Exploring the information content of cyber breach reports and the relationship to internal controls

IF 4.1 3区管理学 Q2 BUSINESS International Journal of Accounting Information Systems Pub Date : 2022-09-01 DOI:10.1016/j.accinf.2022.100568

Benjamin Blakely , Jim Kurtenbach , Lovila Nowak

{"title":"Exploring the information content of cyber breach reports and the relationship to internal controls","authors":"Benjamin Blakely , Jim Kurtenbach , Lovila Nowak","doi":"10.1016/j.accinf.2022.100568","DOIUrl":null,"url":null,"abstract":"<div><p>A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee on Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm’s ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident, which may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyzie the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data.</p><p>This study is focused on education as to the current structure of breach reporting based upon our review and synthesis of publicly-available breach reports.</p><p>In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose. We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.</p></div>","PeriodicalId":47170,"journal":{"name":"International Journal of Accounting Information Systems","volume":"46 ","pages":"Article 100568"},"PeriodicalIF":4.1000,"publicationDate":"2022-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Accounting Information Systems","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1467089522000203","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"BUSINESS","Score":null,"Total":0}

引用次数: 6

Abstract

A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee on Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm’s ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident, which may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyzie the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data.

This study is focused on education as to the current structure of breach reporting based upon our review and synthesis of publicly-available breach reports.

In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose. We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

探讨网络泄露报告的信息内容及其与内部控制的关系

许多机构提供了关于网络安全漏洞的类型、影响或起源的报告。根据2017年赞助机构委员会企业风险管理(COSO ERM)信息安全控制框架的原则15审查网络泄露报告的信息内容，以了解网络泄露报告反映既定COSO内部控制框架的程度。本研究利用COSO ERM内部控制框架来检查当前的网络泄露报告是否包含可能影响公司评估因外部力量而导致的行业内重大变化的能力的信息(COSO ERM原则15)。因此，本研究的重点是数据泄露，这是一种特殊类型的网络事件，可能导致机密信息的丢失。网络决策者依靠这类信息来校准信息安全计划，以确保相关威胁的覆盖范围和可用资金的有效利用。这些报告可用于网络安全风险评估和战略规划。我们比较、对比和分析这些报告，以确定它们在这种上下文中的效用。我们还概述了当前的网络安全报道环境，并建议修订美国国家网络政策，以增加记者和数据消费者的利益。本研究的重点是基于我们对公开可用的违约报告的审查和综合，对当前违约报告结构的教育。在本研究中，我们回顾了符合四(4)个标准的九(9)份报告。我们将这些标准与COSO ERM Principle 15提供的框架联系起来，通过分析这些标准并将其放入为此目的开发的分类法中。我们分析了报告的互补程度，反映了内部控制的潜在改进，并为从业者可能使用这些类型的报告的方式提供建议，同时强调了潜在的局限性。我们的研究结果表明，样本报告中包含的可用于改善实体风险概况的信息很少。我们提供建议，以改善信息内容和违规报告的及时性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

International Journal of Accounting Information Systems Multiple-

CiteScore

9.00

自引率

6.50%

发文量

期刊介绍： The International Journal of Accounting Information Systems will publish thoughtful, well developed articles that examine the rapidly evolving relationship between accounting and information technology. Articles may range from empirical to analytical, from practice-based to the development of new techniques, but must be related to problems facing the integration of accounting and information technology. The journal will address (but will not limit itself to) the following specific issues: control and auditability of information systems; management of information technology; artificial intelligence research in accounting; development issues in accounting and information systems; human factors issues related to information technology; development of theories related to information technology; methodological issues in information technology research; information systems validation; human–computer interaction research in accounting information systems. The journal welcomes and encourages articles from both practitioners and academicians.