

Exploring the information content of cyber breach reports and the relationship to internal controls
Institution:1. Strategic Security Sciences, Argonne National Laboratory, Ames, IA 50010, United States;2. Ivy College of Business, Iowa State University, Ames, IA 50010, United States;3. Strategic Security Sciences, Argonne National Laboratory, Argonne, IL 60439, United States;1. TU Dortmund University, Faculty of Business and Economics, Germany;2. The University of Tampa, Sykes College of Business, Department of Accounting, United States;1. Florida State University, 1107 W. Call St., Tallahassee, FL 32306-4301, United States;2. Grand Valley State University, 3032 L William Seidman Center, 50 Front Ave SW, Grand Rapids, MI 49504-6424, United States;3. University of Tampa, JS 243, Mailbox O, 401 W. Kennedy Blvd., Tampa, FL 33606, United States;4. Florida State University, 346 RBB, 821 Academic Way, Tallahassee, FL 32306-1110, United States;5. Michigan State University, 632 Bogue St. Rm N220, East Lansing, MI 48824, United States;1. Dept. of Business Informatics, Hanyang University, Seoul, Korea;2. School of Business, Hanyang University, Seoul, Korea;1. College of Business Administration, University of Seoul, Seoulsiripdaero 163, Dongdaemun-gu, Seoul 02504, South Korea;2. Shidler College of Business, University of Hawaii at Manoa, 2404 Maile Way, Honolulu, HI 96822, United States;3. School of Management, Clark University, 950 Main Street, Worcester, MA 01610, United States
Abstract: A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee of Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm's ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident that may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyze the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data. This study is focused on education as to the current structure of breach reporting, based upon our review and synthesis of publicly available breach reports. In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose.
We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.
Keywords: COSO; Computer Security; Computer Crime; Risk analysis; Security management; Incident; Breach
This document is indexed in ScienceDirect and other databases.