I. INTRODUCTION
The paper by Ettredge and Richardson (2003) contributes to the AIS literature in several ways. First, and most obvious, the authors provide evidence of the existence and magnitude of the wealth effects of "hacker attacks." By extension, the paper illuminates the importance of adequate security procedures and the importance of auditors understanding their client firms' IT environments. Without such understanding, auditors will be less able to assess their clients' control environments. As a result, they might not identify significant security weaknesses and would, thus, underestimate the risks to which their clients' operations are exposed.
The paper also explores broader market effects of hacker attacks by evaluating the information transfer that occurred during the February 2000 denial of service (DoS) events. The authors show that announcements of denial of service problems resulted in an overall shock to the market. More importantly, however, they document industry effects of these announcements by studying other Internet-reliant firms that did not experience any security breaches (at least not any that were announced).
My comments discuss how to enhance this stream of research to provide a wide range of insights that triangulate our understanding of security breaches and their effects on organizations. I acknowledge that many research methods could enhance our knowledge, and each would provide unique benefits. For example, it is possible to balance the generalizable (nomothetic) insights gained through a large-sample, archival study with the richness (idiographic insights) provided through a rigorous small-sample study. In this paper, the authors limit their study to one event: the February 2000 DoS attacks. Is this a large- or small-sample study? The authors study all NASDAQ firms at the time of the DoS event. They segment this population by identifying four attacked Internet firms and an additional 275 Internet firms that were not attacked. By comparing these firms' financial performance with the NASDAQ index, they examine the market's reaction to this event. Therefore, in some respects, this is a large-sample study. However, DoS attacks are not limited to February 2000. In fact, researchers have identified more than 5,000 denial of service attacks during three weeks of 2001 (Vijayan 2002). Limiting the study to a single event results in it being a small sample of the population of DoS attacks.