The Center for Education and Research in Information Assurance and Security (CERIAS)

Reading the Disclosures with New Eyes: Bridging the Gap between Information Security Disclosures and Incidents

Author

Ta-Wei "David" Wang; Jackie Rees

Entry type

article

Abstract

This paper investigates whether information security related disclosures in financial reports can mitigate the impact of information security incidents. First, stock price reactions from a number of information security related incidents from 1997 to 2006 are regressed on the number of disclosures along with control variables. Two different types of disclosures are considered: the disclosure of internal control and procedures and the disclosure of information security risk factors. Our analysis does not show a significant relationship between the disclosures of internal controls and cumulative abnormal return (CAR). However, our findings demonstrate that new information security risk factor disclosure can mitigate the effect of information security incidents in terms of CAR. If those factors have been disclosed previously, the effect becomes smaller. Although the match between disclosures and the incident does not have any impact on stock price reactions, our result shows that for the matched companies, other business risk factors can adversely increase CAR. Second, a clustering analysis is performed on the contents of information security risk disclosures and the media announcements of the incidents by using text mining techniques. The clustering results demonstrate that the titles and contents of the disclosures point out possible impacts and subjects that might be affected. The results also show that breached companies gradually increase the number of disclosures more than non-breached firms. For media announcements, site attacks and virus attacks are the two most popular incidents in our sample from the clustering analysis. This paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.
By properly reflecting information security risk factors caused directly by information security incidents and indirectly by other companies, investors might discount the impacts of such events through expectation formulation.

Key alpha

Wang

School

Purdue University

Affiliation

Krannert Graduate School of Management

Publication Date

2001-01-01
