网络安全风险披露的信息量有多大？勒索软件攻击企业的实证分析

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-08-25 DOI:10.1016/j.cose.2025.104626

Matthew Adams, Tyler Moore

{"title":"网络安全风险披露的信息量有多大？勒索软件攻击企业的实证分析","authors":"Matthew Adams, Tyler Moore","doi":"10.1016/j.cose.2025.104626","DOIUrl":null,"url":null,"abstract":"<div><div>Public companies face escalating requirements to disclose cybersecurity risks and damages in regulatory filings. In theory, such disclosures should equip investors with knowledge required to make informed decisions, while also encouraging firms to adopt more robust strategies for managing cybersecurity risks. In practice, discussions are often embedded in disparate locations of long documents full of legalese, which hinders systematic examination. This paper examines the regulatory filings of 61 firms that experienced ransomware incidents between 2018 and 2021. We describe a process whereby 7681 cyber-related statements were extracted from 314 10-K filings between 2018–23, then categorized using an iterative process inspired by grounded theory. We then perform quantitative and qualitative analysis of the statements, examining how firms discuss cybersecurity before and after experiencing an incident.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104626"},"PeriodicalIF":5.4000,"publicationDate":"2025-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"How informative are cybersecurity risk disclosures? Empirical analysis of firms targeted by ransomware\",\"authors\":\"Matthew Adams, Tyler Moore\",\"doi\":\"10.1016/j.cose.2025.104626\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Public companies face escalating requirements to disclose cybersecurity risks and damages in regulatory filings. In theory, such disclosures should equip investors with knowledge required to make informed decisions, while also encouraging firms to adopt more robust strategies for managing cybersecurity risks. In practice, discussions are often embedded in disparate locations of long documents full of legalese, which hinders systematic examination. This paper examines the regulatory filings of 61 firms that experienced ransomware incidents between 2018 and 2021. We describe a process whereby 7681 cyber-related statements were extracted from 314 10-K filings between 2018–23, then categorized using an iterative process inspired by grounded theory. We then perform quantitative and qualitative analysis of the statements, examining how firms discuss cybersecurity before and after experiencing an incident.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"159 \",\"pages\":\"Article 104626\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-08-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825003153\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003153","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

上市公司在监管文件中披露网络安全风险和损害的要求越来越高。从理论上讲，这样的披露应该使投资者掌握做出明智决策所需的知识，同时也鼓励公司采取更有力的策略来管理网络安全风险。在实践中，讨论往往被嵌入到充满法律术语的冗长文件的不同位置，这阻碍了系统的审查。本文研究了2018年至2021年间遭遇勒索软件事件的61家公司的监管文件。我们描述了一个过程，从2018-23年间的314份10-K文件中提取了7681份与网络相关的陈述，然后使用基于基础理论的迭代过程进行分类。然后，我们对陈述进行定量和定性分析，检查公司在经历事件之前和之后如何讨论网络安全。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

How informative are cybersecurity risk disclosures? Empirical analysis of firms targeted by ransomware

Public companies face escalating requirements to disclose cybersecurity risks and damages in regulatory filings. In theory, such disclosures should equip investors with knowledge required to make informed decisions, while also encouraging firms to adopt more robust strategies for managing cybersecurity risks. In practice, discussions are often embedded in disparate locations of long documents full of legalese, which hinders systematic examination. This paper examines the regulatory filings of 61 firms that experienced ransomware incidents between 2018 and 2021. We describe a process whereby 7681 cyber-related statements were extracted from 314 10-K filings between 2018–23, then categorized using an iterative process inspired by grounded theory. We then perform quantitative and qualitative analysis of the statements, examining how firms discuss cybersecurity before and after experiencing an incident.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.