TY - JOUR
T1 - Classifying the contents of cybersecurity risk disclosure through textual analysis and factor analysis
AU - Cheong, Arion
AU - Yoon, Kyunghee
AU - Cho, Soohyun
AU - No, Won Gyun
N1 - Publisher Copyright:
© 2021, American Accounting Association. All rights reserved.
PY - 2021/6/1
Y1 - 2021/6/1
AB - Cybersecurity has garnered much attention due to the increasing frequency and cost of cybersecurity incidents and has become a significant concern for organizations and governments. Regulators such as the Securities and Exchange Commission (SEC) have also shown an interest in cybersecurity and the quality of cybersecurity risk disclosures. This paper examines the informativeness of cybersecurity risk disclosures when cybersecurity incidents or related internal control weaknesses are reported. In particular, we propose a quantitative methodology, which is a combination of textual analysis and factor analysis, for classifying cybersecurity risk disclosures into nine factors. Our results show different disclosing patterns among firms depending on whether they had cybersecurity incidents and internal control weaknesses. Further, our analysis indicates that firms disclose control-related factors to mediate the negative effect of disclosing vulnerability-related factors. This study provides various stakeholders, including investors, regulators, and researchers, with insight into the informativeness of cybersecurity risk disclosures.
KW - Cybersecurity
KW - Factor analysis
KW - Risk factor disclosure
KW - Textual analysis
UR - http://www.scopus.com/inward/record.url?scp=85112371768&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85112371768&partnerID=8YFLogxK
U2 - 10.2308/ISYS-2020-031
DO - 10.2308/ISYS-2020-031
M3 - Article
AN - SCOPUS:85112371768
SN - 0888-7985
VL - 35
SP - 179
EP - 194
JO - Journal of Information Systems
JF - Journal of Information Systems
IS - 2
ER -