{"title":"网络安全风险管理策略披露对投资者判断和决策的影响","authors":"Jiehui (Annabella) Huang, Uday Murthy","doi":"10.1016/j.accinf.2024.100696","DOIUrl":null,"url":null,"abstract":"<div><p>In March 2022, the Securities and Exchange Commission (SEC) proposed the mandatory reporting of cybersecurity risk management policies for public companies. This study aims to explore the potential impact of cybersecurity risk management strategy disclosure on nonprofessional investors. Using a 4 x 1 between-participants experimental design, we examine whether nonprofessional investors’ perceptions and decisions differ between disclosed cybersecurity risk management strategies of self-assessment, self-assessment referencing the <span><span>National Institute of Standards and Technology (NIST)</span></span> framework, third-party assurance, and insurance. We find that nonprofessional investors’ willingness to invest is significantly higher for the insurance strategy compared to the third-party cybersecurity examination and self-assessment (without reference to NIST) strategies. Moderated mediation analysis reveals that investors’ perceptions of financial risk moderates the mediating effect of perceived cybersecurity risk management strategy effectiveness on the relation between cybersecurity risk management strategy and likelihood of investment. Our study contributes to regulators, practitioners, and stakeholders concerned about the potential impact of cybersecurity risk management strategy disclosures on nonprofessional investors.</p></div>","PeriodicalId":47170,"journal":{"name":"International Journal of Accounting Information Systems","volume":"54 ","pages":"Article 100696"},"PeriodicalIF":4.1000,"publicationDate":"2024-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"The impact of cybersecurity risk management strategy disclosure on investors’ judgments and decisions\",\"authors\":\"Jiehui (Annabella) Huang, Uday Murthy\",\"doi\":\"10.1016/j.accinf.2024.100696\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>In March 2022, the Securities and Exchange Commission (SEC) proposed the mandatory reporting of cybersecurity risk management policies for public companies. This study aims to explore the potential impact of cybersecurity risk management strategy disclosure on nonprofessional investors. Using a 4 x 1 between-participants experimental design, we examine whether nonprofessional investors’ perceptions and decisions differ between disclosed cybersecurity risk management strategies of self-assessment, self-assessment referencing the <span><span>National Institute of Standards and Technology (NIST)</span></span> framework, third-party assurance, and insurance. We find that nonprofessional investors’ willingness to invest is significantly higher for the insurance strategy compared to the third-party cybersecurity examination and self-assessment (without reference to NIST) strategies. Moderated mediation analysis reveals that investors’ perceptions of financial risk moderates the mediating effect of perceived cybersecurity risk management strategy effectiveness on the relation between cybersecurity risk management strategy and likelihood of investment. Our study contributes to regulators, practitioners, and stakeholders concerned about the potential impact of cybersecurity risk management strategy disclosures on nonprofessional investors.</p></div>\",\"PeriodicalId\":47170,\"journal\":{\"name\":\"International Journal of Accounting Information Systems\",\"volume\":\"54 \",\"pages\":\"Article 100696\"},\"PeriodicalIF\":4.1000,\"publicationDate\":\"2024-08-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Accounting Information Systems\",\"FirstCategoryId\":\"91\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1467089524000290\",\"RegionNum\":3,\"RegionCategory\":\"管理学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"BUSINESS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Accounting Information Systems","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1467089524000290","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"BUSINESS","Score":null,"Total":0}
引用次数: 0
摘要
2022 年 3 月,美国证券交易委员会(SEC)提议强制要求上市公司报告网络安全风险管理政策。本研究旨在探讨网络安全风险管理策略披露对非专业投资者的潜在影响。我们采用 4 x 1 参与者之间的实验设计,考察非专业投资者对自我评估、参考框架的自我评估、第三方保证和保险这几种已披露的网络安全风险管理策略的看法和决策是否存在差异。我们发现,与第三方网络安全检查和自我评估(不参考 NIST)策略相比,非专业投资者对保险策略的投资意愿明显更高。调节中介分析显示,投资者对金融风险的感知调节了感知到的网络安全风险管理策略有效性对网络安全风险管理策略和投资可能性之间关系的中介效应。我们的研究有助于监管机构、从业人员和关注网络安全风险管理策略披露对非专业投资者潜在影响的利益相关者。
The impact of cybersecurity risk management strategy disclosure on investors’ judgments and decisions
In March 2022, the Securities and Exchange Commission (SEC) proposed the mandatory reporting of cybersecurity risk management policies for public companies. This study aims to explore the potential impact of cybersecurity risk management strategy disclosure on nonprofessional investors. Using a 4 x 1 between-participants experimental design, we examine whether nonprofessional investors’ perceptions and decisions differ between disclosed cybersecurity risk management strategies of self-assessment, self-assessment referencing the National Institute of Standards and Technology (NIST) framework, third-party assurance, and insurance. We find that nonprofessional investors’ willingness to invest is significantly higher for the insurance strategy compared to the third-party cybersecurity examination and self-assessment (without reference to NIST) strategies. Moderated mediation analysis reveals that investors’ perceptions of financial risk moderates the mediating effect of perceived cybersecurity risk management strategy effectiveness on the relation between cybersecurity risk management strategy and likelihood of investment. Our study contributes to regulators, practitioners, and stakeholders concerned about the potential impact of cybersecurity risk management strategy disclosures on nonprofessional investors.
期刊介绍:
The International Journal of Accounting Information Systems will publish thoughtful, well developed articles that examine the rapidly evolving relationship between accounting and information technology. Articles may range from empirical to analytical, from practice-based to the development of new techniques, but must be related to problems facing the integration of accounting and information technology. The journal will address (but will not limit itself to) the following specific issues: control and auditability of information systems; management of information technology; artificial intelligence research in accounting; development issues in accounting and information systems; human factors issues related to information technology; development of theories related to information technology; methodological issues in information technology research; information systems validation; human–computer interaction research in accounting information systems. The journal welcomes and encourages articles from both practitioners and academicians.