The Association Between the Disclosure and the Realization of Information Security Risk Factors
成果类型:
Article
署名作者:
Wang, Tawei; Kannan, Karthik N.; Ulmer, Jackie Rees
署名单位:
University of Hawaii System; University of Hawaii Manoa; Purdue University System; Purdue University
刊物名称:
INFORMATION SYSTEMS RESEARCH
ISSN/ISSBN:
1047-7047
DOI:
10.1287/isre.1120.0437
发表日期:
2013
页码:
201-218
关键词:
decision-tree induction
breach announcements
logistic-regression
MARKET REACTIONS
management
models
FIRMS
estimator
clusters
earnings
摘要:
Firms often disclose information security risk factors in public filings such as 10-K reports. The internal information associated with disclosures may be positive or negative. In this paper, we evaluate how the nature of the disclosed security risk factors, believed to represent the firm's internal information regarding information security, is associated with future breach announcements reported in the media. For this purpose, we build a decision tree model, which classifies the occurrence of future security breaches based on the textual contents of the disclosed security risk factors. The model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time. We further explore the contents of the security risk factors using text-mining techniques to provide a richer interpretation of the results. The results show that the disclosed security risk factors with risk-mitigation themes are less likely to be related to future breach announcements. We also investigate how the market interprets the nature of information security risk factors in annual reports. We find that the market reaction following the security breach announcement is different depending on the nature of the preceding disclosure. Thus, our paper contributes to the literature in information security and sheds light on how market participants can better interpret security risk factors disclosed in financial reports at the time when financial reports are released.
来源URL: