You cannot spell risk without "I-S": The disclosure of information systems risks by Fortune 1000 firms.

Abstract

Cybersecurity events can cause business disruptions, health and safety repercussions, financial costs, and negative publicity for large firms, and executives rank cybersecurity as a top operational concern. Although cybersecurity may be the most publicized information systems (IS) risk, large firms face a range of IS risks. Over the past three decades, researchers developed frameworks to categorize and evaluate IS risks. However, there have been few updates to these frameworks despite numerous technological advances, and we are not aware of any research that uses empirical data to map actual IS risks cited by large firms to these frameworks. To address this gap, we coded and analyzed text data from Item 1A (Risk Factors) of the fiscal year 2020 Securities and Exchange Commission Forms 10-K for all Fortune 1000 firms. We build on prior research to develop a framework that places 25 IS risks into four quadrants and 10 categories, and we record the number and type of IS risks cited by each firm. The risk of cyberattack is cited by virtually all Fortune 1000 firms, and the risk of software/hardware failure is cited by 90% of Fortune 1000 firms. Risks associated with data privacy law compliance are cited by 70% of Fortune 1000 firms, and risks associated with internet/telecommunications/power outage, human error, and natural disasters/terrorism are cited by 60% of Fortune 1000 firms. We perform additional analysis to identify differences in risk citation based on industry and financial measures.