Investors’ perceptions of the cybersecurity risk management reporting framework
Pages | 167-183 |
DOI | https://doi.org/10.1108/IJAIM-02-2019-0022 |
Published date | 28 January 2020 |
Author | Ling Yang, Linda Lau, Huiqi Gan |
Subject Matter | Accounting/accountancy, Accounting methods/systems |
Ling Yang
Department of Accounting, New Jersey City University, Jersey City, New Jersey, USA
Linda Lau
Longwood University, Farmville, Virginia, USA, and
Huiqi Gan
UMass Lowell, Lowell, Massachusetts, USA
Abstract
Purpose – The purpose of this paper is to propose a research model to examine the perception of
non-professional investors toward the cybersecurity reporting framework developed by the American
Institute of Certified Public Accountants (AICPA).
Design/methodology/approach – The proposed hypotheses were tested using structural equation
modeling with data collected from Amazon’s Mechanical Turk platform.
Findings – The findings conclude that investors’ perceived benefits of the cybersecurity risk
framework are positively related to investment intention. Information quality and cybersecurity
awareness also positively influence perceived benefits of the risk framework and investment
intention.
Practical implications – Findings of this study are relevant to both regulatory bodies and firms
because non-professional investors’ perceptions of the benefits of the AICPA’s reporting framework
are unveiled.
Originality/value – Findings from this research help to provide a more in-depth understanding of the
impact of various factors on investor’s decision-making process and also significant insights into the
non-professional investor’s attitude toward the AICPA’s framework.
Keywords Cybersecurity risk management reporting framework, Information quality,
Cybersecurity awareness, Trust
Paper type Research paper
Received 20 February 2019
Revised 5 April 2019
Accepted 24 April 2019
International Journal of Accounting & Information Management, Vol. 28 No. 1, 2020, pp. 167-183
© Emerald Publishing Limited, 1834-7649
DOI 10.1108/IJAIM-02-2019-0022
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/1834-7649.htm
1. Introduction
Cybersecurity poses extraordinary challenges as organizations are vulnerable to data
breaches and other cyber-related threats (PwC, 2017). For instance, a 2017 data breach at
Equifax may have compromised the identities of more than 143 million US individuals (The
Editorial Board, 2017). In response to these growing challenges, the American Institute of
Certified Public Accountants (AICPA, 2017) developed an entity-level cybersecurity
reporting framework that firms can use to disclose useful information to stakeholders about
their cybersecurity risk management program and its effectiveness. The framework
consists of the following three components that aim to assist stakeholders in monitoring a
firm’s cybersecurity risk management program:
(1) management’s description of the program;
(2) management’s assertion that the program description is in accordance with the
AICPA’s description criteria and measures of effectiveness in terms of achieving
the entity’s cybersecurity objectives; and
(3) the AICPA’s opinion on the description and effectiveness of the controls put in
place.
The framework provides a common language that stakeholders can use to evaluate a firm’s
cybersecurity position and the effectiveness of its risk management program. Despite the
existence of this framework, little is known about investors’ perceptions and to what extent
these perceptions influence investment decisions. To fill in this research gap, this study
examines:
(1) non-professional investors’ perceptions of the AICPA’s framework and how their
perceptions affect investment decisions; and
(2) how factors such as perceptions of the quality of the existing information,
individuals’ cybersecurity awareness (CSA) and trust affect this decision-making
process.
A survey was administered to 194 non-professional investors recruited from Amazon’s
Mechanical Turk platform. We found that information quality (IQ), participants’ CSA and
the perceived benefit of the cybersecurity risk framework are directly and indirectly related
to their investment intentions. In addition, trust partially mediates the effect of CSA and IQ
on perceived benefits of the framework.
Perols and Murthy (2018) is one of the first few studies to test how the attestation service of
AICPA’s framework affects investors’ perceptions and valuation judgments. In contrast to the
focus of Perols and Murthy (2018), our study investigates how investors’ general perceptions about
the firms’ IQ, cybersecurity and investors’ trust would influence their attitudes toward this
framework and their intentions to invest in these firms based on the technology acceptance model
(TAM). This study uses the survey method, which is identified as an effective way to study users’
perception of new system adoption (Moqbel et al., 2013; Wu and Chen, 2017), to help reveal the
factors that influence investors’ perceptions of the reporting framework.
Our study makes the following contributions. First, our study provides novel and direct
evidence of non-professional investors’ perceptions of the AICPA’s cybersecurity
framework and how these perceptions can affect their investment intentions. Currently, the
adoption of the AICPA’s reporting framework and the disclosure of the cybersecurity risk
management program are voluntary. As Chen et al. (2016, p. 50) point out, practitioners have
always been concerned about management’s voluntary disclosures, particularly in terms of
whether communicating these disclosures to investors influences investment decisions.
In addition to the claimed benefits associated with the proposed risk framework, firms
are likely to incur a certain level of costs, depending on the complexity and maturity of their
IT environments (Lenk et al., 2018). Thus, our findings are relevant to both regulatory
bodies and firms in that we unveil non-professional investors’ perceptions of the benefits of
the AICPA’s reporting framework. This is significant because non-professional investors
represent a significant group of stakeholders who are concerned about the firms’
cybersecurity risks.
Second, we extend the literature on cybersecurity risk (Kim et al., 2008; Srinidhi et al.,
2015) by investigating how various factors, including IQ, CSA and trust, interactively affect
investors’ perceptions and decision-making processes. We found that the perceived quality