Tag Archives: IT risk

IS papers on Cybersecurity

Last update: Jan 18, 2022

In this post, I gathered recent IS publications (2010-current) on the topic of cybersecurity. It is by no means an exhaustive list on the topic. It does not cover other related topics such as privacy and ethics.

  1. Jacob Haislip, Jee-Hae Lim, Robert Pinsker (2021) The Impact of Executives’ IT Expertise on Reported Data Security Breaches. Information Systems Research 32(2):318-334.
  2. Ahmed Abbasi, David Dobolyi, Anthony Vance, Fatemeh Mariam Zahedi (2021) The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites. Information Systems Research 32(2):410-436.
  3. Yunhui Zhuang, Yunsik Choi, Shu He, Alvin Chung Man Leung, Gene Moo Lee & Andrew Whinston (2020) Understanding Security Vulnerability Awareness, Firm Incentives, and ICT Development in Pan-Asia, Journal of Management Information Systems, 37:3, 668-693.
  4. Qian Tang & Andrew B. Whinston (2020) Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment, Production and Operations Management 29(2):410-427.
  5. Yoo, Chul & Goo, Jahyun & Rao, Raghav. (2020). Is Cybersecurity a Team Sport? A Multilevel Examination of Workgroup Information Security Effectiveness. MIS Quarterly. 44. 907-931.
  6. Mohammadreza Ebrahimi, Jay F. Nunamaker Jr. & Hsinchun Chen (2020) Semi-Supervised Cyber Threat Identification in Dark Net Markets: A Transductive and Deep Learning Approach, Journal of Management Information Systems, 37:3, 694-722
  7. Sebastian W. Schuetz, Paul Benjamin Lowry, Daniel A. Pienta & Jason Bennett Thatcher (2020) The Effectiveness of Abstract Versus Concrete Fear Appeals in Information Security, Journal of Management Information Systems, 37:3, 723-757.
  8. Che-Wei Liu, Peng Huang & Henry C. Lucas Jr. (2020) Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions, Journal of Management Information Systems, 37:3, 758-787.
  9. Ravi Sen, Ajay Verma & Gregory R. Heim (2020) Impact of Cyberattacks by Malicious Hackers on the Competition in Software Markets, Journal of Management Information Systems, 37:1, 191-216
  10. John D’Arcy, Idris Adjerid, Corey M. Angst, Ante Glavas (2020) Too Good to Be True: Firm Social Performance and the Risk of Data Breach. Information Systems Research 31(4):1200-1223.
  11. Zan Zhang, Guofang Nan, Yong Tan (2020) Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization. Information Systems Research 31(3):848-864.
  12. Terrence August, Duy Dao, Kihoon Kim (2019) Market Segmentation and Software Security: Pricing Patching Rights. Management Science 65(10):4575-4597.
  13. Seung Hyun Kim, Juhee Kwon (2019) How Do EHRs and a Meaningful Use Initiative Affect Breaches of Patient Information? Information Systems Research 30(4):1184-1202.
  14. Kai-Lung Hui, Ping Fan Ke, Yuxi Yao, Wei T. Yue (2019) Bilateral Liability-Based Contracts in Information Security Outsourcing. Information Systems Research 30(2):411-429.
  15. Victor Benjamin, Joseph S. Valacich, and Hsinchun Chen (2019) DICE-E: a framework for conducting darknet identification, collection, evaluation with ethics. MIS Quarterly 43(1):1–22.
  16. Indranil Bose and Alvin Chung Man Leung (2019) Adoption of identity theft countermeasures and its short- and long-term impact on firm value. MIS Quarterly 43(1):313–328.
  17. Corey M. Angst, Emily S. Block, John D’Arcy, and Ken Kelley (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly 41(3):893–916.
  18. Orcun Temizkan, Sungjune Park, Cem Saydam (2017) Software Diversity for Improved Network Security: Optimal Distribution of Software-Based Shared Vulnerabilities. Information Systems Research 28(4):828-849.
  19. Shu He, Gene Moo Lee, Sukjin Han, Andrew B. Whinston (2016) How Would Information Disclosure Influence Organizations’ Outbound Spam Volume? Evidence from a Field Experiment. Journal of Cybersecurity 2(1), pp. 99-118.
  20. Yonghua Ji, Subodha Kumar, Vijay Mookerjee (2016) When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security. Information Systems Research 27(4):897-918.
  21. Karthik Kannan, Mohammad S. Rahman, Mohit Tawarmalani (2016) Economic and Policy Implications of Restricted Patch Distribution. Management Science 62(11):3161-3182.
  22. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2016) Mandatory Standards and Organizational Information Security. Information Systems Research 27(1):70-86.
  23. Jingguo Wang, Manish Gupta, and H. Raghav Rao (2015) Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly 39(1):91–112.
  24. Jingguo Wang, Nan Xiao, H. Raghav Rao (2015) Research Note—An Exploration of Risk Characteristics of Information Security Threats and Related Public Information Search Behavior. Information Systems Research 26(3):619-633.
  25. Sabyasachi Mitra, Sam Ransbotham (2015) Information Disclosure and the Diffusion of Information Security Attacks. Information Systems Research 26(3):565-584.
  26. Debabrata Dey, Atanu Lahiri, and Guoying Zhang (2014) Quality competition and market segmentation in the security software market. MIS Quarterly 38(2):589–606.
  27. Seung Hyun Kim and Byung Cho Kim (2014) Differential effects of prior experience on the malware resolution process. MIS Quarterly 38(3):655–678.
  28. Ryan T. Wright, Matthew L. Jensen, Jason Bennett Thatcher, Michael Dinger, Kent Marett (2014) Research Note—Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance. Information Systems Research 25(2):385-400.
  29. Asunur Cezar, Huseyin Cavusoglu, Srinivasan Raghunathan (2013) Outsourcing Information Security: Contracting Issues and Security Implications. Management Science 60(3):638-657.
  30. Xia Zhao, Ling Xue & Andrew B. Whinston (2013) Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements, Journal of Management Information Systems, 30:1, 123-152.
  31. Chul Ho Lee, Xianjun Geng, Srinivasan Raghunathan (2012) Contracting Information Security in the Presence of Double Moral Hazard. Information Systems Research 24(2):295-311.
  32. Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are Markets for Vulnerabilities Effective? MIS Quarterly 36(1), 43–64.
  33. Gupta, A., & Zhdanov, D. (2012). Growth and Sustainability of Managed Security Services Networks: An Economic Perspective. MIS Quarterly 36(4), 1109–1130.
  34. Kai-Lung Hui, Wendy Hui & Wei T. Yue (2012) Information Security Outsourcing with System Interdependency and Mandatory Security Requirement, Journal of Management Information Systems, 29:3, 117-156.
  35. Caliendo, M., Clement, M., Papies, D., & Scheel-Kopeinig, S. (2012). Research Note: The Cost Impact of Spam Filters: Measuring the Effect of Information System Technologies in Organizations. Information Systems Research 23(3), 1068–1080.
  36. August, T., & Tunca, T. I. (2011). Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments. Management Science 57(5), 934–959.
  37. Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated Failures, Diversification, and Information Security Risk Management. MIS Quarterly 35(2), 397–422.
  38. Mookerjee, V., Mookerjee, R., Bensoussan, A., & Yue, W. T. (2011). When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination. Information Systems Research 22(3), 606–623.
  39. Galbreth, M. R., & Shor, M. (2010). The Impact of Malicious Agents on the Enterprise Software Industry. MIS Quarterly 34(3), 595–612.
  40. Mahmood, M. A., Siponen, M., Straub, D., Rao, H. R., & Raghu, T. S. (2010). Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue. MIS Quarterly 34(3), 431–433.

IT Risk and Stock Price Crash Risk (Working Paper)

Song, Victor, Hasan Cavusoglu, Mary L. Z. Ma, Gene Moo Lee (2023) “IT Risk and Stock Price Crash Risk,” Under 2nd round review at Information Systems Research.

IT risk, especially cybersecurity risk, has rapidly increased and become a top concern for researchers, regulators, firm managers, and investors. This study creates a novel firm-level IT risk measure applicable to all US-listed firms by applying the BERTopic topic modeling to risk factors reported in Item 1A of the 10-K annual reports. We validate the measure with multiple approaches including cross-validations, presenting illustrative excerpts of IT risk factors, conducting cross-sectional and over-time distribution analyses, and analyzing firm characteristics associated with IT risk. The measure is found to be heightened in IT-intensive industries and for firms with larger sizes, higher profits, and better growth potential, and it can predict future data breaches. Using this ex-ante IT risk measure, we examine the relation between IT risk and stock price crash risk, which reflects a firm’s propensity to stock price crashes. Our findings suggest that IT risk is positively associated with crash risk, and we also identify that downward operating risk and predictability for data breaches are two mechanisms for the crash risk effect of IT risk. By decomposing IT risk into cybersecurity risk and non-cybersecurity IT risk, we find that both types of IT risk increase crash risk, but the effect of cybersecurity risk is stronger than that of non-cybersecurity IT risk, consistent with their different risk natures. We further observe that the novelty and readability of IT risk factors strengthen the crash risk effects of IT risk, consistent with the notion that the novelty represents updated and increased IT risk, and readability improves the understanding of IT risk. Lastly, difference-in-differences analyses reveal that IT risk increases stock price crash risk, not the other way around. We conclude the paper by discussing academic contributions and practical implications in the context of the SEC’s directives on reporting and managing IT risk and cybersecurity risk.