Paper Type
ERF
Abstract
The increasing reliance on the digitization of service delivery has made cybersecurity (CS) a critical concern for businesses. Over time, SEC regulations have mandated more explicit CS disclosures, providing valuable insights into how public US firms reflect their CS concerns in those reports. Quality disclosures allow investors to evaluate firms’ exposure to material CS risks and their ability to manage and mitigate those risks. To quantify disclosure quality, we employ a language-based machine learning model (SecureBERT). This model offers two CS awareness indexes: CS- proactiveness index (CSPI) and reactiveness index (CSRI), guided by CSF 2.0. Additionally, we examine a bi-directional relationship of cyber-incident severity with those indexes using vector autoregression. Further, we test the reliability of CS disclosures by examining their correlation with IT security budget. This study offers new insights on quantification of disclosure quality and understanding of complex dynamics of the causality loop between CS awareness and risk.
Paper Number
2305
Recommended Citation
Das, Samiran and Andoh-Baidoo, Francis Kofi, "Cybersecurity Disclosure Index: Reflecting Risk Management Strategy and Predicting Future Risk in US Firms" (2025). AMCIS 2025 Proceedings. 43.
https://aisel.aisnet.org/amcis2025/sig_sec/sig_sec/43
Cybersecurity Disclosure Index: Reflecting Risk Management Strategy and Predicting Future Risk in US Firms
The increasing reliance on the digitization of service delivery has made cybersecurity (CS) a critical concern for businesses. Over time, SEC regulations have mandated more explicit CS disclosures, providing valuable insights into how public US firms reflect their CS concerns in those reports. Quality disclosures allow investors to evaluate firms’ exposure to material CS risks and their ability to manage and mitigate those risks. To quantify disclosure quality, we employ a language-based machine learning model (SecureBERT). This model offers two CS awareness indexes: CS- proactiveness index (CSPI) and reactiveness index (CSRI), guided by CSF 2.0. Additionally, we examine a bi-directional relationship of cyber-incident severity with those indexes using vector autoregression. Further, we test the reliability of CS disclosures by examining their correlation with IT security budget. This study offers new insights on quantification of disclosure quality and understanding of complex dynamics of the causality loop between CS awareness and risk.
When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.
Comments
SIGSEC