Exploring the information content of cyber breach reports and the relationship to internal controls

Benjamin Blakely¹, Jim Kurtenbach², Lovila Nowak³
¹ Strategic Security Sciences, Argonne National Laboratory, Ames, IA 50010, United States
² Ivy College of Business, Iowa State University, Ames, IA 50010, United States
³ Strategic Security Sciences, Argonne National Laboratory, Argonne, IL 60439, United States
