Search results

The purpose of this paper is to propose a research model to examine the perception of non-professional investors toward the cybersecurity reporting framework developed by the American Institute of Certified Public Accountants (AICPA).

The proposed hypotheses were tested using structural equation modeling with data collected from Amazon's Mechanical Turk platform.

The findings conclude that investors' perceived benefits of the cybersecurity risk framework are positively related to investment intention. Information quality and cybersecurity awareness also positively influence perceived benefits of the risk framework and investment intention.

Findings of this study are relevant to both regulatory bodies and firms because non-professional investors’ perceptions of the benefits of the AICPA’s reporting framework are unveiled.

Findings from this research help to provide a more in-depth understanding of the impact of various factors on investor’s decision-making process and also significant insights into the non-professional investor’s attitude toward the AICPA’s framework.

With recent increases in cybersecurity incidents, it is imperative to supplement current accounting curriculum, equip accounting graduates with sufficient knowledge and skills to assess cybersecurity risk, and learn about controls to mitigate such risks. In this chapter, the authors describe 10 teaching modules, supported by 10 professionally produced video series. The authors developed these videos for educating students on cybersecurity and the videos are available free to instructors from other institutions who wish to use them. The videos are filled with insights and advice from our two experts – one a former hacker and the other an experienced cybersecurity professional. This dialogue between two different sides provides a rich discussion that leads to answering many questions that people often have about cybersecurity. Further, in Exhibit 1, this chapter offers a framework for characterizing and analyzing some recent publicized data-breach cases, which can supplement discussion on cybersecurity modules. Instructors can add more cases to this source overtime. Finally, the authors share the analysis of feedback from students who went through the series. The results suggest that the students show interest in the topic, and videos helped them better understand the complexity of cybersecurity risk and controls.

This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides a set of categories into which the studies fit.

This is a synthesis paper that summarizes the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination.

This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing, cybersecurity investments, internal auditing and controls related to cybersecurity, disclosure of cybersecurity activities and security threats and security breaches.

Academics, practitioners and the public would benefit from a research framework that categorizes the research topics related to cybersecurity in the accounting field. This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research.

This is the first literature analysis of cybersecurity in the accounting field, and it has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasizes the role of internal auditing and controls to improve cybersecurity.

The purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.

Investment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.

Not all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.

The results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.

To the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.

This study aims to develop a framework for cybersecurity risk assessment in an organization. Existing cybersecurity frameworks are complex and implementation oriented. The framework can be systematically used to assess the strategic orientation of a firm with respect to its cybersecurity posture. The goal is to assist top-management-team with tailoring their decision-making about security investments while managing cyber risk at their organization.

A thematic analysis of existing publications using content analysis techniques generates the initial set of keywords of significance. Additional factor analysis using the keywords provides us with a framework comprising of five pillars comprising prioritize, resource, implement, standardize and monitor (PRISM) for assessing a firm’s strategic cybersecurity orientation.

The primary contribution is the development of a novel PRISM framework, which enables cyber decision-makers to identify and operationalize a tailored approach to address risk management and cybersecurity problems. PRISM framework evaluation will help organizations identify and implement the most tailored risk management and cybersecurity approach applicable to their problem(s).

The new norm is for companies to realize that data stratification in cyberspace extends throughout their organizations, intertwining their need for cybersecurity within business operations. This paper fulfills an identified need improve the ability of company leaders, as CIOs and others, to address the growing problem of how organizations can better handle cyber threats by using an approach that is a methodology for cross-organization cybersecurity risk management.

The purpose of this study is to analyze the cybersecurity assurance approaches to determine the key issues and weaknesses within the internal audit and risk management perspective. Organizations increasingly rely on digital data to drive their growth and they are interconnected in a complex web to a multitude of stakeholders.

In this paper, cybersecurity is defined, and cybersecurity assurance model is explained based on the relevant literature. In addition, the role of internal auditing is introduced within this new business landscape. Finally, recommendations are made to provide best practices for stakeholders.

There are four major cyber-focused standards and frameworks in the current literature, namely, Control Objectives for Information and Related Technology, International Organization for Standardization, The American Institute of Certified Public Accountants and National Institute of Standards and Technology. In addition, there are many mechanisms in existence and operation currently which support cybersecurity assurance to prevent major threats. These include risk assessment, risk treatment, risk management, security assurance and auditing.

Cyber risk is not something that can be avoided; instead, it must be managed. Hence, it is very important to maintain formal documentation on related cyber controls. Internal audit should be an integral part of cybersecurity assurance process, as internal audit have a unique position to look across organizations. The contribution of internal audit also provides comfort to the Board and Audit Committee.

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

Considering cybersecurity threats grow with speed, complexity, and impact, organizations are no longer satisfied with an answer to a question like “are we secure?” instead, they need the answer for such a question like “how to give a reasonable assurance that our business will be secure enough?”. In that respect, the role of internal audit is discussed based on the relevant literature and the current condition of the business environment.

A model is introduced how the internal audit and information security functions could work together to support organizations accomplish a cost-effective level of information security. The key issues and approaches are explained for how to become a trusted cybersecurity advisor and a sample cybersecurity awareness program checklist is provided at Appendix 1.

This study aims to assess the essential elements of internal organisational capability that influence the cybersecurity effectiveness of a construction firm. An extended McKinsey 7S model is used to analyse the relationship between a construction firm's cybersecurity effectiveness and nine internal capability elements: shared values, strategy, structure, systems, staff, style, skills, relationships with third parties and regulatory compliance.

Based on a quantitative research strategy, this study collected data through a cross-sectional survey of professionals working in the construction sector in the United Kingdom (UK). The collected data was analysed using descriptive and inferential statistical methods.

The findings underlined systems, regulatory compliance, staff and third-party relationships as the most significant elements of internal organisational capability influencing a construction firm's cybersecurity effectiveness, organised in order of importance.

Future research possibilities are proposed including the extension of the proposed diagnostic model to consider additional external factors, examining it under varying industrial relationship conditions and developing a dynamic framework that helps improve cybersecurity capability levels while overseeing execution outcomes to ensure success.

The extended McKinsey 7S model can be used as a diagnostic tool to assess the organisation's internal capabilities and evaluate the effectiveness of implemented changes. This can provide specific ways for construction firms to enhance their cybersecurity effectiveness.

This study contributes to the field of cybersecurity in the construction industry by empirically assessing the effectiveness of cybersecurity in UK construction firms using an extended McKinsey 7S model. The study highlights the importance of two additional elements, third-party relationships and construction firm regulatory compliance, which were overlooked in the original McKinsey 7S model. By utilising this model, the study develops a concise research model of essential elements of internal organisational capability that influence cybersecurity effectiveness in construction firms.

This paper aims to analyze the changes in cyberattacks against the health-care sector during the COVID-19 pandemic.

The changes in cyberattacks of the health-care sector are analyzed by examination of the number and essence of published news concerning cybersecurity attacks on the health-care sector during 2019 and compared them to those published during 2020, based on two main websites, which review such incidents.

This study found that there was a significant growth in reports of cyberattacks on the health-care sector. Moreover, the number of cyberattacks fit interestingly to the pattern of waves of the disease, which expanded worldwide. During the first wave the number of reports was doubled or even tripled, compared to the same period in 2019, a tendency that was slightly waned afterwards.

This study helps to deepen the awareness of information security implications of a potential global devastating crisis, even in the cybersecurity domain, and on the health-care sector, among various other affected sectors and domains.

COVID-19 pandemic created long-term wide-range changes that affect every individual and sector, mainly owing to the shift to remote working model, which impose long-term new cybersecurity changes, among them to the health-care industry.

This paper extends the existing information on implication of remote working model on information security and of the COVID-19 pandemic on the cybersecurity of health-care institutions around the world.