Reading the Disclosures with New Eyes: Bridging the Gap between Information Security Disclosures and Incidents

This paper investigates how the characteristics of information security incidents and disclosures in financial reports affect the valuation of a firm. Building on theories of disclosures in the accounting literature, we investigate investor reaction to disclosures through both quantitative and qualitative analyses. A cross-sectional analysis is first performed to examine the effect of the number of disclosures on stock price reactions to information security incidents. The results suggest that information security risk factors disclosed in financial reports increases the impact of information security incidents. Such an observation is consistent with investors perceiving the disclosures as a warning of future incidents. In order to provide a richer interpretation of the results, we further explore the contents of the disclosures using text mining techniques. One of the key findings is that breached firms react to information security incidents by disclosing additional and more specific risk factors. We further build a model to link disclosures with different stock price reactions to information security incidents to provide insights into how companies should disclose security concerns and practices. The model suggests that the disclosures associated with non-negative reactions are more generic and include actionable terms which confirms different disclosure patterns from companies with and without breach announcements. Thus, the paper not only contributes to the literature in information security and accounting but also sheds light on how managers can evaluate their information security policies and convey information security practices more effectively to the investors.