Publication

Supply chain cyber risk management


Bibliographic details

Abstract: Cybersecurity incidents are a growing concern for businesses, their supply chains, and stakeholders. The incidents' potential adverse effects and borderlessness emphasize the importance of information sharing among market agents. Disclosures convey private information to the market and are critical tools for rebuilding trust after companies experience cybersecurity incidents. Nevertheless, a lack of confidence surrounds disclosures because of the complex trade-off managers face during the reporting process, namely transparency versus protecting sensitive information. The US Securities and Exchange Commission (SEC) recently issued final rulings on cybersecurity incident disclosure, expecting to increase the informational level of disclosures and incident comparability. This research investigates how supply chain participants can leverage disclosed cybersecurity information to 1) develop mitigation strategies, 2) analyze the informational quality of disclosures, and 3) examine factors affecting the disclosures' characteristics. To address these points, this research designed a novel database combining information disclosed by publicly traded companies in the US market from 2011 to 2023. The dataset covers 346 incidents, condensing over 650 firm-years and almost 3,000 filings discussing cybersecurity incidents. The dataset's selected variables have been thoroughly analyzed in the literature and represent a bottom-up solution to the problem of "what to share." Aside from this novel dataset, this thesis 1) developed a new incident classification to help users select their defensive strategies. The classes also uncover hidden class characteristics and expose the dynamic interplay of the cognitive appraisal processes defenders go through during this selection. 2) It found i) disclosure adherence to the new SEC guidelines, indicating that, from the regulators' perspective, disclosures would be considered of quality, ii) in-company and topic isomorphism in cybersecurity disclosures, and iii) managers' reporting preferences. Moreover, 3) it unveils that the target company's external characteristics influence the elapsed time to the first report and that the incident's features connect to how thorough the disclosures are. Our results offer theoretical advances to multiple bodies of literature (namely, protection motivation, proprietary costs, institutional, information systems, and corporate social (digital) responsibility). Regarding policy implications, our results favor the regulatory steps taken by the SEC. However, there is still space for improvement, such as a shift away from one-size-fits-all regulation and the definition of a metric for incident comparability.
Main author: Gomes Filho, Núbio Vidal de Negreiros
Subject: Cybersecurity disclosure; Cybersecurity incidents; Incident database; Mitigation strategies; Regulation; Incident database (PT); Mitigation strategies (PT); Cyber incidents (PT); Regulation (PT); Cyber reports (PT); Social Sciences::Economics and Management
Year: 2024
Country: Portugal
Document type: doctoral thesis
Access type: embargoed access
Associated institution: Universidade do Minho
Language: English
Source: RepositóriUM - Universidade do Minho

Funded activities
