Tag Archives: IT risk

IS papers on Cybersecurity

Last update: Jan 18, 2022

In this post, I gathered recent IS publications (2010-current) on the topic of cybersecurity. It is by no means an exhaustive list of the topic. This does not cover other related topics such as privacy and ethics.

  1. Jacob Haislip, Jee-Hae Lim, Robert Pinsker (2021) The Impact of Executives’ IT Expertise on Reported Data Security Breaches. Information Systems Research 32(2):318-334.
  2. Ahmed Abbasi, David Dobolyi, Anthony Vance, Fatemeh Mariam Zahedi (2021) The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites. Information Systems Research 32(2):410-436.
  3. Yunhui Zhuang, Yunsik Choi, Shu He, Alvin Chung Man Leung, Gene Moo Lee & Andrew Whinston (2020) Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia, Journal of Management Information Systems, 37:3, 668-693.
  4. Qian Tang & Andrew B. Whinston (2020) Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment, Production and Operations Management 29(2):410-427.
  5. Yoo, Chul & Goo, Jahyun & Rao, Raghav. (2020). Is Cybersecurity a Team Sport? A Multilevel Examination of Workgroup Information Security Effectiveness. MIS Quarterly. 44. 907-931.
  6. Mohammadreza Ebrahimi, Jay F. Nunamaker Jr. & Hsinchun Chen (2020) Semi-Supervised Cyber Threat Identification in Dark Net Markets: A Transductive and Deep Learning Approach, Journal of Management Information Systems, 37:3, 694-722
  7. Sebastian W. Schuetz, Paul Benjamin Lowry, Daniel A. Pienta & Jason Bennett Thatcher (2020) The Effectiveness of Abstract Versus Concrete Fear Appeals in Information Security, Journal of Management Information Systems, 37:3, 723-757.
  8. Che-Wei Liu, Peng Huang & Henry C. Lucas Jr. (2020) Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions, Journal of Management Information Systems, 37:3, 758-787.
  9. Ravi Sen, Ajay Verma & Gregory R. Heim (2020) Impact of Cyberattacks by Malicious Hackers on the Competition in Software Markets, Journal of Management Information Systems, 37:1, 191-216
  10. John D’Arcy, Idris Adjerid, Corey M. Angst, Ante Glavas (2020) Too Good to Be True: Firm Social Performance and the Risk of Data Breach. Information Systems Research 31(4):1200-1223.
  11. Zan Zhang, Guofang Nan, Yong Tan (2020) Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization. Information Systems Research 31(3):848-864.
  12. Terrence August, Duy Dao, Kihoon Kim (2019) Market Segmentation and Software Security: Pricing Patching Rights. Management Science 65(10):4575-4597.
  13. Seung Hyun Kim, Juhee Kwon (2019) How Do EHRs and a Meaningful Use Initiative Affect Breaches of Patient Information? Information Systems Research 30(4):1184-1202.
  14. Kai-Lung Hui, Ping Fan Ke, Yuxi Yao, Wei T. Yue (2019) Bilateral Liability-Based Contracts in Information Security Outsourcing. Information Systems Research 30(2):411-429.
  15. Victor Benjamin, Joseph S. Valacich, and Hsinchun Chen (2019) DICE-E: a framework for conducting darknet identification, collection, evaluation with ethics. MIS Quarterly 43(1):1–22.
  16. Indranil Bose and Alvin Chung Man Leung (2019) Adoption of identity theft countermeasures and its short- and long-term impact on firm value. MIS Quarterly 43(1):313–328.
  17. Corey M. Angst, Emily S. Block, John D’Arcy, and Ken Kelley (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3):893–916.
  18. Orcun Temizkan, Sungjune Park, Cem Saydam (2017) Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities. Information Systems Research 28(4):828-849.
  19. Shu He, Gene Moo Lee, Sukjin Han, Andrew B. Whinston (2016) How Would Information Disclosure Influence Organizations’ Outbound Spam Volume? Evidence from a Field Experiment. Journal of Cybersecurity 2(1), pp. 99-118.
  20. Yonghua Ji, Subodha Kumar, Vijay Mookerjee (2016) When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security. Information Systems Research 27(4):897-918.
  21. Karthik Kannan, Mohammad S. Rahman, Mohit Tawarmalani (2016) Economic and Policy Implications of Restricted Patch Distribution. Management Science 62(11):3161-3182.
  22. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2016) Mandatory Standards and Organizational Information Security. Information Systems Research 27(1):70-86.
  23. Jingguo Wang, Manish Gupta, and H. Raghav Rao (2015) Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly 39(1):91–112.
  24. Jingguo Wang, Nan Xiao, H. Raghav Rao (2015) Research Note—An Exploration of Risk Characteristics of Information Security Threats and Related Public Information Search Behavior. Information Systems Research 26(3):619-633.
  25. Sabyasachi Mitra, Sam Ransbotham (2015) Information Disclosure and the Diffusion of Information Security Attacks. Information Systems Research 26(3):565-584.
  26. Debabrata Dey, Atanu Lahiri, and Guoying Zhang (2014) Quality competition and market segmentation in the security software market. MIS Quarterly 38(2):589–606.
  27. Seung Hyun Kim and Byung Cho Kim (2014) Differential effects of prior experience on the malware resolution process. MIS Quarterly 38(3):655–678.
  28. Ryan T. Wright, Matthew L. Jensen, Jason Bennett Thatcher, Michael Dinger, Kent Marett (2014) Research Note—Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance. Information Systems Research 25(2):385-400.
  29. Asunur Cezar, Huseyin Cavusoglu, Srinivasan Raghunathan (2013) Outsourcing Information Security: Contracting Issues and Security Implications. Management Science 60(3):638-657.
  30. Xia Zhao, Ling Xue & Andrew B. Whinston (2013) Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements, Journal of Management Information Systems, 30:1, 123-152.
  31. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2012) Contracting Information Security in the Presence of Double Moral Hazard. Information Systems Research 24(2):295-311.
  32. Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are Markets for Vulnerabilities Effective? MIS Quarterly 36(1), 43–64.
  33. Gupta, A., & Zhdanov, D. (2012). Growth and Sustainability of Managed Security Services Networks: An Economic Perspective. MIS Quarterly 36(4), 1109–1130.
  34. Kai-Lung Hui, Wendy Hui & Wei T. Yue (2012) Information Security Outsourcing with System Interdependency and Mandatory Security Requirement, Journal of Management Information Systems, 29:3, 117-156.
  35. Caliendo, M., Clement, M., Papies, D., & Scheel-Kopeinig, S. (2012). Research Note: The Cost Impact of Spam Filters: Measuring the Effect of Information System Technologies in Organizations. Information Systems Research 23(3), 1068–1080.
  36. August, T., & Tunca, T. I. (2011). Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments. Management Science 57(5), 934–959.
  37. Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated Failures, Diversification, and Information Security Risk Management. MIS Quarterly 35(2), 397–422.
  38. Mookerjee, V., Mookerjee, R., Bensoussan, A., & Yue, W. T. (2011). When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination. Information Systems Research 22(3), 606–623.
  39. Galbreth, M. R., & Shor, M. (2010). The Impact of Malicious Agents on the Enterprise Software Industry. MIS Quarterly 34(3), 595–612.
  40. Mahmood, M. A., Siponen, M., Straub, D., Rao, H. R., & Raghu, T. S. (2010). Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue. MIS Quarterly 34(3), 431–433.

IT Risk and Stock Price Crashes (Working Paper)

Song, Victor, Hasan Cavusoglu, Mary L. Z. Ma, Gene Moo Lee (2022) “IT Risk and Stock Price Crashes,” Under Review. [HICSS version]

As firms increasingly depend on Information Technology (IT), risks associated with IT have become one of the top concerns for managers and investors. This study examines the relation between the IT-related risk factor in Item 1A of the 10-K annual reports and a firm’s stock price crash risk, a firm-specific propensity to stock price crashes. Using topic modeling to identify IT-related risk factors, we find that IT risk emerges as one of the firms’ key risk categories and that IT risk factors are positively associated with a firm’s future stock price crash risk. We further separate IT risk factors into cybersecurity risk that potentially leads to a loss or leak of data, and non-cybersecurity IT risk that relates to a firm’s reliance on IT for its competitive advantage and value creation activities. We find that cybersecurity risk continues to affect crash risk, but non-cybersecurity IT risk does not, consistent with their different risk natures. We also find that the readability, novelty, and the order of appearance of the IT risk factor in Item 1A enhance the information content of IT risk factors and strengthen their relation with stock price crash risk.