
    The Influences of Public and Institutional Pressure on Firms’ Cybersecurity Disclosures

    Cybersecurity disclosures in reports filed with the US Securities and Exchange Commission (SEC) inform investors about firms’ cybersecurity incidents, risks, and related risk management efforts. Firms have traditionally chosen to communicate such information on a quarterly or annual basis, if at all, and prior research on the topic has largely focused on regulatory factors as driving forces. In this paper, we focus on timely disclosures (via 8-K filings) and derive hypotheses regarding the influence of two alternate forms of pressure as drivers of cybersecurity disclosures: (1) public pressure following a firm’s data breach and (2) pressure arising from the breaches of industry peers, which we cast as “institutional pressure.” We also theorize on how the source of the breach (internal or external) influences these forms of pressure. Our results suggest that firms’ cybersecurity disclosure practices are influenced by public pressure following a data breach and that this pressure is more acute for external breaches than for internal breaches. By contrast, breaches by industry peers, as a form of institutional pressure, appear to prompt fewer cybersecurity disclosures, except when the focal firm suffers its own external breach. From a theoretical perspective, our study supports a nuanced application of legitimacy theory in the cybersecurity disclosure context, especially in the midst of public and institutional pressure, such that the source of a data breach determines whether firms attempt to address the resultant legitimacy gap. From a practical perspective, our results may be viewed as alarming in that firms are not reacting to internal breaches with the same degree of communicative effort about cybersecurity as for external breaches, at least in terms of the timely disclosures we consider in this study. Our findings also point to certain levers that can promote timely cybersecurity disclosures, and thus have important policy implications.

    A Personal Information Auction: Measuring the Differential Value of Privacy


    ‘Breaching’ Auditor Judgments of Information Security Effectiveness

    In this in-progress study we explore whether aspects of a prior data security breach, along with prior audit performance, work to decrease auditor objectivity when assessing information security (InfoSec) weaknesses in the subsequent audit period. We use SOX Section 404 as the contextual setting, and our analysis is based on a unique dataset from publicly available sources. Preliminary results suggest not only that former audit performance influences auditor judgments of InfoSec performance, but also that the strength of this relationship changes with public attention. We found no evidence for the influence of past breach severity on auditors’ judgments, nor did we find that the influence of public attention is direct. Instead, it appears that auditors can be lured toward decreased objectivity in an indirect manner: the weight of public attention increases their desire to validate past audit evaluations. Implications and plans for future research are discussed.

    A role theory perspective: Will shifting left become a pain for application developers?

    To foster application security (AppSec), organizations are adopting the development, security, and operations (DevSecOps) framework, which integrates application development with security controls and systems operations. With DevSecOps, application developers have to “wear many hats”. Besides coding, developers are assigned additional tasks including system testing and operations, thus adopting the roles of systems testers and systems engineers. Transitioning from one role to another involves boundary crossing, through which individuals have to embrace changes in order to perform the new tasks defined by another role. This may instigate developers’ mental fatigue. Also, tasks associated with “non-developer” roles (e.g., systems operations) may not be a good cognitive fit, thus provoking developers’ mental distress. To address this issue, we examine the effects of multi-role adoption on developers’ well-being, which in turn affects their cyber situational awareness (i.e., awareness of cyber threats relevant to AppSec).

    Trading well-being for ISP compliance: An investigation of the positive and negative effects of SETA programs

    This paper challenges the existing assumption that security education, training and awareness (SETA) programs are purely positive interventions for promoting information security policy (ISP) compliance behaviors. Drawing upon conservation of resources theory, we posit that SETA programs have both resource-enhancing and resource-depleting effects, which differentially influence employees’ ISP compliance. This paper aims to open new avenues of research by highlighting the positive and negative effects of SETA programs from a stress perspective.

    Seeing the forest and the trees: A meta-analysis of information security policy compliance literature

    A rich stream of research has identified numerous antecedents to employee compliance with information security policies. However, the breadth of this literature and inconsistencies in the reported findings warrant a more in-depth analysis. Drawing on 25 quantitative studies focusing on security policy compliance, we classified 105 independent variables into 17 distinct categories. We conducted a meta-analysis of each category’s relationship with security policy compliance and then analyzed the results for possible moderators. Our results revealed a number of illuminating insights, including (1) the importance of categories associated with employees’ personal attitudes, norms and beliefs, (2) the relative weakness of the link between compliance and rewards/punishment, and (3) the enhanced compliance associated with general security policies rather than specific policies (e.g., anti-virus). These findings can be used as a reference point from which future scholarship in this area can be guided.

    Using Bluetooth Low Energy devices to monitor visitor activity in remote amenity spaces

    Tracking of pedestrian behaviour, particularly route selection and temporal behaviours, can be difficult to undertake. This is especially true of studies at a community or campus level, where the anonymity of pedestrians can be difficult to protect. The introduction of the EU’s General Data Protection Regulation 2016 (GDPR) has increased the complexity of this challenge. Advances in Bluetooth Low Energy (BLE) technology in recent years have increased the potential to monitor human behaviour by tracking and triangulating pedestrians. This paper describes an experiment undertaken along The Great South Wall at the Port of Dublin, which is considered a leading amenity location. Monitoring of visitor behaviour in places of this type can provide valuable information about the use of this and other public resources. The aims of this study were to test two prototypes to: i) determine the direction of participants carrying BLE devices, ii) determine the capabilities of two BLE scanning prototypes (ESP32 and Raspberry Pi 3), iii) test the ability to detect a small number of BLE devices simultaneously while minimising interference or loss of passers-by data, and iv) investigate the use of a hash encoding scheme to anonymise BLE device identifiers. The findings show that the direction of visitors to the pier can be detected by correlating the received signal strength indicator (RSSI) from multiple Bluetooth scanning devices, and that this works with scanning devices as close as 10 m apart. The locations of the BLE scanners have a slight effect on the RSSI detected at different distances, and the distance between scanners needs to be considered to facilitate accurate measurement of direction. As a pier like the South Wall has only one entrance and exit point, this approach can also be used to determine the length of time spent on the pier. The technical performance of the two BLE scanners was also reviewed, and the ESP32 was shown to have significantly lower power consumption with only a slight decrease in performance. Finally, it was shown that the BLE scanners can detect multiple carried BLE devices successfully without interference or loss of data as long as those devices are within range of the BLE scanners.
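The three analysis steps the abstract describes (anonymising the advertiser address with a hash, inferring direction from the order of RSSI peaks at two scanners, and deriving dwell time from the single entry/exit) are shown below as an added example; it is not the paper's code and not either prototype's firmware. The abstract does not say which hash scheme was used, so this example uses a keyed HMAC with a per-deployment secret and a rotation epoch, because an unkeyed hash of a MAC address is reversible by enumeration (48-bit address space, further narrowed by vendor OUIs). The scanner names "A" (entrance) and "B" (10 m along the pier), the deployment key, the epoch string, the 120 s pass gap and every observation are constructed assumptions.

```python
"""Added example: BLE pseudonymisation, direction from RSSI peak order, dwell time.
Not the paper's code. Scanner names, key, epoch and observations are constructed."""
import hashlib
import hmac
from collections import defaultdict

# Assumption: per-deployment secret, generated once and kept off the scanners'
# public outputs. Rotating it (per day, say) breaks linkability across epochs.
DEPLOYMENT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
EPOCH = "2024-01-01"     # constructed rotation label mixed into every pseudonym
PASS_GAP_S = 120         # assumption: silence longer than this separates two passes
ENTRANCE, INNER = "A", "B"   # assumption: A at the landward end, B 10 m further out


def anonymise_address(mac, key=DEPLOYMENT_KEY, epoch=EPOCH):
    """Keyed-hash pseudonym for a BLE address; same MAC + same epoch -> same id."""
    canonical = mac.lower().replace("-", ":").encode()
    return hmac.new(key, canonical + b"|" + epoch.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(mac):
    """The weak alternative: a plain digest of the address, no secret involved."""
    return hashlib.sha256(mac.lower().replace("-", ":").encode()).hexdigest()


def recover_from_unkeyed_hash(digest_hex, candidates):
    """Why unkeyed hashing is not anonymisation: re-hash candidate addresses until
    one matches. A real attacker enumerates all 2^24 addresses under each vendor
    OUI; `candidates` stands in for that enumeration."""
    for mac in candidates:
        if unkeyed_hash(mac) == digest_hex:
            return mac
    return None


def split_passes(obs):
    """obs: (t_seconds, scanner, rssi) tuples for one pseudonym, any order.
    Returns chronologically ordered groups separated by gaps > PASS_GAP_S."""
    obs = sorted(obs)
    passes, current = [], [obs[0]]
    for o in obs[1:]:
        if o[0] - current[-1][0] > PASS_GAP_S:
            passes.append(current)
            current = []
        current.append(o)
    passes.append(current)
    return passes


def pass_direction(single_pass):
    """Direction from the order of the strongest RSSI at each scanner: the
    entrance scanner peaking first means the visitor is walking out onto the pier."""
    peak = {}
    for t, scanner, rssi in single_pass:
        if scanner not in peak or rssi > peak[scanner][1]:
            peak[scanner] = (t, rssi)
    if ENTRANCE not in peak or INNER not in peak or peak[ENTRANCE][0] == peak[INNER][0]:
        return "unknown"
    return "outbound" if peak[ENTRANCE][0] < peak[INNER][0] else "inbound"


def analyse(raw, key=DEPLOYMENT_KEY, epoch=EPOCH):
    """raw: iterable of (t_seconds, scanner, mac, rssi). MACs are pseudonymised
    before grouping so the raw address never reaches the result set."""
    by_id = defaultdict(list)
    for t, scanner, mac, rssi in raw:
        by_id[anonymise_address(mac, key, epoch)].append((t, scanner, rssi))
    result = {}
    for pid, obs in by_id.items():
        passes = split_passes(obs)
        dirs = [pass_direction(p) for p in passes]
        dwell = None
        # Single entry/exit: dwell runs from first sighting of the outbound pass
        # to last sighting of the inbound pass.
        if len(passes) >= 2 and dirs[0] == "outbound" and dirs[-1] == "inbound":
            dwell = passes[-1][-1][0] - passes[0][0][0]
        result[pid] = {"passes": dirs, "dwell_s": dwell}
    return result


# Constructed observations: visitor 1 walks out (A peaks, then B), returns 30 min
# later (B peaks, then A); visitor 2 is only seen walking out; visitor 3 is only
# seen at scanner A, so no direction can be inferred.
SAMPLE_OBSERVATIONS = [
    (0, "A", "AA:BB:CC:11:22:33", -55), (4, "B", "AA:BB:CC:11:22:33", -75),
    (5, "A", "AA:BB:CC:11:22:33", -70), (10, "B", "AA:BB:CC:11:22:33", -52),
    (15, "B", "AA:BB:CC:11:22:33", -68),
    (1800, "B", "AA:BB:CC:11:22:33", -54), (1805, "A", "AA:BB:CC:11:22:33", -74),
    (1806, "B", "AA:BB:CC:11:22:33", -72), (1812, "A", "AA:BB:CC:11:22:33", -50),
    (100, "A", "DE:AD:BE:EF:00:01", -60), (112, "B", "DE:AD:BE:EF:00:01", -58),
    (200, "A", "12:34:56:78:9A:BC", -65), (203, "A", "12:34:56:78:9A:BC", -61),
]


def demo():
    return analyse(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for pid, summary in demo().items():
        print(pid, summary)
```

Two caveats a practitioner should keep in mind when reusing this: the keyed hash only protects against reversal if the key never leaves the deployment (a key stored on a field-deployed ESP32 is recoverable by anyone with physical access), and phones that implement BLE address randomisation rotate their advertiser address on their own schedule, so a pseudonym derived from that address may not persist across the outbound and inbound passes at all, which limits dwell-time measurement independently of the hashing choice.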

    Development and Validation of a Raman Spectroscopic Classification Model for Cervical Intraepithelial Neoplasia (CIN)

    The mortality associated with cervical cancer can be reduced if it is detected at the precancer stage, but current methods are limited in terms of subjectivity, cost and time. Optical spectroscopic methods such as Raman spectroscopy can provide a rapid, label-free and nondestructive measurement of the biochemical fingerprint of a cell, tissue or biofluid. Previous studies have shown the potential of Raman spectroscopy for cervical cancer diagnosis, but most were pilot studies with small sample sizes. The aim of this study is to show the clinical utility of Raman spectroscopy for identifying cervical precancer in a large sample set, with validation in an independent test set. Liquid-based cervical cytology samples (n = 662; 326 negative, 200 cervical intraepithelial neoplasia (CIN) 1 and 136 CIN2+) were obtained as a training set. Raman spectra were recorded from single-cell nuclei and subjected to partial least squares discriminant analysis (PLS-DA). The PLS-DA classification model was then validated using a blinded independent test set (n = 69). A classification accuracy of 91.3% was achieved, with only six of the blinded samples misclassified. This study showed the potential clinical utility of Raman spectroscopy, with good classification of negative, CIN1 and CIN2+ achieved in an independent test set.