In this study, we use a semi-supervised natural language processing (NLP) methodology to assess cybersecurity strategy of firms based on their 10-K filings. Adapted from the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), five distinct cybersecurity strategies, namely identification, protection, detection, response, and recovery, are calculated annually. We find evidence that cybersecurity identification strategy is positively and significantly associated with firm market value. For those firms experienced a cyberattack in the past, disclosing cybersecurity protection strategy is not assessed positively by the market. When a firm experienced a cyberattack, cybersecurity detection strategy disclosed dampens the negative market reaction. This paper makes contribution by studying the cyber strategy disclosed in 10-K reports using textual analysis. We also show empirical evidence of how market reacts to different strategies, such implications are valuable for industry to better manage cyber risk, and are worthwhile for future cyber studies.
Cao, Rui; Kafaee, Nazli Ozum; Aziz, Arslan; and Cavusoglu, Hasan, "Market Value of Cybersecurity Strategies" (2022). PACIS 2022 Proceedings. 113.
When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.