{"title":"Cybersecurity Risk and Audit Pricing—A Machine Learning-Based Analysis","authors":"Wanying Jiang","doi":"10.2308/isys-2023-019","DOIUrl":null,"url":null,"abstract":"\n Cybersecurity risk represents a growing business threat. However, little attention has been paid to its assessment. This study proposes a machine learning algorithm that considers firm cybersecurity risk disclosure, information technology governance, external monitoring by financial analysts and auditors, and general firm characteristics to estimate cybersecurity risk (i.e., the likelihood of a firm experiencing data breaches during a year). This measure outperforms the measure produced by logistic regression models, is higher in industries more prone to cyberattacks, and effectively predicts future data breaches and firm use of cybersecurity insurance policies. I also examine whether auditors consider firm cybersecurity risk in the engagement planning process, finding that, on average, a one-percentage-point increase in cybersecurity risk is associated with a 1.15 percent increase in audit fees. In addition, auditors charge a fee premium after a data breach only if the client has heightened cybersecurity risk.\n Data Availability: Data are available from the public sources cited in the text.","PeriodicalId":46998,"journal":{"name":"Journal of Information Systems","volume":" 11","pages":""},"PeriodicalIF":2.0000,"publicationDate":"2024-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Systems","FirstCategoryId":"91","ListUrlMain":"https://doi.org/10.2308/isys-2023-019","RegionNum":4,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"BUSINESS, FINANCE","Score":null,"Total":0}
引用次数: 0
Abstract
Cybersecurity risk represents a growing business threat. However, little attention has been paid to its assessment. This study proposes a machine learning algorithm that considers firm cybersecurity risk disclosure, information technology governance, external monitoring by financial analysts and auditors, and general firm characteristics to estimate cybersecurity risk (i.e., the likelihood of a firm experiencing data breaches during a year). This measure outperforms the measure produced by logistic regression models, is higher in industries more prone to cyberattacks, and effectively predicts future data breaches and firm use of cybersecurity insurance policies. I also examine whether auditors consider firm cybersecurity risk in the engagement planning process, finding that, on average, a one-percentage-point increase in cybersecurity risk is associated with a 1.15 percent increase in audit fees. In addition, auditors charge a fee premium after a data breach only if the client has heightened cybersecurity risk.
Data Availability: Data are available from the public sources cited in the text.
期刊介绍:
The Journal of Information Systems (JIS) is the academic journal of the Accounting Information Systems (AIS) Section of the American Accounting Association. Its goal is to support, promote, and advance Accounting Information Systems knowledge. The primary criterion for publication in JIS is contribution to the accounting information systems (AIS), accounting and auditing domains by the application or understanding of information technology theory and practice. AIS research draws upon and is informed by research and practice in management information systems, computer science, accounting, auditing as well as cognate disciplines including philosophy, psychology, and management science. JIS welcomes research that employs a wide variety of research methods including qualitative, field study, case study, behavioral, experimental, archival, analytical and markets-based.