking institutions; Average for communications carriers; Average for companies that handle B2C products]

4. Effects of Information Security Incidents on the Value of Corporate Brands

Stock markets are not the only stakeholder that rates companies much lower after they cause an
information security incident. If an information security incident leads to lower evaluations of
the company involved by not only stockholders but also all other stakeholders, it may also
substantially lower the value of the company’s corporate brand, which depends on intangible
characteristics that determine the image that major stakeholders, including customers, employees,
and stockholders, have of the company.

If, for example, a company causes an information security incident, increasing concern amongst
its customers, it may lose the premium that stockholders have paid for its reliability, or its
customers may switch to other companies, decreasing its sales. Alternatively, loss of trust in a
particular company may prevent it from retaining its continued business relationships with
others.

Figure 13 : Effects of Information Security Incidents on Corporate Brand Value

How do information security incidents affect corporate value?
If a company causes an information security incident, increasing concern amongst customers:

Customers
• The premium that stockholders have paid for the reliability of the company will be lost.
• Customers of the company will switch to other companies, decreasing its sales.
• The trust of business partners in the company will be lost, having adverse effects on its future business relationships.

Employees
• The number of new graduates or mid-career workers who seek employment with the company will decrease.
• The loyalty of employees will decline.

Stockholders
• Stockholders will be less willing to hold the company’s stocks for a long period of time.
• If the company’s stocks are included in an investor’s portfolio of CSR stocks, there is a strong possibility that they will be excluded from the portfolio.

Local communities
• If hostility of local communities toward the company increases, the company will have to pay greater political costs.
• National and local governments will exclude the company from their list of suppliers. etc…

The effects of information security incidents on corporate brand value are measured.

If the occurrence of an information security incident at a company leads to significantly lower
evaluations of the company by its current or future employees, the loyalty of its employees may
decline, or the number of new graduates or mid-career workers who seek employment with the
company may decrease.

If a company causes an information security incident, losing the trust of its current stockholders
or potential ones who may invest in its stocks in the future, it is highly likely to see these
stockholders less willing to hold its stocks for a long period of time. If its stocks are included in
an investor’s portfolio of CSR stocks, there is a strong possibility that they will be excluded from
the portfolio.

If an information security incident occurring at a company provokes heightened hostility towards
the company from local communities and their members, the political costs it has to pay are
highly likely to increase. As a result, national or local governments may exclude the company
from their list of suppliers.

As described above, information security incidents may significantly worsen the stakeholders’
image of the corporate brands involved, ruining their value.

(1) What is a corporate brand?


This section defines corporate brands.

The corporate brand is a set of intangible characteristics that determine the image people have of
a particular company. It serves to distinguish the company from others, and to make its presence
strongly felt and generate public trust in it.

Through products and services, a high value corporate brand provides customers with the
satisfaction and value that can only be experienced through the brand. As a result, customers
become fans and bring about stable or incremental cash flows over a long period of time. This
heightens stockholder value in two ways. One is that it has the effect of raising cash flow levels,
and the other is that it lowers cost of capital.
Furthermore, a corporate brand with a high value increases the remuneration paid to employees
and gives them pride and aspirations.

As explained above, the corporate brand connects the value of the three major stakeholders
(customers, employees, and stockholders) and brings about synergistic effects amongst the three.
As a result, it gives the power to enhance corporate value. In that sense, the corporate brand is
indeed the “fifth managerial resource” after personnel, equipment, money, and information.

Figure 14 : Golden Triangle of Corporate Brand Management
[Diagram labels: Customer value; Employee value; Stockholder value; Corporate brand; Corporate philosophy and vision]

(2) Framework for the corporate brand valuator


In practicing corporate brand management, it is most important to firmly grasp current
evaluations of the corporate brand and draw up a robust scenario regarding how to enhance the
appeal of the brand in the future. Even if the importance of the corporate brand is recognized, its
effectiveness remains low unless its value is measured. This is because nothing can be controlled
unless it can be measured. Until recently, however, there had been no sufficient model to
measure corporate brand value.

Therefore, with the cooperation of Nihon Keizai Shimbun, Inc., Ito, one of the authors,
developed a “corporate brand (CB) valuator,” a model for evaluating corporate brand value, in
2001. The CB valuator is a corporate brand valuation model unparalleled in the world in that (1)
it grasps the images of a company’s corporate brand as seen from each of the company’s major
stakeholders—customers, employees, and stockholders—in a comprehensive manner and
integrates them into a single indicator; (2) it combines the questionnaire survey method and the
financial data method, whereas previous brand evaluation models depended on one or the other;
and (3) as methods used for value conversion, it integrates an approach using balance sheets or
stock figures with an approach using profit and loss statements or flow figures.

Figure 15 : Making Corporate Brands Visible

CB valuator
• Integrates the value of the three stakeholders based on the golden triangle
• Integrates the questionnaire survey method and the financial data method
• Integrates the balance sheet method and the profit and loss statement method

The important point in calculating corporate brand value is to clarify what images a corporate
brand conjures up in the minds of customers, employees, and stockholders and how such images
lead to financial results. In order to achieve this goal, not only corporate financial data but also
data on corporate images are utilized. As financial data, we used the Nikkei NEEDS-Financial
QUEST Database. Information on corporate images is based on Nikkei surveys of 1,115 listed
and unlisted companies regarding their corporate images, which have been carried out by Nihon
Keizai Shimbun annually since 1988; global corporate image surveys, which have been
conducted by the same newspaper publisher since 2001; rankings of companies for which new
graduates wish to work; and surveys of securities analysts and fund managers regarding
corporate images, which have been carried out by Ito since 2001.

According to this framework, corporate brand value consists of CB advantages and CB leverages.
CB advantages (CB scores) indicate to what extent a corporate brand is attractive enough to
secure and retain first rate customers, employees, and stockholders. CB leverages (CB multiples)
show how much power a corporate brand has to convert CB advantages into cash flows. Even if
a corporate brand is highly appealing, its value is low if it lacks the power or business
opportunities to convert its appeal into cash flows (see Figure 16).

Figure 16 : CB Valuator (Integrated Corporate Branding Diagnosis System)

Corporate brand value tree
[Diagram: corporate brand value branches into the CB score (CB advantage) and the CB multiple (CB leverage). The CB score comprises the customer score, employee score, and stockholder score, each built from premium (financial data) × recognition × loyalty (image data); the survey populations shown are the general public and business firms, new graduates, and analysts. The CB multiple comprises CB utilization ability (return on assets (ROA), analyst evaluation index, ROA-CB relationship; business models, managers, visions, guiding principles, etc.) and CB utilization opportunities (risk, industry PER, growth potential).]

Analyzing financial data and image data statistically to evaluate and estimate corporate brand value in a comprehensive manner.

(a) CB score
The CB score indicates how many first rate customers, employees, and stockholders a corporate
brand can attract and retain, and for how long. In other words, it is an indicator of the corporate
brand’s relative position—how attractive the corporate brand is—within its industry. The CB
score comprises three elements: the customer score, employee score, and stockholder score.

The customer, employee, and stockholder scores are used as indicators based on the three factors
that have been emphasized in previous brand theories: premium, recognition, and loyalty.
Premium, recognition, and loyalty symbolize, respectively, the quality of stakeholders attracted
to a corporate brand, the number of such stakeholders, and the length of time during which
stakeholders are attracted to the brand and the volatility of its results. It is difficult to enhance the
power of the corporate brand unless the levels of premium, recognition, and loyalty are raised in
a comprehensive manner. For this reason, the CB score for each stakeholder is calculated by
multiplying the three indicators premium, recognition, and loyalty. The figure for premium is
computed based on financial data and recognition and loyalty are based on corporate image
surveys. Each indicator is calculated based on the deviation value for the industry used as a
sample.

(b) CB utilization ability
Even if a company has a high CB score, the value of its corporate brand is not always high. This
is because the CB score is no more than an indicator that symbolizes the relative power of the
company’s corporate brand in the industry, so that the CB score alone does not necessarily
explain future cash flows derived from the corporate brand. For example, if the company makes
efficient use of its investments, it can generate cash flows even if the power of its corporate
brand is low. Conversely, if the company can effectively convert the power of its corporate brand
into cash flows with small amounts of investment, there is a possibility that its corporate brand
will rise in value even if the CB score is low. Ito calls the ability of companies to effectively
convert the power of their corporate brand into cash flows “CB utilization ability.” The CB
utilization ability serves, so to speak, as a lever for the CB score. The CB utilization ability is
calculated based on the profitability of the company, but in this process, variables are changed so
as to enhance its significance as a lever for the CB score.

Table 2 : 2008 Ranking of Corporate Brand Value

Columns, left to right: Rank; Company; CB value; CB score; Customer score; Employee score; Stockholder score; Previous year’s rank
1 Toyota Motor 10,745,749 2,239 791 805 643 1
2 Canon 5,538,511 1,507 574 454 479 2
3 Takeda Pharmaceutical 3,807,698 1,587 506 497 584 5
4 Honda Motor 3,673,209 1,830 672 562 596 4
5 NTT DOCOMO 3,253,834 743 271 277 195 3
6 Mitsubishi UFJ Financial Group 2,999,104 960 301 337 323 6
7 NTT 2,798,012 610 235 204 170 7
8 Nintendo 2,737,732 2,332 568 1,061 703 10
9 Nissan Motor 2,142,363 1,452 571 490 391 8
10 Sony 1,935,144 1,279 447 460 372 9
11 Panasonic 1,930,435 1,126 407 378 341 11
12 Sumitomo Mitsui Financial Group 1,778,795 856 256 293 307 14
13 Mizuho Financial Group 1,598,015 789 244 281 264 12
14 Seven & i Holdings 1,238,665 839 290 272 278 13
15 FANUC 1,118,345 848 274 268 306 15
16 Sharp 1,004,289 1,101 391 369 341 17
17 East Japan Railway 973,458 743 285 232 226 21
18 Tokyo Electric Power 922,153 508 172 184 152 16
19 JFE Holdings 912,206 940 347 288 306 23
20 Nippon Steel 897,761 963 323 332 308 18
Copyright © 2008 Kunio Ito/ Nihon Keizai Shimbun,Inc All Rights Reserved

(c) CB utilization opportunities


Even if a company has a high CB score and a high CB utilization ability, the value of its
corporate brand is not always high. This is because business opportunities to convert the power
of a company’s corporate brand into cash flows vary from one industry to another. We call these
opportunities “CB utilization opportunities.” CB utilization opportunities increase or decrease
depending on the growth potential and stability of the industry in which companies operate, as
well as on whether opportunities for brand development are available or not.

Based on the CB valuator, The Nihon Keizai Shimbun and The Nikkei Sangyo Shimbun have
published a ranking of companies in CB value annually since 2001. Table 2 shows the CB value
ranking published on June 10, 2008.

(3) Effects of information security incidents on corporate brand value


Based on the CB valuator, this section examines the effects of information security incidents on
corporate brand value.

Table 3 : Effects of Information Security Incidents on Corporate Brand Value: An Approach to Verification

[Approach to verification]
1. Choose companies that were covered by one or more of the four Nikkei newspapers between
2001 and 2006 because they caused an information security incident (information leak, system
failure, etc.).
2. Examine what effects the IT incidents had on the corporate image of those of the companies
which were covered by Nikkei corporate image surveys.
3. Choose five of the prominent companies that are considered to have suffered particularly
serious damage in the second step above and calculate the effects of the IT incidents on the
financial value of their corporate brand in numerical terms.

                   2001     2002     2003     2004     2005      Total
Information leak   1 case   2 cases  9 cases  9 cases  13 cases  34 cases
System failure     4 cases  2 cases  3 cases  6 cases  6 cases   21 cases

Calculating the value of a company’s corporate brand requires its financial data (accounting and
stock price data) and corporate image data (Nikkei corporate image surveys and analyst surveys).
Therefore, it is difficult to calculate the degree of damage to the value of their corporate brand
for all companies that have caused information security incidents. As shown in Table 3, we
conducted searches in four Nikkei newspapers using the keywords “information leak” and
“system failure” to choose companies reported as having caused an information security incident
between 2001 and 2006 and whose corporate brand value could be calculated. As a result, we
obtained 34 sample companies for information leaks and 21 sample companies for system
failures.

First, we examine the effects of information security incidents on the corporate image of which
corporate brand value is constituted. Figure 17 uses the average for corporate image scores
during the three-year period prior to the occurrence of the information leaks or system failures to
indicate how much the incidents caused these scores to decline. In this figure, it can be
confirmed that corporate images went down substantially in terms of “product and service
quality,” “being eager to meet customer needs,” and “being able to respond to social changes.” It
can also be confirmed that system failures generally cause greater damage to corporate image.

Figure 17 : Effects of Information Security Incidents on Corporate Image
[Chart: ratio of corporate image scores (vertical axis, 0.75 to 1.20) by image item: Friendly; Lively; Product and service quality; Eager to meet customer needs; Active in research and product development; Reliable; Having good taste; Responsive to social changes; Active in self-transformation; Active in disclosing managerial information; Strong marketing and sales capabilities; Refined advertising activities. Series: System failure; Information leak; Serious incident]

* In the verification process, the effects are calculated using the image score at the time when the IT incident had just
occurred as the numerator and the image score prior to the IT incident occurring as the denominator. Analysis is
performed focusing on 14 serious accidents that are considered to have affected 100,000 ordinary consumers or
more.

Furthermore, if information security incidents are narrowed down to those which affected over
100,000 people, it can be confirmed that they caused greater damage to corporate image in terms
of “product and service quality” and “having good taste.” This confirms that information security
incidents have serious effects on the image that external stakeholders have of the companies
concerned.

To what extent, then, do information security incidents affect corporate brand value? In order to
answer this question, we narrowed down the number of companies analyzed to five to estimate
the effects of information security incidents on corporate brand value. Among the companies that
caused information security incidents, the ones involving these five were all played up by the
mass media, and it is assumed that such incidents seriously affected corporate brand value.

Figure 18 : Effects of Information Security Incidents on Corporate Brand Value
[Chart: effect as amount (left axis, unit: ¥1 million, 0 to 45,000) and effect as ratio (right axis, 0.0% to 30.0%) for Bank A, Card company B, Card company C, Service company D, and Information & communications company E]

Figure 18 indicates the amount of the damage caused by the information security incidents to
each of the companies and the loss as a percentage of the value of the corporate brand. This
figure shows that one of these information security incidents caused nearly 40 billion yen of
damage to the corporate brand value of the service company concerned. This represents 25% of
the corporate brand value the service company had maintained up till that point. The banking
institution also suffered nearly 40 billion yen of damage to its corporate brand value. As
exemplified by these two and other cases, information security incidents have grave effects on
corporate brand value.

Based on the foregoing, it can be said that information security incidents are likely not only to
lower evaluations of the companies involved by stock markets but also to substantially lower
evaluations by other stakeholders, including customers, employees, local communities, and the
global society.

5. Effects of Information Security Disclosure on Evaluations by Stock Markets

(1) Relationship between information security initiatives and disclosure


If information security incidents have grave effects on evaluations by stock markets of the
companies involved and on the value of their corporate brand, it is necessary to properly
establish systems and devices for ensuring information security.

Unfortunately, however, it is difficult for external stakeholders to obtain information on
companies’ information security initiatives. The reason for this is that it is hard to confirm the
actual state of such initiatives unless the companies disclose information on them.

How many companies, then, disclose information on their information security initiatives? In
order to clarify this, Ito conducted a survey of information disclosure officers at 3,931 listed
companies in Japan in October 2008. A total of 339 replies were received.

In addition to asking the information disclosure officers how their company disclosed
information on its risk management initiatives, including information security, the survey looked
at how they apprehend and disclose information on risk management. The following are the
results of the survey.

Figure 19 indicates how companies disclose information on corporate risk and its management,
including information security. According to this figure, it can be seen that many companies
disclose such information in the form of financial statements and corporate governance reports,
which stock exchanges require them to present.

Figure 19 : Media by Which Information Is Disclosed (N=362)
[Bar chart: number of companies (vertical axis, 0 to 350) by disclosure medium: Financial Reports; Brief reports on financial results; Materials for meetings announcing financial results; Annual reports; Business reports; Corporate governance reports; Environmental and corporate social responsibility (CSR) reports; Websites; Booklets for individual investors. Series: Information on corporate risk; Information on risk management; Information on corporate governance; Information on internal controls; Information on information security]

Copyright (C).2008 Kunio Ito All Rights Reserved

Figure 20 : Effects of Revealed Risks on the Management of Your Company
◆Effects of revealed risks on the management of your company
[Stacked bar chart, 0% to 100%; number of responses per answer]

                               Extremely large  Quite large  Quite small  Extremely small  Don’t know
Compliance                     192              100          34           7                10
Information leak               147              113          56           16               9
Related to defective IT systems 98              133          78           18               13
Operational                    54               115          99           23               41

Copyright (C).2008 Kunio Ito All Rights Reserved

How serious an effect do information disclosure officers think information security risks have on
corporate management? In Figure 20, information disclosure officers were asked about the
effects of information security risks on corporate management. This figure confirms that many
information disclosure officers think that risks involving compliance, information leaks, and
defective IT systems have serious effects on corporate management.

Figure 21 : Awareness Survey of Corporate Information Disclosure Officers
[Bar chart, 0% to 100%, by risk category: Compliance; Information leak; Related to defective IT systems; Operational. Series: Establishment of risk management systems/effects are large; Information disclosure/effects are large. Data labels shown: 94%, 93%, 83%, 70%, 59%, 62%, 55%, 44%]

Copyright (C).2008 Kunio Ito All Rights Reserved

How far have companies established systems to manage risks that they think will have serious
effects on their management? Also, how far do they disclose information on such systems?
Figure 21 indicates how far companies replying that risks would have serious effects on their
management have established risk management systems5 and their disclosure of information on
the risks involved. This figure illustrates that while around 95% of companies have established
systems to manage risks involving compliance and information leaks, only around 60% of them
disclose information on such systems. With respect to risks involved in defective IT systems,
although 85% have established risk management systems, only around 45% disclose information
on these systems. It can be seen that even though systems are established to manage information
security risks, the incentive for disclosing information on these systems is small. Conversely, if,
despite the small incentive, companies disclose information on the information security risks that
face them and the systems they have in place to manage these risks, it may mean that they are
more enthusiastic about these initiatives, and their managers have a better understanding of these
initiatives than those of companies that do not.

5 In this context, that risk management systems have been established means meeting three
requirements: (1) where responsibilities lie is clearly defined; (2) methods for responding to risks in a
systematic way when they are revealed have been established; and (3) employee education and
training are provided.

(2) Building a hypothesis
If investors view the disclosure of risk information as a sign of active efforts to establish and
improve risk management systems, it can be assumed that they expect that companies disclosing
risk information in advance will take appropriate action after an information security incident
occurs.

On the other hand, if investors view the non-disclosure of risk information as a sign of the
inability to perceive the risk involved, the absence of risk management systems even if the risk is
perceived, or the unwillingness to establish such systems in the future, it can be assumed that
they do not expect that companies which do not disclose risk information in advance will take
appropriate action after an information security incident occurs. Therefore, it is supposed that
when a risk is revealed, the extent of the fall in the price of stocks in companies that disclose
information on risk is smaller than that for companies that do not. Based on this, the following
hypothesis is given.

Hypothesis: Other things being equal, when a risk is revealed, the extent of the
decrease in the price of stocks in companies that disclose risk information
in advance is smaller than that for companies that do not.

(3) Samples and databases


In this section, we performed online searches in four Nikkei newspapers published during the
period from April 2004 to December 2006 using the keywords listed below to extract incidents
involving the leakage of personal information.

Keyword: “Personal information” and (“leak” or “loss”)

Among the cases identified through keyword searches, only those which met the following three
requirements were used in the sample: (1) the companies that caused the incident were then
listed on the First Section of the Tokyo Stock Exchange and have been listed there to the present
day; (2) they did not merge with another listed company during the period analyzed; and (3)
information on stock prices required for analysis is obtainable. 6 The reason the sampling was
limited to companies listed on the First Section of the Tokyo Stock Exchange is that we
attempted to identify the effects of incidents involving the leakage of personal information on
stock prices by making other factors that might affect stock transactions as uniform as possible.
If two or more risks were revealed at the same company within one month, the second and
subsequent risks are excluded from the sampling. The reason for this is that the first incident
might have continued to affect stock prices. As a result, 67 cases7 were used in the sample.

6 The authors tried to minimize the effects of the trading environment and other external factors by
using only TOPIX data as indicators to estimate rates of cumulative abnormal return.

Table 4 indicates the distribution of industries sampled. This table shows that the
information/communications and banking industries are more highly represented than others.
According to the results of the survey of personal information leak incidents conducted by the
Japan Network Security Association, incidents in the banking industry account for 13.7% of the
total, ranking first among all industries, and those in the information/communications industry
represent 11.2%, ranking second. This corresponds to the distribution of industries sampled in
the present study. For this reason, we do not believe that the manner in which incidents were
sampled seriously affected the results of this analysis.

Table 4: Number of Sample Information Leak Incidents by Industry

Air transport     2    Retailing                                   1    Electrical equipment    4
Service           5    Securities and commodity futures trading    1    Real estate             3
Wholesaling       1    Information and communications             14    Insurance               3
Banking          22    Food                                        2    Transport equipment     3
Construction      1    Electricity and gas                         3    Land transport          2

We then confirmed whether, in these 67 cases, financial statements submitted before the day
when the information leak was reported in newspapers included descriptions of information leak
risks in the column “Risks involved in business etc.” The result was that in 44 cases, information
leak risks had been disclosed before the information leak was reported, and that in 23 cases, such
risks had not been disclosed. We call the former “companies that disclose information leak risks
in advance” and the latter “companies that do not disclose information leak risks in advance.”

(4) Approach to verification


In order to examine these information security initiatives, this section studies evaluations by
stock markets of information on information security initiatives. This study involves using the
day when information leak incidents were reported in four Nikkei newspapers as the day of the
event and examining whether or not stock prices fluctuated differently between companies that
disclose information leak risks in advance (prior-disclosure companies) and companies that do
not disclose information leak risks in advance (non-prior-disclosure companies).[8] The
cumulative abnormal return (CAR), calculated based on market models[9], is used for verification.

[7] Incidents were sampled manually, however. Therefore, there is a possibility that not all incidents
involving the leakage of personal information were sampled.
[8] However, the day of the event for cases reported in the evening edition is the day following the day
when they were reported. If stock markets were closed on the day when cases were reported, the day
of the event is the next day when the stock markets opened.
[9] In this study, the authors performed analysis using market-adjusted models and found that the
results of this analysis were largely the same as those obtained by analysis using market models.

CAR is calculated according to the following procedures:
First, the parameters, $\hat{\alpha}_i$ and $\hat{\beta}_i$, are estimated using formula (1).

$$R_{i,t} = \alpha_i + \beta_i R_{m,t} + \varepsilon_{i,t} \tag{1}$$

$R_{i,t}$ represents the CAR for Company i on Day t, and $R_{m,t}$ represents the CAR rate for the whole
market[10] on Day t. As in the studies by Campbell et al. (2003), Cavusoglu et al. (2004), and
Ishiguro et al. (2006), the estimation period is 120 days prior to the day when the information
leak incident was reported.

Next, based on formula (2), abnormal return (AR) on equity investment is calculated using the
parameters estimated from formula (1).

$$AR_{i,t} = R_{i,t} - (\hat{\alpha}_i + \hat{\beta}_i R_{m,t}) \tag{2}$$

The sum of AR rates is divided by the number in the sample (N = 67) to calculate average
abnormal return (AAR) on equity investments (3).

$$AAR_t = \frac{1}{N} \sum_{i=1}^{N} AR_{i,t} \tag{3}$$

Finally, all AAR rates are added up to give the CAR (4).

$$CAR = \sum_{t=-1}^{T} AAR_t \tag{4}$$

The stock price data required for analysis were obtained from the Nikkei NEEDS-Financial
QUEST system.

(5) Evaluations by stock markets of information leak incident reports-1: Examinations using CAR

Figure 22 shows changes in CAR rate during the period from one day prior to the day when the
information leak incident was reported to 15 days after.

[10] TOPIX was used to calculate the CAR rate for the whole market. The reason for this is that the
companies analyzed are limited to those listed on the First Section of the Tokyo Stock Exchange (TSE).
Analysis of the CAR rate for the whole market using TSE’s stock price index by industry obtained
similar results.

Figure 22: Changes in CAR Rates (t = –1 to 15)
[Line chart. Vertical axis: CAR rate, –4% to 3%. Horizontal axis: days relative to the report, –1 to 15. Series: companies that disclose information leak risks in advance; companies that do not disclose information leak risks in advance.]

Figure 22[11] shows that following the report of information leak incidents, the price of stocks in
both companies that disclose information leak risks in advance and those which do not fell.
While prior-disclosure companies saw their stock price begin to rise five days after the incident
was reported and after seven days had recovered the fall experienced in the first five days,
non-prior-disclosure companies saw their stock price continue to fall and failed to recover the
pre-incident stock price level even after 15 days had passed. Fifteen days after the incident was
reported, while the stock price for prior-disclosure companies had risen about 0.1%, that for
non-prior-disclosure companies had fallen about 3.0%. From these trends, it can be seen that
after the information leak incident, the stock price for prior-disclosure companies fluctuated
differently from that for non-prior-disclosure companies. This means that prior-disclosure
companies were more positively assessed by markets than non-prior-disclosure ones. The
following paragraphs explain the reasons why the differences in stock price fluctuation described
above between prior-disclosure and non-prior-disclosure companies occur.

Investors might have decided that companies disclosing risk information in advance had solid
risk management systems and expected that they would swiftly take appropriate action even if
risks became tangible. Wakasugi (1999) pointed out that information disclosure exerts
motivational control over corporate activities. If this argument is invoked, it can be claimed that
investors might have decided that the ability of companies to disclose risk information in
advance meant that they perceived the risks involved and had systems to manage them. In fact, in
an awareness survey of information disclosure officers, 95% of companies disclosing
information leak risks replied that they had put in place systems to manage such risks.

[11] The results of analysis of changes in CAR rate in the banking and information/communications
industries indicate that the CAR rate for prior-disclosure companies and that for non-prior-disclosure
ones showed the same trends as in Figure 22. The changes in CAR rate are largely similar to those for
the entirety of the sample. Banking and information/communications are the only industries that
included both prior-disclosure companies and non-prior-disclosure companies and for which the
number of cases in the sample was sufficient for analysis.

Table 5: Testing of Average Differences in CAR between Prior-disclosure Companies and Non-prior-disclosure Companies

CAR    Prior-disclosure    Non-prior-disclosure    t value
       companies           companies
  0    -0.002              -0.008                  1.019
  1    -0.002              -0.009                  0.953
  2    -0.004              -0.008                  0.522
  3    -0.002              -0.009                  0.697
  4    -0.004              -0.013                  1.004
  5    -0.003              -0.013                  1.235
  6    -0.002              -0.014                  1.252
  7     0.001              -0.015                  1.538
  8     0.003              -0.016                  1.935*
  9     0.005              -0.015                  1.764*
 10     0.006              -0.019                  2.059**
 11     0.004              -0.025                  2.286**
 12     0.001              -0.029                  2.258**
 13     0.005              -0.030                  2.593**
 14     0.003              -0.031                  2.344**
 15     0.006              -0.030                  2.480**

** significant at the 5% level (two-sided test)
* significant at the 10% level (two-sided test)

On the other hand, investors might have decided that companies that did not disclose risk
information in advance did not perceive the risks involved or had not put risk management
systems in place even if they perceived them. Therefore, the investors made a different decision
when they considered investing in companies that did not disclose risk information in advance
and those which did.

These differences in the fluctuation of stock prices need to be verified at statistically significant
levels. Therefore, tests of average differences in CAR rate between prior-disclosure companies
and non-prior-disclosure companies were performed. Table 5 lists the results of t tests.

Table 5 shows that differences in the fluctuation of stock prices can be verified at statistically
significant levels eight days after the information leak incident was reported. In the study by
Ishiguro et al. (2006), statistically significant results of stock price fluctuations were obtained ten
days after the information leak incident was reported. It can be said that the results of the present
study are generally consistent with those of the study by Ishiguro and his colleagues.
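
The procedure of formulas (1) to (4) and the group comparison reported in Table 5 can be followed end to end in the added Python example below, which is not part of the original study. It assumes that R_{i,t} and R_{m,t} are daily rates of return (the usual market-model reading), that the estimation window ends the day before t = -1, and that the comparison is a Welch t test; the six firms, their returns and all function names are constructed for illustration.

```python
"""Event study per formulas (1)-(4) plus the group comparison behind Table 5.
All data below are constructed for illustration; none come from the study."""
from math import sqrt
from statistics import mean, variance

EST_DAYS = 120                     # estimation window length stated in the text
EVENT_T = list(range(-1, 16))      # event window t = -1 .. 15 (Figure 22)


def fit_market_model(r_i, r_m):
    """Formula (1): OLS estimates (alpha_hat, beta_hat) of R_i,t on R_m,t."""
    if len(r_i) != len(r_m) or len(r_i) < 3:
        raise ValueError("need two equally long series of at least 3 days")
    mean_i, mean_m = mean(r_i), mean(r_m)
    sxx = sum((x - mean_m) ** 2 for x in r_m)
    if sxx == 0:
        raise ValueError("market return is constant; beta is not identified")
    beta = sum((x - mean_m) * (y - mean_i) for x, y in zip(r_m, r_i)) / sxx
    return mean_i - beta * mean_m, beta


def abnormal_returns(alpha, beta, r_i, r_m):
    """Formula (2): AR_i,t = R_i,t - (alpha_hat + beta_hat * R_m,t)."""
    return [ri - (alpha + beta * rm) for ri, rm in zip(r_i, r_m)]


def car_path(ar_by_firm):
    """Formulas (3)-(4): average AR across firms per day, then cumulate from t = -1."""
    path, running = [], 0.0
    for same_day in zip(*ar_by_firm):
        running += sum(same_day) / len(same_day)
        path.append(running)
    return path


def firm_cars(ar_by_firm, t):
    """Each firm's own cumulative AR from t = -1 through day t (t-test input)."""
    return [sum(ars[: EVENT_T.index(t) + 1]) for ars in ar_by_firm]


def welch_t(a, b):
    """t statistic for the difference in mean CAR between two groups.
    Assumption: unequal variances (Welch); the page does not say which test was used."""
    se = sqrt(variance(a) / len(a) + variance(b) / len(b))
    if se == 0:
        raise ValueError("no variation within either group")
    return (mean(a) - mean(b)) / se


def constructed_sample():
    """Six hypothetical firms, noise-free so the injected ARs are recovered exactly."""
    market = [0.01 * ((7 * k) % 11 - 5) / 5 for k in range(EST_DAYS + len(EVENT_T))]
    firms = []
    for disclosed in (True, False):
        for j in range(3):
            alpha, beta, scale = 0.0002 * (j + 1), 0.8 + 0.1 * j, 1 + 0.2 * j
            returns = [alpha + beta * rm for rm in market]
            for idx, t in enumerate(EVENT_T):
                if t < 0:
                    continue
                # Disclosers fall for five days, then recover; the others keep falling.
                shock = 0.001 if (disclosed and t >= 5) else -0.002
                returns[EST_DAYS + idx] += scale * shock
            firms.append((disclosed, returns))
    return firms, market


def event_study(firms, market):
    """Return {disclosed: [AR series per firm]} over the event window.
    Assumption: the 120-day estimation window ends the day before t = -1."""
    groups = {True: [], False: []}
    for disclosed, r_i in firms:
        alpha, beta = fit_market_model(r_i[:EST_DAYS], market[:EST_DAYS])
        groups[disclosed].append(
            abnormal_returns(alpha, beta, r_i[EST_DAYS:], market[EST_DAYS:]))
    return groups


if __name__ == "__main__":
    groups = event_study(*constructed_sample())
    prior, non_prior = car_path(groups[True]), car_path(groups[False])
    print(" t   prior    non-prior  t value")
    for idx, t in enumerate(EVENT_T):
        if t < 0:
            continue
        stat = welch_t(firm_cars(groups[True], t), firm_cars(groups[False], t))
        print(f"{t:2d}  {prior[idx]:+.4f}  {non_prior[idx]:+.4f}   {stat:6.2f}")
```

In the constructed data the two groups are indistinguishable for the first five days and separate only afterwards, so the t statistic starts at zero and grows with the horizon, the same shape as the t values in Table 5.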

With regard to the reason that there is a delay in investors responding to information leak
incidents, Ishiguro et al. (2006) explain that immediately after the occurrence of the incidents,
investors cannot accurately grasp the amount of loss caused, and that only after exposure to
various reports following the incidents can they obtain a clear understanding of the scale of loss.
In the present study, we performed analysis from the viewpoint of risk information disclosure,
and from this standpoint, it can be inferred that investors collect information in various ways
immediately after the occurrence of information leak incidents, and that this collected
information includes risk information. Having confirmed this risk information after the incident,
they may make different investment decisions with respect to prior-disclosure companies and
non-prior-disclosure companies.

Therefore, it can be pointed out that there is a possibility that investors gradually incorporate
information on whether companies disclose risk information or not into their investment
decisions. In other words, immediately after the occurrence of information leak incidents,
investors do not know whether companies disclose risk information or not, but later, through
information gathering, they distinguish companies that disclose risk information in advance from
those which do not. By doing so, they realize in hindsight that prior-disclosure companies have
appropriate risk management systems. This might have had favorable effects on stock prices,
helping them to start rising. On the other hand, investors decide that non-prior-disclosure
companies do not have adequate risk management systems, and this might have caused stock
prices to continue falling.

(6) Evaluations by stock markets of information leak incident reports-2: Examinations using multivariate analysis

The previous analysis suggests the possibility that risk information affects stock prices. This
section analyzes whether risk information affects stock prices even if factors that may affect
CAR are controlled.

(a) Approach to verification


Several existing studies have made it clear that when information leak incidents occur, the scale
of business, the price-to-book value ratio (PBR), and the type of industry affect CAR. Cavusoglu
et al. (2004) reported the positive relationship between CAR and business scale, arguing that
companies with a larger scale of business can absorb negative shocks. Ishiguro et al. (2006)
reported the negative relationship between CAR and PBR. If PBR is considered as an index for
valuing intangible assets, companies with a higher PBR are those whose intangible assets are
highly rated by investors. If information security investments are regarded as intangible assets,
the value of such assets is impaired when information leak incidents occur. Therefore, it is
assumed that when information leak incidents occur, companies with a high PBR see their stock
price fall more substantially than those with a low PBR. Meanwhile, Cavusoglu et al. (2004) and
Ishiguro et al. (2006) presented results showing that information leak incidents have different
effects on CAR rates depending on the industries involved.

This section examines the three above-mentioned factors and the scale of the incident as factors
that affect CAR when information leak incidents occur. This is because it is assumed that
companies that cause a larger information leak incident see their stock price fall more
substantially than those which minimize the scale of the incident they cause.

As in the study by Ishiguro et al. (2006), the index (Size) based on the natural logarithm of
sales[12] for the settlement term immediately before the information leak incident was reported is
used as an indicator of business scale. PBR for one day prior to the day when the information
leak incident was reported is used. The number of pieces of personal information leaked
(Numbers) is used as a variable that indicates the scale of incident. Since discrepancies exist in
the numbers of pieces of personal information leaked, however, the index based on the natural
logarithm of the numbers is used. As is shown in Table 4, since there is a possibility that
information leak incidents are closely related to industry characteristics, an industry dummy
variable is incorporated into the multiple regression model.

An information leak risk information disclosure dummy variable (DiscDummy) is incorporated
into the multiple regression model with the variables mentioned above as its explanatory
variables and the CAR as its explained (dependent) variable (5). For the DiscDummy variable,
one (1) is given to companies that disclose information leak risks in advance and zero (0) to
those which do not. This model analyzes whether risk information affects stock prices or not
even if other factors that affect CAR are taken into account.

$$CAR_{i,t} = \alpha_0 + \alpha_1 Sales_{i,t} + \alpha_2 PBR_{i,t} + \alpha_3 Numbers_{i,t} + \alpha_4 DiscDummy_{i,t} + \sum_{i=1}^{14} \gamma_i IND_i + \varepsilon_{i,t} \tag{5}$$

Sales = Sales for the settlement term just before the information leak incident was
reported (natural logarithm)
PBR = PBR for one day prior to the day when the incident was reported
Numbers = Number of pieces of personal information leaked (natural logarithm)
DiscDummy = Information leak risk information disclosure dummy (1 for
prior-disclosure companies and 0 for non-prior-disclosure companies)
$\sum_{i=1}^{14} \gamma_i IND_i$ = Industry dummy
$\varepsilon_{i,t}$ = Error term

[12] Even in cases in which the total market value was used for the business scale index as in the study
by Cavusoglu et al. (2004), largely similar results were obtained.

The number of cases used in the sample was 64 after three cases were excluded in which
information on PBR and the number of pieces of personal information leaked was not obtained.
The stock price data and financial information required for analysis were obtained from the
Nikkei NEEDS-Financial QUEST database.

Table 6 and Table 7 show descriptive statistics for explanatory variables and correlation
coefficients between variables, respectively.

Table 6: Descriptive Statistics

             mean      std.dev   min      1Q        median    3Q        max       Obs.
Size         12.514    1.658     9.239    11.097    12.498    13.804    16.037    64
PBR           2.035    1.289     0.735     1.190     1.737     2.385     7.499    64
Numbers       8.160    2.889     3.526     5.570     8.499    10.092    15.498    64
DiscDummy     0.641    0.484     0.000     0.000     1.000     1.000     1.000    64

Table 7: Pearson Correlation Coefficients

             Size      PBR       Numbers   DiscDummy
Size                    0.144    -0.028    -0.066
PBR           0.232              -0.180     0.066
Numbers      -0.038    -0.095              -0.049
DiscDummy    -0.089     0.101    -0.009

* The lower left triangular matrix represents Spearman correlation coefficients, and the upper
right triangular matrix represents Pearson correlation coefficients.

Descriptive statistics in Table 6 indicate that there is no particularly abnormal value, suggesting
that there is no sampling bias. Pearson correlation coefficients in Table 7 show that all
correlation coefficients between explanatory variables are within ±0.180, and it is presumed that
problems of multicollinearity do not need to be taken into consideration.[13]

The multiple regression model is estimated using CAR (t = 1 to t = 15) for explained variables.

(b) Results
The results of the analysis are shown in Table 8.

[13] The variance inflation factor (VIF) for each variable is estimated at 3.205 for Size, 1.367 for PBR,
1.439 for Numbers, and 1.719 for DiscDummy. In general, multicollinearity can be suspected if VIF is
estimated at ten or more, but the values shown above are much smaller than ten. Therefore, it is
assumed that there is no problem of multicollinearity among explanatory variables.

According to Table 8, all coefficients for Size are positive in all periods except t = 8. But in no
period are they statistically significant. Coefficients for PBR are all negative and statistically
significant until the fifth day (significant at the 1% level on all days except t = 1). From six days
after the incident was reported onward, however, they are not statistically significant.
Coefficients for Numbers are negative after the incident was reported and statistically significant
until the fifth day (significant at the 1% level for t = 2 to 4 and at the 5% level for t = 1 and t = 5).
As with PBR, however, the values are not statistically significant from the sixth day onward.
Coefficients for Type are also statistically significant though they are not listed in the table.

Table 8: Results of Multiple Regression Analysis

CAR    Size                   PBR                    Numbers                DiscDummy              Adj. R² N
       Coef.    t value       Coef.    t value       Coef.    t value       Coef.    t value
  1     0.002    0.687        -0.006   -2.568 **     -0.002   -2.225 **      0.010    1.423        0.364   64
  2     0.005    1.604        -0.008   -3.108 ***    -0.004   -3.228 ***     0.004    0.581        0.357   64
  3     0.007    1.886        -0.010   -2.960 ***    -0.005   -3.516 ***     0.002    0.242        0.332   64
  4     0.004    1.235        -0.009   -3.092 ***    -0.004   -3.050 ***     0.007    0.832        0.450   64
  5     0.006    1.712        -0.010   -3.532 ***    -0.003   -2.131 **      0.005    0.633        0.464   64
  6     0.004    0.999        -0.006   -1.534        -0.002   -1.312         0.007    0.642        0.262   64
  7     0.002    0.557        -0.003   -0.719        -0.001   -0.680         0.013    1.244        0.251   64
  8    -0.001   -0.332        -0.002   -0.484        -0.001   -0.711         0.019    1.756 *      0.260   64
  9     0.000    0.043        -0.005   -1.253        -0.001   -0.774         0.020    1.823 *      0.293   64
 10     0.000    0.052        -0.006   -1.497         0.000   -0.123         0.027    2.282 **     0.366   64
 11     0.000    0.099        -0.005   -1.274         0.000   -0.075         0.032    2.615 **     0.373   64
 12     0.003    0.538        -0.004   -0.989         0.001    0.533         0.033    2.521 **     0.401   64
 13     0.006    1.128        -0.005   -1.063        -0.001   -0.366         0.034    2.399 **     0.350   64
 14     0.008    1.327        -0.008   -1.524        -0.001   -0.259         0.035    2.315 **     0.288   64
 15     0.009    1.545        -0.008   -1.657        -0.001   -0.244         0.032    2.123 **     0.311   64

*** significant at the 1% level (two-sided test)
** significant at the 5% level (two-sided test)
* significant at the 10% level (two-sided test)

Finally, a look at coefficients for DiscDummy indicates that they are positive in all periods. It is
not until eight days after the incident was reported, however, that they become statistically
significant (significant at the 10% level for t = 8 and t = 9 and significant at the 5% level for t =
10 to 15). If the results for PBR and Numbers are taken into account, it can be seen that there is a
possibility that following the reported incident, investors made investment decisions in
accordance with PBR and incident scale for some time, but that after a certain length of time
passed, whether or not the companies involved disclosed risk information in advance affected
their decisions.

Why, then, do companies that disclose information security risks not see their stock price fall
substantially? Why do those which do not disclose them see their stock price fall substantially?

One convincing hypothesis indicates the possibility that there are investors who study the
financial statements of the companies involved again when reconsidering their investment
decisions after the occurrence of information leak incidents. Companies that disclose information
security risks in their financial statements are likely to be keener on information security
initiatives and establish risk management systems in a more solid manner than those which do
not. It is inferred that the investors confirm these points and reflect them in their investment
decisions.

6. Effects of Information Security Governance on Corporate Brand Value

Information security initiatives not only prevent information security incidents from pushing
down stock prices but may also have positive effects on corporate brand value. The reason for
this is that information security initiatives are highly likely to help gain the greater trust of
external stakeholders and enhance customer preference and satisfaction in business transactions.
Another reason is that the greater trust of employees in information security increases their trust
in information systems, encouraging them to utilize information systems in a more strategic way.

In order to verify this hypothesis, however, it is necessary to be able to confirm companies’
information security initiatives in a comprehensive way and clarify what effects these initiatives
have on the customers, employees, stockholders, and other stakeholders of the companies. This
section estimates the effects of information security initiatives on corporate brand value using the
results of surveys of corporate users who utilize IT equipment and the results of surveys of
administrators of information processing systems, both of which were designed by Ito at
Hitotsubashi University.

(1) Evaluations of information security in corporate user surveys


Ito conducted questionnaire surveys of corporate users of certain pieces of IT equipment between
2004 and 2007. These surveys involved examining how closely evaluations of IT-related
products and services were related to the preference and satisfaction of users when they dealt
with the supplier of these products and services. This section presents several interesting results
obtained regarding information security, although details of the surveys are omitted.

Figure 23 shows how corporate users evaluated the companies’ information security initiatives.
According to this figure, the percentage of corporate users who highly rated Company B’s and
Company C’s information security increased in 2005, 2006, and 2007.

Figure 23: Information Security Evaluations by Corporate Users
[Line chart: surveys of corporate users regarding information security initiatives. Vertical axis: 0% to 14%. Horizontal axis: 2004 to 2007. Series: Company A, Company B, Company C, Company D. Annotations in the chart: "Corporate users rated Companies B and C increasingly highly with regard to information security because of their excellent information security disclosure." and "Evaluations of competitors remained almost at the same level."]

In Japan, since 2005, the Ministry of Economy, Trade and Industry has taken a leading role in
establishing various systems and devices to encourage Japanese businesses to disclose
information security initiatives more actively. In line with this trend, Companies B and C made a
clear commitment to their stance of communicating their information security initiatives to
stakeholders inside and outside the companies, mainly through full information security
disclosure. The figure confirms that these initiatives have had a steady influence on corporate
users.

How, then, do high or low evaluations of companies’ information security affect user preference
when users purchase products and services from the companies? In order to answer this question,
we divided the corporate users into those which highly rated the companies’ information security
and those which did not and presented user evaluations when they dealt with the companies (see
Figure 24).

Figure 24: Effects of Information Security Initiatives on Evaluations by Corporate Users
[Stacked bar chart, 0% to 100%: corporate users’ preference in dealings. Categories in legend order: High, Quite high, Average, Quite low, Low, Don’t know. Data labels (%) per bar:]

Company A with Security +:  35  43  13  2  4  4
Company A with Security –:  16  40  21  4  3  16
Company B with Security +:  47  42  5  2  2  2
Company B with Security –:  22  35  18  6  4  15
Company C with Security +:  28  54  15  1  1, with a further label of 0 placed apart from the bar
Company C with Security –:  15  34  23  8  5  16

* “Security +” indicates users who highly rated the company’s information security, and “Security –”
indicates users who did not.

According to Figure 24, it can be seen that the corporate users tended to prefer dealing with
companies that excelled in information security initiatives. Similar results were derived in terms
of overall user satisfaction, although details are omitted.

The results of the foregoing analysis confirm that information security initiatives led to high
customer preference and satisfaction in business transactions.

(2) Surveys of administrators of information processing systems


How, on the other hand, do a company’s information security initiatives alter the awareness of
employees who work for the company?

In order to answer this question, this section uses questions asked in a survey aimed at measuring
the effects of investment in information processing systems, which was carried out by Ito at
Hitotsubashi University on administrators of corporate information processing systems or
personnel in similar positions in January 2007, to present the relationship between the
information security awareness of companies and the awareness of employees working for those
companies. The survey covered 3,950 listed companies and collected a sample of 495 responses.

In the survey, respondents were asked whether their company was working hard to bolster
information security or how their company’s information processing systems were evaluated by
internal stakeholders. The survey used a combination of these questions to examine what effects
the presence or absence of efforts to strengthen information security had on evaluations by
internal stakeholders of information processing systems (see Figure 25).

Figure 25: Relationship between Active Information Security Initiatives and Overall Internal Evaluations of Information Systems
[Stacked bar chart, 0% to 100%: overall evaluations by internal personnel of information systems. Categories in legend order: High, Quite high, Average, Quite low, Low, Don’t know. Data labels (%) per bar:]

Information security +:  8  25  48  10  4  4
Information security –:  3  15  39  13  10, with a further label of 20 placed apart from the bar

* “Information security +” indicates companies that are active in strengthening information security,
and “Information security –” denotes companies that are not. Data are based on the questionnaire
survey conducted by K. Ito and his research team at Hitotsubashi University for CIOs or officers in
similar positions in January 2007.

This figure confirms that companies that were active in information security initiatives enjoyed
higher evaluations by their employees of their information processing systems than those which
were not. The greater trust of employees in information processing systems will encourage them
to utilize these systems in a strategic way, and if these efforts are successful, the employees will
be motivated to work harder, and they will have a greater awareness of, and take greater pride in,
their company’s corporate brand.

As described above, it can be seen that information security initiatives are closely related to
evaluations by customers and employees of the corporate brand of the companies concerned.

7. Information Security Governance Tasks and Outlook

The aim of this paper is to examine the effects of information security initiatives on corporate
value and demonstrate the significance of establishing information security governance so that
the effects permeate into business firms.

In order to achieve this goal, this paper first examined the effects of information security
incidents on evaluations by stock markets and on corporate brand value. It then showed the
possibility of information security incidents leading to significantly lower evaluations by stock
markets, and of them substantially damaging corporate brand value by lowering the level of the
corporate image.

Do, then, information security initiatives bring economic effects? In order to answer this question,
we performed the three analyses described below. One was to focus on companies that disclosed
information security risks in the “Risks involved in business etc.” column in their financial
statements and examine how differently stock markets evaluated such companies as compared to
those which did not when an information security incident occurred. As a result, it was
confirmed that companies that disclosed information security risks saw their stock price fall by a
smaller margin than those which did not.

Secondly, according to a questionnaire survey of corporate users who utilized IT-related
equipment, it could be seen that companies that properly disclosed their information security
initiatives enjoyed higher evaluations of those initiatives than those which did not. Furthermore,
it was confirmed that information security initiatives had positive effects on user preference and
satisfaction in business dealings.

Moreover, the questionnaire survey of administrators of information processing systems
confirmed that companies that were active in strengthening information security tended to
receive higher evaluations of their information processing systems from internal stakeholders.

Based on the results described above, it is considered that it is economically beneficial in two
ways to have internal and external stakeholders recognize that companies are carrying out
information security initiatives.

One benefit is that by explaining that they are carrying out information security initiatives as
expected by external stakeholders, companies can state that they are fulfilling their corporate
social responsibility, thus minimizing the concerns and distrust of external stakeholders.

Like global warming and other environmental problems, information security incidents, once
they occur, can have grave effects on companies and ordinary consumers in the community in
which the companies involved operate. Nonetheless, external stakeholders cannot ascertain how
active and enthusiastic the relevant companies are with regard to information security initiatives.
This may bring about underinvestment, viewed from the standpoint of social welfare. In order to
minimize the concerns and distrust of external stakeholders, companies are urged to disclose
information security initiatives as part of their corporate social responsibility.

Formerly, information security incidents did not occur as often as today. Also, there was a
“happy misunderstanding” that companies—which in fact were not intent on ensuring
information security—might be working hard to ensure information security even if they did not
disclose their information security initiatives. In recent years, however, many information
security incidents have occurred. In the light of these incidents, unless companies disclose
information security initiatives, external stakeholders cannot identify these initiatives even if the
companies are actively implementing them, and may consider the companies to be subject to
information incident risks in the same way that others are. In order to avoid such negative
evaluations and minimize the groundless concerns and distrust of external stakeholders,
companies have been urged to disclose their information security initiatives.

The other benefit lies in explaining information security initiatives with the aim of raising
future cash flow levels. If information security initiatives increase the trust
of business partners and customers, resulting in the establishment of stable relationships with
them, as well as in strategic management of customer loyalty, premiums, and information assets,
future cash flow levels can be raised or stabilized. This economic benefit, however, would rarely
lead to favorable evaluations by stockholders and other stakeholders of companies unless
information security initiatives are disclosed voluntarily. The results of the analysis in this paper
suggest that strengthening information security initiatives and disclosing them to external
stakeholders are effective in bringing these two benefits.

As shown in this paper, however, there are still comparatively few managers of Japanese
companies who believe that information security initiatives lead directly to enhanced corporate
competitiveness. For this reason, it is extremely important to have corporate managers
understand the importance of information security initiatives and engage themselves in these
initiatives more actively. In this sense, it is essential to establish and apply information security
governance, which is defined as “establishing and applying corporate governance, and the
internal control systems that represent the mechanism supporting it, within a company looking
from the viewpoint of ensuring information security.”

It is no easy matter to establish and apply information security governance. This is because, in
order to establish it, it is essential to establish systems to make information security governance
visible so that progress in information security initiatives can be properly managed from the
viewpoint of corporate managers and to establish risk communication systems to make
information security governance visible to external stakeholders. At present, however, it is no
easy matter to do this.

Why, then, is it not easy to establish systems to make information security governance visible
and to establish risk communication systems? One of the major reasons for this is the absence of
information security databases.

Lack of such databases makes it difficult to render the economic effects of information security
initiatives and those of investment in such initiatives tangible. For this reason, it is difficult to
make the aim of information security initiatives and the progress made with such initiatives
visible from the perspective of corporate managers. Corporate managers would not want to
actively communicate information to external stakeholders that does not allow them to confirm
the progress of these initiatives.

As shown in this paper, even among the companies that have established information security
risk management systems, only a few disclose them. It can be inferred that this is because many
of the corporate managers are afraid that actively disclosing risk information may in turn lead
stock markets to evaluate their company negatively.

The results of the analysis in this paper suggest that information security initiatives and their
disclosure are highly likely to bring positive economic effects.

Nonetheless, this paper does not give full consideration to what type of information security
governance brings positive economic effects to business firms or to other aspects of information
security governance. We regard these as issues that we should address in the future.

Acknowledgment
In writing this paper, the authors received support from the Center for Japanese Business
Studies—run by the Ministry of Education, Culture, Sports, Science and Technology’s Global
Center of Excellence (COE) Program—the main site of which is Hitotsubashi University
Graduate School of Commerce and Management. They also received science research subsidies
(basic research B) from the Japan Society for the Promotion of Science. They are deeply grateful
for this support.

Bibliography
Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou (2003) “The Economic Cost of Publicly
Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal
of Computer Security, Vol. 11.

Cavusoglu, H., B. Mishra, and S. Raghunathan (2004) “The Effect of Internet Security Breach
Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet
Security Developers,” International Journal of Electronic Commerce, Vol. 9, No. 1: 69-104.

Ishiguro, M., H. Tanaka, K. Matsuura, and I. Murase (2006) “The Effect of Internet Security
Incidents on Corporate Value in the Japanese Stock Market,” Proceedings of The 2006 Workshop
on the Economics of Securing the Information Infrastructure.

Ito, K., Corporate Brand Management, Nikkei Publishing Inc., 2000.

Ito, K., Seminar: Valuation of Corporate Value, Nikkei Publishing Inc., 2007.

Ito, K., “New Development of Corporate Brand Management,” Hitotsubashi Business Review,
Vol. 51, No. 3, 2003.

Ito, K., “Corporate Brand Management for Higher Reputation,” Risk Management Business, Vol.
19, No. 9, 2004.

Ito, K. and T. Kagaya, “Brand Risk Management and Corporate Value,” Hitotsubashi Business
Review, Vol. 54, No. 3, 2006.

Metropolitan Police Department, “Survey concerning the Actual Condition of Countermeasures
against Unauthorized Access etc,” 1999–2004.

Ministry of Economy, Trade and Industry, “Research Group on Corporate Information Security
Governance,” March 2005.

Kim, H. O., “The Effects of the Advance Disclosure of Risk Factors on Stock Returns When There
Are Information Security Incidents,” Hitotsubashi Review of Commerce and Management, Vol. 2,
No. 2, November 2007.

Japan Network Security Association, “Information Security Incident Survey Report,” 2002–2007.

InterRisk Research Institute & Consulting, Inc., “An Analysis of Revealed Risks in Fiscal 2004,”
June 2005.

NRI SecureTechnologies, Ltd., “A Questionnaire Survey concerning the Condition of Information
Security Measures,” November 2007.

Wakasugi, A., Accounting Disclosure and Corporate Ethics, Zeimukeiri Kyokai Co., Ltd., 1999.

Brand Risk Management and Corporate Value

Kunio Ito, Professor, Graduate School of Commerce and Management, Hitotsubashi University
Tetsuyuki Kagaya, Associate Professor, Graduate School of Commerce and Management,
Hitotsubashi University

October 2006

1. Introduction

There has been growing interest in corporate risk management in Japan. The reason is related to
the three trends described below.

One is that since the new century began, there have been a string of scandals betraying the trust
and expectation of consumers in various industries such as food, transport equipment, electrical
machinery, insurance, machinery, and public utilities. Recently, such incidents have occurred
even at some of the excellent companies that are representative of Japan. The frequent
occurrence of these scandals has led consumers to turn a more critical eye toward companies
than before. Formerly, companies were able to gain public trust in the quality and safety of their
products and services simply because they were large. The “quality myth” that large companies
had enjoyed crumbled easily, however. With the collapse of the quality myth, there is growing
interest in corporate risk among consumers as they consider how to protect themselves.

Another trend is that advances are being made in the reform of legal systems dealing with
corporate risk. In the United States, corporate scandals that involved Enron, WorldCom, and
other companies led capital markets to demand more reliable financial reports. In response to
these needs, the Sarbanes-Oxley (SOX) Act was enforced in 2002. Not only the U.S. but also
various other countries have taken the opportunity presented by the series of corporate scandals
occurring on a worldwide scale to step up their efforts to improve systems related to the
establishment of internal controls.

Japan is no exception. In March 2003, major financial institutions began to attach a written
confirmation to their financial statements in accordance with the framework of the Basel
Committee on Banking Supervision. Starting April of the same year, the Cabinet Office
Ordinance on Disclosure of Corporate Information etc. required company managers submitting
financial statements and other documents to present documents confirming that they did not
include false descriptions. Furthermore, in December 2005, a document entitled
“Recommendations on standards for evaluations and audits of internal controls related to
financial reports” was published. In November 2004, the Tokyo Stock Exchange issued a
document entitled “Review of the listing system to increase public trust in corporate information
etc.,” requiring listed companies to submit a document confirming the appropriateness of the
content of descriptions in financial statements and other documents starting from financial results
for the term ending March 2005. Moreover, the Companies Act, which came into force in May
2006, requires companies that appoint corporate auditors to have their board of directors decide
basic policy for the establishment of internal control systems and to disclose the outline of its
resolutions in their business reports.

These system reforms aim to clarify who should take responsibility for corporate scandals and
other incidents and to urge corporate managers to take precautions against possible scandals.
With these system reforms forming a turning point, the interest of businesspeople in corporate
risk has grown dramatically.

The last of the three trends is that reputation risks are increasing. In recent years, the authors
have often heard businesspeople point out that even the type of scandals that were not covered by
mass media before are often played up by them nowadays, attracting public attention and
bringing criticism. Many businesspeople are concerned that as a result of their exposure to mass
media, these scandals may come to be widely known to the public, having serious effects on
corporate value and brands.[14]

Chart 1 indicates the number of online search results for the keyword “scandal” in four Nikkei
newspapers and The Asahi Shimbun. According to this chart, if 1991 and 1997, when many
sokaiya (racketeer) incidents and financial scandals occurred, are excluded, the number of
business or management related scandals covered from 2002 onwards has risen to 600–800 for
the four Nikkei newspapers and 200–300 for The Asahi.

What one should pay particular attention to is that these business or management related scandals
have serious effects on the sustainability and other aspects of companies.

Chart 2 below, for example, examines the effects of corporate scandals covered by newspapers
between 1998 and 2002 (14 cases such as defective product and service quality, soil
contamination or other environmental problems, and breaches of laws and regulations) on
corporate value. The analysis involves examining how stock prices fluctuated before and after
the day when the corporate scandal was reported by mass media. According to this chart, stock
prices fell substantially immediately after the day when the scandal was reported, with the extent
of the fall in the subsequent week growing to nearly 15%. Even 30 days after the scandal was
uncovered, the stock prices had not recovered to the pre-scandal level.

[14] For the relationship between reputation risks and corporate brands, see Ito (2004).

[Chart 1: Changes in the Number of Online Search Results for the Keyword “Scandal” in Four
Nikkei Newspapers and The Asahi Shimbun. Series: four Nikkei newspapers (“scandal” and
“management”), four Nikkei newspapers (“scandal” and “business”), Asahi (“scandal” and
“management”), Asahi (“scandal” and “business”). Horizontal axis: 1985–2004; vertical axes:
four Nikkei newspapers (0–2,000) and Asahi (0–1,000). Annotation: stricter laws and
regulations, revealed reputation risks, governance crisis.
Copyright (C) 2006 Tetsuyuki Kagaya. All Rights Reserved.]

The authors then analyzed the amount of economic loss suffered (sales loss and scandal-related
loss) and the amount of damage caused to the aggregate market value of stocks 30 days after the
scandal was discovered. Since the effects of the scandal itself cannot be separated from the
financial and accounting information disclosed by the company involved, the economic loss and
damage are inferred by analogy, and therefore, the effects of factors other than the scandal may
be included in the loss and damage. However, the amount of damage to the aggregate market
value of stocks during the period when the scandal occurred is much larger than the actual
economic loss during the same period, with the former at 169.3 billion yen on average and the
latter at 81.9 billion yen on average.

[Chart 2: Percentage of Damage Caused by Corporate Scandals to Corporate Value. Changes in the
rate of cumulative abnormal return on equity during the 30-day period after the corporate
scandal was revealed (average for 14 companies), measured with the rate for the day when the
scandal was revealed as zero. Horizontal axis: days relative to the day the scandal was
revealed (-6 to 30); vertical axis: rate of cumulative abnormal return on equity (-20.0% to
5.0%). Copyright (C) 2005 Tetsuyuki Kagaya. All Rights Reserved.]

Why, then, is the amount of damage to the aggregate market value of stocks larger than that of
actual operational loss? One of the convincing hypotheses is that stock markets consider that the
effects of scandals at companies on their financial results do not subside by the end of the year
when they occur but continue in the following year and thereafter. Of course, the degree of such
effects varies depending on the nature and characteristics of the corporate scandal, but it can be
confirmed that stock markets evaluate the companies involved, predicting that the effects of
scandals will generally continue in the following year and thereafter.

If a company’s stock value is left damaged for a long period of time, the damage may have
serious effects on the sustainability of the company. This is because the various systems,
including cross-holdings, which have served to stabilize Japanese companies, have practically
collapsed, and because, if their stock value remains low, there is a strong possibility that they
will be taken over by fund managers, foreign enterprises, or other Japanese companies in the
same industry.[15] In particular, the Companies Act, which was enacted in May 2006, allows
companies to acquire others and give stocks as compensation starting from May 2007, one year
after the law came into force, and this makes the acquisition of Japanese companies by foreign
ones a practical possibility. As this new age of M&A starts, Japanese companies are being urged
to establish appropriate systems to cope with and respond to the risks that face them.

[15] For this trend, see Ito (2003).

2. Why Do Risk Events Occur Frequently Today?

The first step towards establishing appropriate systems to cope with and respond to corporate
risk is to consider why corporate scandals have frequently occurred in Japan in recent years.

So, to start with, why have corporate scandals that seriously affected corporate value been
occurring so frequently in Japan in recent years? One reason for this is that the number of laws
with which businesses and businesspeople need to comply has been increasing. The scope of
statutes that businesspeople have to comply with, including the Product Liability Act, the Act on
the Protection of Personal Information, the Labor Standards Act, the Act on Securing, etc. of
Equal Opportunity and Treatment between Men and Women in Employment, and laws and
regulations related to intellectual property rights and insider trading, is expanding. On the other
hand, as consumers and the general public view listed corporations with an increasingly critical
eye, as mentioned above, mass media cover violations of laws and regulations more often than
before as they increase in number. Against this background, employees who were not fully aware
of changes in the business environment such as the revision of legal systems continued to
perform their duties as they had done before, and this may have led to an increase in the number
of corporate scandals, as described above.

In order to prevent scandals attributable to gaps in employee awareness, it is effective to educate
and train employees regarding compliance with laws and regulations. It is difficult, however, to
assert that the many scandals that have occurred in recent years can all be attributed to an
awareness gap on the part of employees. Several years have already passed since scandals began
to occur frequently at large corporations in Japan. During this interval, many Japanese companies
launched initiatives for compliance with laws and regulations. Therefore, if these scandals are
entirely attributable to the awareness gap, the number of these scandals should have gradually
decreased as Japanese businesses made progress in their attempts at filling the gap. However,
even some of the excellent companies that are representative of Japan have caused quality
problems and non-compliance scandals, and the number of corporate scandals itself has
continued to grow. From this fact, it can be inferred that these scandals have been caused not
only by the awareness gap, but rather by structural changes in Japanese companies, and that
because of this, the growth in the number of corporate scandals is not being stemmed.

What did the “lost decade” bring to Japanese businesses?


What are the structural changes in Japanese companies? This section looks back upon the first
half of the 1990s, which is called the “lost decade.” At that time, the business performance of
many Japanese companies deteriorated greatly. The deterioration of their business performance
led to widespread criticism of Japanese style management, which had held sway over the minds
of businesspeople during the 1980s. Japanese style management came under fire from many,
who argued that the weakening of individual businesses due to the pursuit of all-round
management, the lack of specialization due to personnel development centered on generalists, the
harmful influences of centralized management by a bloated head office, lifetime employment,
personnel systems that, because of seniority, failed to evaluate personnel properly even if they
brought satisfactory results, and other factors eroded the competitiveness of Japanese businesses.
For this reason, Japanese companies began to implement policies to meet these criticisms in the
second half of the 1990s.

One example of these policies was the introduction of performance-based pay systems to bring
out the abilities of individual employees. In order to achieve good business results while curbing
personnel expenses, as they were becoming higher than overseas, it became indispensable to
properly reward personnel who brought excellent results. In order to attain this goal, Japanese
companies resolutely carried out reforms in personnel systems so that they revolved around
performance-based pay. At the same time, they implemented many policies to reduce costs,
including the invitation of applications for voluntary retirement, the relocation of plants to
overseas sites, and the utilization of temporary workers.

They also carried out organizational reforms to overcome the limits of all-round management,
which is symbolized by the term “conglomerate discount” or “diversification discount,” and to
enhance the competitiveness of individual businesses. To overcome the
“conglomerate discount” or “diversification discount,” they began to accelerate the management
of individual businesses through organizational reforms such as thorough internal company and
business unit systems and spin-off operations, with the aim being to develop competitive
businesses. The availability of information technology backed up the decentralization of
resources for individual businesses.

Furthermore, Japanese companies streamlined their head office in parallel with efforts to enhance
the competitiveness of individual business units. The aim was to achieve greater efficiency in the
operation of the head office, a major cost center, by outsourcing part of its functions.

These management reforms contributed greatly to the recovery of Japanese companies’ business
performance. Chart 3, for example, shows the percentage of companies that posted their largest
income from 1988 to each year. It can be confirmed that in terms of operating income, ordinary
income, and net income for the current term, the percentage of such companies was highest in
2004.

[Chart 3: Percentage of Japanese companies that posted their largest income from 1988 to each
year. Series: operating income, ordinary income, net income for the current term. Horizontal
axis: 1995–2004; vertical axis: 0%–40%.]

* The chart shows the percentage of companies that, in a given year, posted their largest income
since 1988. The survey covers 871 companies for which consolidated financial statements for the
period from fiscal 1988 to 2004 were obtainable.

Copyright (C) 2006 Kunio Ito. All Rights Reserved.

However, while the business performance of Japanese companies recovered as described above,
the nature of management at Japanese companies steadily underwent changes in a manner that
would cause an increasing number of corporate scandals.

Reforms of personnel systems to revolve around performance-based pay, for example, were
introduced to make all employees aware of the emphasis on results and encourage them to
display their abilities to the full. These reforms contributed greatly to making each and every
employee aware of this emphasis. But on the other hand, many of the reforms, when they were
carried out, were restricted by the drive to reduce personnel expenses and this encouraged the
negative aspects of reform in the following two ways. One is that many of these reforms made
employees in a division indifferent to other divisions, group companies, and their company as a
whole. The other is that since too much emphasis was placed on performance, employees
neglected to expend sufficient effort on various other activities such as complying with laws and
regulations and establishing a competitive edge for the future, which affects the sustainability of
the company and forms a source of medium and long-term competitive power. In other words,
while Japanese companies made all-out efforts to emphasize performance, employees reduced
the range of their interest and lost their long-term point of view—a twofold “narrowing of
employees’ perspectives.”

Due to personnel reductions introduced to improve business performance, the workload of each
employee is increasing. In addition, as compliance and corporate social responsibility (CSR) gain
importance due to the series of corporate scandals that have occurred in recent years, a wide
range of new legal systems have been put in place. With the establishment of these legal systems,
there are ongoing moves to ensure thorough internal controls. Due to increases in documentation
and approval processes, which were not necessary in the past, the workload of employees, which
has already been growing, is becoming even larger. Moreover, the reason for the growing
workload and its significance are often not properly understood by all employees. Under these
circumstances, tighter internal controls end up making employees feel that they are just being
forced to work hard for the sake of it—a sense of being busy without a vision.

Furthermore, Japanese companies stepped up their efforts to enhance the competitiveness of
individual businesses by decentralizing power and organizing spin-off operations. While they
accelerated management decision making by extensively delegating authority to each business
unit, they ensured that each business unit managed its performance thoroughly and clarified the
manager’s responsibility for operations in his or her own unit. On one hand, these attempts
successfully improved the performance of individual businesses, but on the other, divisions,
internal companies, and group companies became less active in sharing information and
promoting cooperation with each other. What is known as “partial optimization” and
“sectionalism” was in progress.

The narrowing of employees’ perspectives, being busy without a vision, and partial optimization,
all of which were taking hold at Japanese companies, widened the psychological distance
between the company and its employees and consequently weakened the sensitivity of
employees to risk events and lowered their morale and sense of allegiance—elements that had
played an important role in preventing the occurrence of corporate scandals.

Up to that time, Japanese companies had prevented the occurrence of risk events by relying on
the sensitivity of employees to risks as well as their morale and sense of allegiance rather than
establishing particular risk prevention systems and devices. There is a strong possibility, however,
that the structural changes Japanese companies have undergone in recent years are weakening
their ability to prevent and respond to risks, resulting in the frequent occurrence of corporate
scandals.

Changes in the risk structure of Japanese companies


There are survey results that show changes in the risk structure of Japanese companies. The
authors worked with Tokio Marine & Nichido Risk Consulting Co., Ltd. to conduct a
questionnaire survey in October 2004. The survey covered 1,600 businesspeople who worked
with companies in eight industries: (1) food, agriculture, forestry, and fisheries, (2) textiles, pulp
and papermaking, chemicals, pharmaceuticals, rubber products, petroleum, and cement, ceramics
and glass, (3) iron and steel, nonferrous metals, and metal products, (4) electrical and precision
machinery, (5) transport equipment, (6) information and communications, (7) transport, electric
power, and gas (public utilities), and (8) services (finance, insurance, service, commerce, etc.).

Based on the survey results, this section shows how the risk structure of Japanese companies has
changed. In order to confirm how the nature of management at Japanese companies had changed,
the survey assessed changes in the perceptions of employees regarding changes in managerial
events, classifying responses into five levels (“I strongly think so,” “I think so,” “I do not know
whether I think so or not,” “I do not really think so,” and “I do not think so at all”). Chart 4
indicates its results.

This chart shows that an increasing number of employees had the following impressions: “we are
asked to achieve aggressive performance goals more often than before,” “it is becoming difficult
to achieve goals due to fierce competition in core businesses,” and “a large proportion of bonus
is now linked to performance.” In addition, many businesspeople pointed out that “it takes time
to coordinate between divisions” and that “the scope of business managers’ responsibility and
authority is becoming unclear.” Furthermore, the number of companies in which “cost reductions
drive profit generation” and “profits are secured through the hard work of sales personnel and
efforts to meet work quotas” was on the rise.

From these survey results, it can be confirmed that such problems as excessive emphasis on
performance and lack of interdivisional cooperation were becoming increasingly tangible to
employees.

[Chart 4: What has your company changed in ten years? Percentage of people who replied,
“I strongly think so” or “I think so,” in response to 15 questions relating to the business
environment. Series: Manufacturing, Services. Axis: 0%–60%. Questions:
- Asked to achieve aggressive performance goals
- A large portion of bonus is linked to performance
- It is difficult to achieve goals due to fierce competition in core businesses
- Competition between group companies and business units to achieve better business results is fierce
- Business units that earn the most profit get preferential treatment
- Highly likely to be acquired by another company
- Most of the compensation is linked to stock prices
- A wider range of authority is delegated
- Profits are secured through the hard work of sales personnel and efforts to meet work quotas
- Cost reductions drive profit generation
- Business performance levels fluctuate significantly
- Systems to prevent managers from behaving recklessly do not work
- Greater attention is being paid to our company’s products and services
- It takes time to coordinate between divisions
- The scope of business managers’ responsibility and authority is unclear
Copyright (C) 2004 Kunio Ito. All Rights Reserved.]

Branding governance and compliance

How, then, should occurrence of the risk events underlying corporate scandals be prevented?
In recent years, Japanese companies have carried out, in earnest, compliance programs aimed at
educating and training employees in the legal systems and social conventions with which they
should comply. Furthermore, the Companies Act, which came into force in May 2006, requires
boards of directors to establish internal controls, with plans calling for the Financial Instruments
and Exchange Act to be enacted as a Japanese version of the SOX Act by the end of the same
financial year. As exemplified by these pieces of legislation, Japanese companies are being urged
to establish systems to preclude corporate scandals. Education and training as well as
establishment of internal controls will also enable Japanese companies to reduce the corporate
scandals that have been occurring frequently.

These various attempts will contribute to deepening the recognition and understanding of
employees regarding various situations that are considered to constitute a breach of laws and
regulations. What Japanese companies should pay attention to, however, is that unless the
intentions and aims of these attempts are properly communicated, including to rank-and-file
employees, they may come across to employees only as efforts to tighten internal controls and
strictly enforce extremely detailed rules, further weakening the sensitivity of employees to the
risks and lowering their morale and sense of allegiance.

What is important is to sharpen the sensitivity of employees to various events that are involved in
corporate scandals and encourage them to make voluntary efforts to prevent such scandals. What,
then, should be done to achieve the goal?

The authors believe that it is effective to make all employees realize, and take pride in, the fact
that they play their part in maintaining the corporate brand. This is because employees who
realize the importance of the corporate brand and take high pride in it can be expected to
voluntarily prevent actions that may damage corporate brand value and to actively engage
themselves in various compliance related activities. The authors call this approach of enhancing
the awareness of employees regarding discipline and preventing corporate scandals by making
them realize the importance of, and take pride in, the corporate brand “branding governance.”

3. Corporate Brand Crisis

—Effects of scandals on corporate brands—

Corporate brands and corporate value


The first step in practicing branding governance is to make all employees aware of the
importance of the corporate brand and to examine how much the occurrence of risk events such
as corporate scandals affects the corporate brand.

Chart 5 : 2006 Ranking of Corporate Brand Value

| Rank | Company | CB value | CB score | Customer score | Employee score | Stockholder score | Rank in the 2004 ranking | Rank in the 2005 ranking |
|---|---|---|---|---|---|---|---|---|
| 1 | Toyota Motor | 8,725,701 | 2,182 | 798 | 781 | 603 | 1 | 1 |
| 2 | Canon | 4,217,472 | 1,514 | 588 | 476 | 450 | 3 | 3 |
| 3 | NTT DOCOMO | 3,483,694 | 750 | 258 | 289 | 203 | 2 | 2 |
| 4 | Honda Motor | 3,116,152 | 1,850 | 682 | 568 | 600 | 4 | 4 |
| 5 | NTT | 2,835,506 | 593 | 218 | 192 | 184 | 5 | 5 |
| 6 | Takeda Pharmaceutical | 2,668,407 | 1,406 | 435 | 475 | 497 | 8 | 7 |
| 7 | Nissan Motor | 2,111,048 | 1,733 | 672 | 570 | 491 | 6 | 6 |
| 8 | Sony | 2,088,093 | 1,287 | 464 | 474 | 349 | 7 | 8 |
| 9 | Nintendo | 1,883,365 | 2,001 | 515 | 939 | 547 | 10 | 10 |
| 10 | Seven & i Holdings | 1,811,239 | 896 | 312 | 312 | 272 | - | - |
| 11 | Matsushita Electric Industrial | 1,652,368 | 1,168 | 429 | 400 | 339 | 11 | 11 |
| 12 | Mitsubishi Tokyo Financial Group | 1,361,425 | 803 | 254 | 273 | 276 | 15 | 15 |
| 13 | Tokyo Electric Power | 1,023,374 | 537 | 180 | 192 | 165 | 12 | 12 |
| 14 | Mizuho Financial Group | 989,236 | 598 | 182 | 188 | 228 | 43 | 26 |
| 15 | East Japan Railway | 833,708 | 712 | 285 | 215 | 212 | 17 | 13 |
| 16 | Bridgestone | 812,868 | 1,594 | 591 | 515 | 488 | 16 | 17 |
| 17 | Sharp | 806,138 | 1,044 | 373 | 364 | 306 | 18 | 18 |
| 18 | Central Japan Railway | 803,258 | 715 | 301 | 236 | 177 | 14 | 14 |
| 19 | Nomura Holdings | 766,813 | 675 | 226 | 225 | 224 | 19 | 19 |
| 20 | Hitachi | 760,612 | 681 | 273 | 239 | 169 | 24 | 28 |

Copyright (C) 2006 Kunio Ito / Nihon Keizai Shimbun, Inc. All Rights Reserved.

In the autumn of 2001, Ito, one of the authors, worked with Nihon Keizai Shimbun, Inc. to
develop the “corporate brand (CB) valuator,” an evaluation model aimed at measuring corporate
brand value. Since then, he has annually published the top 20 companies in the corporate brand
value ranking in The Nihon Keizai Shimbun and the top 200 in The Nikkei Sangyo Shimbun (see
Chart 5).

Ito & Kagaya (2006) and other researchers verified the close relationship between corporate
brand value and corporate value. According to these studies, it has been proven that companies
with high corporate brand value can be expected to make a profit in a sustainable and stable
manner in the future, and that as a result, they are able to create corporate value.

In fact, corporate brand value represents a high percentage of total corporate value. Chart 6, for
example, gives data for companies with high corporate brand power (high CB score × high CB
utilization ability) in the selected industries. From this chart, it can be confirmed that corporate
brand value accounts for over 25% of total corporate value in the food, retail, and pharmaceutical
industries, and that it represents around 50% in the electrical machinery and transport equipment
industries.

Chart 6 : Percentage of the Aggregate Market Value of Stocks for Major Companies
Made Up by Corporate Brand Value

Industry | Percentage of the aggregate market value of stocks made up by CB value
Food | 26.994%
Electrical machinery | 59.632%
Transport equipment | 41.052%
Retailing | 25.955%
Pharmaceuticals | 26.162%

Impact of corporate scandals on corporate brand value


How much, then, do corporate scandals damage corporate brand value?

From among the companies they had chosen to calculate corporate brand value, the authors
selected a sample of seven, which had caused, or whose group companies had caused, a
corporate scandal in the past. They then showed how much the corporate brand value and related
indicators for these seven companies fell in the year when the scandal occurred as compared to
their average corporate brand value during the five-year period prior to the occurrence of the
scandal (see Chart 7).

According to this analysis, the effects of corporate scandals on corporate brand value vary greatly.
While one company, which was affected seriously, saw its corporate brand value decline to as
low as around 12% of the previous level, another used the opportunity presented by the scandal
to heighten its corporate brand value through various customer services. On average, however,
the reputation of these companies fell sharply, with their corporate brand value at about 65% of
the previous level and their CB score, an indicator of the corporate brand’s appeal, down to about
70% as compared to the previous level. In addition, the premium, recognition (preference), and
loyalty indicators for customers, employees, and stockholders, which constitute the CB score,
also declined steeply.

Chart 7 : Degree of Damage to Brand-related Indicators of Companies that Caused Scandals
To what extent do risk events caused by companies result in damage to their brand value?: A case study
[Bar chart; vertical axis 0% to 120%; indicators shown: CB value, CB score, Premium, Recognition, Loyalty]
Copyright (C).2006 Kunio Ito All Rights Reserved

How, then, does the image of corporate brands change due to corporate scandals? In order to
examine only events that jeopardize the safety and quality of products and services, this section
focuses on five of the seven companies sampled above and analyzes the effects of the scandals
on their corporate brand images. The magnitude of effects varies from one company to another,
but it can be confirmed that all companies saw the image of their corporate brand damaged
substantially in terms of perceived reliability, product and service quality, and quality of
managers.

What about the degree of image recovery after the year when the scandal occurred? Chart 9
indicates changes in corporate image in the year t and the year t + 1 with the image score for one
year prior to the year when the scandal occurred (year t – 1) as 100%. According to the chart,
while the corporate image recovered in terms of “excellent managers,” “active in
self-transformation,” “positive in disclosing managerial information,” and so on, they remained
low in terms of “reliability,” “product and service quality,” etc. In terms of “technological
capabilities” and “superior human resources,” there was a further decline. This indicates that it is
difficult to recover elements of the corporate image such as “reliability,” “product and service
quality,” and “technological capabilities” once they are tarnished by scandals.

Chart 8 : Changes in the Image of Companies That Caused Scandals Affecting the Safety of Products and Services
Effects of concern about the safety of products and services on corporate image
Levels of corporate image in the year when the scandal occurred with the pre-scandal level as 1
[Chart; vertical axis 0% to 120%; series: Company A, Company B, Company C, Company D, Company E; corporate image elements shown: Stability, Reliability, Product and service quality, Energy, Individuality, Friendliness, Response to customer needs, Marketing and sales capabilities, Managers, Technological capabilities, Superior human resources, Research and product development capabilities, Refined advertising, Tradition, Ability to respond to social changes, Financial condition, Swift management decision making, Global environment, Self-transformation, Disclosure of managerial information, Growth potential]
Copyright (C).2006 Kunio Ito All Rights Reserved

As described above, it has become clear that corporate scandals have grave effects on corporate
image and thus harm corporate brand value significantly. Spreading recognition of this
throughout the company will, to a certain extent, enable employees to share an understanding of
the significance of advancing initiatives for preventing the occurrence of various risk events that
may harm the corporate brand.

If, then, there is a shared awareness that corporate scandals have major effects on corporate brand
value and thus on corporate value, can we prevent the occurrence of scandals?

Unfortunately, it is difficult to prevent risks on a continuous basis because shared awareness
alone doesn’t enable top managers and employees to engage with branding governance in real
earnest and to build a corporate mold. The reason is that the progress of initiatives to prevent
employees from causing scandals cannot be confirmed, and that how far carrying out these
initiatives seriously leads to corporate value and profitability cannot be ascertained.

Chart 9 : Changes in the Degree of Image Recovery
Effects of concern about the safety of products and services on corporate image
Changes in the degree of image recovery with the pre-scandal level as 1
[Chart; vertical axis 0% to 120%; series: Year t – 1, Year t, Year t + 1; chart annotations: "Corporate image elements that take time to recover" and "Corporate image elements that are recovering"; corporate image elements shown: Reliability, Product and service quality, Stability, Individuality, Energy, Response to customer needs, Research and product development capabilities, Managers, Superior human resources, Friendliness, Marketing and sales capabilities, Ability to respond to social changes, Technological capabilities, Swift management decision making, Global environment, Financial condition, Refined advertising, Tradition, Self-transformation, Disclosure of managerial information, Growth potential]
Copyright (C).2006 Kunio Ito All Rights Reserved

4. Making Brand Risks Visible

First, this section defines brand risks. Brand risks refer to risks that impair brand value when the
expectations of customers and other stakeholders are betrayed. These risks include not only those
which stem from violations of laws and regulations and other inappropriate acts but also those
which arise from the gap between the common practices of companies and industries and those
of consumers and the general public.

According to the survey mentioned above, which was conducted jointly with Tokio Marine &
Nichido Risk Consulting in October 2004, around 5% of respondents who were asked what they
did when faced with a situation that clashed with compliance and corporate social responsibility
replied that they “disregard it,” and around 65% replied that they “take action on a case-by-case
basis.” Reasons cited by many respondents include “it has never been considered as a problem,”
“where the responsibility lies is unclear,” and “people’s impression of the company does not
change if I am the only one taking action.”

Chart 10 : Action Taken When Faced with a Situation That Clashes with Compliance and CSR
What action do you take when you are faced with a situation that clashes with
compliance and CSR?

Category | N | Disregard it | Take action on a case-by-case basis | Take action in all situations
Manufacturing | 1,000 | 5% | 66% | 29%
Services | 600 | 6% | 63% | 31%
Total | 1,600 | 6% | 65% | 30%

(Source) Brand risk survey conducted by K. Ito and his research team at Hitotsubashi University jointly with
TRC in October 2004
Copyright (C).2006 Kunio Ito All Rights Reserved

As mentioned above, there are many cases in which companies have not made it clear how
employees should take action if they are faced with situations that clash with compliance and
corporate social responsibility. In cases in which employees can clearly determine whether
situations violate laws and regulations, it is possible to make it clear what action they should take.
The reality is, however, that many cases occur in gray areas. Deciding in detail what action
should be taken for cases that occur in these gray areas results in a great expansion in the range
of business operations employees have to manage. This would generate an increased sense of
restriction and fatigue among employees.

Chart 11 : Reasons for Disregarding or Taking Action on a Case-by-Case Basis in a Situation That Clashes
with Compliance and CSR
What action do you take when you are faced with a situation that clashes with
compliance and CSR?
[Bar chart; vertical axis 0% to 60%; series: Manufacturing, Services; categories A to F, as listed below]
A) Such a situation has never been considered as a problem.
B) I think that even if I become aware of the need to take action in such a situation and actually
do so, it does not necessarily mean that the company as such will respond accordingly.
C) Since it is unclear where the responsibility lies, I do not know who has authority to stop
operations that are halfway through being performed.
D) Even if the company talks about compliance and CSR, it only professes this as a public
stance. In reality, it gives priority to performance goals, managers’ expectations, and so forth.
E) Our company does not have systems, such as a hotline, etc., sufficient for protecting
employees. Employees are not given opportunities for future promotion or other kinds of
favorable treatment unless they follow their superiors’ orders.
F) The company does have a full array of systems, but I do not know any employees who have
ever used them (or many of the employees do not know how to use them).
(Source) Brand risk survey conducted by K. Ito and his research team at Hitotsubashi University jointly with TRC in October 2004
Copyright (C).2006 Kunio Ito All Rights Reserved

On the other hand, if companies classify these risks, which arise from gray areas, from the
viewpoint of brand risk management, the question as to whether such risks may betray the
expectation of stakeholders, thereby harming the value of their corporate brand, should be used
by these companies as a criterion to decide what action employees should take.

Brand assets and brand liabilities


How, then, is corporate brand value related to corporate brand risk?
If viewed in relation to corporate brand value, corporate brand risk refers to how seriously
something that is still unknown to external stakeholders is likely to harm corporate brand value
when it becomes known.

The authors define the monetary amount of the damage caused to brand value when such a risk is
revealed as a brand liability. In order to enhance corporate value continuously, it is necessary to
seriously consider what each and every employee can do to reduce brand liabilities and
implement corresponding policies (see Chart 12).

Chart 12 : Relationship between Corporate Brand Value and Corporate Brand Risk
[Diagram elements: Value of corporate brand assets (fair value); Brand risks (brand liabilities); Net corporate brand assets. Note in the diagram: If brand risks (liabilities) are reduced, net corporate brand assets are increased.]

Outline of efforts to make brand risks visible


How, then, should brand risks (brand liabilities) be quantified? Brand risks can be quantified by
examining how likely brand risks are to affect the components of the CB valuator, a corporate
brand valuation model. In the CB valuator, the value of a corporate brand consists of a CB score,
which indicates the appeal of the corporate brand to external stakeholders, and a CB multiple
representing the brand’s ability to convert its appeal into cash flows. If a risk to the brand arises,
it may have serious effects on the CB score and CB multiple (see Chart 13).

The first step in quantifying brand risks involves clarifying what impact a risk event, once it
occurs in relation to a corporate brand, has on the image that customers, employees, and
stockholders have of that brand and on its appeal. In order to achieve this goal, the authors
examined how the occurrence of such a risk event affected the stakeholders’ image of the brand
(1) by conducting a survey of businesspeople to find out how events that jeopardized life and
health, breaches of laws and regulations and other events that ran counter to the common practice
of local communities and the general public affected the stakeholders’ image of the brand if they
occurred, and (2) by measuring the percentage of damage caused to the brand image when brand
risks actually occurred.

Chart 13 : Approach to Making Brand Risks Visible
Relationship between the corporate brand value tree and brand risks
[Diagram, top to bottom:
- Corporate brand value
  - CB score (CB Advantage): Customer score, Employee score, Stockholder score
  - CB multiple (CB Leverage): CB utilization ability, CB utilization opportunity
- Customer risks, Employee risks, Stockholder risks. Customer, employee, and stockholder risks reduce customer, employee, and stockholder scores.
- Risk environments and factors (performance pressure, interdivisional information sharing, business diversity, degree of globalization, product characteristics, and organizational complexity). Risk environments and factors increase or decrease customer, employee, and stockholder risks.
- CSR, compliance, and basic brand strength. CSR, compliance, and basic brand strength reduce risks.]
Copyright (C).2004 Kunio Ito All Rights Reserved

Chart 14 : Percentage of Damage Caused to Corporate Image in the Food Industry for Each Risk Type
What is the percentage of damage caused to corporate image in the food industry for
each risk type?

The chart shows how much risks involving life and health hazards, breaches of laws and regulations,
and violations of the common practice of local communities and the general public lower levels
pertaining to corporate image when they occur.

[Chart; vertical axis 0% to 80%; series: Life and health hazards, Breaches of laws and regulations, Violations of the common practice of local communities and the general public; corporate image items shown: Willingness to work with the company, Friendly, Popularity, Willingness to purchase stocks in the company, Product and service quality, Full of energy, Strong marketing and sales capabilities, Pays attention to the global environment, Reliable, Eager to respond to customer needs, Excellent managers]
Copyright (C).2004 Kunio Ito All Rights Reserved

Chart 14 indicates the results of such a survey of businesspeople. Chart 8 examines the effects on
corporate image of risk events that harm the safety of products and services when they occur, and,
in the same way as the results shown in Chart 8, Chart 14 confirms that the percentage of
damage is high in terms of “reliability,” “product and service quality,” and “quality of
managers.”

The second step of quantification clarifies how likely these risk events are to actually occur. In
order to estimate how often these risk events occur, it is necessary to (1) ascertain how willing
employees are to recommend their company to other people from the viewpoint of a customer,
employee, or stockholder (it is assumed that the less willing they are to do so, the more risk
factors their company has within its organization; see Charts 15 to 17), and (2) identify factors
that affect the probability of risk events (see Chart 18).

Chart 15 : How much would you like to buy the products or services in your companies?
■Evaluations of key products and services
a. I want to introduce my company’s key products and services to my friends and family members, as
well as colleagues at my company, and I myself want to use them in the medium to long term.
b. I do not introduce my company’s key products and services to my friends, family members, or
colleagues at my company, but I want to purchase and use them in the medium to long term.
c. I am not attracted by my company’s key products and services, but I do not feel that there is a
problem with purchasing and using them.
d. If I were a customer, I would not purchase or use my company’s key products and services unless
the company offered major pricing benefits such as especially low prices.
e. I do not introduce my company’s key products and services to my friends, family members, or
colleagues at my company, and in addition, if they were going to purchase them, I would advise
them not to do so.

Category | a | b | c | d | e
Total | 41% | 12% | 31% | 14% | 2%
Manufacturing | 41% | 12% | 32% | 13% | 2%
Services | 39% | 13% | 29% | 17% | 2%

Chart annotation: Percentage of employees who do not recommend their company’s products and
services (reflected in customer risk)
Copyright (C).2006 Kunio Ito All Rights Reserved

According to Chart 15, when businesspeople put themselves in the customer’s position, 14% of
them replied that they did not intend to purchase their company’s products and services unless
the company offered special benefits such as pricing. Two percent replied that they did not intend
to introduce their company’s products and services to their friends, colleagues, and family
members, and that moreover, they would even advise them not to purchase them if they were
going to do so. It can be judged that the more such replies businesspeople give, the more likely it
is that some harm will occur in the future to the appeal of their company’s corporate brand (in
other words, the higher their company’s brand risk is).

Chart 16 : How much would you like to get the jobs of your companies?
■Evaluations of the work environment
a. I always introduce my company to my friends, relatives, and family members as a
potential place of employment, irrespective of which industry they work in.
b. If in the same industry, I always introduce my company as a potential place of
employment.
c. I tell other people that my company is one of the main candidates if considering
employment in the industry, but that it is worth them investigating whether it is the best
choice as a workplace or not.
d. I do not particularly introduce my company to others.
e. I recommend other people to find employment with a company in the same industry
other than mine.

Category | a | b | c | d | e
Total | 8% | 12% | 32% | 37% | 11%
Manufacturing | 7% | 12% | 33% | 37% | 11%
Services | 10% | 12% | 31% | 38% | 9%

Chart annotation: Percentage of employees who do not recommend their company as a place of
employment (reflected in employee risk)
Copyright (C).2006 Kunio Ito All Rights Reserved

Similarly, the authors investigated whether respondents recommended their company as a place
of employment when they introduced it to their friends and family members (Chart 16) and
whether they recommended it, from the stockholder’s standpoint, as an equity investment (Chart
17). These charts confirm that a significant percentage of businesspeople do not recommend their
company as a place of employment or as an equity investment. For companies with these high
levels of negative response, there is an extremely strong possibility that the attractiveness of their
corporate brand, as seen from employees or stockholders, will be lost.

Chart 17 : How much would you like to acquire the stock of your companies?
■Evaluations of companies as an equity investment
a. I always introduce my company to my friends, relatives, and family members as an
attractive equity investment irrespective of which industry they work in.
b. If in the same industry, I always introduce my company as an attractive equity
investment.
c. I tell other people that my company is one of the major candidates as an attractive
equity investment in the industry, but that it is worth them investigating whether it is the
best equity investment choice or not.
d. I do not particularly introduce my company as an attractive equity investment.
e. Rather than my company, I recommend other people to invest in its competitors.

Category | a | b | c | d | e
Total | 7% | 10% | 22% | 47% | 14%
Manufacturing | 6% | 10% | 24% | 46% | 14%
Services | 9% | 10% | 19% | 48% | 14%

Chart annotation: Percentage of employees who do not recommend their company as an attractive
equity investment (reflected in stockholder risk)
Copyright (C).2006 Kunio Ito All Rights Reserved

Chart 18 : Percentage of Damage Caused to Corporate Image in the Food Industry for Each Risk Type
Items that influence risk environments and factors
Items related to risk environments and factors are classified into five categories: performance pressure,
information flows, business diversity, product characteristics, and risk awareness and sensitivity. The
percentage of people who, in response to the questions regarding each category, replied that the
corresponding risk was high or quite high was analyzed.
[Chart; vertical axis 20% to 45%; categories: Information flows, Performance pressure, Business diversity, Product characteristics, Risk awareness and sensitivity; series: Food, Materials, Metals, Electrical machinery, Transport equipment, Information and communications, Transport and electric power, Services]
Copyright (C).2004 Kunio Ito All Rights Reserved

Chart 19 : Companies’ Ability to Respond to Risk Events
Items that influence compliance, CSR, and basic brand strength

Compliance, CSR, and basic brand strength are classified into three categories: prior prevention ability,
early detection ability, and immediate response ability. The percentage of people who, in response to
the questions regarding each category, replied that the compliance, CSR, and basic brand strength
were relatively high was analyzed.

[Chart; vertical axis 0% to 50%; series: Food, Materials, Metals, Electrical machinery, Transport equipment, Information and communications, Transport and electric power, Services; items shown by category:
- Prior prevention ability: CSR and compliance awareness; Degree to which guiding principles and values are shared; Initiatives for branding
- Early detection ability: Whether or not there are departments with relevant responsibility; Scope of application of manual
- Immediate response ability: Processes that should be followed after risks are revealed are clearly defined and shared; Degree of coolness of organizations; Importance of organizations]
Copyright (C).2004 Kunio Ito All Rights Reserved

Chart 18, meanwhile, indicates whether the companies of the businesspeople surveyed had an
environment that might easily cause scandals. In other words, in order to confirm whether risk
events might easily be caused at the companies, the chart shows the state of five elements shared
by companies that cause scandals: (1) lack of information flows, (2) performance pressure, (3)
business diversity, (4) product characteristics, and (5) lack of initiatives to cope with risks. The
results of the survey confirm that on average, performance pressure and the lack of initiatives to
cope with risks are conspicuous at Japanese companies.

The third step of quantification examines how far corporate climates and systems for minimizing
the possibility of occurrence of such risk factors have been established. In this quantification
process, it is necessary to consider, among other factors, the extent of the company’s ability to
prevent the occurrence of risk events beforehand (permeation of CSR and compliance awareness
into the organization, the degree to which guiding principles and values are shared, and
initiatives for branding); the extent of the company’s ability to detect the occurrence of risk
events (whether or not there are departments with relevant responsibility, and the scope of
application of manuals); and the extent of the company’s ability to respond immediately to risks
if they actually occur (how far processes that should be followed after risks are revealed are
clearly defined and shared, the degree of coolness of organizations, and the importance of
organizations). Chart 19 indicates the average score for the ability to reduce and respond to risks
in various industries. A comparison of these figures shows the levels of companies’ abilities to
reduce and respond to risks.

Through the three steps outlined above, companies can clarify the actual condition of their brand
risks and then reduce them by considering measures to deal with them.

5. Beyond the Japanese Version of the SOX Act

In Japan, with the enactment of the Companies Act in May 2006 and the Japanese version of the
Sarbanes-Oxley Act by the end of fiscal 2006, corporate boards of directors are required to take
practical action to establish internal controls. Following these and other developments, Japanese
companies are currently stepping up their efforts to establish these internal controls. Their efforts
will, to a certain extent, enable them to reduce the number of corporate scandals.

What Japanese companies should pay attention to, however, is that depending on the way
internal controls are established, they may sometimes have adverse effects on corporate value.

For example, in the United States, which enacted a corporate reform law, called the
Sarbanes-Oxley (SOX) Act, in July 2002 (earlier than in Japan) requiring American companies to
establish internal controls, the Securities and Exchange Commission and the Public Company
Accounting Oversight Board identified the issues listed below in the discussions they held on
May 10, 2006 to review two years of the SOX Act.

1. Costs exceed benefits.
2. Internal controls at the business process level make business activities inflexible.
3. Internal controls need to be documented and tested in a way that does not affect financial
reports.
4. Auditors of accounts are motivated to document and evaluate as many internal controls as
possible in order to reduce litigation risks and increase their own profits. As a result, the
volume of less important documentation and evaluations has grown.

In fact, results from a substantial amount of research show that stock markets do not necessarily
evaluate the introduction of the SOX Act positively. For example, Chhaochharia & Grinstein
(2004) published the results of their studies, arguing that the application of the SOX Act has
positive effects on the value of large corporations, but does not bring economic benefits to small
companies. Jain & Rezaee (2005) confirmed that when the SOX Act is applied, companies that
put more effective corporate governance in place, issue reliable financial reports, and have
dependable audit functions are positively evaluated by stock markets. Zhang (2005) estimated,
on the other hand, that $1.4 trillion in market value had been lost after the SOX Act was enacted,
and showed that in particular, stock markets had responded negatively to clauses related to
corporate governance and restrictions in clauses related to non-audit operations. In this way, the
results of studies generally demonstrate positive assessments of the SOX Act, but some
evaluations of the Act are negative, making it difficult to assert that the introduction of the Act
consistently has positive effects on evaluations by stock markets of corporate value.

The application of the SOX Act, meanwhile, has brought another economic effect—encouraging
small public companies to stop offering their stocks publicly. In fact, around the time when the
SOX Act came into force, an increasing number of companies chose to stop offering stocks
publicly. It became clear that many of the companies had chosen to stop after realizing the costs
that would be incurred (see Engel, Hayes, and Wang, 2004).

Of course, it is true that internal controls are being discussed in Japan while taking into
consideration the actual conditions and issues regarding internal controls that have been
identified in the U.S. On the other hand, however, the authors hear a considerable number of
businesspeople criticize initiatives to establish compliance and internal control systems, saying
that they lead to tighter controls on internal organizations, bloated head offices, and other
undesirable effects, which generate a greater sense of restriction and fatigue among employees
(see the May 1, 2006 issue of Nikkei Business magazine).

In order to ensure that the Japanese version of the SOX Act and other undertakings aimed toward
internal controls and compliance work truly effectively, it is essential to boost the vitality and
morale of employees and establish the ability of employees to voluntarily reduce and cope with
risks as part of the corporate climate.

In order to achieve this goal, it is important that each and every employee is a “small yet
important window” on the corporate brand, in other words, that they recognize properly that their
actions determine the image that customers and other external stakeholders have of the company.
If each and every employee sees that a single corporate scandal, once it occurs, has such a large
impact that it may significantly harm—and sometimes almost destroy—corporate brand value,
they will have a deeper understanding of the significance and aim of ensuring thorough internal
controls and compliance.

Furthermore, companies are urged to make brand risks visible. Making them visible enables
companies to clarify the results of initiatives and the progress made therein, as well as to
continue ongoing efforts to nip brand risks in the bud while achieving, together with their
employees, a concrete sense of the effects of the initiatives. Through the quantification of brand
risks, the authors hope that Japanese companies will build a corporate character that enables
continuous value creation.

Bibliography
Chhaochharia, V. and Y. Grinstein, “Corporate Governance and Firm Value - The Impact of the
2002 Governance Rules.” AFA 2006 Boston Meetings Paper. Johnson School Research Paper
Series No. 23-06, 2005.

Engel, E., R. M. Hayes and X. Wang, “The Sarbanes-Oxley Act and Firms' Going-Private
Decisions.” Working Paper. University of Chicago, 2004.

Ito, K., Corporate Brand Management, Nihon Keizai Shimbun, Inc., 2000.

Ito, K., “New Development of Corporate Brand Management,” Hitotsubashi Business Review,
51(3), 2003.

Ito, K., “Corporate Brand Management for Higher Reputation,” Risk Management Business,
19(9), 2004.

Ito, K. (ed.), The Accounting of Intangible Assets, Chuokeizai-sha, Inc., 2006.

Saito, T., Hosoda, T., and Shinohara, T., “Employees and Companies Break Down in Offices
with Low Spirits—Why Tighter Controls?” Nikkei Business.

Rezaee, Z. and P. Jain, “The Sarbanes-Oxley Act of 2002 and Security Market Behavior: Early
Evidence.” Working Paper. University of Memphis, 2005.

Zhang, I., “Economic Consequences of the Sarbanes-Oxley Act of 2002.” Working Paper.
University of Rochester, 2005.
