
International Journal of Academic Research in Accounting, Finance and Management Sciences

Open Access Journal

ISSN: 2225-8329

Digital Security Risk Disclosure and Investment Process

Yap Kiew Heong Angeline, Yap Saw Teng

http://dx.doi.org/10.6007/IJARAFMS/v14-i3/22643


Growing interconnectedness and extensive access to cybersecurity systems have increased the related threats that could exploit organisations’ assets. To protect these assets, organisations can implement risk mitigation measures or transfer risks to third parties. As part of their investor relations efforts, these organisations need to disclose the digital security they have implemented. Because of this growing cybersecurity concern, this paper examines whether investors will invest in organisations that provide digital security risk disclosure, since it is important to assess organisations’ ability to stay resilient and viable in this age of fast-paced technological advancement. The researchers solicited two hundred and nineteen (219) responses from Malaysian organisations through questionnaires. SmartPLS was used to analyse the data. The results suggest that disclosure of digital security strategy, its risk mitigation, and its cyber events significantly impacts the investment decision. Theoretically, this paper contributes to the literature on legitimacy theory, especially on institutional pressure when organisations try to address the legitimacy gap during cybersecurity events. Digital security risk is growing in relevance to organisations and investors, but current disclosure is insufficient; management should pay more attention to improving this area. Future studies may examine factors that impact digital security risks, such as the role of financial implications, reputational concerns, and industry-specific regulations.


Yap Kiew Heong, A., & Teng, Y. S. (2024). Digital Security Risk Disclosure and Investment Process. International Journal of Academic Research in Accounting, Finance and Management Sciences, 14(3), 504–523.