Is Cybersecurity a Social Responsibility?

Cybersecurity incidents damage not only the organizations attacked, but also society in general, harming customers and stakeholders. Through the text mining of the incident database, we observed that the impact of cybersecurity incident trends became more outward-oriented causing increased risks associated with social responsibility. Thus, this study aims to validate the potential effect of cybersecurity incidents on social responsibility risks and stock price drops. To derive meaningful factors from the description of incidents, we mined the texts to extract the features of the severity of incidents and their direction of impact whether inward or outward. The severity score is derived from sentiment analysis and the impact direction by topic modeling and machine learning models including SVM, LSTM, and BERT. The effects of these incident features are studied through regression models with social responsibility risk and stock price drops as dependent variables. To conduct this study, we collected incident texts from the Privacy Rights Clearinghouse database, and social responsibility risk indices from the Privacy and Data Security index and Cyber Risk Rating scores. The subsequent short-term stock price drops are measured by Cumulative Abnormal Returns and their variations. Our analysis revealed a profound impact of cybersecurity incidents on social responsibility risk indices and stock price drops with the moderating effect of outward impact in both models. However, we recognize the incompatibility between an annual index of social responsibility risk and short-term stock price drops. Therefore, we propose a short-term social responsibility risk index for cybersecurity which can be derived from the disclosed incidents. All these scenarios support the premise that cybersecurity incidents significantly impact the social responsibility risk and may lead to potential stock price drops.