{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T20:30:41Z","timestamp":1780777841876,"version":"3.54.1"},"reference-count":58,"publisher":"American Accounting Association","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,6,1]]},"abstract":"ABSTRACT<\/jats:title>\n Cybersecurity has garnered much attention due to the increasing frequency and cost of cybersecurity incidents and has become a significant concern for organizations and governments. Regulators such as the Securities and Exchange Commission (SEC) have also shown an interest in cybersecurity and the quality of cybersecurity risk disclosures. This paper examines the informativeness of cybersecurity risk disclosures when cybersecurity incidents or related internal control weaknesses are reported. In particular, we propose a quantitative methodology, which is a combination of textual analysis and factor analysis, for classifying cybersecurity risk disclosures into nine factors. Our results show different disclosing patterns among firms depending on whether they had cybersecurity incidents and internal control weaknesses. Further, our analysis indicates that firms disclose control-related factors to mediate the negative effect of disclosing vulnerability-related factors. This study provides various stakeholders, including investors, regulators, and researchers, with insight into the informativeness of cybersecurity risk disclosures.<\/jats:p>","DOI":"10.2308\/isys-2020-031","type":"journal-article","created":{"date-parts":[[2020,8,30]],"date-time":"2020-08-30T16:52:13Z","timestamp":1598806333000},"page":"179-194","source":"Crossref","is-referenced-by-count":22,"title":["Classifying the Contents of Cybersecurity Risk Disclosure through Textual Analysis and Factor Analysis"],"prefix":"10.2308","volume":"35","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0507-4936","authenticated-orcid":true,"given":"Arion","family":"Cheong","sequence":"first","affiliation":[{"name":"Rutgers, The State University of New Jersey"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kyunghee","family":"Yoon","sequence":"additional","affiliation":[{"name":"Clark University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Soohyun","family":"Cho","sequence":"additional","affiliation":[{"name":"Rutgers, The State University of New Jersey"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1676-4254","authenticated-orcid":true,"given":"Won Gyun","family":"No","sequence":"additional","affiliation":[{"name":"Rutgers, The State University of New Jersey"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1112","published-online":{"date-parts":[[2020,8,27]]},"reference":[{"key":"2024082915273298000_i1558-7959-35-2-179-Armerding1","unstructured":"Armerding,\n T.\n \n \n 2018.\n\t\t\t\t\tThe 18 biggest data breaches of the 21st century.\n\t\t\t\t\tAvailable at: https:\/\/laptrinhx.com\/the-18-biggest-data-breaches-of-the-21st-century-2296465893\/"},{"key":"2024082915273298000_i1558-7959-35-2-179-AuditAnalytics1","unstructured":"Audit Analytics.\n 2020.\n\t\t\t\t\tAudit Analytics Trends in Cybersecurity Breach Disclosures.\n\t\t\t\t\tSutton, MA:\n\t\t\t\t\tAudit Analytics."},{"key":"2024082915273298000_i1558-7959-35-2-179-Bao1","doi-asserted-by":"crossref","unstructured":"Bao,\n Y.,\n and\n\t\t\t\t\t\tDattaA.\n 2014.\n\t\t\t\t\tSimultaneously discovering and quantifying risk types from textual risk disclosures.\n\t\t\t\t\tManagement Science60 (\n\t\t\t\t\t6):\n\t\t\t\t\t1371\u2013\n\t\t\t\t\t1391.\n\t\t\t\t\thttps:\/\/doi.org\/10.1287\/mnsc.2014.1930","DOI":"10.1287\/mnsc.2014.1930"},{"key":"2024082915273298000_i1558-7959-35-2-179-Bennett1","unstructured":"Bennett,\n C.\n \n \n 2015.\n\t\t\t\t\tSEC weighs cybersecurity disclosure rules.\n\t\t\t\t\tAvailable at: https:\/\/thehill.com\/policy\/cybersecurity\/229431-sec-weighs-cybersecurity-disclosure-rules"},{"key":"2024082915273298000_i1558-7959-35-2-179-Berkman1","doi-asserted-by":"crossref","unstructured":"Berkman,\n H.,\n \n \n Jona\n J.,\n \n \n Lee\n G.,\n and\n\t\t\t\t\t\tSoderstromN.\n 2018.\n\t\t\t\t\tCybersecurity awareness and market valuations.\n\t\t\t\t\tJournal of Accounting and Public Policy37 (\n\t\t\t\t\t6):\n\t\t\t\t\t508\u2013\n\t\t\t\t\t526.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jaccpubpol.2018.10.003","DOI":"10.1016\/j.jaccpubpol.2018.10.003"},{"key":"2024082915273298000_i1558-7959-35-2-179-Blei1","unstructured":"Blei,\n D. M.,\n \n \n Ng\n A. Y.,\n and\n\t\t\t\t\t\tJordanM. I.\n 2003.\n\t\t\t\t\tLatent Dirichlet allocation.\n\t\t\t\t\tJournal of Machine Learning Research3 (\n\t\t\t\t\tJanuary):\n\t\t\t\t\t993\u2013\n\t\t\t\t\t1022."},{"key":"2024082915273298000_i1558-7959-35-2-179-Bliss1","doi-asserted-by":"crossref","unstructured":"Bliss,\n B. A.,\n \n \n Partnoy\n F.,\n and\n\t\t\t\t\t\tFurchtgottM.\n 2018.\n\t\t\t\t\tInformation bundling and securities litigation.\n\t\t\t\t\tJournal of Accounting and Economics65 (\n\t\t\t\t\t1):\n\t\t\t\t\t61\u2013\n\t\t\t\t\t84.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jacceco.2017.11.013","DOI":"10.1016\/j.jacceco.2017.11.013"},{"key":"2024082915273298000_i1558-7959-35-2-179-Bloomfield1","doi-asserted-by":"crossref","unstructured":"Bloomfield,\n R.\n \n \n 2012.\n\t\t\t\t\tDiscussion of detecting deceptive discussions in conference calls.\n\t\t\t\t\tJournal of Accounting Research50 (\n\t\t\t\t\t2):\n\t\t\t\t\t541\u2013\n\t\t\t\t\t552.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/j.1475-679X.2012.00448.x","DOI":"10.1111\/j.1475-679X.2012.00448.x"},{"key":"2024082915273298000_i1558-7959-35-2-179-Brown1","doi-asserted-by":"crossref","unstructured":"Brown,\n S. V.,\n and\n\t\t\t\t\t\tTuckerJ. W.\n 2011.\n\t\t\t\t\tLarge-sample evidence on firms' year-over-year MD&A modifications.\n\t\t\t\t\tJournal of Accounting Research49 (\n\t\t\t\t\t2):\n\t\t\t\t\t309\u2013\n\t\t\t\t\t346.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/j.1475-679X.2010.00396.x","DOI":"10.1111\/j.1475-679X.2010.00396.x"},{"key":"2024082915273298000_i1558-7959-35-2-179-Campbell1","doi-asserted-by":"crossref","unstructured":"Campbell,\n J. L.,\n \n \n Chen\n H.,\n \n \n Dhaliwal\n D. S.,\n \n \n Lu\n H.-M.,\n and\n\t\t\t\t\t\tSteeleL. B.\n 2014.\n\t\t\t\t\tThe information content of mandatory risk factor disclosures in corporate filings.\n\t\t\t\t\tReview of Accounting Studies19 (\n\t\t\t\t\t1):\n\t\t\t\t\t396\u2013\n\t\t\t\t\t455.\n\t\t\t\t\thttps:\/\/doi.org\/10.1007\/s11142-013-9258-3","DOI":"10.1007\/s11142-013-9258-3"},{"key":"2024082915273298000_i1558-7959-35-2-179-Church1","doi-asserted-by":"crossref","unstructured":"Church,\n B.,\n and\n\t\t\t\t\t\tSchneiderA.\n 2016.\n\t\t\t\t\tThe impact of Section 302 and 404 (b) internal control disclosures on prospective investors' judgments and decisions: An experimental study.\n\t\t\t\t\tInternational Journal of Auditing20 (\n\t\t\t\t\t2):\n\t\t\t\t\t175\u2013\n\t\t\t\t\t185.","DOI":"10.1111\/ijau.12065"},{"key":"2024082915273298000_i1558-7959-35-2-179-Craigen1","doi-asserted-by":"crossref","unstructured":"Craigen,\n D.,\n \n \n Diakun-Thibault\n N.,\n and\n\t\t\t\t\t\tPurseR.\n 2014.\n\t\t\t\t\tDefining cybersecurity.\n\t\t\t\t\tTechnology Innovation Management Review4 (\n\t\t\t\t\t10):\n\t\t\t\t\t13\u2013\n\t\t\t\t\t21.","DOI":"10.22215\/timreview\/835"},{"key":"2024082915273298000_i1558-7959-35-2-179-DeAngelo1","doi-asserted-by":"crossref","unstructured":"DeAngelo,\n L. E.\n \n \n 1981.\n\t\t\t\t\tAuditor size and audit quality.\n\t\t\t\t\tJournal of Accounting and Economics3 (\n\t\t\t\t\t3):\n\t\t\t\t\t183\u2013\n\t\t\t\t\t199.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/0165-4101(81)90002-1","DOI":"10.1016\/0165-4101(81)90002-1"},{"key":"2024082915273298000_i1558-7959-35-2-179-DeFond1","unstructured":"DeFond,\n M. L.,\n and\n\t\t\t\t\t\tJiambalvoJ.\n 1991.\n\t\t\t\t\tIncidence and circumstances of accounting errors.\n\t\t\t\t\tThe Accounting Review66 (\n\t\t\t\t\t3):\n\t\t\t\t\t643\u2013\n\t\t\t\t\t655."},{"key":"2024082915273298000_i1558-7959-35-2-179-Doyle1","doi-asserted-by":"crossref","unstructured":"Doyle,\n J.,\n \n \n Ge\n W.,\n and\n\t\t\t\t\t\tMcVayS.\n 2007.\n\t\t\t\t\tDeterminants of weaknesses in internal control over financial reporting.\n\t\t\t\t\tJournal of Accounting and Economics44 (\n\t\t\t\t\t1\/2):\n\t\t\t\t\t193\u2013\n\t\t\t\t\t223.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jacceco.2006.10.003","DOI":"10.1016\/j.jacceco.2006.10.003"},{"key":"2024082915273298000_i1558-7959-35-2-179-Drew1","unstructured":"Drew,\n J.\n \n \n 2012.\n\t\t\t\t\tManaging cybersecurity risks.\n\t\t\t\t\tJournal of Accountancy214 (\n\t\t\t\t\t2):\n\t\t\t\t\t44."},{"key":"2024082915273298000_i1558-7959-35-2-179-Eaton1","doi-asserted-by":"crossref","unstructured":"Eaton,\n T. V.,\n \n \n Grenier\n J. H.,\n and\n\t\t\t\t\t\tLaymanD.\n 2019.\n\t\t\t\t\tAccounting and cybersecurity risk management.\n\t\t\t\t\tCurrent Issues in Auditing13 (\n\t\t\t\t\t2):\n\t\t\t\t\tC1\u2013\n\t\t\t\t\tC9.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/ciia-52419","DOI":"10.2308\/ciia-52419"},{"key":"2024082915273298000_i1558-7959-35-2-179-FederalCommunicationsCommissionFCC1","unstructured":"Federal Communications Commission (FCC).\n 2016.\n\t\t\t\t\tCritical Infrastructure and Communications Security.\n\t\t\t\t\tWashington, DC:\n\t\t\t\t\tFederal Communications Commission."},{"key":"2024082915273298000_i1558-7959-35-2-179-Feldman1","doi-asserted-by":"crossref","unstructured":"Feldman,\n R.,\n \n \n Govindaraj\n S.,\n \n \n Livnat\n J.,\n and\n\t\t\t\t\t\tSegalB.\n 2010.\n\t\t\t\t\tManagement's tone change, post earnings announcement drift and accruals.\n\t\t\t\t\tReview of Accounting Studies15 (\n\t\t\t\t\t4):\n\t\t\t\t\t915\u2013\n\t\t\t\t\t953.\n\t\t\t\t\thttps:\/\/doi.org\/10.1007\/s11142-009-9111-x","DOI":"10.1007\/s11142-009-9111-x"},{"key":"2024082915273298000_i1558-7959-35-2-179-GalOr1","doi-asserted-by":"crossref","unstructured":"Gal-Or,\n E.,\n and\n\t\t\t\t\t\tGhoseA.\n 2005.\n\t\t\t\t\tThe economic incentives for sharing security information.\n\t\t\t\t\tInformation Systems Research16 (\n\t\t\t\t\t2):\n\t\t\t\t\t186\u2013\n\t\t\t\t\t208.\n\t\t\t\t\thttps:\/\/doi.org\/10.1287\/isre.1050.0053","DOI":"10.1287\/isre.1050.0053"},{"key":"2024082915273298000_i1558-7959-35-2-179-Gao1","doi-asserted-by":"crossref","unstructured":"Gao,\n L.,\n \n \n Calderon\n T. G.,\n and\n\t\t\t\t\t\tTangF.\n 2020.\n\t\t\t\t\tPublic companies' cybersecurity risk disclosures.\n\t\t\t\t\tInternational Journal of Accounting Information Systems38 (\n\t\t\t\t\tSeptember).\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.accinf.2020.100468","DOI":"10.1016\/j.accinf.2020.100468"},{"key":"2024082915273298000_i1558-7959-35-2-179-Gordon1","doi-asserted-by":"crossref","unstructured":"Gordon,\n L. A.,\n \n \n Loeb\n M. P.,\n and\n\t\t\t\t\t\tSohailT.\n 2010.\n\t\t\t\t\tMarket value of voluntary disclosures concerning information security.\n\t\t\t\t\tMIS Quarterly34 (\n\t\t\t\t\t3):\n\t\t\t\t\t567\u2013\n\t\t\t\t\t594.\n\t\t\t\t\thttps:\/\/doi.org\/10.2307\/25750692","DOI":"10.2307\/25750692"},{"key":"2024082915273298000_i1558-7959-35-2-179-Graham1","doi-asserted-by":"crossref","unstructured":"Graham,\n J. R.,\n \n \n Harvey\n C. R.,\n and\n\t\t\t\t\t\tRajgopalS.\n 2005.\n\t\t\t\t\tThe economic implications of corporate financial reporting.\n\t\t\t\t\tJournal of Accounting and Economics40 (\n\t\t\t\t\t1\/3):\n\t\t\t\t\t3\u2013\n\t\t\t\t\t73.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jacceco.2005.01.002","DOI":"10.1016\/j.jacceco.2005.01.002"},{"key":"2024082915273298000_i1558-7959-35-2-179-Haapamaki1","doi-asserted-by":"crossref","unstructured":"Haapam\u00e4ki,\n E.,\n and\n\t\t\t\t\t\tSihvonenJ.\n 2019.\n\t\t\t\t\tCybersecurity in accounting research.\n\t\t\t\t\tManagerial Auditing Journal34 (\n\t\t\t\t\t7):\n\t\t\t\t\t808\u2013\n\t\t\t\t\t834.\n\t\t\t\t\thttps:\/\/doi.org\/10.1108\/MAJ-09-2018-2004","DOI":"10.1108\/MAJ-09-2018-2004"},{"key":"2024082915273298000_i1558-7959-35-2-179-He1","doi-asserted-by":"crossref","unstructured":"He,\n S.,\n \n \n Lee\n G. M.,\n \n \n Han\n S.,\n and\n\t\t\t\t\t\tWhinstonA. B.\n 2016.\n\t\t\t\t\tHow would information disclosure influence organizations' outbound spam volume? Evidence from a field experiment.\n\t\t\t\t\tJournal of Cybersecurity2 (\n\t\t\t\t\t1):\n\t\t\t\t\t99\u2013\n\t\t\t\t\t118.\n\t\t\t\t\thttps:\/\/doi.org\/10.1093\/cybsec\/tyw011","DOI":"10.1093\/cybsec\/tyw011"},{"key":"2024082915273298000_i1558-7959-35-2-179-Hicks1","doi-asserted-by":"crossref","unstructured":"Hicks,\n R.,\n and\n\t\t\t\t\t\tTingleyD.\n 2011.\n\t\t\t\t\tCausal mediation analysis.\n\t\t\t\t\tThe Stata Journal11 (\n\t\t\t\t\t4):\n\t\t\t\t\t605\u2013\n\t\t\t\t\t619.\n\t\t\t\t\thttps:\/\/doi.org\/10.1177\/1536867X1201100407","DOI":"10.1177\/1536867X1201100407"},{"key":"2024082915273298000_i1558-7959-35-2-179-Hope1","doi-asserted-by":"crossref","unstructured":"Hope,\n O.-K.,\n \n \n Hu\n D.,\n and\n\t\t\t\t\t\tLuH.\n 2016.\n\t\t\t\t\tThe benefits of specific risk-factor disclosures.\n\t\t\t\t\tReview of Accounting Studies21 (\n\t\t\t\t\t4):\n\t\t\t\t\t1005\u2013\n\t\t\t\t\t1045.\n\t\t\t\t\thttps:\/\/doi.org\/10.1007\/s11142-016-9371-1","DOI":"10.1007\/s11142-016-9371-1"},{"key":"2024082915273298000_i1558-7959-35-2-179-Howardson1","doi-asserted-by":"crossref","unstructured":"Howardson,\n G. N.,\n \n \n Karim\n M. N.,\n and\n\t\t\t\t\t\tHornR. G.\n 2017.\n\t\t\t\t\tThe latent change score model: A more flexible approach to modeling time in self-regulated learning.\n\t\t\t\t\tJournal of Business and Psychology32 (\n\t\t\t\t\t3):\n\t\t\t\t\t317\u2013\n\t\t\t\t\t334.\n\t\t\t\t\thttps:\/\/doi.org\/10.1007\/s10869-016-9475-4","DOI":"10.1007\/s10869-016-9475-4"},{"key":"2024082915273298000_i1558-7959-35-2-179-Huang1","doi-asserted-by":"crossref","unstructured":"Huang,\n K.-W.,\n and\n\t\t\t\t\t\tLiZ.\n 2011.\n\t\t\t\t\tA multilabel text classification algorithm for labeling risk factors in SEC Form 10-K.\n\t\t\t\t\tACM Transactions on Management Information Systems2 (\n\t\t\t\t\t3):\n\t\t\t\t\t1\u2013\n\t\t\t\t\t19.\n\t\t\t\t\thttps:\/\/doi.org\/10.1145\/2019618.2019624","DOI":"10.1145\/2019618.2019624"},{"key":"2024082915273298000_i1558-7959-35-2-179-Kinney1","doi-asserted-by":"crossref","unstructured":"Kinney,\n W. R.,\n Jr.,\n and\n\t\t\t\t\t\tMcDanielL. S.\n 1989.\n\t\t\t\t\tCharacteristics of firms correcting previously reported quarterly earnings.\n\t\t\t\t\tJournal of Accounting and Economics11 (\n\t\t\t\t\t1):\n\t\t\t\t\t71\u2013\n\t\t\t\t\t93.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/0165-4101(89)90014-1","DOI":"10.1016\/0165-4101(89)90014-1"},{"key":"2024082915273298000_i1558-7959-35-2-179-Kunreuther1","doi-asserted-by":"crossref","unstructured":"Kunreuther,\n H.,\n and\n\t\t\t\t\t\tHealG.\n 2003.\n\t\t\t\t\tInterdependent security.\n\t\t\t\t\tJournal of Risk and Uncertainty26 (\n\t\t\t\t\t2-3):\n\t\t\t\t\t231\u2013\n\t\t\t\t\t249.\n\t\t\t\t\thttps:\/\/doi.org\/10.1023\/A:1024119208153","DOI":"10.1023\/A:1024119208153"},{"key":"2024082915273298000_i1558-7959-35-2-179-Li1","doi-asserted-by":"crossref","unstructured":"Li,\n F.\n \n \n 2008.\n\t\t\t\t\tAnnual report readability, current earnings, and earnings persistence.\n\t\t\t\t\tJournal of Accounting and Economics45 (\n\t\t\t\t\t2\/3):\n\t\t\t\t\t221\u2013\n\t\t\t\t\t247.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.jacceco.2008.02.003","DOI":"10.1016\/j.jacceco.2008.02.003"},{"key":"2024082915273298000_i1558-7959-35-2-179-Li2","doi-asserted-by":"crossref","unstructured":"Li,\n H.,\n \n \n No\n W. G.,\n and\n\t\t\t\t\t\tWangT.\n 2018.\n\t\t\t\t\tSEC's cybersecurity disclosure guidance and disclosed cybersecurity risk factors.\n\t\t\t\t\tInternational Journal of Accounting Information Systems30:\n\t\t\t\t\t40\u2013\n\t\t\t\t\t55.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/j.accinf.2018.06.003","DOI":"10.1016\/j.accinf.2018.06.003"},{"key":"2024082915273298000_i1558-7959-35-2-179-Loughran1","doi-asserted-by":"crossref","unstructured":"Loughran,\n T.,\n and\n\t\t\t\t\t\tMcDonaldB.\n 2011.\n\t\t\t\t\tWhen is a liability not a liability? Textual analysis, dictionaries, and 10-Ks.\n\t\t\t\t\tThe Journal of Finance66 (\n\t\t\t\t\t1):\n\t\t\t\t\t35\u2013\n\t\t\t\t\t65.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/j.1540-6261.2010.01625.x","DOI":"10.1111\/j.1540-6261.2010.01625.x"},{"key":"2024082915273298000_i1558-7959-35-2-179-Lundholm1","doi-asserted-by":"crossref","unstructured":"Lundholm,\n R. J.,\n \n \n Rogo\n R.,\n and\n\t\t\t\t\t\tZhangJ. L.\n 2014.\n\t\t\t\t\tRestoring the Tower of Babel: How foreign firms communicate with U.S. investors.\n\t\t\t\t\tThe Accounting Review89 (\n\t\t\t\t\t4):\n\t\t\t\t\t1453\u2013\n\t\t\t\t\t1485.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/accr-50725","DOI":"10.2308\/accr-50725"},{"key":"2024082915273298000_i1558-7959-35-2-179-Malone1","doi-asserted-by":"crossref","unstructured":"Malone,\n P. S.,\n \n \n Lansford\n J. E.,\n \n \n Castellino\n D. R.,\n \n \n Berlin\n L. J.,\n \n \n Dodge\n K. A.,\n \n \n Bates\n J. E.,\n and\n\t\t\t\t\t\tPettitG. S.\n 2004.\n\t\t\t\t\tDivorce and child behavior problems: Applying latent change score models to life event data.\n\t\t\t\t\tStructural Equation Modeling11 (\n\t\t\t\t\t3):\n\t\t\t\t\t401\u2013\n\t\t\t\t\t423.\n\t\t\t\t\thttps:\/\/doi.org\/10.1207\/s15328007sem1103_6","DOI":"10.1207\/s15328007sem1103_6"},{"key":"2024082915273298000_i1558-7959-35-2-179-McArdle1","doi-asserted-by":"crossref","unstructured":"McArdle,\n J. J.\n \n \n 2009.\n\t\t\t\t\tLatent variable modeling of differences and changes with longitudinal data.\n\t\t\t\t\tAnnual Review of Psychology60 (\n\t\t\t\t\t1):\n\t\t\t\t\t577\u2013\n\t\t\t\t\t605.\n\t\t\t\t\thttps:\/\/doi.org\/10.1146\/annurev.psych.60.110707.163612","DOI":"10.1146\/annurev.psych.60.110707.163612"},{"key":"2024082915273298000_i1558-7959-35-2-179-McBride1","unstructured":"McBride,\n M.,\n \n \n Carter\n L.,\n and\n\t\t\t\t\t\tWarkentinM.\n 2012.\n\t\t\t\t\tExploring the role of individual employee characteristics and personality on employee compliance with cybersecurity policies.\n\t\t\t\t\tAvailable at: http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.453.3551&rep=rep1&type=pdf"},{"key":"2024082915273298000_i1558-7959-35-2-179-Merle1","unstructured":"Merle,\n R.\n \n \n 2018.\n\t\t\t\t\tYahoo fined $35 million for failing to disclose cyber breach.\n\t\t\t\t\tAvailable at: https:\/\/www.washingtonpost.com\/news\/business\/wp\/2018\/04\/24\/yahoo-fined-35-million-for-failing-to-disclose-cyber-breach\/"},{"key":"2024082915273298000_i1558-7959-35-2-179-Mikolov1","unstructured":"Mikolov,\n T.,\n \n \n Sutskever\n I.,\n \n \n Chen\n K.,\n \n \n Corrado\n G. S.,\n and\n\t\t\t\t\t\tDeanJ.\n 2013.\n\t\t\t\t\tDistributed representations of words and phrases and their compositionality.\n\t\t\t\t\tAvailable at: https:\/\/www.researchgate.net\/publication\/257882504_Distributed_Representations_of_Words_and_Phrases_and_their_Compositionality"},{"key":"2024082915273298000_i1558-7959-35-2-179-Moore1","unstructured":"Moore,\n T. W.,\n and\n\t\t\t\t\t\tClaytonR.\n 2011.\n\t\t\t\t\tThe impact of public information on phishing attack and defense.\n\t\t\t\t\tCommunications & Strategies81 (\n\t\t\t\t\t1):\n\t\t\t\t\t45\u2013\n\t\t\t\t\t68."},{"key":"2024082915273298000_i1558-7959-35-2-179-No1","doi-asserted-by":"crossref","unstructured":"No,\n W. G.,\n and\n\t\t\t\t\t\tVasarhelyiM. A.\n 2017.\n\t\t\t\t\tCybersecurity and continuous assurance.\n\t\t\t\t\tJournal of Emerging Technologies in Accounting14 (\n\t\t\t\t\t1):\n\t\t\t\t\t1\u2013\n\t\t\t\t\t12.\n\t\t\t\t\thttps:\/\/doi.org\/10.2308\/jeta-10539","DOI":"10.2308\/jeta-10539"},{"key":"2024082915273298000_i1558-7959-35-2-179-NewYorkStateDepartmentofFinancialServicesNYDFS1","unstructured":"New York State Department of Financial Services (NYDFS).\n\t\t\t\t\t2017.\n\t\t\t\t\t23 NYCRR 500: Cybersecurity requirements for financial services companies.\n\t\t\t\t\tAvailable at: https:\/\/govt.westlaw.com\/nycrr\/Browse\/Home\/NewYork\/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default) (last accessed May 2021)."},{"key":"2024082915273298000_i1558-7959-35-2-179-Moody1","unstructured":"Moody,\n C.\n \n \n 2016.\n\t\t\t\t\tMixing Dirichlet topic models and word embeddings to make Lda2vec.\n\t\t\t\t\tAvailable at: https:\/\/arxiv.org\/abs\/1605.02019"},{"key":"2024082915273298000_i1558-7959-35-2-179-PonemonInstitute1","unstructured":"Ponemon Institute.\n 2018.\n\t\t\t\t\tCost of a data breach study: Global overview.\n\t\t\t\t\tAvailable at: https:\/\/www.ibm.com\/account\/reg\/us-en\/signup?formid=urx-33316 (last accessed May 2021)."},{"key":"2024082915273298000_i1558-7959-35-2-179-Robbins1","unstructured":"Robbins,\n R. B.,\n and\n\t\t\t\t\t\tRothenbergP. L.\n 2005.\n\t\t\t\t\tSecurities disclosure.\n\t\t\t\t\tInsights: The Corporate & Securities Law Advisor19 (\n\t\t\t\t\t5):\n\t\t\t\t\t9\u2013\n\t\t\t\t\t16."},{"key":"2024082915273298000_i1558-7959-35-2-179-Roder1","doi-asserted-by":"crossref","unstructured":"R\u00f6der,\n M.,\n \n \n Both\n A.,\n and\n\t\t\t\t\t\tHinneburgA.\n 2015.\n\t\t\t\t\tExploring the space of topic coherence measures.\n\t\t\t\t\tProceedings of the Eighth ACM International Conference on Web Search and Data Mining.","DOI":"10.1145\/2684822.2685324"},{"key":"2024082915273298000_i1558-7959-35-2-179-SecuritiesandExchangeCommissionSEC1","unstructured":"Securities and Exchange Commission (SEC).\n 2005.\n\t\t\t\t\tFinal Rule: Securities Offering Reform: SEC Release No. 33-859.\n\t\t\t\t\tWashington, DC:\n\t\t\t\t\tGPO."},{"key":"2024082915273298000_i1558-7959-35-2-179-SecuritiesandExchangeCommissionSEC2","unstructured":"Securities and Exchange Commission (SEC).\n 2011.\n\t\t\t\t\tCF Disclosure Guidance: Topic No. 2 Cybersecurity.\n\t\t\t\t\tWashington, DC:\n\t\t\t\t\tGPO."},{"key":"2024082915273298000_i1558-7959-35-2-179-SecuritiesandExchangeCommissionSEC3","unstructured":"Securities and Exchange Commission (SEC).\n 2018.\n\t\t\t\t\tCommission Statement and Guidance on Public Company Cybersecurity Disclosures.\n\t\t\t\t\tWashington, DC:\n\t\t\t\t\tGPO."},{"key":"2024082915273298000_i1558-7959-35-2-179-Shumsky1","unstructured":"Shumsky,\n T.\n \n \n 2016.\n\t\t\t\t\tCorporate judgment call: When to disclose you've been hacked.\n\t\t\t\t\tAvailable at: https:\/\/www.wsj.com\/articles\/corporate-judgment-call-when-to-disclose-youve-been-hacked-1474320689"},{"key":"2024082915273298000_i1558-7959-35-2-179-Skinner1","doi-asserted-by":"crossref","unstructured":"Skinner,\n D. J.\n \n \n 1997.\n\t\t\t\t\tEarnings disclosures and stockholder lawsuits.\n\t\t\t\t\tJournal of Accounting and Economics23 (\n\t\t\t\t\t3):\n\t\t\t\t\t249\u2013\n\t\t\t\t\t282.\n\t\t\t\t\thttps:\/\/doi.org\/10.1016\/S0165-4101(97)00010-4","DOI":"10.1016\/S0165-4101(97)00010-4"},{"key":"2024082915273298000_i1558-7959-35-2-179-Stouffer1","doi-asserted-by":"crossref","unstructured":"Stouffer,\n K.,\n \n \n Lightman\n S.,\n \n \n Pillitteri\n V.,\n \n \n Abrams\n M.,\n and\n\t\t\t\t\t\tHahnA.\n 2014.\n\t\t\t\t\tGuide to Industrial Control Systems (ICS) Security: NIST Special Publication 800-82, Revision 2.\n\t\t\t\t\tGaithersburg, MD:\n\t\t\t\t\tNational Institute of Standards and Technology.","DOI":"10.6028\/NIST.SP.800-82r2"},{"key":"2024082915273298000_i1558-7959-35-2-179-Tang1","unstructured":"Tang,\n Q.,\n \n \n Linden\n L.,\n \n \n Quarterman\n J. S.,\n and\n\t\t\t\t\t\tWhinstonA. B.\n 2013.\n\t\t\t\t\tImproving internet security through social information and social comparison: A field quasi-experiment.\n\t\t\t\t\tAvailable at: https:\/\/econinfosec.org\/archive\/weis2013\/papers\/TangWEIS2013.pdf"},{"key":"2024082915273298000_i1558-7959-35-2-179-Tetlock1","doi-asserted-by":"crossref","unstructured":"Tetlock,\n P. C.,\n \n \n Saar-Tsechansky\n M.,\n and\n\t\t\t\t\t\tMacskassyS.\n 2008.\n\t\t\t\t\tMore than words: Quantifying language to measure firms' fundamentals.\n\t\t\t\t\tThe Journal of Finance63 (\n\t\t\t\t\t3):\n\t\t\t\t\t1437\u2013\n\t\t\t\t\t1467.\n\t\t\t\t\thttps:\/\/doi.org\/10.1111\/j.1540-6261.2008.01362.x","DOI":"10.1111\/j.1540-6261.2008.01362.x"},{"key":"2024082915273298000_i1558-7959-35-2-179-Trope1","unstructured":"Trope,\n R. L.,\n and\n\t\t\t\t\t\tHughesS. J.\n 2011.\n\t\t\t\t\tThe SEC staff's cybersecurity disclosure guidance: Will it help investors or cyber-thieves more? Available at: https:\/\/www.repository.law.indiana.edu\/cgi\/viewcontent.cgi?article=3558&context=facpub"},{"key":"2024082915273298000_i1558-7959-35-2-179-USHouseofRepresentatives1","unstructured":"U.S. House of Representatives.\n 2002.\n\t\t\t\t\tSarbanes-Oxley Act of 2002. Public Law No: 107-204 [H.R. 3763].\n\t\t\t\t\tWashington DC:\n\t\t\t\t\tGPO."},{"key":"2024082915273298000_i1558-7959-35-2-179-Wang1","doi-asserted-by":"crossref","unstructured":"Wang,\n T.,\n \n \n Kannan\n K. N.,\n and\n\t\t\t\t\t\tUlmerJ. R.\n 2013.\n\t\t\t\t\tThe association between the disclosure and the realization of information security risk factors.\n\t\t\t\t\tInformation Systems Research24 (\n\t\t\t\t\t2):\n\t\t\t\t\t201\u2013\n\t\t\t\t\t218.\n\t\t\t\t\thttps:\/\/doi.org\/10.1287\/isre.1120.0437","DOI":"10.1287\/isre.1120.0437"}],"container-title":["Journal of Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/35\/2\/179\/7661\/i1558-7959-35-2-179.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/publications.aaahq.org\/jis\/article-pdf\/35\/2\/179\/7661\/i1558-7959-35-2-179.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T16:58:11Z","timestamp":1724950691000},"score":1,"resource":{"primary":{"URL":"https:\/\/publications.aaahq.org\/jis\/article\/35\/2\/179\/960\/Classifying-the-Contents-of-Cybersecurity-Risk"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,27]]},"references-count":58,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2020,8,27]]},"published-print":{"date-parts":[[2021,6,1]]}},"URL":"https:\/\/doi.org\/10.2308\/isys-2020-031","relation":{},"ISSN":["1558-7959","0888-7985"],"issn-type":[{"value":"1558-7959","type":"electronic"},{"value":"0888-7985","type":"print"}],"subject":[],"published":{"date-parts":[[2020,8,27]]}}}