23 research outputs found

    An Event Study Analysis of the Economic Impact of IT Operational Risk and its Subcategories

    Organizations’ growing exposure to IT operational risk, or the risk of failures of operational IT systems, could translate into significant losses. Despite this, there are notable theoretical and empirical gaps in the literature on IT operational risk. We propose the “resource weaknesses” framework, which extends the resource-based theory of the firm, as a theoretical lens for investigating IT operational risk and its impacts. We also theorize about and empirically examine the impact differences of two categories of IT operational failures: ones resulting in the disclosure, misuse, or destruction of data assets, and ones resulting in the loss of availability or the mis-operation of functional IT assets responsible for the handling of data assets. Whereas the former, data-related failures have had some coverage in the literature, little is known about the latter, function-related failures. We apply an event study analysis with a well-balanced data set of IT operational failure events that occurred in U.S. financial service firms over a 25-year period. We find that function-related events have a substantially larger negative wealth effect than data-related events, and that firm characteristics such as firm size and growth potential greatly influence the degree of wealth effect. We conclude with important implications for practice and research.

    IT operational risk awareness building in banking companies: A preliminary research design highlighting the importance of risk cultures and control systems

    This research-in-progress paper introduces a research initiative focusing on bank employee risk behaviour to mitigate IT operational risks in Austrian banks. The study focuses on the role of IT risk culture and internal controls in relation to employee risk behaviour and the effectiveness of different awareness building practices in banking companies in response to international banking regulation. We offer a short introduction to central theoretical concepts, main research assumptions and a two-stage methodological design to conduct the underlying study. The indicative findings suggest important properties of awareness building methods and guidelines to create a proactive IT risk culture.

    The Market’s Reaction to the Disclosure of a Cybersecurity Breach


    The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

    Banks rely heavily on information security (IS) by preserving confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA in promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and on identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, the Czech Republic, Hungary, Slovakia, and Romania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, and the Knowledge-Attitude-Behavior model. The data were analyzed using partial least squares structural equation modeling (PLS-SEM). In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which in turn positively affects employees' attitudes and social norms toward compliance with ISPs but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS, as shown in the chain of subsequent factors: employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the constructs of Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role in positively affecting the intention for compliant IS behavior. Surprisingly, employees' perception of ISA programs negatively affects perceived vulnerability. Moreover, perceived monitoring has a positive moderating effect on the intention-behavior link. Finally, the fourth research stage consists of a qualitative study to analyze the efforts of IS managers to enhance IS and to examine how these efforts are perceived by users. Further, the inductive part of the study uncovers factors that influence the compliant IS behavior of users. Therefore, semi-structured interviews with IS managers were carried out to discover ISA program designs and categorize them according to design recommendations gained from current literature. In addition, this stage shows that individual ISP compliance seems to be connected with individual perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. To conclude, this dissertation provides several practical as well as theoretical contributions. From an academic perspective, the findings highlight the importance of attitudes, social norms, neutralization techniques, and coping mechanisms for employees' intentions to comply with their ISP. Future research might extend the findings by establishing and characterizing IS-enhancing social norms and exploring methods of counteracting the common use of neutralization techniques. For practitioners, the analysis of the design practices of ISA programs provides a better understanding of effectively using ISA interventions in the context of banks. (author's abstract)

    End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study

    The purpose of this research is to analyze information security awareness (ISA) programs and the measurement of ISA behavior in banking organizations. The underlying paper summarizes the qualitative and exploratory part of our two-stage mixed methods research on the improvement of employee security behavior concerning IT operational risks. IT operational loss events are often caused by undesirable security behavior of employees concerning information technology. Organizations conduct ISA programs to build employees’ security awareness concerning information technology in order to prevent IT operational loss events. Ten semi-structured qualitative expert interviews were carried out to explore potential improvements to ISA programs. Our findings focus on the character of ISA delivery methods and the controls implemented for these methods. Further research should shed light on the effectiveness of experimental and proactive ISA controlling. The outcome provides input for practice in the area of ISA building in the financial sector.

    IT Risk Factor Disclosure and Stock Price Crashes

    As firms become increasingly dependent on Information Technology (IT) for their business strategies and value creation activities, risks associated with IT have become one of the top concerns for corporate boards and managers. This study examines the impact of IT-related risk factor disclosure in Item 1A of the 10-K annual report on stock price crashes. We use Latent Dirichlet Allocation topic modeling to identify risk categories in risk disclosures between 2006 and 2017. IT risk emerged as one of the key risk categories. We find that IT risk disclosure is positively correlated with a firm’s future stock price crash risk. We further separate IT risk factor disclosures into two categories: IT value risk, which relates to a firm’s use of and reliance on information technology for its operations to reach its goals and objectives, and cybersecurity risk, which could lead to a loss or leak of data. We find that while the correlation between cybersecurity risk disclosure and a firm’s future crash risk is significant, IT value risk disclosures do not have a significant correlation.

    Firm Actions Toward Data Breach Incidents and Firm Equity Value: An Empirical Study

    Managing information resources, including protecting the privacy of customer data, plays a critical role in most firms. Data breach incidents may be extremely costly for firms. In the face of a data breach event, some firms are reluctant to disclose information to the public. Firms may be concerned about the potential drop in market value following the revelation of a data breach. This paper examines the impact of data breach incidents on the firm’s market value (equity value), and explores the possibility that certain firm behaviors may reduce the cost of the incidents. We use regression analysis to identify the factors that affect the cumulative abnormal stock return (CAR). Our results indicate that when a data breach happens, firms should not only notify customers or the public in a timely manner, but also try to control the amount of information disclosed. These findings should provide corporate executives with guidance on managing public disclosure of data breach incidents.
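The event-study quantity that this abstract and the IT operational risk study above regress on, the cumulative abnormal return (CAR), is rarely spelled out in abstracts. The following is an added example, not code or data from any of the listed papers: it fits the single-factor market model by ordinary least squares over a pre-event estimation window, computes abnormal returns over an event window around a disclosure day, and sums them into a CAR. The daily return series is constructed for illustration, the window lengths are assumptions (published studies typically use on the order of 120 to 250 estimation days), and the deliberate gap between the two windows keeps any pre-announcement leakage out of the "normal" return model.

```python
"""
Market-model event study: abnormal returns (AR) and cumulative abnormal
return (CAR) around an event day such as a breach disclosure.

Added example. The return series below is constructed for illustration and
is not data from any study on this page; the window offsets are assumptions.
"""
from typing import Sequence


def fit_market_model(firm: Sequence[float], market: Sequence[float]) -> tuple[float, float]:
    """OLS fit of r_firm = alpha + beta * r_market over the estimation window."""
    n = len(firm)
    if n != len(market) or n < 3:
        raise ValueError("need at least three paired daily returns")
    mean_f = sum(firm) / n
    mean_m = sum(market) / n
    s_mm = sum((m - mean_m) ** 2 for m in market)
    if s_mm == 0.0:
        raise ValueError("market returns are constant; beta is undefined")
    s_fm = sum((f - mean_f) * (m - mean_m) for f, m in zip(firm, market))
    beta = s_fm / s_mm
    alpha = mean_f - beta * mean_m
    return alpha, beta


def event_study(firm: Sequence[float], market: Sequence[float], event_day: int,
                est_window: tuple[int, int] = (-13, -4),
                evt_window: tuple[int, int] = (-1, 1)) -> dict:
    """
    Windows are day offsets relative to event_day, inclusive.  Days between
    the estimation and event windows are left out on purpose so that
    pre-announcement leakage does not contaminate the normal-return model.
    """
    e0, e1 = event_day + est_window[0], event_day + est_window[1]
    w0, w1 = event_day + evt_window[0], event_day + evt_window[1]
    if not (0 <= e0 <= e1 < w0 <= w1 < len(firm)):
        raise ValueError("windows must be ordered, disjoint and inside the series")
    alpha, beta = fit_market_model(firm[e0:e1 + 1], market[e0:e1 + 1])
    # AR_t = actual return - return predicted by the market model
    ars = [f - (alpha + beta * m)
           for f, m in zip(firm[w0:w1 + 1], market[w0:w1 + 1])]
    return {"alpha": alpha, "beta": beta,
            "abnormal_returns": ars, "car": sum(ars)}


# Constructed series (hypothetical): 10 estimation days on which the firm
# tracks the market exactly (alpha 0.001, beta 1.2), 2 gap days, then a
# 3-day event window whose middle day (index 13) is the disclosure.
MARKET = [0.01, -0.02, 0.015, 0.005, -0.01, 0.02, -0.005, 0.0, 0.012, -0.008,
          0.003, -0.002,
          0.0, 0.005, -0.005]
FIRM = ([0.001 + 1.2 * m for m in MARKET[:10]]
        + [0.0046, -0.0014]
        + [-0.01, -0.03, 0.002])

if __name__ == "__main__":
    res = event_study(FIRM, MARKET, event_day=13)
    print(f"alpha={res['alpha']:.4f} beta={res['beta']:.3f}")
    print("AR[-1..+1]:", [round(a, 4) for a in res["abnormal_returns"]])
    print(f"CAR[-1,+1] = {res['car']:.4f}")
```

With the constructed series the fitted model recovers alpha 0.001 and beta 1.2, the abnormal returns on the three event days are -0.011, -0.037 and 0.007, and CAR[-1,+1] is -0.041, i.e. a 4.1% wealth effect net of what the market movement alone would have predicted. In a real study the CAR per event is what then becomes the dependent variable in a cross-sectional regression on firm characteristics such as size, growth potential or disclosure behaviour; the multi-factor variant mentioned in the Michigan dissertation below adds further explanatory return factors to the single regressor used here.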

    Themes in Information Security Research in the Information Systems Discipline: A Topic Modeling Approach

    Information security continues to grow in importance in all aspects of society, and therefore evolves as a prevalent research area. The Information Systems (IS) discipline offers a unique perspective from which to move this stream of literature forward. Using a semi-automated thematic analysis approach based on the topic modeling technique, we review a broad range of information security literature to investigate how we might theorize about information security on a grander scale. Five themes resulted from our analysis: Software Security Decisions, Firm Security Strategy, Susceptibility, Information Security Policy Compliance, and Other Developing Themes. Implications of our findings and future research directions are discussed.

    Seven C’s of Information Security

    The 1991 United States Federal Sentencing Guidelines for Organizations (updated in 2004) describe legal requirements for organizations’ ethical business procedures. We adapt this framework for the purpose of developing a high-level “Seven C’s” framework for ethically responsible information security (InfoSec) procedures. Informed by the Resource Based View (RBV) of strategic management, we analyze case studies of two organizations to demonstrate the adapted guidelines’ applicability. Each organization has a well-established InfoSec program, yet each requires further development according to the guidelines in our Seven C’s model. We discuss implications for InfoSec policies and standards.

    Show Me the Green: Three Essays on Information Systems Value and Environmental Performance in Global Organizations.

    Businesses utilize information systems (IS) to increase revenues, reduce costs, and spur innovation. IS automate tasks, generate and deliver information, and can transform core value creation processes. As climate change and its associated challenges become increasingly relevant to business enterprises worldwide, IS are a key tool in enabling their response. Prior research shows that IS can either aid or inhibit organizational efforts, yet we do not fully understand their influence in this important context. This dissertation presents three essays examining how IS affect financial market value and greenhouse gas (GHG) emissions performance in large businesses. The first essay (Chapter 2) introduces a method utilized in Chapter 3. After finding a surprising dearth of international event studies in the IS discipline, a multiple-factor method is selected from related management literature to estimate international financial market reaction. Its performance relative to the commonly used single-factor model is evaluated with a Monte Carlo analysis. The error correction improvement of the multiple-factor model over the single-factor model is calculated to be 44%-99% for conditions observed in world markets between 2000 and 2012. The second essay (Chapter 3) utilizes the multiple-factor model from Chapter 2 to investigate international financial market reaction to Carbon Management Systems (CMS) adoption. CMS, a class of IS, enable the capture and management of carbon footprints. Three main results emerge. First, shareholders do not react positively to CMS announcements, as wealth effects are either not significant or negative, depending on the specification. Second, markets appear to penalize firms in more carbon-regulated countries versus others, consistent with theory. Lastly, negative reactions to CMS appear to be dampening over time. The third essay (Chapter 4) examines the impact of IS on firm GHG emissions for large corporations with a presence in North America. This first-of-its-kind analysis finds interaction effects between GHG reduction plans and the physical deployment scope of ERP modules for Enterprise Support (ES; e.g. HR, Finance, Accounting). Corporations with reduction plans in place and in the highest 18% of ES physical scope are associated with reduced CO2 emissions. For these companies, a one-standard-deviation increase in the ES physical scope deployment measure reduces GHG emissions by 46.63%.
    PhD, Business Administration, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/113461/1/danrush_1.pd