Investors’ perceptions of the cybersecurity risk management reporting framework

Pages: 167-183
DOI: https://doi.org/10.1108/IJAIM-02-2019-0022
Published date: 28 January 2020
Author: Ling Yang, Linda Lau, Huiqi Gan
Subject Matter: Accounting/accountancy, Accounting methods/systems
Ling Yang
Department of Accounting, New Jersey City University, Jersey City, New Jersey, USA
Linda Lau
Longwood University, Farmville, Virginia, USA, and
Huiqi Gan
UMass Lowell, Lowell, Massachusetts, USA
Abstract
Purpose: The purpose of this paper is to propose a research model to examine the perception of non-professional investors toward the cybersecurity reporting framework developed by the American Institute of Certified Public Accountants (AICPA).
Design/methodology/approach: The proposed hypotheses were tested using structural equation modeling with data collected from Amazon’s Mechanical Turk platform.
Findings: The findings conclude that investors’ perceived benefits of the cybersecurity risk framework are positively related to investment intention. Information quality and cybersecurity awareness also positively influence perceived benefits of the risk framework and investment intention.
Practical implications: Findings of this study are relevant to both regulatory bodies and firms because non-professional investors’ perceptions of the benefits of the AICPA’s reporting framework are unveiled.
Originality/value: Findings from this research help to provide a more in-depth understanding of the impact of various factors on investor’s decision-making process and also significant insights into the non-professional investor’s attitude toward the AICPA’s framework.
Keywords: Cybersecurity risk management reporting framework, Information quality, Cybersecurity awareness, Trust
Paper type: Research paper
Received 20 February 2019
Revised 5 April 2019
Accepted 24 April 2019
International Journal of Accounting & Information Management, Vol. 28 No. 1, 2020, pp. 167-183
© Emerald Publishing Limited, 1834-7649
DOI 10.1108/IJAIM-02-2019-0022
The current issue and full text archive of this journal is available on Emerald Insight at: https://www.emerald.com/insight/1834-7649.htm
1. Introduction
Cybersecurity poses extraordinary challenges as organizations are vulnerable to data breaches and other cyber-related threats (PwC, 2017). For instance, a 2017 data breach at Equifax may have compromised the identities of more than 143 million US individuals (The Editorial Board, 2017). In response to these growing challenges, the American Institute of Certified Public Accountants (AICPA, 2017) developed an entity-level cybersecurity reporting framework that firms can use to disclose useful information to stakeholders about their cybersecurity risk management program and its effectiveness. The framework consists of the following three components that aim to assist stakeholders in monitoring a firm’s cybersecurity risk management program:
(1) management’s description of the program;
(2) management’s assertion that the program description is in accordance with the AICPA’s description criteria and measures of effectiveness in terms of achieving the entity’s cybersecurity objectives; and
(3) the AICPA’s opinion on the description and effectiveness of the controls put in place.
The framework provides a common language that stakeholders can use to evaluate a firm’s cybersecurity position and the effectiveness of its risk management program. Despite the existence of this framework, little is known about investors’ perceptions and to what extent these perceptions influence investment decisions. To fill in this research gap, this study examines non-professional investors’ perceptions of the AICPA’s framework and how their perceptions affect investment decisions; and how factors such as perceptions of the quality of the existing information, individuals’ cybersecurity awareness (CSA) and trust affect this decision-making process.
A survey was administered to 194 non-professional investors recruited from Amazon’s Mechanical Turk platform. We found that information quality (IQ), participants’ CSA and the perceived benefit of the cybersecurity risk framework are directly and indirectly related to their investment intentions. In addition, trust partially mediates the effect of CSA and IQ on perceived benefits of the framework.
Perols and Murthy (2018) is one of the first few studies to test how the attestation service of AICPA’s framework affects investors’ perceptions and valuation judgments. Contrasting with Perols and Murthy’s (2018) focus, our study investigates how investors’ general perceptions about the firms’ IQ, cybersecurity and investors’ trust would influence their attitudes toward this framework and their intentions to invest in these firms based on the technology acceptance model (TAM). This study uses the survey method, which is identified as an effective way to study users’ perception of new system adoption (Moqbel et al., 2013; Wu and Chen, 2017), to help reveal the factors that influence investors’ perceptions of the reporting framework.
Our study makes the following contributions. First, our study provides novel and direct evidence of non-professional investors’ perceptions of the AICPA’s cybersecurity framework and how these perceptions can affect their investment intentions. Currently, the adoption of the AICPA’s reporting framework and the disclosure of the cybersecurity risk management program are voluntary. As Chen et al. (2016, p. 50) point out, practitioners have always been concerned about management’s voluntary disclosures, particularly in terms of whether communicating these disclosures to investors influences investment decisions.
In addition to the claimed benefits associated with the proposed risk framework, firms are likely to incur a certain level of costs, depending on the complexity and maturity of their IT environments (Lenk et al., 2018). Thus, our findings are relevant to both regulatory bodies and firms in that we unveil non-professional investors’ perceptions of the benefits of the AICPA’s reporting framework. This is significant because non-professional investors represent a significant group of stakeholders who are concerned about the firm’s cybersecurity risks.
Second, we extend the literature on cybersecurity risk (Kim et al., 2008; Srinidhi et al., 2015) by investigating how various factors, including IQ, CSA and trust, interactively affect investors’ perceptions and decision-making processes. We found that the perceived quality