How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance

Author:

Frank Michele L. (1), Grenier Jonathan H. (1), Pyzoha Jonathan S. (1)

Affiliation:

1. Miami University

Abstract

This paper provides evidence that the efficacy of voluntary cybersecurity risk management reporting and independent assurance, in terms of enhancing investment attractiveness, depends on whether a company has disclosed a prior cyberattack. Based on the voluntary disclosure literature, we predict and find that issuing the management component of the AICPA's cybersecurity reporting framework absent assurance is more effective when a company has not (versus has) disclosed a prior cyberattack, as nonprofessional investors are less likely to question the reliability of management's reporting. However, obtaining third-party assurance of management's report provides a greater benefit for companies that have (versus have not) disclosed a prior cyberattack, as these companies benefit more from the reliability enhancement of assurance. Finally, we find it may be possible to enhance a company's investment attractiveness by issuing the independent assurance report by itself. Our results have implications for companies' cybersecurity risk management reporting and assurance decisions.

Data Availability: Data are available upon request.

Publisher

American Accounting Association

Subject

Management of Technology and Innovation, Information Systems and Management, Human-Computer Interaction, Accounting, Information Systems, Software, Management Information Systems


Cited by 20 articles.