Similar literature
Found 20 similar documents; search took 15 ms
1.
The Consumer Data Protection Act, a new bill introduced by Senator Ron Wyden, is proposing “jail time of up to 20 years for executives who knowingly sign off on incorrect or inaccurate annual certifications of their companies’ data-security practices.” The bill also recommends that companies be fined “up to 4 percent of their annual revenue.” While the critics consider the penalties too harsh and severe, the proposed legislation reflects two key realities – a) active involvement and commitment of senior management is essential to achieving a high level of cybersecurity preparedness; and b) legislation and fear of severe penalties (such as Sarbanes-Oxley Act of 2002 and European Union’s General Data Protection Regulation) is often necessary to motivate desired organizational behavior. In an increasingly digital ecosystem characterized by high levels of electronic connectivity, vulnerability to cyberattacks is growing. Organizations are in a perpetual state of breach with rapidly expanding attack surfaces and evolving threat vectors. Protecting confidential data and related digital assets is becoming critical to survival and success. Senior management must come to terms with this new business reality and give strategic priority to cybersecurity preparedness and investments. Research finds active involvement of top management in cyber risk mitigation initiatives to be a critical success factor and best practice. The onus is also on senior management to create a high-performance security culture founded on three key cornerstones – commitment, preparedness, and discipline. They also must lead the charge in establishing a cybersecurity governance structure characterized by joint ownership, responsibility, and accountability.

2.
《Business Horizons》2020,63(4):531-540
Small and medium-sized enterprises (SMEs) are among the least mature and most vulnerable in terms of their cybersecurity risk and resilience. In this article, we describe a methodology developed using the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) as a starting point. The NIST CSF does not meet all the needs of the SME IT leader, but it offers a solid foundation for a useful evaluation and recommendation methodology. We propose an SME cybersecurity evaluation tool (CET) that consists of a 35-question online survey to be completed by IT leaders to self-rate their maturity within the five NIST framework categories: identify, protect, detect, respond, and recover. We outline this approach to cybersecurity risk management before discussing its effectiveness and implications for practitioners.

3.
《Business Horizons》2021,64(6):729-734
Cybercrime and cybersecurity are like two sides of the same coin: They are opposites but cannot exist without each other. Their mutual relation generates a myriad of ethical issues, ranging from minor to vital. The rapid development of technology will surely involve even more ethical concerns, like the infamous example of a fitness tracking company allegedly paying $10 million worth of ransom. Every cybersecurity solution, tool, or practice has to be ethical by design if it is to protect people and their rights. To identify the ethical issues that cybersecurity/cybercrime might bring about in the future, we conducted the first broad and comprehensive horizon-scanning study since the COVID-19 pandemic arose. As we began this project, nobody had the slightest idea that the coming months would bring the COVID-19 pandemic, and that the reality we had known was about to change dramatically. As it soon became apparent, the deadly coronavirus brought completely new cybersecurity/cybercrime ethical dilemmas to light, and some of the ones known before were transformed or shifted. This article presents the results of our horizon-scanning study concerning the ethical dilemmas that emerged amid the COVID-19 pandemic.

4.
《Business Horizons》2021,64(5):659-671
As organizations accelerate digital transformation with mobile devices, cloud services, social media, and Internet of Things services, cybersecurity has become a key priority in enterprise risk management. While improving cybersecurity leads to higher levels of customer trust and increased revenue opportunities, rapidly evolving data protection and privacy regulations have complicated cybersecurity management. Against the backdrop of rapidly rising cyberbreaches and the emergence of novel cybersecurity technologies such as machine learning and artificial intelligence, this article introduces a cyber risk management framework, discusses a cyber risk assessment process, and illustrates a continuous improvement of cybersecurity performance and cyberinvestment cost analysis with a real-world cybersecurity example.

5.
《Business Horizons》2016,59(5):539-548
Rarely does a day seem to go by without another front page story about a firm being breached by cyber-attackers. Even experts in the field are far from immune from the unsustainable status quo. For example, Jim Lewis of the Center for Strategic and International Studies has said: “We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen.” This is a difficult starting point to consider an appropriate end game. Still, it is something that firms must do since infinite investment cannot breed infinite security. This article takes lessons from the burgeoning field of cyber peace studies and applies them to private sector cyber risk mitigation strategies. With members of the C-suite on down to mailroom clerks worrying about the next attack and looking over their shoulder after a breach occurs, who wouldn’t welcome some peace of mind?

6.
Although cybersecurity is important for any organization, firms have little understanding of the ramifications of perceived cybersecurity risk and how marketers can avert its negative marketing outcomes. The inability of firms to prevent massive data breaches in the recent past has heightened cybersecurity risk perceptions of customers and cybersecurity-related marketing challenges and opportunities. This study links cybersecurity risk with firm risk through firm reputation by developing a conceptual framework grounded in perceived risk theory in conjunction with dynamic capabilities and social network theoretical perspectives. Our findings show that social media marketing capabilities enable firms in mitigating the adverse impact of cybersecurity risk in declining firm reputation and value. Thus, this study provides significant implications for marketing theory and practice.

7.
《Business Horizons》2016,59(6):585-591
Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official to head up their information security operations, a CISO; and to ensure that the executive and board are appropriately informed of the organization's security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.

8.
《Business Horizons》2016,59(3):257-266
Data breaches are becoming more frequent and more damaging to the bottom line of many businesses. The Target data breach marked the beginning of increased scrutiny of cybersecurity practices. In the past, data breaches were seen as a cost of doing business, but Target's negligence and the scale of the data loss forced businesses and the courts to reevaluate current practices and regulatory frameworks. Businesses must make strategic use of their chief information officers, adopt cybersecurity best practices, and effectively train their employees to respond to growing security threats. They must also shape the cybersecurity narrative to influence regulatory responses to these threats.

9.
《Business Horizons》2021,64(6):799-807
Internet of Medical Things (IoMT) technology remains in early stages of adoption, but advancements and breakthroughs are quickly moving this process forward. There is a critical need for cybersecurity to be a priority in the development of these new tools, alongside design and utility. Given the rapid pace and potential magnitude of the coming advancements in IoMT, if privacy and security risks are neglected, a significant crisis could emerge in the form of more frequent cybersecurity breaches. This article examines the market opportunities and risks associated with IoMT and outlines a plan for proactively mitigating concerns and providing a platform to foster growth, to modify attitudes and behaviors, and to continue to build consumer confidence in the overall health system without sacrificing security.

10.
ABSTRACT

A new way of thinking about cybersecurity is much needed to deal with the complex and dynamic cyber-ecosystem. In this paper, we introduce a systems thinking based approach for solving problems related to cybersecurity. We adapt the powerful safety-hazard analysis method, Systems Theoretic Process Analysis (STPA) based on systems theory to analyze the cybersecurity related features of India’s massive digital identity program, Aadhaar. Our findings produce important insights. On one hand, it helps identify the security gaps of the Aadhaar system, and on the other hand, it provides controls using systems thinking to overcome these gaps. We contribute to understanding the world of cybersecurity practices and develop risk mitigation strategies that can benefit the Aadhaar.

11.
The continued use of information technology systems by small and medium enterprises (SMEs) in developing countries has the potential to bring significant benefits but, at the same time, expose them to online cybersecurity threats. Addressing these threats is, therefore, of paramount importance for developing countries, not only because SMEs are seen as the vehicle for employment and job creation, but because research on SMEs and cybersecurity in this context is limited. This study is a contribution toward addressing this gap.

The purpose of this study is, therefore, to explore SME cybersecurity practices and the challenges they face in developing countries. The goal is to sensitize practitioners and government institutions about the challenges and practices faced by SMEs, so that the various parties can work collaboratively in providing context-specific solutions to address these challenges and improve current cybersecurity practices. The study follows a qualitative enquiry approach to solicit information from three South African SMEs that had implemented cybersecurity practices. The findings show that an SME’s perception of cybersecurity is constrained by internal factors of budget, management support, and attitudes. Further findings show that SMEs’ cybersecurity practices are affected by the landscape of cybersecurity, as well as institutional pressures.


12.
《Business Horizons》2021,64(6):763-774
Misleading information is an emerging cyber risk. It includes misinformation, disinformation, and fake news. Digital transformation and COVID-19 have exacerbated it. While there has been much discussion about the effects of misinformation, disinformation, and fake news on the political process, the consequences of misleading information on businesses have been far less, and it can be argued insufficiently, examined. The article offers a primer on misleading information and cyber risks aimed at business executives and leaders across an array of industries, organizations, and nations. Misleading information can have a profound effect on business. I analyze different misleading information types and identify associated cyber risks to help businesses think about these emerging threats. I examine in general the cyber risk posed by misleading information on business, and I explore in more detail the impact on healthcare, media, financial markets, and elections and geopolitical risks. Finally, I offer a set of practical recommendations for organizations to respond to these new challenges and to manage risks.

13.
14.
金春雨  郭沛  程浩 《商业研究》2012,(8):125-132
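This paper uses the SWARCH model to analyze the volatility of returns in China's healthcare sector and compares the SWARCH estimation results for healthcare sector returns with those for the returns of the Shanghai Composite Index and the Shenzhen Component Index, reaching the following conclusions: the healthcare index return series exhibits three volatility states (low, medium, and high); the sample period falls mainly in the medium-volatility state; the low-volatility state has the longest average duration, the medium-volatility state an intermediate one, and the high-volatility state the shortest; the leverage effect in healthcare index return volatility is significant; the differences between the volatility states of healthcare sector returns in China's stock market are greater than those between the volatility states of the Shanghai and Shenzhen composite indices; regime shifts in healthcare index returns tend to coincide with those in Shanghai and Shenzhen composite index returns, though with slight differences; transitions between the regimes of healthcare index returns are relatively frequent, the average duration of each volatility state is short, and healthcare sector returns react more sensitively to new information.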

15.
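The topic of pay gaps has attracted wide attention from all sectors of society. Scholars in China and abroad have carried out a large amount of research on this issue and achieved fruitful results, but how the executive pay gap in China's listed companies affects their cash holding level and its value has hardly been explored so far. Against this background, taking China's A-share non-financial listed companies from 2005 to 2018 as the research sample, this paper empirically examines the effect of the executive pay gap on cash holding level and value in companies with different ownership types. The results show that the executive pay gap in state-owned enterprises increases cash holdings and reduces the value of cash holdings; the executive pay gap in private enterprises reduces cash holdings but increases the value of cash holdings; and robustness tests show that these conclusions still hold. Further analysis shows that the executive pay gap in state-owned enterprises is more inclined to increase the accumulation of internal cash flow into cash holdings while also leading to a higher level of over-investment, whereas the executive pay gap in private enterprises reduces the accumulation of internal cash flow into cash holdings and has no significant effect on the level of over-investment. From these results it can be concluded that the effect of the executive pay gap on cash holding behavior in state-owned enterprises supports social comparison theory, while its effect in private enterprises supports tournament theory.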

16.
How do professional service firms build the capabilities required for effective international operations? Although the internationalization of manufacturing firms is a widely studied topic, the literature on the internationalization of service firms remains scant. The problem is even more acute when it comes to studies of professional services such as healthcare organizations and hospitals. Yet, we encounter remarkable examples of international market expansion by professional service firms. In this paper, we report on a study of large privately-owned hospital operators from the emerging economy of Turkey, based on in-depth interviews with senior executives. Taking advantage of Turkey’s strategic location in the region, these firms have shown extraordinary entrepreneurial initiative expanding their operations beyond the home market over the past two decades. Even more impressive is the creative strategies these firms have been deploying in terms of market entry modes. These range from medical tourism to setting up diagnostic clinics abroad, operating full-service hospitals in key markets, management contracts, and attracting equity capital from international investment firms. We draw from the theory of dynamic capabilities in order to explain the success these firms have had in cultivating international market opportunities. We contend that it takes a variety of organizational capabilities for traditionally domestic-market focused firms to expand into international markets. We provide an integrative discussion and offer implications for advancing knowledge and managerial practice.

17.
Advances in information technology (IT) have prompted tremendous growth in security issues for companies. Increasingly, cyberattacks represent a threat to companies and national security; to prevent them, firms should routinely perform risk assessments of their IT infrastructure and employees. This article highlights the importance of open-source intelligence (OSINT) tools in conducting risk assessments to prevent cyberattacks. More specifically, we performed a vulnerability assessment on the critical infrastructure of a company operating on the U.S. electrical grid. We successfully profiled the company’s network software, hardware, and key IT personnel—using OSINT—and detailed potential vulnerabilities associated with these findings. The results of our study provide empirical evidence for the efficacy of OSINT in improving the security posture of organizations. Our research findings were subsequently used to produce tactical and strategic recommendations for organizations based on the use of OSINT to identify vulnerabilities, mitigate risks, and formulate more robust security policies to prevent cyberattacks.

18.
ABSTRACT

A study of 216 respondents examined a medical center environment’s influence on patient responses. A stimulus–organism–response (S-O-R) model was adapted to the theory that more hospitable healthcare servicescape elements will affect patients’ overall satisfaction with healthcare experience, loyalty intentions, and willingness to pay out-of-pocket expenses for healthcare services. Servicescape elements included atmospherics of the healthcare environment, service delivery by healthcare staff, physical design of the healthcare environment, and wayfinding. Results of structural equation modeling confirmed that the four servicescape elements had a significant impact on patients’ overall satisfaction with the healthcare experience. Furthermore, overall satisfaction with the healthcare experience predicted patients’ loyalty intentions and willingness to pay out-of-pocket expenses for healthcare services. The study makes a significant contribution to the empirical modeling of patients’ behavioral responses to hospitable healthcare environments.

19.
This study examines whether and how foreignness affects internal auditors’ compliance with the International Standards for the Professional Practice of Internal Auditing (the Standards) from social and culture perspective. It demonstrates that foreignness, such as language and relational social capital, has a significant impact on auditors’ compliance with the Standards, especially with respect to cybersecurity, independence and objectivity, individual objectivity, and governance of the Standards. The Partial Least Squares Structural Equation Modelling (PLS-SEM) is used to analyze the survey data. This study highlights that external factors such as social capital affect the internal auditors’ compliance with the Standards.

20.
Under the efficient market hypothesis, the stock price incorporates the full value of a firm’s advertising. If so, advertising spending should not be associated with future abnormal stock returns. Nevertheless, from 1995 to 2015, advertising spending often leads to abnormal stock returns the following year. The strongest results surface for consumer goods and services where advertising used to build brand equity can carryover from one year to the next. No significant differences arise for healthcare, industrial goods, or retailer advertising. Healthcare and industrial goods advertising is often modest. Retailer advertising that builds traffic should have little if any carryover into the following year. These results may help marketing managers defend an advertising budget whose benefits carryover into the following year, but hurt current profits. Having more investment analysts on Wall Street with a marketing background should help reduce this overly conservative “wait and see” discount for carryover advertising.
