Search results

1 – 10 of over 6000
Article
Publication date: 10 June 2021

Cansu Tayaksi, Erhan Ada, Yigit Kazancoglu and Muhittin Sagnak

Abstract

Purpose

Today, information systems and technology provide a wide set of tools for companies to increase the efficiency of their businesses. Although technology offers many benefits to businesses, it also brings risks such as information systems security breaches. Security breaches and their financial impact are a constant concern of researchers and practitioners. This paper explores information systems breaches and their financial impacts on the publicly traded companies in different sectors.

Design/methodology/approach

After a comprehensive data collection process, data from 192 events are analyzed by employing Event Study Methodology and a comparison of the results between the four highly affected sectors (Consumer Goods, Technology, Financial and Communications) is presented. The abnormal returns on the prices of stocks after the events are calculated with the Market Model. Also, the results of the Market Adjusted Model and Mean Adjusted Model are presented to support the results.

Findings

While information systems security breaches have a significant negative impact on the Financials and the Technology sectors for all the event windows in the study ([−5, 0], [−5, 1], [−5, 5], and [−5, 10]), the significant negative impact is observed only on the [−5, 5] and [−5, 10] event windows for the Consumer Goods sector. No significant negative impact is observed in the Communications sector; in fact, the cumulative abnormal returns are positive for this sector.

Originality/value

The contribution of this paper is to provide evidence about the financial impacts of the information systems breaches for businesses in different sectors. While there are studies that have previously focused on the information systems breaches and their financial impacts on businesses, to the best of our knowledge, this is the first study that compares this effect between the four highly impacted sectors. With a relatively larger sample size and broader event windows than the past studies in the literature, statistical evidence is provided to managers to justify their investments in information security and build preventive measures to secure the market value of their firms.

Details

Journal of Enterprise Information Management, vol. 35 no. 2
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 28 September 2012

Katerina Berezina, Cihan Cobanoglu, Brian L. Miller and Francis A. Kwansa

Abstract

Purpose

The primary purpose of this study is to investigate the impact of information security breaches on hotel guests' perceived service quality, satisfaction, likelihood of recommending a hotel and revisit intentions.

Design/methodology/approach

Five‐hundred seventy‐four US travelers participated in this experimental study. The respondents were exposed to one of three different scenarios: “negative”, where an information security breach happened in the hotel where a person stayed last and guest information was compromised; “neutral”, where an information security breach happened and guest information remained safe; and “positive”, where participants were told that the hotel where they last stayed successfully passed a comprehensive security audit, meaning that their guest information is properly handled and secured.

Findings

The results of the study revealed a significant impact of the treatments on three of the four outcome variables: satisfaction, likelihood of recommending a hotel, and revisit intentions. Information security breach scenarios resulted in a negative impact on the outcome variables regardless of whether or not the guest's credit card information was compromised. A positive scenario revealed a significant increase in guest satisfaction and revisit intentions scores.

Practical implications

The findings of the study provide clear indication that hotel operators must continually strive to keep the sensitive data that is collected from their guests secure, and that failure to do so can have significant negative ramifications on current and future guests. The results also suggest that hotels should openly publicize their achievements in the field of PCI compliance.

Originality/value

The study contributes to the body of knowledge on the importance of credit card information security breaches to hotel guest satisfaction and future behavior. To date, this is the only study that has investigated this topic in the hospitality industry, and it therefore makes a significant improvement towards the understanding of the impact of information security breach on hotel guest perceptions and future intentions.

Article
Publication date: 8 January 2020

Jean Pierre Guy Gashami, Christian Fernando Libaque-Saenz and Younghoon Chang

Abstract

Purpose

Cloud computing has disrupted the information technology (IT) industry. Associated benefits such as flexibility, payment on an on-demand basis and the lack of need for IT staff are among the reasons for its adoption. However, these services represent not only benefits to users but also threats, with cybersecurity issues being the biggest roadblock to cloud computing success. Although ensuring data security on the cloud has been the responsibility of providers, these threats seem to be unavoidable. In such circumstances, both providers and users have to coordinate efforts to minimize negative consequences that might occur from these events. The purpose of this paper is to assess how providers and users can rely on social media to communicate risky events.

Design/methodology/approach

Based on the Situational Theory of Publics and trust, the authors developed three research questions to analyze stakeholders’ communication patterns after a security breach. By gathering Twitter data, the authors analyzed the data security breach faced by the Premera Blue Cross’ Web application.

Findings

The results indicate that Premera acted as the main source of information for Twitter users, while trustworthy actors such as IT security firms, specialists and local news media acted as intermediaries, creating small communities around them. Theoretical and practical implications are also discussed.

Originality/value

Social media could be used for diffusing information of potential threats; no research has assessed its usage in a cloud-based security breach context. The study aims to fill this gap and propose a framework to engage cloud users in co-securing their data along with cloud providers when they face similar situations.

Details

Industrial Management & Data Systems, vol. 120 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 9 October 2009

Jordan Shropshire

Abstract

Purpose

The paper focuses on intentional information security breaches by insiders. The purpose is to assess the relationship between insiders' backgrounds and motivations and their deviant behaviors. Two outcome variables, information technology (IT) espionage and IT sabotage, are correlated with four predictors, financial changes, relationship strains, substance abuse, and job changes.

Design/methodology/approach

Some 62 cases of intentional information security breaches by insiders are examined using canonical analysis.

Findings

The results indicate that a significant relationship exists between financial hardship, relationship strains, and the theft and sale of proprietary data by insiders; and recent firings, substance abuse, and relationship strains are related to information system sabotage.

Research limitations/implications

Because little or no research has been conducted on this topic, there is a lack of validated measures for variables associated with information security. Thus, the measures used in this paper are necessarily simplistic. Because few organizations report information security weaknesses, the sample is relatively small.

Practical implications

In the majority of cases included in this paper, it is found that the insider conveys a number of warning signs before committing the security breach. After reading this paper, diligent managers should be able to identify potential security breaches.

Originality/value

This is one of the first studies to explore insider security breaches using canonical analysis.

Details

Information Management & Computer Security, vol. 17 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 3 June 2019

Mark Glenn Evans, Ying He, Iryna Yevseyeva and Helge Janicke

Abstract

Purpose

This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error.

Design/methodology/approach

This paper analyses recent published incidents and breaches to establish the proportions of human error and where possible subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field.

Findings

This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field.

Originality/value

This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.

Details

Information & Computer Security, vol. 27 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 August 2020

Rohit Gupta, Baidyanath Biswas, Indranil Biswas and Shib Sankar Sana

Abstract

Purpose

This paper aims to examine optimal decisions for information security investments for a firm in a fuzzy environment. Under both sequential and simultaneous attack scenarios, optimal investment of firm, optimal efforts of attackers and their economic utilities are determined.

Design/methodology/approach

Throughout the analysis, a single firm and two attackers for a “firm as a leader” in a sequential game setting and “firm versus attackers” in a simultaneous game setting are considered. While the firm makes investments to secure its information assets, the attackers spend their efforts to launch breaches.

Findings

It is observed that the firm needs to invest more when it announces its security investment decisions ahead of attacks. In contrast, the firm can invest relatively less when all agents are unaware of each other’s choices in advance. Further, the study reveals that attackers need to exert higher effort when no agent enjoys the privilege of being a leader.

Research limitations/implications

In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of fuzzy expectation operator.

Practical implications

This study reports that the optimal breach effort exerted by each attacker is proportional to its obtained economic benefit for both sequential and simultaneous attack scenarios. A set of numerical experiments and sensitivity analyses complement the analytical modeling.

Originality/value

In a novel approach, inherent system vulnerability of the firm, financial benefit of attackers from the breach and monetary loss suffered by the firm are considered as fuzzy variables in the well-recognized Gordon–Loeb breach function, with the help of fuzzy expectation operator.

Details

Information & Computer Security, vol. 29 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 22 March 2021

Suparak Janjarasjit and Siew H. Chan

Abstract

Purpose

The purpose of this study is to examine whether users’ perceived moral affect explains the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator and company, respectively, in an ill and good intention breach.

Design/methodology/approach

Participants completed a questionnaire containing items measuring their perceived intensity of emotional distress, perceived moral affect and responsibility judgment of a perpetrator and company, respectively.

Findings

The results support the mediating hypothesis on responsibility judgment of a perpetrator regardless of intention. The mediating hypothesis is also supported in an ill intention breach in responsibility judgment of a company. However, the mediating effect is not observed in a good intention breach when users assess a company’s responsibility.

Originality/value

The findings support the notion that users use the consequentialism approach when assessing a perpetrator’s responsibility because they focus on the victims’ emotional distress and discount a perpetrator’s intent, resulting in similar mediating effect of perceived moral affect in an ill and good intention breach. The results also indicate that perceived moral affect increases the negative effect of perceived intensity of emotional distress on responsibility judgment of a company, suggesting that users may exhibit empathetic feelings toward a company and perceive it as a victim of an ill intention breach. The lack of mediating effect in responsibility judgment of a company in a good intention breach may be attributed to the diminished effect of a perpetrator’s feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims.

Details

Information & Computer Security, vol. 29 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 24 November 2022

Tianxi Dong, Suning Zhu, Mauro Oliveira and Xin (Robert) Luo

Abstract

Purpose

Stock price reactions have often been used to evaluate the cost of data breaches in the current information systems (IS) security literature. To further this line of research, this study examines the impact of data breaches on stock returns, information asymmetry and unsystematic firm risk in the context of COVID-19.

Design/methodology/approach

This paper employs an event study methodology and examines data breach events released in public databases, spanning pre- and post-COVID settings. This study investigated 283 data breaches of the US publicly traded firms, and the economic cost was measured by cumulative abnormal returns (CARs), trading volume, bid-ask spread and unsystematic risk.

Findings

The authors observe that data breaches during the COVID pandemic make investors react more negatively to data breach announcements, as reflected in the significantly negative difference in CARs between breached firms before COVID and those after COVID. The findings also indicate that, after the disclosure of data breach incidents, information asymmetry is reduced to a lesser extent compared with that in the pre-COVID setting. The authors also find that data breach events lead to an increase in the unsystematic risk of breached companies in the pre-COVID era but no change in the post-COVID era.

Originality/value

This study is the first effort to examine the economic consequences of data breaches by investigating the effects in the form of trading activities and risk measurement in the COVID setting.

Details

Industrial Management & Data Systems, vol. 123 no. 2
Type: Research Article
ISSN: 0263-5577

Open Access
Article
Publication date: 15 July 2019

Elina Haapamäki and Jukka Sihvonen

Abstract

Purpose

This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides a set of categories into which the studies fit.

Design/methodology/approach

This is a synthesis paper that summarizes the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination.

Findings

This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing, cybersecurity investments, internal auditing and controls related to cybersecurity, disclosure of cybersecurity activities and security threats and security breaches.

Practical implications

Academics, practitioners and the public would benefit from a research framework that categorizes the research topics related to cybersecurity in the accounting field. This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research.

Originality/value

This is the first literature analysis of cybersecurity in the accounting field, and it has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasizes the role of internal auditing and controls to improve cybersecurity.

Details

Managerial Auditing Journal, vol. 34 no. 7
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 14 March 2016

Daniel Schatz and Rabih Bashroush

Abstract

Purpose

This study aims to examine the influence of one or more information security breaches on an organisation’s stock market value as a way to benchmark the wider economic impact of such events.

Design/methodology/approach

An event studies-based approach was used where a measure of the event’s economic impact can be constructed using security prices observed over a relatively short period of time.

Findings

Based on the results, it is argued that, although no strong conclusions could be made given the current data constraints, there was enough evidence to show that such correlation exists, especially for recurring security breaches.

Research limitations/implications

One of the main limitations of this study was the quantity and quality of published data on security breaches, as organisations tend not to share this information.

Practical implications

One of the challenges in information security management is assessing the wider economic impact of security breaches. Subsequently, this helps drive investment decisions on security programmes that are usually seen as cost rather than moneymaking initiatives.

Originality/value

This study envisaged that as more breach event data become more widely available because of compliance and regulatory changes, this approach has the potential to emerge as an important tool for information security managers to help support investment decisions.

Details

Information & Computer Security, vol. 24 no. 1
Type: Research Article
ISSN: 2056-4961
