How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance.

Michele L. Frank; Jonathan H. Grenier; Jonathan S. Pyzoha

Ayuda

How Disclosing a Prior Cyberattack Influences the Efficacy of Cybersecurity Risk Management Reporting and Independent Assurance.

Frank, Michele L. ^[1] ; Grenier, Jonathan H. ^[1] ; Pyzoha, Jonathan S. ^[1]
1. [1] Miami University
  
  Miami University
  
  Township of Oxford, Estados Unidos
Localización: Journal of information systems, ISSN 0888-7985, Vol. 33, Nº. 3, 2019, págs. 183-200
Idioma: inglés
Texto completo no disponible (Saber más ...)
Resumen
- This paper provides evidence that the efficacy of voluntary cybersecurity risk management reporting and independent assurance, in terms of enhancing investment attractiveness, depends on whether a company has disclosed a prior cyberattack. Based on the voluntary disclosure literature, we predict and find that issuing the management component of the AICPA's cybersecurity reporting framework absent assurance is more effective when a company has not (versus has) disclosed a prior cyberattack, as nonprofessional investors are less likely to question the reliability of management's reporting. However, obtaining third party assurance of management's report provides a greater benefit for companies that have (versus have not) disclosed a prior cyberattack, as these companies benefit more from the reliability enhancement of assurance. Finally, we find it may be possible to enhance a company's investment attractiveness by issuing the independent assurance report by itself. Our results have implications for companies' cybersecurity risk management reporting and assurance decisions. Data Availability: Data are available upon request. [ABSTRACT FROM AUTHOR]