Copyright © 2010 Kunio Ito. All rights reserved. The entire contents of this publication are the
property of Kunio Ito. Users may not copy, reproduce, distribute, display, modify or create
derivative works based upon all or any portions of this publication in any medium whether
printed, electronic or otherwise, without the express written consent of NR Kunio Ito. Without
limiting the foregoing, users may not reproduce, distribute, re-publish, display, modify or create
derivative works based upon all or any portion of this publication for purposes of teaching any
computer or electronic security courses to any third party without the express written consent of
Kunio Ito.
Contents
Information Security Governance to Enhance Corporate Value
1. Growing Interest in Information Security
2. The reality of Information Security Governance in Japan
3. Effects of Information Security Incidents on Evaluations by Stock Markets
4. Effects of Information Security Incidents on the Value of Corporate Brands
5. Effects of Information Security Disclosure on Evaluations by Stock Markets
6. Effects of Information Security Governance on Corporate Brand Value
Bibliography
Brand Risk Management and Corporate Value
1. Introduction
2. Why Do Risk Events Occur Frequently Today?
3. Corporate Brand Crisis
4. Making Brand Risks Visible
5. Beyond the Japanese Version of the SOX Act
Bibliography
Information Security Governance to Enhance Corporate Value
The aim of this paper is to examine the effects of information security initiatives on corporate
value and to demonstrate the significance of establishing information security governance so that
these effects can permeate business corporations.
Interest in information security is growing rapidly. Figure 1, for example, shows the number of
search results for “information security,” “information leak,” “system failure,” and other
keywords published in four Nikkei newspapers. This figure confirms that the number of cases in
which these keywords were written about in these newspapers rose sharply after the twenty-first
century began. In particular, the number of such search results grew dramatically in 2005 and
thereafter. It is presumed that the three factors mentioned below affected this dramatic growth.
[Figure 1: number of search results for “information security,” “information leak,” “system failure,” and other keywords in four Nikkei newspapers, by year, 1990 to 2007]
Figure 2 : Increase in the number of malicious programs
Year                           2001   2002   2003   2004   2005   2006    2007
Number of malicious programs   8821  11136  20731  31726  53950  105334  201958
Figure 3 : Damage caused by unauthorized access
[Stacked bar chart, 2001 to 2007; series: Damage was caused, No damage was caused]
(Source) Information-Technology Promotion Agency, Japan
One factor is that the numbers of malicious programs and unauthorized accesses are on the
increase. Figure 2 indicates the results of surveys conducted by Kaspersky Lab. According to
these results, the number of malicious programs increased from less than 10,000 in 2001 to over
200,000 in 2007. In addition, Figure 3 shows the number of cases in which the damage caused by
unauthorized access was reported to the Information-Technology Promotion Agency, Japan. It is
noticeable that the number of cases in which unauthorized access caused damage, which had
continued to decline from 2001 to 2004, grew again in 2005 and thereafter. Formerly,
unauthorized access was often perpetrated by people who took pleasure in confusing a large
number of people, but in recent years, an increasing number of unauthorized accesses have been
perpetrated out of avarice and have become criminally vicious.
Another factor is that information incidents such as leaks of customer information, leaks of
confidential information, and system failures are occurring frequently. Recent years have
witnessed the frequent occurrence of incidents that have affected even ordinary consumers,
including leaks of large corporations’ customer information and failures of financial or transport
systems due to trouble with information systems. These incidents are highly likely to cause the
companies involved to lose the trust that customers and consumers have in them, and to cause
their corporate image to be injured. There are also an increasing number of cases in which
Japanese companies are losing their sources of competitiveness due to an outflow of
technological information to overseas competitors. As described above, interest in initiatives on
information security is growing with the frequent occurrence of information incidents that
seriously affect corporate value.
A third factor is that laws and regulations related to information security have been put in place.
The Act on the Protection of Personal Information, the Companies Act, and the Financial
Instruments and Exchange Act came into force in 2005, 2006, and 2008, respectively. The Act on
the Protection of Personal Information requires holders of personal information to manage it
properly and prevent its leakage. Under the Companies Act, which came into force in 2006,
corporate directors must take responsibility for establishing internal control systems. They are
required to make efforts to ensure information security and put in place related systems,
including those related to the possession and management of information, regulations and
systems for the management of losses and other risks, and systems aimed at ensuring that
employees comply with laws and regulations as well as articles of association when performing
their duties.
Meanwhile, the Financial Instruments and Exchange Act, which came into force in 2008, aims to
improve the reliability of financial reports and requires companies to put in place internal control
systems to achieve this goal. In particular, the Act stresses the importance of the role IT plays in
internal control systems. If information security plays the role of supporting continuous
utilization of IT for internal control systems, information security can be viewed as an issue
closely related to improvement of the reliability of financial reports.
2. The reality of Information Security Governance in Japan
[Figure 4: number of people who experienced leakage of their personal information and estimated total value of damages, 2002 to 2007; data label shown: ¥2,271.1 billion]
This section bases its discussions on the Information Security Incident Survey Report, which is
published by the Japan Network Security Association annually. The Report confirms that the
number of people who experienced leakage of their personal information and the estimated total
value of damages paid both increased from 2002 to 2007 (see Figure 4).
Next, this section discusses the survey carried out by Ito at Hitotsubashi University in January
2007. This survey aimed to clarify the actual condition of information systems established at
listed companies in Japan by asking their chief information officers (CIOs) or those in similar
positions about them. Figure 5 identifies information security tasks to be addressed by those
companies. In this figure, an overwhelming number of companies cited “strengthening
information security” as a task they should address urgently.
Figure 5 : What Are the Tasks to Be Addressed for Making Effective Use of Information Systems?
Information security is one of the tasks on which CIOs and other IT experts place particular emphasis.
[Bar chart; series: current tasks (left axis), tasks of particular emphasis (right axis). Categories: information sharing; centralized data management; sales expansion; improvement of product/service quality; improvement of work efficiency; improvement of employee capabilities; strengthening information security; reduction of opportunity loss; development of new products/services; revitalization of workplaces; swifter decision-making; early detection of problems; improvement of customer satisfaction; reduced inventories; enhancement of infrastructure functions; other; shorter lead times; system integration (linkage); cost reduction]
(Source) Hitotsubashi University, Kunio Ito Laboratory, “Questionnaire Survey on the Use of Information Systems” (January 2007).
As indicated in the figure, it appears that Japanese companies have not yet made sufficient
progress in their initiatives on information security.
What is information security governance? In its research report of March 2005, the research
group of METI on the information governance defined information security governance as
“establishing and applying corporate governance, and the internal control systems that represent
the mechanism supporting it, within a company looking from the viewpoint of ensuring
information security.” In order to encourage establishment and application of the information
security needed in light of corporate objectives, it is essential to motivate managers to advance
these undertakings, whether on their own initiative or otherwise, and to establish internal control
systems that make the intentions of managers known to all levels of the organization.
What is the ideal form of information security governance? In particular, we believe that there
are two major types of information security governance which provide systems for motivating
managers to make efforts on information security, whether on their own initiative or otherwise
(see Figure 6).
One type of information security governance adopts the approach of maintaining the discipline
of companies through market mechanisms. This approach, for instance, involves establishing
systems and devices that encourage information security initiatives to produce positive effects in
the product/service market, thus inducing companies to make all-out efforts toward information
security. One example is governments including information security initiatives in the
requirements for suppliers to take part in the bidding when they procure products and services.
This approach is not limited to the product/service market. The capital market can also urge
companies to make all-out efforts toward information security by placing information security
initiatives as a requirement for the provision of finance.
Market mechanisms may use two approaches to the screening of companies: negative screening
and positive screening. While the negative screening approach restricts transactions with
companies that fail to meet certain requirements, the positive screening approach gives priority
to dealings with companies that carry out outstanding information security initiatives. Whichever
of the two approaches is taken, it becomes possible to advance information security initiatives by
establishing systems and devices that take information security initiatives into account in market
transactions.
The other type of information security governance takes the approach of maintaining the
discipline of companies through organizational mechanisms. Like global warming and other
environmental problems, information incidents caused by companies sometimes have grave
effects on other companies and ordinary consumers in the community in which they operate.
However, since external stakeholders of a company cannot ascertain how active the company is
in advancing its information security initiatives, there is a strong possibility that the company
will not be very willing to make investments in those initiatives. For this reason, it is necessary
to accelerate the progress of information security initiatives by requiring companies to take direct
responsibility for them through legislation, systems, and other measures.
As mentioned above, a series of legal systems relating to companies have been put in place in
Japan in recent years, and many of them require corporate managers to establish systems and
devices that ensure thorough implementation of information security initiatives at all levels of
the organization. They urge corporate organizations to have built-in systems (climate) in which
none of their members performs, and which allow none of their members to perform, improper
acts regarding information security by requiring their managers to take responsibility for
establishing these systems.
Figure 7 : Progress in Taking Information Security Measures
[Bar chart: condition of information security measures, horizontal axis 0% to 100%]
Figure 7 indicates the results of a questionnaire survey of listed companies which was conducted
by NRI SecureTechnologies, Ltd. in November 2007 to clarify the condition of information
security measures. The results confirm that all companies surveyed are working to take
information security measures in terms of equipment, including physical security, PC security,
and network security. On the other hand, it can also be seen that many companies have not yet
taken adequate information security measures in terms of intangibles such as “training of
information security experts,” “establishment of procedures and systems for ensuring
information security,” “continuous accumulation and sharing of knowledge of, and know-how in,
information security within the organization,” and “establishment and application of systems for
gathering information on security holes.”
Why, then, are Japanese companies sometimes not making progress in their information security
initiatives in terms of intangibles? One of the major reasons for this is that corporate managers
do not really feel that their information security initiatives lead to enhancement of their
companies’ competitiveness and value.
Figure 8 : Effects of Information Security Measures
(Source) Created based on the “Survey concerning the Actual Condition of Countermeasures against
Unauthorized Access etc.” conducted by the Metropolitan Police Department
For example, as shown in Figure 8, according to the “Survey concerning the Actual Condition of
Countermeasures against Unauthorized Access etc.” conducted by the Metropolitan Police
Department in Tokyo, corporate employees have an increasingly keen awareness of information
security as typified by high evaluations for effects of information security measures such as:
“greater awareness of information security among employees,” “better understanding and
recognition of the importance of risk management,” and “recognition of information security as
corporate social responsibility.” However, lower evaluations are given to the five items related to
the enhancement of corporate competitiveness: “higher evaluations by business partners and
customers,” “greater operational efficiency and productivity,” “improvement of products and
services provided,” “lower total security management costs,” and “enhanced competitive power,
including the winning of orders.”
Why, then, do corporate managers not really feel that their information security initiatives lead to
enhancement of their company’s competitiveness and value? Probably, one reason for this is that
only a few companies quantitatively measure and evaluate the progress they have made in their
information security initiatives, so they cannot ascertain the effects of their investments in
information security initiatives.
Figure 9 : Problematic Points with Information Security Measures
Difficulties in making the effects of information security initiatives visible render the
relationships between such initiatives and enhanced corporate competitiveness and
value difficult to perceive.
[Line chart, vertical axis 0% to 70%, 2001 to 2006; series:]
Cost-effectiveness is invisible
There are no guidelines regarding how far we should go
Lack of know-how in taking information security measures
There is no practice of considering information as an asset
The understanding of top managers cannot be obtained
Too much cost is incurred
Adequate education and training is not provided
Too heavy a burden is placed on employees
Optimal tools and services are not available
(Source) Created based on the “Survey concerning the Actual Condition of Countermeasures
against Unauthorized Access etc.” conducted by the Metropolitan Police Department
The Metropolitan Police Department’s survey shows, for example, that more than half of
respondents cited issues related to the effects of investments—“cost-effectiveness is invisible,”
“too much cost is incurred,” and “there are no guidelines regarding how far we should go”—as
issues to be addressed in taking information security measures. To begin with, unless the effects
of information security initiatives are made visible, it is difficult for corporate managers to
realize that such initiatives lead to enhancement of their company’s competitiveness and value
(see Figure 9).
Furthermore, only a few companies actively disclose their information security initiatives to
external stakeholders, making it difficult for external stakeholders to recognize differences in
information security initiatives between companies, and this also probably affected the results of
the survey. Unless such differences are made clear, it is difficult for stock markets to evaluate the
information security initiatives of listed companies.
Do information security measures and initiatives, then, actually contribute to the creation of corporate
value? In order to answer this question, we first examine what effects incidents involving
information security have on corporate value. If such incidents have serious effects on corporate
value, there is a strong likelihood that efforts to prevent them have positive effects on corporate
value.
How should the effects of information security incidents on corporate value be examined? One
possible approach is to examine evaluations by stock markets of information security incidents.
In this section, we follow the steps listed below to examine evaluations by stock markets of
information security incidents and initiatives for preventing such incidents.
In Japan, meanwhile, InterRisk Research Institute & Consulting, Inc. (2005), Ishiguro et al.
(2006), and Ito & Kagaya (2006) studied the effects of revealed risks on stock prices.
Researchers at InterRisk Research Institute & Consulting (2005) used 238 cases of revealed risks,
which were reported by The Nihon Keizai Shimbun during the year from April 1, 2004 to March
31, 2005 to analyze the effects of such risks on stock prices. As a result, they reported that
approximately 30% of the companies surveyed had seen their stock price drop ten days after the
information security risks became clear. They also found that in most cases, the stock price had
fallen about 8%, and that approximately 5% of the companies had witnessed their stock price
plunge more than 15%. Ishiguro et al. (2006) used 70 information leak incidents extracted from
four Nikkei newspapers during the period from September 2002 to August 2005 using keyword
searches³ to analyze the effects of such incidents on stock prices. As a result, they reported that
ten days after the information leaks were reported, the stock prices had fallen 2.25% for incidents
involving the leakage of confidential information and 3.18% for those involving unauthorized
access.
1 The researchers extracted these incidents from articles published in The Wall Street Journal, The
New York Times, The Washington Post, The Financial Times, and USA Today using keyword
(information security breach, computer system security, hacker, cyber attack, computer attack,
computer break-in, and computer virus) searches.
2 The researchers extracted these incidents from websites and newspapers using keyword (attack,
Ito & Kagaya (2006) chose 14 companies covered by four Nikkei newspapers and The Asahi
Shimbun between 1998 and 2002 because they caused a scandal (defective product or service
quality, soil contamination or other environmental problems, breach of laws or ordinances, etc.)
and examined how the price of their stocks fluctuated before and after the scandal was reported.
As a result, they reported that the stock prices had plummeted immediately after the scandal was
exposed, and that during the subsequent week, the extent of the fall in the stock prices reached
nearly 15%. Moreover, they revealed that the stock prices had not yet recovered even 30 days
after the scandal was uncovered.
In sampling information security incidents and accidents, we searched articles published in four
Nikkei newspapers during the period from January 2000 to December 2007, which included one
of the three keywords: “information leak,” “system failure,” and “software trouble.”⁴ Since this
study aimed to analyze fluctuations in stock price, companies that announced their financial
results or merged with or acquired another company during the period analyzed surrounding the
day of the event were excluded from the sampling. As a result, 45 cases were sampled using the
keyword “information leak,” and 34 cases were sampled using the keywords “system failure”
and “software trouble.”
3 The keywords used were “information” and (“leak”) and (“damage” or “accident” or “incident”) or
(“unauthorized access” or “virus”) and (“damage” or “accident” or “incident”).
4 The Nikkei Financial Daily, one of the four Nikkei newspapers mentioned above, discontinued
(3) Calculation of cumulative abnormal return on equity investment
Next, the Nikkei NEEDS-Financial QUEST database was used to obtain the ex-right and
ex-dividend price of stocks in each of the companies sampled above in order to calculate daily
return on equity investment. Then, based on market models, cumulative abnormal return (CAR)
was calculated using the day when the information incident was reported as the day of the event.
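The market-model CAR calculation described above, as an added Python example that is not the authors' code. The event window t-10 to t+20 follows the axis of Figure 10; the 100-day estimation window, the function names and the two return series are assumptions constructed for illustration, noise-free so that the expected CAR is known exactly.

```python
"""Market-model event study: cumulative abnormal return (CAR) around a report day."""
from statistics import mean


def fit_market_model(stock, market):
    """OLS fit of stock_ret = alpha + beta * market_ret on the estimation window."""
    if len(stock) != len(market) or len(stock) < 3:
        raise ValueError("estimation window needs >= 3 paired observations")
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    if sxx == 0:
        raise ValueError("market return has no variance in the estimation window")
    beta = sum((x - mx) * (y - my) for x, y in zip(market, stock)) / sxx
    return my - beta * mx, beta


def car_path(stock, market, event_idx, pre=10, post=20, est_len=100):
    """Return {relative_day: CAR} for days t-pre .. t+post.

    The model is estimated on the est_len days that end just before t-pre
    (window length is an assumption), so the event window never
    contaminates alpha and beta.
    """
    win_start = event_idx - pre
    est_start = win_start - est_len
    if est_start < 0 or event_idx + post >= len(stock):
        raise ValueError("return series too short for the requested windows")
    alpha, beta = fit_market_model(stock[est_start:win_start],
                                   market[est_start:win_start])
    car, path = 0.0, {}
    for k in range(-pre, post + 1):
        i = event_idx + k
        car += stock[i] - (alpha + beta * market[i])  # abnormal return on day k
        path[k] = car
    return path


def average_car(paths):
    """Cross-sectional mean CAR per relative day over a sample of incidents."""
    return {k: mean(p[k] for p in paths) for k in paths[0]}


def first_day_below(path, threshold):
    """First relative day on which CAR is below -threshold, or None."""
    for k in sorted(path):
        if path[k] < -threshold:
            return k
    return None


# --- Constructed, noise-free sample data (not from the paper) ---------------
EVENT_IDX = 110  # index of report day t in the daily return series
MARKET = [0.001 * ((7 * i) % 11 - 5) for i in range(131)]


def constructed_firm(alpha, beta, shocks):
    """Daily returns that follow the market model exactly, plus abnormal
    returns given as {relative_day: shock}."""
    return [alpha + beta * m + shocks.get(i - EVENT_IDX, 0.0)
            for i, m in enumerate(MARKET)]


# Leak: price starts to fall before the report. Failure: falls after it.
LEAK = constructed_firm(0.0002, 1.2, {-3: -0.02, 0: -0.03})
FAILURE = constructed_firm(0.0001, 0.8, {1: -0.04})

if __name__ == "__main__":
    leak = car_path(LEAK, MARKET, EVENT_IDX)
    fail = car_path(FAILURE, MARKET, EVENT_IDX)
    avg = average_car([leak, fail])
    for k in (-10, -3, 0, 1, 20):
        print(f"t{k:+d}: leak {leak[k]:+.2%}  failure {fail[k]:+.2%}  "
              f"all {avg[k]:+.2%}")
```
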
[Figure 10: cumulative abnormal return for each category of incidents; horizontal axis t-10 to t+20]
Figure 10 indicates the CAR for each category of incidents. In this figure, it can be confirmed
that stock markets negatively evaluated information security incidents whether divided into
information leaks and system failures or looked at as a whole. While information leaks began to
push down stock prices even before the day when they were reported in newspapers, system
failures started to lower stock prices immediately after the day when newspaper reports appeared.
While information leaks allow companies to choose the timing for announcing them publicly at
their own discretion, system failures are often made public immediately after they occur.
Whether or not companies can choose the timing for announcing information security incidents
publicly at their own discretion may affect evaluations by stock markets of such incidents.
Statistical examinations (Table 1) confirm that the CAR over the entire sample was significantly
negative, at the 5% level, from five days prior to the day when the information security incidents
were reported in newspapers onward; that for information leaks it was significantly negative from
six days prior onward; and that for system failures it was significantly negative from one day
after onward. From the results of these examinations, it can be confirmed that information
security incidents are negatively evaluated by stock markets.
Table 1 : Evaluations by Stock Markets of Information Security Incidents
Examinations of the banking, IT, and communications industries, from which two or more
sample information leak incidents were obtained (eight, three and ten cases respectively),
indicate that while the incidents had practically no impact on stock prices in the communications
industry, they substantially pushed down stock prices in the banking and IT industries (see Figure
11).
A look at transport facilities (six cases), banking institutions (eleven cases), communications
carriers (nine cases), and companies that handle B2C products (five cases)—from each of which
two or more sample system failures or software trouble incidents were obtained—shows that
stock prices fell sharply irrespective of industry type (see Figure 12).
Figure 11 : Stock Markets’ Reaction to Information Leaks by Industry
◆Cumulative abnormal return (Day t: Day when the information leaks were reported)
[Line chart: vertical axis 5.00% to -25.00%, horizontal axis t-10 to t+20]
[Second line chart: vertical axis 1.00% to -7.00%, horizontal axis t-10 to t+20; legend: Average for communications carriers, Average for companies that handle B2C products]
Stock markets are not the only stakeholder that rates companies much lower after they cause an
information security incident. If an information security incident leads to lower evaluations of
the company involved by not only stockholders but also all other stakeholders, it may also
substantially lower the value of the company’s corporate brand, which depends on intangible
characteristics that determine the image that major stakeholders, including customers, employees,
and stockholders, have of the company.
If, for example, a company causes an information security incident, increasing concern amongst
its customers, it may lose the premium that stockholders have paid for its reliability, or its
customers may switch to other companies, decreasing its sales. Alternatively, loss of trust in a
particular company may prevent it from retaining its continued business relationships with
others.
The effects of information security incidents on corporate brand value are measured.
If a company causes an information security incident, losing the trust of its current stockholders
or potential ones who may invest in its stocks in the future, it is highly likely to see these
stockholders less willing to hold its stocks for a long period of time. If its stocks are included in
an investor’s portfolio of CSR stocks, there is a strong possibility that they will be excluded from
the portfolio.
As described above, information security incidents may significantly worsen the stakeholders’
image of the corporate brands involved, ruining their value.
The corporate brand is a set of intangible characteristics that determine the image people have of
a particular company. It serves to distinguish the company from others, and to make its presence
strongly felt and generate public trust in it.
Through products and services, a high value corporate brand provides customers with the
satisfaction and value that can only be experienced through the brand. As a result, customers
become fans and bring about stable or incremental cash flows over a long period of time. This
heightens stockholder value in two ways. One is that it has the effect of raising cash flow levels,
and the other is that it lowers cost of capital.
Furthermore, a corporate brand with a high value increases the remuneration paid to employees
and gives them pride and aspirations.
As explained above, the corporate brand connects the value of the three major stakeholders
(customers, employees, and stockholders) and brings about synergistic effects amongst the three.
As a result, it gives the power to enhance corporate value. In that sense, the corporate brand is
indeed the “fifth managerial resource” after personnel, equipment, money, and information.
Figure 14 : Golden Triangle of Corporate Brand Management
[Diagram labels: Customer value, Corporate brand]
Therefore, with the cooperation of Nihon Keizai Shimbun, Inc., Ito, one of the authors,
developed a “corporate brand (CB) valuator,” a model for evaluating corporate brand value, in
2001. The CB valuator is a corporate brand valuation model unparalleled in the world in that (1)
it grasps the images of a company’s corporate brand as seen from each of the company’s major
stakeholders—customers, employees, and stockholders—in a comprehensive manner and
integrates them into a single indicator; (2) it combines the questionnaire survey method and the
financial data method, whereas previous brand evaluation models depended on one or the other;
and (3) as methods used for value conversion, it integrates an approach using balance sheets or
stock figures with an approach using profit and loss statements or flow figures.
Figure 15 : Making Corporate Brands Visible
The important point in calculating corporate brand value is to clarify what images a corporate
brand conjures up in the minds of customers, employees, and stockholders and how such images
lead to financial results. In order to achieve this goal, not only corporate financial data but also
data on corporate images are utilized. As financial data, we used the Nikkei NEEDS-Financial
QUEST Database. Information on corporate images is based on Nikkei surveys of 1,115 listed
and unlisted companies regarding their corporate images, which have been carried out by Nihon
Keizai Shimbun annually since 1988; global corporate image surveys, which have been
conducted by the same newspaper publisher since 2001; rankings of companies for which new
graduates wish to work; and surveys of securities analysts and fund managers regarding
corporate images, which have been carried out by Ito since 2001.
According to this framework, corporate brand value consists of CB advantages and CB leverages.
CB advantages (CB scores) indicate to what extent a corporate brand is attractive enough to
secure and retain first rate customers, employees, and stockholders. CB leverages (CB multiples)
show how much power a corporate brand has to convert CB advantages into cash flows. Even if
a corporate brand is highly appealing, its value is low if it lacks the power or business
opportunities to convert its appeal into cash flows (see Figure 16).
Figure 16 : CB Valuator (Integrated Corporate Branding Diagnosis System)
[Diagram: corporate brand value tree. Labels: financial data, image data, Premium × Recognition × Loyalty, Return on assets (ROA), ROA-CB relationship, Industry PER, Analyst evaluation index, Risk, Growth potential]
Analyzing financial data and image data statistically to evaluate and estimate corporate brand value in a comprehensive manner.
(a) CB score
The CB score indicates how many first rate customers, employees, and stockholders a corporate
brand can attract and retain, and for how long. In other words, it is an indicator of the corporate
brand’s relative position—how attractive the corporate brand is—within its industry. The CB
score comprises three elements: the customer score, employee score, and stockholder score.
The customer, employee, and stockholder scores are used as indicators based on the three factors
that have been emphasized in previous brand theories: premium, recognition, and loyalty.
Premium, recognition, and loyalty symbolize, respectively, the quality of stakeholders attracted
to a corporate brand, the number of such stakeholders, and the length of time during which
stakeholders are attracted to the brand and the volatility of its results. It is difficult to enhance the
power of the corporate brand unless the levels of premium, recognition, and loyalty are raised in
a comprehensive manner. For this reason, the CB score for each stakeholder is calculated by
multiplying the three indicators premium, recognition, and loyalty. The figure for premium is
computed based on financial data and recognition and loyalty are based on corporate image
surveys. Each indicator is calculated based on the deviation value for the industry used as a
sample.
(b) CB utilization ability
Even if a company has a high CB score, the value of its corporate brand is not always high. This
is because the CB score is no more than an indicator that symbolizes the relative power of the
company’s corporate brand in the industry, so that the CB score alone does not necessarily
explain future cash flows derived from the corporate brand. For example, if the company makes
efficient use of its investments, it can generate cash flows even if the power of its corporate
brand is low. Conversely, if the company can effectively convert the power of its corporate brand
into cash flows with small amounts of investment, there is a possibility that its corporate brand
will rise in value even if the CB score is low. Ito calls the ability of companies to effectively
convert the power of their corporate brand into cash flows “CB utilization ability.” The CB
utilization ability serves, so to speak, as a lever for the CB score. The CB utilization ability is
calculated based on the profitability of the company, but in this process, variables are changed so
as to enhance its significance as a lever for the CB score.
well as on whether opportunities for brand development are available or not.
Based on the CB valuator, The Nihon Keizai Shimbun and The Nikkei Sangyo Shimbun have
published a ranking of companies in CB value annually since 2001. Table 2 shows the CB value
ranking published on June 10, 2008.
Table 3 : Effects of Information Security Incidents on Corporate Brand Value: An Approach to Verification
[Approach to verification]
1. Choose companies that were covered by one or more of the four Nikkei newspapers between
2001 and 2006 because they caused an information security incident (information leak, system
failure, etc.).
2. Examine what effects the IT incidents had on the corporate image of those of the companies
which were covered by Nikkei corporate image surveys.
3. Choose five of the prominent companies that are considered to have suffered particularly
serious damage in the second step above and calculate the effects of the IT incidents on the
financial value of their corporate brand in numerical terms.
Calculating the value of a company’s corporate brand requires its financial data (accounting and
stock price data) and corporate image data (Nikkei corporate image surveys and analyst surveys).
Therefore, it is difficult to calculate the degree of damage to the value of their corporate brand
for all companies that have caused information security incidents. As shown in Table 3, we
conducted searches in four Nikkei newspapers using the keywords “information leak” and
“system failure” to choose companies reported as having caused an information security incident
between 2001 and 2006 and whose corporate brand value could be calculated. As a result, we
obtained 34 sample companies for information leaks and 21 sample companies for system
failures.
First, we examine the effects of information security incidents on corporate image, which is a
constituent of corporate brand value. Figure 17 uses the average for corporate image scores
during the three-year period prior to the occurrence of the information leaks or system failures to
indicate how much the incidents caused these scores to decline. In this figure, it can be
confirmed that corporate images went down substantially in terms of “product and service
quality,” “being eager to meet customer needs,” and “being able to respond to social changes.” It
can also be confirmed that system failures generally cause greater damage to corporate image.
[Figure 17: chart of corporate image scores after the incident relative to scores before it (vertical axis 0.75 to 1.20). Image items legible in the chart include: friendly, lively, reliable, quality, eager to meet customer needs, responsive to social changes, active in research and product development, active in self-transformation, active in disclosing managerial information, sales capabilities, and refined advertising activities.]
* In the verification process, the effects are calculated using the image score at the time when the IT incident had just
occurred as the numerator and the image score prior to the IT incident occurring as the denominator. Analysis is
performed focusing on 14 serious accidents that are considered to have affected 100,000 ordinary consumers or
more.
Furthermore, if information security incidents are narrowed down to those which affected over
100,000 people, it can be confirmed that they caused greater damage to corporate image in terms
of “product and service quality” and “having good taste.” This confirms that information security
incidents have serious effects on the image that external stakeholders have of the companies
concerned.
To what extent, then, do information security incidents affect corporate brand value? In order to
answer this question, we narrowed down the number of companies analyzed to five to estimate
the effects of information security incidents on corporate brand value. Among the companies that
caused information security incidents, the ones involving these five were all played up by the
mass media, and it is assumed that such incidents seriously affected corporate brand value.
[Figure 18: effect of information security incidents on corporate brand value for Bank A, Card company B, Card company C, Service company D, and Information & communications company E. Left axis: effect as amount (unit: ¥1 million, 0 to 45,000); right axis: effect as ratio (0.0% to 30.0%).]
Figure 18 indicates the amount of the damage caused by the information security incidents to
each of the companies and the loss as a percentage of the value of the corporate brand. This
figure shows that one of these information security incidents caused nearly 40 billion yen of
damage to the corporate brand value of the service company concerned. This represents 25% of
the corporate brand value the service company had maintained up till that point. The banking
institution also suffered nearly 40 billion yen of damage to its corporate brand value. As
exemplified by these two and other cases, information security incidents have grave effects on
corporate brand value.
Based on the foregoing, it can be said that information security incidents are likely not only to
lower evaluations of the companies involved by stock markets but also to substantially lower
evaluations by other stakeholders, including customers, employees, local communities, and the
global society.
How many companies, then, disclose information on their information security initiatives? In
order to clarify this, Ito conducted a survey of information disclosure officers at 3,931 listed
companies in Japan in October 2008. A total of 339 replies were received.
In addition to asking the information disclosure officers how their company disclosed
information on its risk management initiatives, including information security, the survey looked
at how they apprehend and disclose information on risk management. The following are the
results of the survey.
Figure 19 indicates how companies disclose information on corporate risk and its management,
including information security. According to this figure, it can be seen that many companies
disclose such information in the form of financial statements and corporate governance reports,
which stock exchanges require them to present.
Figure 19 : Media by Which Information Is Disclosed N=362
[Bar chart (vertical axis 0 to 350) by disclosure medium. Media: financial reports, brief reports on financial results, corporate governance reports, annual reports, business reports, materials for meetings announcing financial results, booklets for individual investors, environmental and corporate social responsibility (CSR) reports, and websites. Series: information on corporate risk, information on risk management, information on corporate governance, information on internal controls, and information on information security.]
[Figure: survey responses by risk type; rows recovered from the figure]
Risk                              Extremely large  Quite large  Quite small  Extremely small  Don’t know
Related to defective IT systems   98               133          78           18               13
Operational                       54               115          99           23               41
How serious an effect do information disclosure officers think information security risks have on
corporate management? In Figure 20, information disclosure officers were asked about the
effects of information security risks on corporate management. This figure confirms that many
information disclosure officers think that risks involving compliance, information leaks, and
defective IT systems have serious effects on corporate management.
How far have companies established systems to manage risks that they think will have serious
effects on their management? Also, how far do they disclose information on such systems?
Figure 21 indicates how far companies replying that risks would have serious effects on their
management have established risk management systems5 and their disclosure of information on
the risks involved. This figure illustrates that while around 95% of companies have established
systems to manage risks involving compliance and information leaks, only around 60% of them
disclose information on such systems. With respect to risks involved in defective IT systems,
although 85% have established risk management systems, only around 45% disclose information
on these systems. It can be seen that even though systems are established to manage information
security risks, the incentive for disclosing information on these systems is small. Conversely, if,
despite the small incentive, companies disclose information on the information security risks that
they face and the systems they have in place to manage these risks, it may mean that they are
more enthusiastic about these initiatives, and their managers have a better understanding of these
initiatives than those of companies that do not.
5 In this context, that risk management systems have been established means meeting three
requirements: (1) where responsibilities lie is clearly defined; (2) methods for responding to risks in a
systematic way when they are revealed have been established; and (3) employee education and
training are provided.
(2) Building a hypothesis
If investors view the disclosure of risk information as a sign of active efforts to establish and
improve risk management systems, it can be assumed that they expect that companies disclosing
risk information in advance will take appropriate action after an information security incident
occurs.
On the other hand, if investors view the non-disclosure of risk information as a sign of the
inability to perceive the risk involved, the absence of risk management systems even if the risk is
perceived, or the unwillingness to establish such systems in the future, it can be assumed that
they do not expect that companies which do not disclose risk information in advance will take
appropriate action after an information security incident occurs. Therefore, it is supposed that
when a risk is revealed, the extent of the fall in the price of stocks in companies that disclose
information on risk is smaller than that for companies that do not. Based on this, the following
hypothesis is given.
Hypothesis: Other things being equal, when a risk is revealed, the extent of the
decrease in the price of stocks in companies that disclose risk information
in advance is smaller than that for companies that do not.
Among the cases identified through keyword searches, only those which met the following three
requirements were used in the sample: (1) the companies that caused the incident were then
listed on the First Section of the Tokyo Stock Exchange and have been listed there to the present
day; (2) they did not merge with another listed company during the period analyzed; and (3)
information on stock prices required for analysis is obtainable.6 The reason the sampling was
limited to companies listed on the First Section of the Tokyo Stock Exchange is that we
attempted to identify the effects of incidents involving the leakage of personal information on
stock prices by making other factors that might affect stock transactions as uniform as possible.
If two or more risks were revealed at the same company within one month, the second and
6 The authors tried to minimize the effects of the trading environment and other external factors by
using only TOPIX data as indicators to estimate rates of cumulative abnormal return.
subsequent risks are excluded from the sampling. The reason for this is that the first incident
might have continued to affect stock prices. As a result, 67 cases7 were used in the sample.
Table 4 indicates the distribution of industries sampled. This table shows that the
information/communications and banking industries are more highly represented than others.
According to the results of the survey of personal information leak incidents conducted by the
Japan Network Security Association, incidents in the banking industry account for 13.7% of the
total, ranking first among all industries, and those in the information/communications industry
represent 11.2%, ranking second. This corresponds to the distribution of industries sampled in
the present study. For this reason, we do not believe that the manner in which incidents were
sampled seriously affected the results of this analysis.
7 Incidents were sampled manually, however. Therefore, there is a possibility that not all incidents
involving the leakage of personal information were sampled.
8 However, the day of the event for cases reported in the evening edition is the day following the day
when they were reported. If stock markets were closed on the day when cases were reported, the day
of the event is the next day when the stock markets opened.
9 In this study, the authors performed analysis using market-adjusted models and found that the
CAR is calculated according to the following procedures:
First, the parameters $\hat{\alpha}_i$ and $\hat{\beta}_i$ are estimated using formula (1).
$$R_{i,t} = \alpha_i + \beta_i R_{m,t} + \varepsilon_{i,t} \qquad (1)$$
$R_{i,t}$ represents the CAR for Company i on Day t, and $R_{m,t}$ represents the CAR rate for the whole
market 10 on Day t. As in the studies by Campbell et al. (2003), Cavusoglu et al. (2004), and
Ishiguro et al. (2006), the estimation period is 120 days prior to the day when the information
leak incident was reported.
Next, based on formula (2), abnormal return (AR) on equity investment is calculated using the
parameters estimated from formula (1).
Finally, all AAR rates are added up to give the CAR (4).
$$CAR = \sum_{t=-1}^{T} AAR_t \qquad (4)$$
The stock price data required for analysis were obtained from the Nikkei NEEDS-Financial
QUEST system.
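The procedure above, as an added Python example that is not part of the original paper: it fits the market model of formula (1) over a 120-day estimation window, takes the abnormal return as the actual return minus the model's prediction, averages it across cases, and accumulates it from t = -1 as in formula (4). Formulas (2) and (3) are not reproduced on this page, so the standard event-study definitions are assumed for them; inputs are treated as daily returns, and every series below is constructed sample data, not the paper's.

```python
import random
from statistics import mean

EST_DAYS = 120                     # estimation window stated in the text
EVENT_START, EVENT_END = -1, 15    # event window plotted in Figure 22
N_EVENT = EVENT_END - EVENT_START + 1


def fit_market_model(stock, market):
    """OLS estimate of (alpha, beta) in R_i,t = alpha + beta * R_m,t + e."""
    mx, my = mean(market), mean(stock)
    sxx = sum((x - mx) ** 2 for x in market)
    sxy = sum((x - mx) * (y - my) for x, y in zip(market, stock))
    beta = sxy / sxx
    return my - beta * mx, beta


def abnormal_returns(case):
    """AR_t = actual return minus the market-model prediction (assumed form)."""
    alpha, beta = fit_market_model(case["est_stock"], case["est_market"])
    return [r - (alpha + beta * m)
            for r, m in zip(case["evt_stock"], case["evt_market"])]


def car_path(cases):
    """Average AR across cases for each day (AAR_t), accumulated from t = -1."""
    ars = [abnormal_returns(c) for c in cases]
    path, total = [], 0.0
    for d in range(N_EVENT):
        total += mean(ar[d] for ar in ars)
        path.append(total)
    return path


def make_case(rng, alpha, beta, shocks):
    """Constructed case: noise-free market model plus an injected daily shock."""
    est_m = [rng.gauss(0, 0.01) for _ in range(EST_DAYS)]
    evt_m = [rng.gauss(0, 0.01) for _ in range(N_EVENT)]
    return {
        "est_market": est_m,
        "est_stock": [alpha + beta * m for m in est_m],
        "evt_market": evt_m,
        "evt_stock": [alpha + beta * m + s for m, s in zip(evt_m, shocks)],
    }


def demo():
    """Two constructed groups: one recovers after the report, one keeps falling."""
    rng = random.Random(2008)
    # Constructed shock profiles for t = -1 .. 15 (hypothetical values).
    recover = [0.0, -0.004] + [-0.001] * 4 + [0.002] * 4 + [0.0] * 7
    drift = [0.0, -0.004] + [-0.002] * 15
    disclosed = [make_case(rng, 0.0002, b, recover) for b in (0.8, 1.0, 1.2)]
    undisclosed = [make_case(rng, 0.0001, b, drift) for b in (0.9, 1.1, 1.3)]
    return car_path(disclosed), car_path(undisclosed)


if __name__ == "__main__":
    disclosed_car, undisclosed_car = demo()
    for t, (d, u) in enumerate(zip(disclosed_car, undisclosed_car), EVENT_START):
        print(f"t={t:>3}  prior-disclosure CAR={d:+.4f}  non-prior CAR={u:+.4f}")
```

Because the market-wide component is removed by the fitted model, the CAR path reflects only the firm-specific shock, which is what allows the two groups to be compared.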
results of this analysis were largely the same as those obtained by analysis using market models.
10 TOPIX was used to calculate the CAR rate for the whole market. The reason for this is that the
companies analyzed are limited to those listed on the First Section of the Tokyo Stock Exchange (TSE).
Analysis of the CAR rate for the whole market using TSE’s stock price index by industry obtained
similar results.
Figure 22 : Changes in CAR Rates (t = –1 to 15)
[Line chart: CAR (vertical axis, -4% to 3%) by day relative to the report of the incident (horizontal axis, t = -1 to 15).]
Figure 22¹¹ shows that following the report of information leak incidents, the price of stocks in
both companies that disclose information leak risks in advance and those which do not fell.
While prior-disclosure companies saw their stock price begin to rise five days after the incident
was reported and after seven days had recovered the fall experienced in the first five days,
non-prior-disclosure companies saw their stock price continue to fall and failed to recover the
pre-incident stock price level even after 15 days had passed. Fifteen days after the incident was
reported, while the stock price for prior-disclosure companies had risen about 0.1%, that for
non-prior-disclosure companies had fallen about 3.0%. From these trends, it can be seen that
after the information leak incident, the stock price for prior-disclosure companies fluctuated
differently from that for non-prior-disclosure companies. This means that prior-disclosure
companies were more positively assessed by markets than non-prior-disclosure ones. The
following paragraphs explain the reasons why the differences in stock price fluctuation described
above between prior-disclosure and non-prior-disclosure companies occur.
Investors might have decided that companies disclosing risk information in advance had solid
risk management systems and expected that they would swiftly take appropriate action even if
risks became tangible. Wakasugi (1999) pointed out that information disclosure exerts
motivational control over corporate activities. If this argument is invoked, it can be claimed that
investors might have decided that the ability of companies to disclose risk information in
advance meant that they perceived the risks involved and had systems to manage them. In fact, in
an awareness survey of information disclosure officers, 95% of companies disclosing
information leak risks replied that they had put in place systems to manage such risks.
11 The results of analysis of changes in CAR rate in the banking and information/ communications
industries indicate that the CAR rate for prior-disclosure companies and that for non-prior-disclosure
ones showed the same trends as in Figure 22. The changes in CAR rate are largely similar to those for
the entirety of the sample. Banking and information/communications are the only industries that
included both prior-disclosure companies and non-prior-disclosure companies and for which the
number of cases in the sample was sufficient for analysis.
Table 5 : Testing of Average Differences in CAR between Prior-disclosure
Companies and Non-prior-disclosure Companies
CAR   Prior-disclosure   Non-prior-disclosure   t value
      companies          companies
0     -0.002             -0.008                 1.019
1     -0.002             -0.009                 0.953
2     -0.004             -0.008                 0.522
3     -0.002             -0.009                 0.697
4     -0.004             -0.013                 1.004
5     -0.003             -0.013                 1.235
6     -0.002             -0.014                 1.252
7      0.001             -0.015                 1.538
8      0.003             -0.016                 1.935*
9      0.005             -0.015                 1.764*
10     0.006             -0.019                 2.059**
11     0.004             -0.025                 2.286**
12     0.001             -0.029                 2.258**
13     0.005             -0.030                 2.593**
14     0.003             -0.031                 2.344**
15     0.006             -0.030                 2.480**
** significant at the 5% level (two-sided test)
* significant at the 10% level (two-sided test)
On the other hand, investors might have decided that companies that did not disclose risk
information in advance did not perceive the risks involved or had not put risk management
systems in place even if they perceived them. Therefore, the investors made a different decision
when they considered investing in companies that did not disclose risk information in advance
and those which did.
These differences in the fluctuation of stock prices need to be verified at statistically significant
levels. Therefore, tests of average differences in CAR rate between prior-disclosure companies
and non-prior-disclosure companies were performed. Table 5 lists the results of t tests.
Table 5 shows that differences in the fluctuation of stock prices can be verified at statistically
significant levels eight days after the information leak incident was reported. In the study by
Ishiguro et al. (2006), statistically significant results of stock price fluctuations were obtained ten
days after the information leak incident was reported. It can be said that the results of the present
study are generally consistent with those of the study by Ishiguro and his colleagues.
With regard to the reason that there is a delay in investors responding to information leak
incidents, Ishiguro et al. (2006) explain that immediately after the occurrence of the incidents,
investors cannot accurately grasp the amount of loss caused, and that only after exposure to
various reports following the incidents can they obtain a clear understanding of the scale of loss.
In the present study, we performed analysis from the viewpoint of risk information disclosure,
and from this standpoint, it can be inferred that investors collect information in various ways
immediately after the occurrence of information leak incidents, and that this collected
information includes risk information. Having confirmed this risk information after the incident,
they may make different investment decisions with respect to prior-disclosure companies and
non-prior-disclosure companies.
Therefore, it can be pointed out that there is a possibility that investors gradually incorporate
information on whether companies disclose risk information or not into their investment
decisions. In other words, immediately after the occurrence of information leak incidents,
investors do not know whether companies disclose risk information or not, but later, through
information gathering, they distinguish companies that disclose risk information in advance from
those which do not. By doing so, they realize in hindsight that prior-disclosure companies have
appropriate risk management systems. This might have had favorable effects on stock prices,
helping them to start rising. On the other hand, investors decide that non-prior-disclosure
companies do not have adequate risk management systems, and this might have caused stock
prices to continue falling.
This section examines the three above-mentioned factors and the scale of the incident as factors
that affect CAR when information leak incidents occur. This is because it is assumed that
companies that cause a larger information leak incident see their stock price fall more
substantially than those which minimize the scale of the incident they cause.
As in the study by Ishiguro et al. (2006), the index (Size) based on the natural logarithm of
sales12 for the settlement term immediately before the information leak incident was reported is
used as an indicator of business scale. PBR for one day prior to the day when the information
leak incident was reported is used. The number of pieces of personal information leaked
(Numbers) is used as a variable that indicates the scale of incident. Since discrepancies exist in
the numbers of pieces of personal information leaked, however, the index based on the natural
logarithm of the numbers is used. As is shown in Table 4, since there is a possibility that
information leak incidents are closely related to industry characteristics, an industry dummy
variable is incorporated into the multiple regression model.
$$CAR_{i,t} = \alpha_0 + \alpha_1 Sales_{i,t} + \alpha_2 PBR_{i,t} + \alpha_3 Numbers_{i,t} + \alpha_4 DiscDummy_{i,t} + \sum_{i=1}^{14} \gamma_i IND_i + \varepsilon_i$$
Sales = Sales for the settlement term just before the information leak incident was
reported (natural logarithm)
PBR = PBR for one day prior to the day when the incident was reported
Numbers = Number of pieces of personal information leaked (natural logarithm)
DiscDummy = Information leak risk information disclosure dummy (1 for
prior-disclosure companies and 0 for non-prior-disclosure companies)
$\sum_{i=1}^{14} \gamma_i IND_i$ = industry dummy
12 Even in cases in which the total market value was used for the business scale index as in the study
by Cavusoglu et al. (2004), largely similar results were obtained.
The number of cases used in the sample was 64 after three cases were excluded in which
information on PBR and the number of pieces of personal information leaked was not obtained.
The stock price data and financial information required for analysis were obtained from the
Nikkei NEEDS-Financial QUEST database.
Table 6 and Table 7 show descriptive statistics for explanatory variables and correlation
coefficients between variables, respectively.
Table 6 : Descriptive Statistics
Descriptive statistics in Table 6 indicate that there is no particularly abnormal value, suggesting
that there is no sampling bias. Pearson correlation coefficients in Table 7 show that all
correlation coefficients between explanatory variables are within ±0.180, and it is presumed that
problems of multicollinearity do not need to be taken into consideration13.
The multiple regression model is estimated using CAR (t = 1 to t = 15) for explained variables.
(b) Results
The results of the analysis are shown in Table 8.
13 The variance inflation factor (VIF) for each variable is estimated at 3.205 for Size, 1.367 for PBR,
1.439 for Numbers, and 1.719 for DiscDummy. In general, multicollinearity can be suspected if VIF is
estimated at ten or more, but the values shown above are much smaller than ten. Therefore, it is
assumed that there is no problem of multicollinearity among explanatory variables.
According to Table 8, all coefficients for Size are positive in all periods except t = 8. But in no
period are they statistically significant. Coefficients for PBR are all negative and statistically
significant until the fifth day (significant at the 1% level on all days except t = 1). From six days
after the incident was reported onward, however, they are not statistically significant.
Coefficients for Numbers are negative after the incident was reported and statistically significant
until the fifth day (significant at the 1% level for t = 2 to 4 and at the 5% level for t = 1 and t = 5).
As with PBR, however, the values are not statistically significant from the sixth day onward.
Coefficients for Type are also statistically significant though they are not listed in the table.
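[Table 8, recovered rows: for each t, coefficient and t value for Size, PBR, Numbers, and DiscDummy, followed by the two remaining columns of the table]
t   Size             PBR                   Numbers               DiscDummy
2   0.005   1.604    -0.008   -3.108 ***   -0.004   -3.228 ***   0.004   0.581    0.357   64
3   0.007   1.886    -0.010   -2.960 ***   -0.005   -3.516 ***   0.002   0.242    0.332   64
4   0.004   1.235    -0.009   -3.092 ***   -0.004   -3.050 ***   0.007   0.832    0.450   64
5   0.006   1.712    -0.010   -3.532 ***   -0.003   -2.131 **    0.005   0.633    0.464   64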
Finally, a look at coefficients for DiscDummy indicates that they are positive in all periods. It is
not until eight days after the incident was reported, however, that they become statistically
significant (significant at the 10% level for t = 8 and t = 9 and significant at the 5% level for t =
10 to 15). If the results for PBR and Numbers are taken into account, it can be seen that there is a
possibility that following the reported incident, investors made investment decisions in
accordance with PBR and incident scale for some time, but that after a certain length of time
passed, whether or not the companies involved disclosed risk information in advance affected
their decisions.
Why, then, do companies that disclose information security risks not see their stock price fall
substantially? Why do those which do not disclose them see their stock price fall substantially?
One convincing hypothesis indicates the possibility that there are investors who study the
financial statements of the companies involved again when reconsidering their investment
decisions after the occurrence of information leak incidents. Companies that disclose information
security risks in their financial statements are likely to be keener on information security
initiatives and establish risk management systems in a more solid manner than those which do
not. It is inferred that the investors confirm these points and reflect them in their investment
decisions.
Information security initiatives not only prevent information security incidents from pushing
down stock prices but may also have positive effects on corporate brand value. The reason for
this is that information security initiatives are highly likely to help gain the greater trust of
external stakeholders and enhance customer preference and satisfaction in business transactions.
Another reason is that the greater trust of employees in information security increases their trust
in information systems, encouraging them to utilize information systems in a more strategic way.
Figure 23 shows how corporate users evaluated the companies’ information security initiatives.
According to this figure, the percentage of corporate users who highly rated Company B’s and
Company C’s information security increased in 2005, 2006, and 2007.
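[Figure 23: chart of corporate users' evaluations of information security by year (vertical axis 0% to 8%, horizontal axis 2004 to 2007). Annotation in the chart: "Evaluations of competitors remained almost at the same level."]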
In Japan, since 2005, the Ministry of Economy, Trade and Industry has taken a leading role in
establishing various systems and devices to encourage Japanese businesses to disclose
information security initiatives more actively. In line with this trend, Companies B and C made a
clear commitment to their stance of communicating their information security initiatives to
stakeholders inside and outside the companies, mainly through full information security
disclosure. The figure confirms that these initiatives have had a steady influence on corporate
users.
How, then, do high or low evaluations of companies’ information security affect user preference
when users purchase products and services from the companies? In order to answer this question,
we divided the corporate users into those which highly rated the companies’ information security
and those which did not and presented user evaluations when they dealt with the companies (see
Figure 24).
Figure 24 : Effects of Information Security Initiatives on
Evaluations by Corporate Users
[Bar chart values as recovered; the rating category labels are not recoverable]
Company A with Security +   35 43 13 2 4 4
Company A with Security –   16 40 21 4 3 16
Company B with Security +   47 42 5 2 2 2
Company B with Security –   22 35 18 6 4 15
Company C with Security +   28 54 15 1 1 0 (position of the 0 uncertain)
Company C with Security –   15 34 23 8 5 16
* “Security +” indicates users who highly rated the company’s information security, and “Security –”
indicates users who did not.
According to Figure 24, it can be seen that the corporate users tended to prefer dealing with
companies that excelled in information security initiatives. Similar results were derived in terms
of overall user satisfaction, although details are omitted.
The results of the foregoing analysis confirm that information security initiatives led to high
customer preference and satisfaction in business transactions.
In order to answer this question, this section uses questions asked in a survey aimed at measuring
the effects of investment in information processing systems, which was carried out by Ito at
Hitotsubashi University on administrators of corporate information processing systems or
personnel in similar positions in January 2007, to present the relationship between the
information security awareness of companies and the awareness of employees working for those
companies. The survey covered 3,950 listed companies and collected a sample of 495 responses.
In the survey, respondents were asked whether their company was working hard to bolster
information security or how their company’s information processing systems were evaluated by
internal stakeholders. The survey used a combination of these questions to examine what effects
the presence or absence of efforts to strengthen information security had on evaluations by
internal stakeholders of information processing systems (see Figure 25).
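[Figure 25: bar chart values as recovered; the rating category labels are not recoverable]
Information security +   8 25 48 10 4 4
Information security –   3 15 39 13 10 20 (position of the 20 uncertain)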
This figure confirms that companies that were active in information security initiatives enjoyed
higher evaluations by their employees of their information processing systems than those which
were not. The greater trust of employees in information processing systems will encourage them
to utilize these systems in a strategic way, and if these efforts are successful, the employees will
be motivated to work harder, and they will have a greater awareness of, and take greater pride in,
their company’s corporate brand.
As described above, it can be seen that information security initiatives are closely related to
evaluations by customers and employees of the corporate brand of the companies concerned.
The aim of this paper is to examine the effects of information security initiatives on corporate
value and demonstrate the significance of establishing information security governance so that
the effects permeate into business firms.
In order to achieve this goal, this paper first examined the effects of information security
incidents on evaluations by stock markets and on corporate brand value. It then showed the
possibility of information security incidents leading to significantly lower evaluations by stock
markets, and of them substantially damaging corporate brand value by lowering the level of the
corporate image.
Do, then, information security initiatives bring economic effects? In order to answer this question,
we performed the three analyses described below. One was to focus on companies that disclosed
information security risks in the “Risks involved in business etc.” column in their financial
statements and examine how differently stock markets evaluated such companies as compared to
those which did not when an information security incident occurred. As a result, it was
confirmed that companies that disclosed information security risks saw their stock price fall by a
smaller margin than those which did not.
Based on the results described above, it is considered that it is economically beneficial in two
ways to have internal and external stakeholders recognize that companies are carrying out
information security initiatives.
One benefit is that by explaining that they are carrying out information security initiatives as
expected by external stakeholders, companies can state that they are fulfilling their corporate
social responsibility, thus minimizing the concerns and distrust of external stakeholders.
Like global warming and other environmental problems, information security incidents, once
they occur, can have grave effects on companies and ordinary consumers in the community in
which the companies involved operate. Nonetheless, external stakeholders cannot ascertain how
active and enthusiastic the relevant companies are with regard to information security initiatives.
This may bring about underinvestment, viewed from the standpoint of social welfare. In order to
minimize the concerns and distrust of external stakeholders, companies are urged to disclose
information security initiatives as part of their corporate social responsibility.
Formerly, information security incidents did not occur as often as today. Also, there was a
“happy misunderstanding” that companies—which in fact were not intent on ensuring
information security—might be working hard to ensure information security even if they did not
disclose their information security initiatives. In recent years, however, many information
security incidents have occurred. In the light of these incidents, unless companies disclose
information security initiatives, external stakeholders cannot identify these initiatives even if the
companies are actively implementing them, and may consider the companies to be subject to
information incident risks in the same way that others are. In order to avoid such negative
evaluations and minimize the groundless concerns and distrust of external stakeholders,
companies have been urged to disclose their information security initiatives.
The other benefit lies in explaining information security initiatives from the
viewpoint of raising future cash flow levels. If information security initiatives increase the trust
of business partners and customers, resulting in the establishment of stable relationships with
them, as well as in strategic management of customer loyalty, premiums, and information assets,
future cash flow levels can be raised or stabilized. This economic benefit, however, would rarely
lead to favorable evaluations by stockholders and other stakeholders of companies unless
information security initiatives are disclosed voluntarily. The results of the analysis in this paper
suggest that strengthening information security initiatives and disclosing them to external
stakeholders are effective in bringing these two benefits.
As shown in this paper, however, there are still comparatively few managers of Japanese
companies who believe that information security initiatives lead directly to enhanced corporate
competitiveness. For this reason, it is extremely important to have corporate managers
understand the importance of information security initiatives and engage themselves in these
initiatives more actively. In this sense, it is essential to establish and apply information security
governance, which is defined as “establishing and applying corporate governance, and the
internal control systems that represent the mechanism supporting it, within a company looking
from the viewpoint of ensuring information security.”
It is no easy matter to establish and apply information security governance. This is because, in
order to establish it, it is essential to establish systems to make information security governance
visible so that progress in information security initiatives can be properly managed from the
viewpoint of corporate managers and to establish risk communication systems to make
information security governance visible to external stakeholders. At present, however, it is no
easy matter to do this.
Why, then, is it not easy to establish systems to make information security governance visible
and to establish risk communication systems? One of the major reasons for this is the absence of
information security databases.
Lack of such databases makes it difficult to render the economic effects of information security
initiatives and those of investment in such initiatives tangible. For this reason, it is difficult to
make the aim of information security initiatives and the progress made with such initiatives
visible from the perspective of corporate managers. Corporate managers would not want to
actively communicate information to external stakeholders that does not allow them to confirm
the progress of these initiatives.
As shown in this paper, even among the companies that have established information security
risk management systems, only a few disclose them. It can be inferred that this is because many
of the corporate managers are afraid that actively disclosing risk information may in turn lead
stock markets to evaluate their company negatively.
The results of the analysis in this paper suggest that information security initiatives and their
disclosure are highly likely to bring positive economic effects.
Nonetheless, this paper does not give full consideration to what type of information security
governance brings positive economic effects to business firms or to other aspects of information
security governance. We regard these as issues that we should address in the future.
Acknowledgment
In writing this paper, the authors received support from the Center for Japanese Business
Studies—run by the Ministry of Education, Culture, Sports, Science and Technology’s Global
Center of Excellence (COE) Program—the main site of which is Hitotsubashi University
Graduate School of Commerce and Management. They also received science research subsidies
(basic research B) from the Japan Society for the Promotion of Science. They are deeply grateful
for this support.
Bibliography
Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market,” Journal of Computer Security, Vol. 11, 2003.
Ito, K., Seminar: Valuation of Corporate Value, Nikkei Publishing Inc., 2007.
Ito, K., “New Development of Corporate Brand Management,” Hitotsubashi Business Review, Vol. 51, No. 3, 2003.
Ito, K., “Corporate Brand Management for Higher Reputation,” Risk Management Business, Vol. 19, No. 9, 2004.
Ito, K. and T. Kagaya, “Brand Risk Management and Corporate Value,” Hitotsubashi Business Review, Vol. 54, No. 3, 2006.
Ministry of Economy, Trade and Industry, “Research Group on Corporate Information Security Governance,” March 2005.
Kim, H. O., “The Effects of the Advance Disclosure of Risk Factors on Stock Returns When There Are Information Security Incidents,” Hitotsubashi Review of Commerce and Management, Vol. 2, No. 2, November 2007.
Japan Network Security Association, “Information Security Incident Survey Report,” 2002–2007.
InterRisk Research Institute & Consulting, Inc., “An Analysis of Revealed Risks in Fiscal 2004,” June 2005.
Wakasugi, A., Accounting Disclosure and Corporate Ethics, Zeimukeiri Kyokai Co., Ltd., 1999.
Brand Risk Management and Corporate Value
Kunio Ito, Professor, Graduate School of Commerce and Management, Hitotsubashi University
Tetsuyuki Kagaya, Associate Professor, Graduate School of Commerce and Management,
Hitotsubashi University
October 2006
1. Introduction
There has been growing interest in corporate risk management in Japan. The reason is related to
the three trends described below.
One is that since the new century began, there have been a string of scandals betraying the trust
and expectation of consumers in various industries such as food, transport equipment, electrical
machinery, insurance, machinery, and public utilities. Recently, such incidents have occurred
even at some of the excellent companies that are representative of Japan. The frequent
occurrence of these scandals has led consumers to turn a more critical eye toward companies
than before. Formerly, companies were able to gain public trust in the quality and safety of their
products and services simply because they were large. The “quality myth” that large companies
had enjoyed crumbled easily, however. With the collapse of the quality myth, there is growing
interest in corporate risk among consumers as they consider how to protect themselves.
Another trend is that advances are being made in the reform of legal systems dealing with
corporate risk. In the United States, corporate scandals that involved Enron, WorldCom, and
other companies led capital markets to demand more reliable financial reports. In response to
these needs, the Sarbanes-Oxley (SOX) Act was enforced in 2002. Not only the U.S. but also
various other countries have taken the opportunity presented by the series of corporate scandals
occurring on a worldwide scale to step up their efforts to improve systems related to the
establishment of internal controls.
Japan is no exception. In March 2003, major financial institutions began to attach a written
confirmation to their financial statements in accordance with the framework of the Basel
Committee on Banking Supervision. Starting April of the same year, the Cabinet Office
Ordinance on Disclosure of Corporate Information etc. required company managers submitting
financial statements and other documents to present documents confirming that they did not
include false descriptions. Furthermore, in December 2005, a document entitled
“Recommendations on standards for evaluations and audits of internal controls related to
financial reports” was published. In November 2004, the Tokyo Stock Exchange issued a
document entitled “Review of the listing system to increase public trust in corporate information
etc.,” requiring listed companies to submit a document confirming the appropriateness of the
content of descriptions in financial statements and other documents starting from financial results
for the term ending March 2005. Moreover, the Companies Act, which came into force in May
2006, requires companies that appoint corporate auditors to have their board of directors decide
basic policy for the establishment of internal control systems and to disclose the outline of its
resolutions in their business reports.
These system reforms aim to clarify who should take responsibility for corporate scandals and
other incidents and to urge corporate managers to take precautions against possible scandals.
With these system reforms forming a turning point, the interest of businesspeople in corporate
risk has grown dramatically.
The last of the three trends is that reputation risks are increasing. In recent years, the authors
have often heard businesspeople point out that even the type of scandals that were not covered by
mass media before are often played up by them nowadays, attracting public attention and
bringing criticism. Many businesspeople are concerned that as a result of their exposure to mass
media, these scandals may come to be widely known to the public, having serious effects on
corporate value and brands14.
Chart 1 indicates the number of online search results for the keyword “scandal” in four Nikkei
newspapers and The Asahi Shimbun. According to this chart, if 1991 and 1997, when many
sokaiya (racketeer) incidents and financial scandals occurred, are excluded, the number of
business or management related scandals covered from 2002 onwards has risen to 600–800 for
the four Nikkei newspapers and 200–300 for The Asahi.
What one should pay particular attention to is that these business or management related scandals
have serious effects on the sustainability and other aspects of companies.
Chart 2 below, for example, examines the effects of corporate scandals covered by newspapers
between 1998 and 2002 (14 cases such as defective product and service quality, soil
contamination or other environmental problems, and breaches of laws and regulations) on
corporate value. The analysis involves examining how stock prices fluctuated before and after
the day when the corporate scandal was reported by mass media. According to this chart, stock
prices fell substantially immediately after the day when the scandal was reported, with the extent
of the fall in the subsequent week growing to nearly 15%. Even 30 days after the scandal was
uncovered, the stock prices
had not recovered to the pre-scandal level.
14 For the relationship between reputation risks and corporate brands, see Ito (2004).
Chart 1 : Changes in the Number of Online Search Results for the Keyword “Scandal” in Four Nikkei Newspapers and The Asahi Shimbun
[Chart: years 1985–2004 on the horizontal axis; two vertical scales, 0–2,000 and 0–1,000, labelled “Four Nikkei newspapers” and “Asahi”; series: Four Nikkei newspapers (“Scandal” and “management”), Four Nikkei newspapers (“Scandal” and “business”), Asahi (“Scandal” and “management”), Asahi (“Scandal” and “business”).]
The authors then analyzed the amount of economic loss suffered (sales loss and scandal-related
loss) and the amount of damage caused to the aggregate market value of stocks 30 days after the
scandal was discovered. Since the effects of the scandal itself cannot be separated from the
financial and accounting information disclosed by the company involved, the economic loss and
damage are inferred by analogy, and therefore, the effects of factors other than the scandal may
be included in the loss and damage. However, the amount of damage to the aggregate market
value of stocks during the period when the scandal occurred is much larger than the actual
economic loss during the same period, with the former at 169.3 billion yen on average and the
latter at 81.9 billion yen on average.
Chart 2 : Percentage of Damage Caused by Corporate Scandals to Corporate Value
Rate of cumulative abnormal return on equity during the 30-day period after the corporate scandal was revealed. The rate of cumulative abnormal return on equity is measured with that for the day when the scandal was revealed as zero.
[Chart: changes in the rate of cumulative abnormal return on equity (average for 14 companies); horizontal axis: days −6 to 30; vertical axis: 5.0% to −20.0%.]
Why, then, is the amount of damage to the aggregate market value of stocks larger than that of
actual operational loss? One of the convincing hypotheses is that stock markets consider that the
effects of scandals at companies on their financial results do not subside by the end of the year
when they occur but continue in the following year and thereafter. Of course, the degree of such
effects varies depending on the nature and characteristics of the corporate scandal, but it can be
confirmed that stock markets evaluate the companies involved, predicting that the effects of
scandals will generally continue in the following year and thereafter.
If a company’s stock value is left damaged for a long period of time, the damage may have
serious effects on the sustainability of the company. This is because the various systems,
including cross-holdings, which have served to stabilize Japanese companies, have practically
collapsed, and because, if their stock value remains low, there is a strong possibility that they
will be taken over by fund managers, foreign enterprises, or other Japanese companies in the
same industry15. In particular, the Companies Act, which was enacted in May 2006, allows
companies to acquire others and give stocks as compensation starting from May 2007, one year
after the law came into force, and this makes the acquisition of Japanese companies by foreign
ones a practical possibility. As this new age of M&A starts, Japanese companies are being urged
to establish appropriate systems to cope with and respond to the risks that face them.
2. Why Do Risk Events Occur Frequently Today?
The first step towards establishing appropriate systems to cope with and respond to corporate
risk is to consider why corporate scandals have frequently occurred in Japan in recent years.
So, to start with, why have corporate scandals that seriously affected corporate value been
occurring so frequently in Japan in recent years? One reason for this is that the number of laws
with which businesses and businesspeople need to comply has been increasing. The scope of
statutes that businesspeople have to comply with, including the Product Liability Act, the Act on
the Protection of Personal Information, the Labor Standards Act, the Act on Securing, etc. of
Equal Opportunity and Treatment between Men and Women in Employment, and laws and
regulations related to intellectual property rights and insider trading, is expanding. On the other
hand, as consumers and the general public view listed corporations with an increasingly critical
eye, as mentioned above, mass media cover violations of laws and regulations more often than
before as they increase in number. Against this background, employees who were not fully aware
of changes in the business environment such as the revision of legal systems continued to
perform their duties as they had done before, and this may have led to an increase in the number
of corporate scandals, as described above.
led to widespread criticism of Japanese style management, which had held sway over the minds
of businesspeople during the 1980s. Japanese style management came under fire from many,
who argued that the weakening of individual businesses due to the pursuit of all-round
management, the lack of specialization due to personnel development centered on generalists, the
harmful influences of centralized management by a bloated head office, lifetime employment,
personnel systems that, because of seniority, failed to evaluate personnel properly even if they
brought satisfactory results, and other factors eroded the competitiveness of Japanese businesses.
For this reason, Japanese companies began to implement policies to meet these criticisms in the
second half of the 1990s.
One example of these policies was the introduction of performance-based pay systems to bring
out the abilities of individual employees. In order to achieve good business results while curbing
personnel expenses, as they were becoming higher than overseas, it became indispensable to
properly reward personnel who brought excellent results. In order to attain this goal, Japanese
companies resolutely carried out reforms in personnel systems so that they revolved around
performance-based pay. At the same time, they implemented many policies to reduce costs,
including the invitation of applications for voluntary retirement, the relocation of plants to
overseas sites, and the utilization of temporary workers.
They also carried out organizational reforms to overcome the limits of all-round management,
which is symbolized by the term “conglomerate discount” or “diversification discount,” and to
enhance the competitiveness of individual businesses. To overcome the
“conglomerate discount” or “diversification discount,” Japanese companies began to accelerate the management
of individual businesses through organizational reforms such as thorough internal company and
business unit systems and spin-off operations, with the aim being to develop competitive
businesses. The availability of information technology backed up the decentralization of
resources for individual businesses.
Furthermore, Japanese companies streamlined their head office in parallel with efforts to enhance
the competitiveness of individual business units. The aim was to achieve greater efficiency in the
operation of the head office, a major cost center, by outsourcing part of its functions.
These management reforms contributed greatly to the recovery of Japanese companies’ business
performance. Chart 3, for example, shows the percentage of companies that, in each year, posted
their largest income since 1988. It can be confirmed that in terms of operating income, ordinary
income, and net income for the current term, the percentage of such companies was highest in
2004.
Chart 3 : Percentage of Japanese companies that posted their largest income from 1988 to each year
[Chart: vertical axis 0%–40%; horizontal axis 1995–2004; series: Operating income, Ordinary income, Net income for the current term.]
* The chart shows the percentage of companies that, in a given year, posted their largest income
since 1988. The survey covers 871 companies for which consolidated financial statements for the
period from fiscal 1988 to 2004 were obtainable.
However, while the business performance of Japanese companies recovered as described above,
the nature of management at Japanese companies steadily underwent changes in a manner that
would cause an increasing number of corporate scandals.
Reforms of personnel systems to revolve around performance-based pay, for example, were
introduced to make all employees aware of the emphasis on results and encourage them to
display their abilities to the full. These reforms contributed greatly to making each and every
employee aware of this emphasis. But on the other hand, many of the reforms, when they were
carried out, were restricted by the drive to reduce personnel expenses and this encouraged the
negative aspects of reform in the following two ways. One is that many of these reforms made
employees in a division indifferent to other divisions, group companies, and their company as a
whole. The other is that since too much emphasis was placed on performance, employees
neglected to expend sufficient effort on various other activities such as complying with laws and
regulations and establishing a competitive edge for the future, which affects the sustainability of
the company and forms a source of medium and long-term competitive power. In other words,
while Japanese companies made all-out efforts to emphasize performance, employees reduced
the range of their interest and lost their long-term point of view—a twofold “narrowing of
employees’ perspectives.”
Due to personnel reductions introduced to improve business performance, the workload of each
employee is increasing. In addition, as compliance and corporate social responsibility (CSR) gain
importance due to the series of corporate scandals that have occurred in recent years, a wide
range of new legal systems have been put in place. With the establishment of these legal systems,
there are ongoing moves to ensure thorough internal controls. Due to increases in documentation
and approval processes, which were not necessary in the past, the workload of employees, which
has already been growing, is becoming even larger. Moreover, the reason for the growing
workload and its significance are often not properly understood by all employees. Under these
circumstances, tighter internal controls end up making employees feel that they are just being
forced to work hard for the sake of it—a sense of being busy without a vision.
The narrowing of employees’ perspectives, being busy without a vision, and partial optimization,
all of which were taking hold at Japanese companies, widened the psychological distance
between the company and its employees and consequently weakened the sensitivity of
employees to risk events and lowered their morale and sense of allegiance—elements that had
played an important role in preventing the occurrence of corporate scandals.
Up to that time, Japanese companies had prevented the occurrence of risk events by relying on
the sensitivity of employees to risks as well as their morale and sense of allegiance rather than
establishing particular risk prevention systems and devices. There is a strong possibility, however,
that the structural changes Japanese companies have undergone in recent years are weakening
their ability to prevent and respond to risks, resulting in the frequent occurrence of corporate
scandals.
questionnaire survey in October 2004. The survey covered 1,600 businesspeople who worked
with companies in eight industries: (1) food, agriculture, forestry, and fisheries, (2) textiles, pulp
and papermaking, chemicals, pharmaceuticals, rubber products, petroleum, and cement, ceramics
and glass, (3) iron and steel, nonferrous metals, and metal products, (4) electrical and precision
machinery, (5) transport equipment, (6) information and communications, (7) transport, electric
power, and gas (public utilities), and (8) services (finance, insurance, service, commerce, etc.).
Based on the survey results, this section shows how the risk structure of Japanese companies has
changed. In order to confirm how the nature of management at Japanese companies had changed,
the survey assessed changes in the perceptions of employees regarding changes in managerial
events, classifying responses into five levels (“I strongly think so,” “I think so,” “I do not know
whether I think so or not,” “I do not really think so,” and “I do not think so at all”). Chart 4
indicates its results.
This chart shows that an increasing number of employees had the following impressions: “we are
asked to achieve aggressive performance goals more often than before,” “it is becoming difficult
to achieve goals due to fierce competition in core businesses,” and “a large proportion of bonus
is now linked to performance.” In addition, many businesspeople pointed out that “it takes time
to coordinate between divisions” and that “the scope of business managers’ responsibility and
authority is becoming unclear.” Furthermore, the number of companies in which “cost reductions
drive profit generation” and “profits are secured through the hard work of sales personnel and
efforts to meet work quotas” was on the rise.
From these survey results, it can be confirmed that such problems as excessive emphasis on
performance and lack of interdivisional cooperation were becoming increasingly tangible to
employees.
[Chart 4: vertical axis 0%–60%; caption fragment: “… ‘I think so,’ in response to 15 questions relating to the …”; surviving labels: “Manufacturing,” “services,” “business environment,” “Asked to achieve aggressive performance goals,” “A wider range of authority is delegated,” “Profits are secured through the …,” “… between divisions,” “The scope of business managers’ responsibility and authority is unclear.”]
How, then, should occurrence of the risk events underlying corporate scandals be prevented?
In recent years, Japanese companies have carried out, in earnest, compliance programs aimed at
educating and training employees in the legal systems and social conventions with which they
should comply. Furthermore, the Companies Act, which came into force in May 2006, requires
boards of directors to establish internal controls, with plans calling for the Financial Instruments
and Exchange Act to be enacted as a Japanese version of the SOX Act by the end of the same
financial year. As exemplified by these pieces of legislation, Japanese companies are being urged
to establish systems to preclude corporate scandals. Education and training as well as
establishment of internal controls will also enable Japanese companies to reduce the corporate
scandals that have been occurring frequently.
These various attempts will contribute to deepening the recognition and understanding of
employees regarding various situations that are considered to constitute a breach of laws and
regulations. What Japanese companies should pay attention to, however, is that unless the
intentions and aims of these attempts are properly communicated, including to rank-and-file
employees, they may come across to employees only as efforts to tighten internal controls and
strictly enforce extremely detailed rules, further weakening the sensitivity of employees to the
risks and lowering their morale and sense of allegiance.
What is important is to sharpen the sensitivity of employees to various events that are involved in
corporate scandals and encourage them to make voluntary efforts to prevent such scandals. What,
then, should be done to achieve the goal?
The authors believe that it is effective to make all employees realize, and take pride in, the fact
that they play their part in maintaining the corporate brand. This is because employees who
realize the importance of the corporate brand and take high pride in it can be expected to
voluntarily prevent actions that may damage corporate brand value and to actively engage
themselves in various compliance related activities. The authors call this approach of enhancing
the awareness of employees regarding discipline and preventing corporate scandals by making
them realize the importance of, and take pride in, the corporate brand “branding governance.”
3. Corporate Brand Crisis
In the autumn of 2001, Ito, one of the authors, worked with Nihon Keizai Shimbun, Inc. to
develop the “corporate brand (CB) valuator,” an evaluation model aimed at measuring corporate
brand value. Since then, he has annually published the top 20 companies in the corporate brand
value ranking in The Nihon Keizai Shimbun and the top 200 in The Nikkei Sangyo Shimbun (see
Chart 5).
Ito & Kagaya (2006) and other researchers verified the close relationship between corporate
brand value and corporate value. According to these studies, it has been proven that companies
with high corporate brand value can be expected to make a profit in a sustainable and stable
manner in the future, and that as a result, they are able to create corporate value.
In fact, corporate brand value represents a high percentage of total corporate value. Chart 6, for
example, gives data for companies with high corporate brand power (high CB score × high CB
utilization ability) in the selected industries. From this chart, it can be confirmed that corporate
brand value accounts for over 25% of total corporate value in the food, retail, and pharmaceutical
industries, and that it represents around 50% in the electrical machinery and transport equipment
industries.
Chart 6 : Percentage of the Aggregate Market Value of Stocks for Major Companies
Made Up by Corporate Brand Value
Food 26.994%
Retailing 25.955%
Pharmaceuticals 26.162%
From among the companies they had chosen to calculate corporate brand value, the authors
selected a sample of seven, which had caused, or whose group companies had caused, a
corporate scandal in the past. They then showed how much the corporate brand value and related
indicators for these seven companies fell in the year when the scandal occurred as compared to
their average corporate brand value during the five-year period prior to the occurrence of the
scandal (see Chart 7).
According to this analysis, the effects of corporate scandals on corporate brand value vary greatly.
While one company, which was affected seriously, saw its corporate brand value decline to as
low as around 12% of the previous level, another used the opportunity presented by the scandal
to heighten its corporate brand value through various customer services. On average, however,
the reputation of these companies fell sharply, with their corporate brand value at about 65% of
the previous level and their CB score, an indicator of the corporate brand’s appeal, down to about
70% as compared to the previous level. In addition, the premium, recognition (preference), and
loyalty indicators for customers, employees, and stockholders, which constitute the CB score,
also declined steeply.
[Chart: CB value, CB score, premium, recognition, and loyalty; vertical axis 0% to 120%]
Copyright (C).2006 Kunio Ito All Rights Reserved
How, then, does the image of corporate brands change due to corporate scandals? In order to
examine only events that jeopardize the safety and quality of products and services, this section
focuses on five of the seven companies sampled above and analyzes the effects of the scandals
on their corporate brand images. The magnitude of effects varies from one company to another,
but it can be confirmed that all companies saw the image of their corporate brand damaged
substantially in terms of perceived reliability, product and service quality, and quality of
managers.
What about the degree of image recovery after the year when the scandal occurred? Chart 9
indicates changes in corporate image in the year t and the year t + 1 with the image score for one
year prior to the year when the scandal occurred (year t – 1) as 100%. According to the chart,
while the corporate image recovered in terms of “excellent managers,” “active in
self-transformation,” “positive in disclosing managerial information,” and so on, it remained
low in terms of “reliability,” “product and service quality,” etc. In terms of “technological
capabilities” and “superior human resources,” there was a further decline. This indicates that it is
difficult to recover elements of the corporate image such as “reliability,” “product and service
quality,” and “technological capabilities” once they are tarnished by scandals.
Chart 8 : Changes in the Image of Companies That Caused
Scandals Affecting the Safety of Products and Services
Effects of concern about the safety of products and services on corporate image
Levels of corporate image in the year when the scandal occurred with the pre-scandal level as 1
[Chart: corporate image elements for Company A to Company E, including stability, reliability, energy, individuality, friendliness, response to customer needs, managers, technological capabilities, superior human resources, research and product development capabilities, refined advertising, tradition, financial condition, swift management decision making, self-transformation, disclosure of managerial information, and growth potential; vertical axis 0% to 120%]
As described above, it has become clear that corporate scandals have grave effects on corporate
image and thus harm corporate brand value significantly. Spreading recognition of this
throughout the company will, to a certain extent, enable employees to share an understanding of
the significance of advancing initiatives for preventing the occurrence of various risk events that
may harm the corporate brand.
If, then, there is a shared awareness that corporate scandals have major effects on corporate brand
value and thus on corporate value, can we prevent the occurrence of scandals?
Chart 9 : Changes in the Degree of Image Recovery
Effects of concern about the safety of products and services on corporate image
Changes in the degree of image recovery with the pre-scandal level as 1
[Chart: corporate image elements for Year t – 1, Year t, and Year t + 1, grouped into “Corporate image elements that take time to recover” and “Corporate image elements that are recovering”; vertical axis 0% to 120%]
First, this section defines brand risks. Brand risks refer to risks that impair brand value when the
expectations of customers and other stakeholders are betrayed. These risks include not only those
which stem from violations of laws and regulations and other inappropriate acts but also those
which arise from the gap between the common practices of companies and industries and those
of consumers and the general public.
According to the survey mentioned above, which was conducted jointly with Tokio Marine &
Nichido Risk Consulting in October 2004, around 5% of respondents who were asked what they
did when faced with a situation that clashed with compliance and corporate social responsibility
replied that they “disregard it,” and around 65% replied that they “take action on a case-by-case
basis.” Reasons cited by many respondents include “it has never been considered as a problem,”
“where the responsibility lies is unclear,” and “people’s impression of the company does not
change if I am the only one taking action.”
Chart 10 : Action Taken When Faced with a Situation
That Clashes with Compliance and CSR
What action do you take when you are faced with a situation that clashes with
compliance and CSR?
[Chart: distribution of responses; horizontal axis 0% to 100%]
As mentioned above, there are many cases in which companies have not made it clear how
employees should take action if they are faced with situations that clash with compliance and
corporate social responsibility. In cases in which employees can clearly determine whether
situations violate laws and regulations, it is possible to make it clear what action they should take.
The reality is, however, that many cases occur in gray areas. Deciding in detail what action
should be taken for cases that occur in these gray areas results in a great expansion in the range
of business operations employees have to manage. This would generate an increased sense of
restriction and fatigue among employees.
Chart 11 : Reasons for Disregarding or Taking Action
on a Case-by-Case Basis in a Situation That Clashes
with Compliance and CSR
What action do you take when you are faced with a situation that clashes with
compliance and CSR?
[Chart: percentage of respondents giving reasons A to F, for Manufacturing and Services; vertical axis 0% to 60%]
A) Such a situation has never been considered as a problem.
B) I think that even if I become aware of the need to take action in such a situation and actually
do so, it does not necessarily mean that the company as such will respond accordingly.
C) Since it is unclear where the responsibility lies, I do not know who has authority to stop
operations that are halfway through being performed.
D) Even if the company talks about compliance and CSR, it only professes this as a public
stance. In reality, it gives priority to performance goals, managers’ expectations, and so forth.
E) Our company does not have systems, such as a hotline, etc., sufficient for protecting
employees. Employees are not given opportunities for future promotion or other kinds of
favorable treatment unless they follow their superiors’ orders.
F) The company does have a full array of systems, but I do not know any employees who have
ever used them (or many of the employees do not know how to use them).
(Source) Brand risk survey conducted by K. Ito and his research team at Hitotsubashi University jointly with TRC in October 2004
On the other hand, if companies classify these risks, which arise from gray areas, from the
viewpoint of brand risk management, the question as to whether such risks may betray the
expectation of stakeholders, thereby harming the value of their corporate brand, should be used
by these companies as a criterion to decide what action employees should take.
The authors define the monetary amount of the damage caused to brand value when such a risk is
revealed as a brand liability. In order to enhance corporate value continuously, it is necessary to
seriously consider what each and every employee can do to reduce brand liabilities and
implement corresponding policies (see Chart 12).
Chart 12 : Relationship between Corporate Brand Value
and Corporate Brand Risk
Chart 13 : Approach to Making Brand Risks Visible
Relationship between the corporate brand value tree and brand risks
[Diagram: corporate brand value tree with nodes CB score, CB multiple, CB Advantage, and CB Leverage]
The chart shows how much risks involving life and health hazards, breaches of laws and regulations,
and violations of the common practice of local communities and the general public lower levels
pertaining to corporate image when they occur.
[Chart: corporate image elements, including friendly, popularity, full of energy, strong marketing and sales capabilities, reliable, and excellent managers; vertical axis 0% to 80%]
Chart 14 indicates the results of such a survey of businesspeople. Chart 8 examines the effects on
corporate image of risk events that harm the safety of products and services when they occur, and,
in the same way as the results shown in Chart 8, Chart 14 confirms that the percentage of
damage is high in terms of “reliability,” “product and service quality,” and “quality of
managers.”
The second step of quantification clarifies how likely these risk events are to actually occur. In
order to estimate how often these risk events occur, it is necessary to (1) ascertain how willing
employees are to recommend their company to other people from the viewpoint of a customer,
employee, or stockholder (it is assumed that the less willing they are to do so, the more risk
factors their company has within its organization; see Charts 15 to 17), and (2) identify factors
that affect the probability of risk events (see Chart 18).
[Chart: distribution of responses a to e on a 0% to 100% axis, annotated “Percentage of employees who do not recommend their company’s products and services (reflected in customer risk)”]
According to Chart 15, when businesspeople put themselves in the customer’s position, 14% of
them replied that they did not intend to purchase their company’s products and services unless
the company offered special benefits such as pricing. Two percent replied that they did not intend
to introduce their company’s products and services to their friends, colleagues, and family
members, and that moreover, they would even advise them not to purchase them if they were
going to do so. It can be judged that the more such replies businesspeople give, the more likely it
is that some harm will occur in the future to the appeal of their company’s corporate brand (in
other words, the higher their company’s brand risk is).
[Chart: distribution of responses a to e on a 0% to 100% axis, annotated “Percentage of employees who do not recommend their company as a place of employment (reflected in employee risk)”]
Similarly, the authors investigated whether respondents recommended their company as a place
of employment when they introduced it to their friends and family members (Chart 16) and
whether they recommended it, from the stockholder’s standpoint, as an equity investment (Chart
17). These charts confirm that a significant percentage of businesspeople do not recommend their
company as a place of employment or as an equity investment. For companies with these high
levels of negative response, there is an extremely strong possibility that the attractiveness of their
corporate brand, as seen from employees or stockholders, will be lost.
Chart 17 : How much would you like to acquire the
stock of your companies?
■ Evaluations of companies as an equity investment
a. I always introduce my company to my friends, relatives, and family members as an
attractive equity investment irrespective of which industry they work in.
b. If in the same industry, I always introduce my company as an attractive equity
investment.
c. I tell other people that my company is one of the major candidates as an attractive
equity investment in the industry, but that it is worth them investigating whether it is the
best equity investment choice or not.
d. I do not particularly introduce my company as an attractive equity investment.
e. Rather than my company, I recommend other people to invest in its competitors.
[Chart: distribution of responses a to e on a 0% to 100% axis, annotated “Percentage of employees who do not recommend their company as an attractive equity investment (reflected in stockholder risk)”]
[Chart: information flows, performance pressure, business diversity, product characteristics, and risk awareness and sensitivity; vertical axis 20% to 40%]
Chart 19 : Companies’ Ability to Respond to Risk Events
Items that influence compliance, CSR, and basic brand strength
Compliance, CSR, and basic brand strength are classified into three categories: prior prevention ability,
early detection ability, and immediate response ability. The percentage of people who, in response to
the questions regarding each category, replied that the compliance, CSR, and basic brand strength
were relatively high was analyzed.
[Chart: items including CSR and compliance awareness, scope of application of manual, degree of coolness of organizations, importance of organizations, and initiatives for branding; vertical axis 0% to 50%]
Chart 18, meanwhile, indicates whether the companies of the businesspeople surveyed had an
environment that might easily cause scandals. In other words, in order to confirm whether risk
events might easily be caused at the companies, the chart shows the state of five elements shared
by companies that cause scandals: (1) lack of information flows, (2) performance pressure, (3)
business diversity, (4) product characteristics, and (5) lack of initiatives to cope with risks. The
results of the survey confirm that on average, performance pressure and the lack of initiatives to
cope with risks are conspicuous at Japanese companies.
The third step of quantification examines how far corporate climates and systems for minimizing
the possibility of occurrence of such risk factors have been established. In this quantification
process, it is necessary to consider, among other factors, the extent of the company’s ability to
prevent the occurrence of risk events beforehand (permeation of CSR and compliance awareness
into the organization, the degree to which guiding principles and values are shared, and
initiatives for branding); the extent of the company’s ability to detect the occurrence of risk
events (whether or not there are departments with relevant responsibility, and the scope of
application of manuals); and the extent of the company’s ability to respond immediately to risks
if they actually occur (how far processes that should be followed after risks are revealed are
clearly defined and shared, the degree of coolness of organizations, and the importance of
organizations). Chart 19 indicates the average score for the ability to reduce and respond to risks
in various industries. A comparison of these figures shows the levels of companies’ abilities to
reduce and respond to risks.
Through the three steps outlined above, companies can clarify the actual condition of their brand
risks and then reduce them by considering measures to deal with them.
In Japan, with the enactment of the Companies Act in May 2006 and the Japanese version of the
Sarbanes-Oxley Act by the end of fiscal 2006, corporate boards of directors are required to take
practical action to establish internal controls. Following these and other developments, Japanese
companies are currently stepping up their efforts to establish these internal controls. Their efforts
will, to a certain extent, enable them to reduce the number of corporate scandals.
What Japanese companies should pay attention to, however, is that depending on the way
internal controls are established, they may sometimes have adverse effects on corporate value.
For example, in the United States, which enacted a corporate reform law, called the
Sarbanes-Oxley (SOX) Act, in July 2002 (earlier than in Japan) requiring American companies to
establish internal controls, the Securities and Exchange Commission and the Public Company
Accounting Oversight Board identified the issues listed below in the discussions they held on
May 10, 2006 to review two years of the SOX Act.
In fact, results from a substantial amount of research show that stock markets do not necessarily
evaluate the introduction of the SOX Act positively. For example, Chhaochharia & Grinstein
(2004) published the results of their studies, arguing that the application of the SOX Act has
positive effects on the value of large corporations, but does not bring economic benefits to small
companies. Jain & Rezaee (2005) confirmed that when the SOX Act is applied, companies that
put more effective corporate governance in place, issue reliable financial reports, and have
dependable audit functions are positively evaluated by stock markets. Zhang (2005) estimated,
on the other hand, that $1.4 trillion in market value had been lost after the SOX Act was enacted,
and showed that in particular, stock markets had responded negatively to clauses related to
corporate governance and restrictions in clauses related to non-audit operations. In this way, the
results of studies generally demonstrate positive assessments of the SOX Act, but some
evaluations of the Act are negative, making it difficult to assert that the introduction of the Act
consistently has positive effects on evaluations by stock markets of corporate value.
The application of the SOX Act, meanwhile, has brought another economic effect—encouraging
small public companies to stop offering their stocks publicly. In fact, around the time when the
SOX Act came into force, an increasing number of companies chose to stop offering stocks
publicly. It became clear that many of the companies had chosen to stop after realizing the costs
that would be incurred (see Engel, Hayes, and Wang, 2004).
Of course, it is true that internal controls are being discussed in Japan while taking into
consideration the actual conditions and issues regarding internal controls that have been
identified in the U.S. On the other hand, however, the authors hear a considerable number of
businesspeople criticize initiatives to establish compliance and internal control systems, saying
that they lead to tighter controls on internal organizations, bloated head offices, and other
undesirable effects, which generate a greater sense of restriction and fatigue among employees
(see the May 1, 2006 issue of Nikkei Business magazine).
In order to ensure that the Japanese version of the SOX Act and other undertakings aimed toward
internal controls and compliance work truly effectively, it is essential to boost the vitality and
morale of employees and establish the ability of employees to voluntarily reduce and cope with
risks as part of the corporate climate.
In order to achieve this goal, it is important that each and every employee is a “small yet
important window” on the corporate brand, in other words, that they recognize properly that their
actions determine the image that customers and other external stakeholders have of the company.
If each and every employee sees that a single corporate scandal, once it occurs, has such a large
impact that it may significantly harm—and sometimes almost destroy—corporate brand value,
they will have a deeper understanding of the significance and aim of ensuring thorough internal
controls and compliance.
Furthermore, companies are urged to make brand risks visible. Making them visible enables
companies to clarify the results of initiatives and the progress made therein, as well as to
continue ongoing efforts to nip brand risks in the bud while achieving, together with their
employees, a concrete sense of the effects of the initiatives. Through the quantification of brand
risks, the authors hope that Japanese companies will build a corporate character that enables
continuous value creation.
Bibliography
Chhaochharia, V. and Y. Grinstein, “Corporate Governance and Firm Value - The Impact of the
2002 Governance Rules,” AFA 2006 Boston Meetings Paper. Johnson School Research Paper
Series No. 23-06, 2005.
Ito, K., Corporate Brand Management, Nihon Keizai Shimbun, Inc., 2000.
Ito, K., “New Development of Corporate Brand Management,” Hitotsubashi Business Review,
51(3), 2003.
Ito, K., “Corporate Brand Management for Higher Reputation,” Risk Management Business,
19(9), 2004.
Ito, K. (ed.), The Accounting of Intangible Assets, Chuokeizai-sha, Inc., 2006.
Saito, T., Hosoda, T., and Shinohara, T., “Employees and Companies Break Down in Offices
with Low Spirits—Why Tighter Controls?” Nikkei Business.
Rezaee, Z. and P. Jain, “The Sarbanes-Oxley Act of 2002 and Security Market Behavior: Early
Evidence.” Working Paper. University of Memphis, 2005.