The Association Between the Disclosure and the Realization of Information Security Risk Factors
University of Hawaii at Manoa - School of Accountancy
Karthik Natarajan Kannan
Purdue University - Department of Management
January 14, 2013
T. Wang, K. Karthik, and J. Rees. 2013. The association between the disclosure and the realization of information security risk factors. Information Systems Research, available online October 5, 2012, DOI:10.1287/isre.1120.0437.
Firms often disclose information security risk factors in public filings such as 10-K reports. The internal information associated with disclosures may be positive or negative. In this paper, we are interested in evaluating how the nature of security risk factors disclosed, which is believed to represent the internal information regarding information security, is associated with future breach announcements. For this purpose, we build a decision tree model, which classifies the occurrence of future security breaches based on the textual contents of the disclosed security risk factors. The model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time. We further explore the contents of the security risk factors using text mining techniques to provide a richer interpretation of the results. The results show that the security risk factors with action-oriented terms and phrases are less likely to be related to future incidents. We also conduct a cross-sectional analysis to study how the market interprets the nature of information security risk factors in annual reports at different time points. We find that the market reaction following the security breach announcement is different depending on the nature of disclosure. Thus, our paper contributes to the literature in information security and sheds light on how market participants can better interpret security risk factors disclosed in financial reports at the time when financial reports are released.
Keywords: information security, information security incident, risk factor, text mining
Accepted Paper Series
Date posted: January 15, 2008; Last revised: January 15, 2013