This is a self-archived – parallel published version of this article in the publication archive of the University of Vaasa. It might differ from the original.

Cybersecurity in Accounting Research
Author(s): Haapamäki, Elina; Sihvonen, Jukka
Title: Cybersecurity in Accounting Research
Year: 2022
Version: Accepted manuscript
Copyright ©2022 Routledge. This is an Accepted Manuscript of a book chapter published by Routledge in Artificial Intelligence in Accounting: Organisational and Ethical Implications on 5 August 2022, available online: https://doi.org/10.4324/9781003198123

Please cite the original version: Haapamäki, E. & Sihvonen, J. (2022). Cybersecurity in Accounting Research. In: Lehner, O. M. & Knoll, C. (eds.) Artificial Intelligence in Accounting: Organisational and Ethical Implications, 182-214. Routledge Studies in Accounting. Oxon: Routledge. https://doi.org/10.4324/9781003198123-10

8 Cybersecurity in Accounting Research Section 1 Page 1 of 75

Abstract: This chapter aims to update the cybersecurity-related accounting literature by synthesising 39 recent theoretical and empirical studies on the topic. Furthermore, the chapter provides a set of categories into which the studies fit. It is a synthesis chapter that summarises the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination. This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing; cybersecurity investments; internal auditing and controls related to cybersecurity; disclosure of cybersecurity activities; and security threats and security breaches. Academics, practitioners, and the public would benefit from a research framework that categorises the research topics related to cybersecurity in the accounting field.
This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research. This analysis has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasises the role of internal auditing and controls to improve cybersecurity.

Keywords: Cybersecurity, Risk Management, Accounting, Auditing, Digitalisation

8 Cybersecurity in Accounting Research
Elina Haapamäki and Jukka Sihvonen

Introduction

The increasing use of digital technologies among companies has emphasised the importance and role of cybersecurity as a new risk management dimension, not least because cyber threats and risks have attracted significant attention from the public (e.g., Amir, Levi, & Livne, 2018; Li, No, & Wang, 2018). Furthermore, firms hit by cyber-attacks tend to suffer long-lasting economic and reputational losses (Agrafiotis et al., 2018; Kamiya et al., 2018). Recent studies suggest that, over the course of just a few years, cybersecurity has grown into one of the most significant risk challenges facing every type of organisation and society (e.g., IIA, 2018; Islam, Farah, & Stafford, 2018; Kahyaoglu & Caliyurt, 2018). For instance, Gordon, Loeb, Lucyshyn, and Zhou (2015b) argued that it is possible that a cybersecurity breach could shut down an entire critical infrastructure industry and threaten a nation’s entire economy and national defence.
Cybersecurity is more often acknowledged as a severe organisational concern best addressed by integrating it as a part of the managerial control system (Gordon, Loeb, Sohail, Tseng, & Zhou, 2008). This development is partly due to enforcement and supervision by regulatory authorities (SEC, 2018a, 2018b) and partly due to increased guidance from the Big 4 accounting firms and audit industry organisations (e.g. AICPA, 2018a, 2018b); market discipline also plays a part (Gordon, Loeb, & Sohail, 2010; Gordon, Loeb, & Zhou, 2011; Berkman, Jona, Lee, & Soderstrom, 2018; Amir et al., 2018). As a part of a managerial control system, cybersecurity has also become very much a managerial accounting and auditing matter, subject to cost-benefit analysis, internal control assessment, and disclosure policy considerations. According to Gordon and Loeb (2006), the objectives of cybersecurity can be divided into three broad categories. First, cybersecurity protects the confidentiality of private information; second, it ensures that authorised users can access information on a timely basis; and third, cybersecurity protects the accuracy, reliability, and validity of information. The purpose of this chapter is to advance the research on cybersecurity in the accounting domain by investigating how well recent literature addresses the accounting implications of those objectives.[1] We synthesise cybersecurity research in the accounting context into different categories intending to inform the reader of the learning available from the prior literature and which avenues of research require further investigation.
This literature synthesis has three primary objectives. The first is to provide a comprehensive overview of the current academic knowledge on cybersecurity in accounting and auditing research and to provide a set of categories into which these studies fit. The second objective is to identify key topics and issues that have appeared in the previous literature. Finally, the third objective is to identify gaps in the literature and suggest fruitful future research opportunities. This literature analysis has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for information-security (cybersecurity) investments by Gordon and Loeb (2002). Their model has received a significant amount of attention in the literature and is known as the Gordon–Loeb model. By providing an economic model that determines the optimal amount to invest in protecting a given set of information, it contributes to scientific research and practice. Moreover, this synthesis highlights the role of internal auditing and controls to improve cybersecurity. It emphasises that the cooperation between internal auditing and information-security functions should be uncomplicated and smooth.
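As an added illustration, not taken from the chapter or its authors, the following Python works through the Gordon–Loeb model referred to above for a single information set, using the class I breach probability function from Gordon and Loeb (2002), S(z, v) = v/(αz + 1)^β, and the model's result that the optimal investment z* never exceeds (1/e) of the expected loss vL. All parameter values (v, L, α, β) are constructed for the example.

```python
import math

E_INV = 1.0 / math.e  # Gordon-Loeb bound: z* never exceeds (1/e) * v * L


def breach_probability(z, v, alpha, beta):
    """Gordon-Loeb class I security breach probability function.

    S(z, v) = v / (alpha*z + 1)**beta, where
      z     : amount invested in information security
      v     : vulnerability, i.e. breach probability with zero investment (0 <= v <= 1)
      alpha : productivity of security investment (alpha > 0)
      beta  : diminishing-returns exponent (beta >= 1)
    """
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha, beta):
    """ENBIS(z): expected loss avoided by investing z, minus the investment itself.

    The cost-benefit rule (an extra security activity is worthwhile while its
    benefit exceeds its cost) is the first-order condition of this function.
    """
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of ENBIS for the class I function.

    d/dz ENBIS = v*alpha*beta*loss / (alpha*z + 1)**(beta+1) - 1 = 0
      => (alpha*z + 1)**(beta+1) = v*alpha*beta*loss
      => z* = ((v*alpha*beta*loss)**(1/(beta+1)) - 1) / alpha
    A negative root means even the first unit of investment costs more than
    it saves, so the optimum is the corner solution z* = 0.
    """
    root = (v * alpha * beta * loss) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def optimal_investment_by_search(v, loss, alpha, beta, steps=200_000):
    """Brute-force cross-check of the closed form: scan z on [0, v*loss]."""
    upper = v * loss
    best_z, best_val = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    for i in range(1, steps + 1):
        z = upper * i / steps
        val = expected_net_benefit(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def analyse_information_set(v, loss, alpha, beta):
    """Budget view of one information set: expected loss, z*, z* as a share of
    the expected loss, net benefit at the optimum, and the 1/e bound check."""
    expected_loss = v * loss
    z_star = optimal_investment(v, loss, alpha, beta)
    return {
        "expected_loss": expected_loss,
        "optimal_investment": z_star,
        "share_of_expected_loss": z_star / expected_loss if expected_loss else 0.0,
        "net_benefit": expected_net_benefit(z_star, v, loss, alpha, beta),
        "within_1_over_e_bound": z_star <= E_INV * expected_loss + 1e-9,
    }


def bound_holds_on_grid():
    """Check z* <= (1/e) * v * L over a grid of constructed parameter values."""
    for v in (0.05, 0.2, 0.5, 0.8, 1.0):
        for loss in (1e4, 1e5, 1e6, 1e7):
            for alpha in (1e-6, 1e-5, 1e-4, 1e-3):
                for beta in (1.0, 1.5, 2.0, 4.0):
                    if optimal_investment(v, loss, alpha, beta) > E_INV * v * loss + 1e-6:
                        return False
    return True


if __name__ == "__main__":
    # Constructed case: a data set whose breach would cost 1,000,000 and which
    # has a 50% breach probability if nothing is invested in protecting it.
    report = analyse_information_set(v=0.5, loss=1_000_000, alpha=1e-5, beta=1.0)
    for key, value in report.items():
        if isinstance(value, float):
            print(f"{key:>24}: {value:,.4f}")
        else:
            print(f"{key:>24}: {value}")
    print("1/e bound holds on grid:", bound_holds_on_grid())
```

In the constructed case the optimum is about 123,607, roughly 25% of the 500,000 expected loss, which is the "small fraction" the Gordon–Loeb result refers to.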
Finally, given the significance of cybersecurity to the field of accounting in today’s interconnected digital environment, a synthesis chapter that focuses on cybersecurity from an accounting perspective could help to stimulate much-needed cybersecurity research by accounting academics and practitioners. Furthermore, this chapter conducts citation analysis, which is essential for analysing the most-cited articles in the specific research field (e.g., Guffey & Harp, 2017). The remainder of the chapter is organised as follows. Section 2 presents the relevant background information on the topic. Section 3 explains the method used to conceptualise the synthesis. Section 4 presents the examination of the theoretical and empirical literature and a comprehensive list of topics examined in prior cybersecurity studies in the accounting field. Section 5 provides the citation analysis. Finally, in Section 6, the conclusions are summarised and avenues for future studies are suggested.

Background

Cybersecurity Risk Management Reporting

The American Institute of Certified Public Accountants (AICPA) (2018a, p. 1) stated that “Cybersecurity is one of the top issues on the minds of management and boards in nearly every company in the world – large and small, public and private”. Therefore, it is extremely important that every organisation at least considers a cybersecurity risk management program.
In addition, certain organisations and their stakeholders need timely, useful information about organisations’ cybersecurity risk management efforts. Therefore, it is vital that the AICPA (2018) has a goal to establish a common, underlying language for cybersecurity risk management reporting (for the US GAAP and/or the IFRS). Accordingly, the AICPA (2018a) highlighted that cybersecurity is not just an Information Technology (IT) problem; it is an enterprise risk management problem that requires a global solution. The AICPA (2018b) also emphasised the importance of the entity-level cybersecurity reporting framework. It explicitly stated that the goal of the reporting framework is to provide a means by which organisations can communicate useful information regarding their cybersecurity risk management programs to stakeholders. Hence, the reporting framework is used to perform an examination-level attestation engagement. The framework is a key component of a new system and organisation control (SOC) for cybersecurity engagement. The cybersecurity report includes the following three key sets of information: i) the management’s description, ii) the management’s assertion, and iii) the practitioner’s opinion.
To conclude, the AICPA (2018b) emphasised that its cybersecurity risk management reporting framework is a crucial first step toward enabling a consistent, market-based, business-based solution for companies to communicate successfully with key stakeholders on how they are managing cybersecurity risk. In addition, the Securities and Exchange Commission (SEC) (2018, p. 4) argued that it is essential that “public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack”. The increasing significance of cybersecurity incidents persuaded the SEC that it should provide further guidance, and in 2011 it released its first guidelines on cybersecurity. The SEC continues to consider other means of promoting appropriate disclosure of cyber incidents and is reinforcing and expanding that 2011 guidance. Specifically, the SEC is addressing two topics that were not developed earlier, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.

Motivation

An effective review creates a basis for advancing knowledge (Webster & Watson, 2002). Similarly, why synthesise studies related to cybersecurity in the accounting and auditing field? The number and severity of cyber threats have been unprecedented in recent years, and successful cyber-attacks have been reported regularly (e.g., Islam et al., 2018). Moreover, the costs of cyber-attacks are tremendous; therefore, cybersecurity risk management is argued to be extremely important for organisations (e.g., Islam et al., 2018).
In relation to this, Hausken (2006, p. 630) asserted that “the intensity of cyber war has increased through the internet revolution”. Relatedly, Gordon, Loeb, and Lucyshyn (2003) suggested that the Internet revolution has dramatically changed the way in which individuals, firms, and the government communicate and conduct business. The authors argued that the telecommunications, banking and finance, energy, and transportation industries, as well as the military and other essential government services, all depend on the Internet. Moreover, they concluded that this widespread interconnectivity has increased the vulnerability of computer systems. The same research also highlights how the links between public policy and information security are clear. For instance, the threat of cyber terrorism, aimed at shutting down critical infrastructure industries, has brought cybersecurity to the forefront of the public policy agenda.
In addition, Gansler and Lucyshyn (2005) stated that the growing dependence of both public and private sectors on web-based technologies and networks for their financial management systems does not come without a price, and this price is increased vulnerability. Hence, according to the World Bank (2018), the financial service sector was attacked more than any other industry in 2016. However, Lainhart (2000) had already claimed that, for many organisations, information and the technology that supports it represent their most valuable assets. Lainhart (2000) argued that, in this global information society, in which information travels through cyberspace, its effective management is critical. Effective management is in turn related to the awareness of increasing vulnerabilities, such as cyber threats and information warfare. Organisations’ incentives to invest in security technology are influenced by regulation. For instance, the Sarbanes-Oxley Act of 2002 (SOX) placed strict requirements on firms (e.g., Hausken, 2006). The SOX highlights the significance of information system controls by requiring the management and auditors to report on the effectiveness of internal controls over the financial reporting component of the firm’s management information systems (e.g., Li, Peters, Richardson, & Watson, 2012). For example, Gordon, Loeb, Lucyshyn, and Sohail (2006) empirically examined the impact of the SOX on the voluntary disclosure of information-security activities by corporations. 
The empirical evidence provided clearly indicated that the SOX is having a positive impact on voluntary disclosure. Gordon et al. (2006) offered strong indirect evidence that corporate information-security activities have attracted more attention since the passage of the SOX than before it was enacted. Indeed, they supported the widely held view that cybersecurity is an implicit requirement of the internal control structure. Overall, they argued that the information content of information-security activities is higher in some industries than in others.
Firms in industries like banks, business services, insurance, telecommunications, financial services, transportation, and health care appear to be more proactive in providing voluntary disclosure of security-related activities (Gordon et al., 2006). In addition, Gordon and Loeb (2006) suggested guidelines for the efficient management of cybersecurity. Their cost-benefit analysis compared the costs of an activity with its benefits and the authors argued that, as long as the benefits of an additional information-security activity exceed its costs, it is valuable to engage in that activity. Further, they asserted that, while more cybersecurity does not always benefit an organisation, cyber-attacks are one of the main risks that organisations must control (Amir et al., 2018). Based on the previous arguments, it is vital to synthesise the previous literature related to cybersecurity and identify the research streams of the articles under review. To the authors’ knowledge, this is the first study to describe and synthesise the cybersecurity-related accounting and auditing studies. For instance, earlier review studies related to the topic have discussed research opportunities in IT and internal auditing (e.g., Weidenmier & Ramamoorti, 2006) and the impact of information-security events on the stock market (e.g., Spanos & Angelis, 2016).

Terminology and Methodology

Cybersecurity

Cybersecurity is often used as an analogous term for information security.
However, cybersecurity is not necessarily only the protection of cyberspace itself but also the protection of those who function in cyberspace and any of their assets that can be reached via cyberspace (von Solms & van Niekerk, 2013). Cybersecurity comprises technologies, processes, and controls that are designed to protect systems, networks, and data from cyber-attacks. Effective cybersecurity reduces the risk of cyber-attacks and protects societies, organisations, and individuals from the unauthorised exploitation of systems, networks, and technologies. Cybersecurity is an umbrella concept that encompasses information security and information assurance (Gyun No & Vasarhelyi, 2017). Thus, cybersecurity involves the protection of information that is assessed and transmitted via any computer network (Gordon & Loeb, 2006).
Method

To introduce, summarise, and analyse the extent of the research on cybersecurity in the accounting field, a list of published studies was collected using the following methods. The articles collected were identified through a systematic process that combined electronic and manual research. The combinations of keywords used to search for relevant studies included cybersecurity, cyber, information security, security threats, and cyber threats. An electronic search was performed using Scopus and Google Scholar. A manual search was also conducted by tracking down references in the collected studies to guarantee that all the relevant papers were included in the analysis. This chapter reviews 39 studies related to cybersecurity; the majority of the studies were published in high-quality, prominent, peer-reviewed, accounting and auditing journals between 2000 and 2018. Table 8.1 provides a count of the studies reviewed, grouped by source journal, while Table 8.2 presents the topics, the types of articles, and the key research findings related to cybersecurity. It should be noted that there is considerable variation among the methodologies of the papers under review. For instance, the articles consist of analytical, conceptual, and exploratory studies. However, the most common are empirical studies using regression analysis.
As shown in Table 8.1, the collected articles come from high-quality accounting and auditing journals, including, for instance, Accounting, Organizations and Society, Review of Accounting Studies, International Journal of Accounting & Information Management, Journal of Information Systems, International Journal of Accounting Information Systems, Journal of Accounting and Public Policy, European Accounting Review, and Managerial Auditing Journal. The prevalence of cybersecurity-related studies in major accounting and auditing journals emphasises the topic’s significance to the literature. Other journals are also included in the review, because articles in them clearly have an accounting perspective. These journals are mainly related to information management. The search included publications up to October 1, 2018. Figure 8.1 presents the trends of cybersecurity-related studies in the accounting and auditing literature over the period 2000–2018. To conclude, 39 studies fulfilled the selection criteria. After the selection of the studies, the articles were carefully read and analysed in a rather inductive manner.
The overall purpose was to introduce, summarise and analyse the extent of research on cybersecurity, and there were no predispositions regarding the topics that would be covered. Rather, based on an initial review of each selected paper, notes were made on various aspects, such as research questions, hypotheses, and results. After analysing the papers, a set of categories into which these 39 studies fit could be constructed. Hence, these categories are the result of a critical and constructive analysis of the studies under review through summary, analysis, and comparison. To clarify, this synthesis identified five research streams that are related to cybersecurity. Furthermore, it is essential to categorise the research streams related to cybersecurity in the accounting field to provide data on the level of activity in a particular research field, allowing the outcomes to be used to evaluate the performance of research streams, researchers, and journals. Methodologically, this study builds on the previous literature to deepen the understanding of cybersecurity research. To clarify, the chapter is not directed at a specific cybersecurity-related question or issue or restricted to a specific geography. It is more comprehensive and provides relatively broad coverage of cybersecurity (in accounting) research topics. Hence, the article provides a cohesive picture of the theoretical and empirical archival literature related to cybersecurity. In terms of structure, it is divided into sections based on the topics covered. Therefore, academics or practitioners working on specific cybersecurity-related topics should be able to benefit from reading even a limited part of this chapter. Furthermore, Figure 8.2 illustrates the research streams and factors related to cybersecurity stemming from the studies under review. Hence, Figure 8.2 incorporates the research categories – identified by section number – and presents the interrelations between the sections. It appears to show that the studies surveyed are concentrated in the left-most elements (text boxes). However, accounting journals publish a broad variety of research; hence, there might be opportunities to investigate and publish topics related to the right-most elements in the future. Future research ideas are discussed in more detail in the concluding section.

Table 8.1 Breakdown of studies reviewed

Journal | Studies
Accounting, Organizations and Society | 1
ACM Transactions on Information and System Security (TISSEC) | 1
European Accounting Review | 1
Information Systems Research | 1
International Journal of Accounting & Information Management | 1
International Journal of Accounting Information Systems | 3
Journal of Accounting and Public Policy | 7
Journal of Emerging Technologies in Accounting | 1
Journal of Information Security | 3
Journal of Information Systems | 11
Managerial Auditing Journal | 6
MIS Quarterly | 2
Review of Accounting Studies | 1
Total | 39
Source: Authors

Table 8.2 Studies on cybersecurity. The number of articles within each stream is presented in parentheses

Author(s) | Research topic | Type of the paper/conclusions that are related to cybersecurity

Panel A. Information sharing and cybersecurity (4)
Gordon et al. (2003) | Sharing information on computer systems security: An economic analysis. | Analytical study. Gordon et al. suggested that information sharing concerning security breaches can lead to an increased level of information security.
Gansler and Lucyshyn (2005) | Improving the security of financial management systems: What are we to do? | Research note. Gansler and Lucyshyn suggested that to avoid cyber-attacks every organisation should implement a cybersecurity program, but this is often done with limited success, because it is challenging to estimate risk and the security landscape is constantly changing.
Hausken (2007) | Information sharing among firms and cyber-attacks. | Analytical study. Hausken suggested that assessing the costs and benefits of information sharing and security investment is interlinked with other strategies to gain competitive advantage.
Gordon, Loeb, Lucyshyn, and Zhou (2015a) | The impact of information sharing on cybersecurity underinvestment: A real options perspective. | Empirical study using a real options perspective. Gordon et al. suggested that maintaining adequate cybersecurity is crucial for a firm to maintain the integrity of its external and internal financial reports, as well as to protect the firm’s strategic proprietary information.

Panel B. Cybersecurity investments (8)
Gordon and Loeb (2002) | The economics of information-security investment. | Analytical study. Gordon and Loeb aimed to derive an economic model that determines the optimal amount to invest in information security. Based on the Gordon–Loeb model, the findings indicate that the amount a firm should spend to protect information sets should generally be only a small fraction of the expected loss.
Tanaka, Matsuura, and Sudoh (2005) | Vulnerability and information-security investment: An empirical analysis of E-local government in Japan. | Empirical study using regression analysis. The authors utilised the Gordon–Loeb model and suggested that the decision related to information-security investments depends on vulnerability. Their findings supported the insights of the Gordon and Loeb (2002) model.
Hausken (2006) | Income, interdependence, and substitution effects affecting incentives for security investment. | Analytical study. Hausken concluded that each firm invests in security technology when the required rate of return from security investment exceeds the average attack level, or when the formal control requirements dictate investment.
Gordon et al. (2008) | Cybersecurity, capital allocations and management control systems. | Analytical study. Gordon et al. argued that the design and use of management control systems can play a key role in dealing with cybersecurity issues.
Bose and Luo (2014) | Investigating security investment impact on firm performance. | Conceptual study. Their study proposes a comprehensive conceptual framework in which non-IT-related and IT-related security investment factors are posited to influence a firm’s performance.
Gordon et al. (2015b) | Externalities and the magnitude of cybersecurity underinvestment by private sector firms: A modification of the Gordon–Loeb model. | Analytical study. The authors extend the Gordon–Loeb model to incorporate externalities in deciding on the appropriate level of cybersecurity investment. They show that the firm’s social optimal investment in cybersecurity increases by no more than 37% of the expected externality loss.
Gordon, Loeb, and Zhou (2016) | Investing in cybersecurity: Insights from the Gordon–Loeb model. | Conceptual study. This paper explains how organisations could use the Gordon and Loeb (2002) model in four simple steps. Thus, it provides a conceptual explanation, accompanied by an illustrative example, of how organisations can use the Gordon–Loeb model to derive their appropriate level of cybersecurity investment.
Gordon, Loeb, Lucyshyn, and Zhou (2018) | Empirical evidence on the determinants of cybersecurity investments in private sector firms. | Empirical study using an instrument survey and regression analysis.
Gordon et al., indicate that there is a significant positive association between firms’ spending on cybersecurity activities and their treatment of cybersecurity as an important component of the firm’s internal controls over financial reporting. Panel C. Internal audit, controls, and cybersecurity (13) file:///C:/Users/briea/Documents/Apex/Lehner%2015032-5311%20for%20Copyediting/15032-5311-FullBook.docx%23Ref_454_FILE150325311PII008 file:///C:/Users/briea/Documents/Apex/Lehner%2015032-5311%20for%20Copyediting/15032-5311-FullBook.docx%23Ref_454_FILE150325311PII008 file:///C:/Users/briea/Documents/Apex/Lehner%2015032-5311%20for%20Copyediting/15032-5311-FullBook.docx%23Ref_454_FILE150325311PII008 8 Cybersecurity in Accounting Research Section 1 Page 22 of 75 Lainhart (2000) COBIT™: A methodology for managing and controlling information and Information Technology risks and vulnerabilities. Research note. Lainhart (2000) argued that in this global information society where information travels through cyberspace the effective management of information is very important. Pathak (2005) Risk management, internal controls, and organisational vulnerabilities. Research note. Pathak (2005) argued that cyber-attacks followed by physical attacks against critical infrastructure are a real threat; however, little is being done to provide a comprehensive defence against such a threat. 
Wallace, Lin, and Cefaratti (2011) | Information security and Sarbanes-Oxley compliance. | Exploratory study. | The results reveal that organisations differ in their implementation of certain IT controls based on different attributes.
Li et al. (2012) | The consequences of Information Technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports. | Empirical study using regression analysis. | The authors examined three dimensions of Information Technology material weaknesses: data processing integrity, system access and security, and system structure and usage. The authors find that the association with forecast accuracy appears to be strongest for IT control weaknesses most directly related to data processing integrity.
Steinbart, Raschke, Gal, and Dilla (2012) | The relationship between internal audit and information security. | Exploratory study. | Steinbart et al. stated that the internal audit and information-security functions should co-operate synergistically.
Steinbart, Raschke, Gal, and Dilla (2013) | Information-security professionals’ perceptions about the relationship between the information security and IAFs. | Empirical study using a survey instrument and Partial Least Squares (PLS). | Steinbart et al. suggest that information-security professionals’ perceptions about the level of technical expertise possessed by internal auditors and the extent of internal audit review of information security are positively associated with their assessment of the quality of the relationship between the two functions.
Steinbart, Raschke, Gal, and Dilla (2016) | SECURQUAL: An instrument for evaluating the effectiveness of enterprise information security programs. | Empirical study using survey data and factor analysis. | The authors emphasise that SECURQUAL scores reliably predict objective measures of information-security program effectiveness.
Rahimian, Bajaj, and Bradley (2016) | Estimation of deficiency risk and prioritisation of information-security controls. | Empirical study using a design science approach. | The results indicate that the operational, public image, legal (OPL) model can be used to create a detailed risk assessment of all corporate data.
Gyun No and Vasarhelyi (2017) | Cybersecurity and continuous assurance. | Research note. | The authors addressed one of the most pressing topics in cybersecurity: the need for new approaches to its assurance.
Islam et al. (2018) | Factors associated with security/cybersecurity audit by IAF: An international study. | Empirical study using regression analysis. | Islam et al. (2018) examined the factors associated with the extent of cybersecurity audit by the internal audit function (IAF) of the firm. The authors suggested that the extent of cybersecurity audit by the IAF is significantly and positively associated with IAF competence related to governance, risk, and control.
Kahyaoglu and Caliyurt (2018) | Cyber security assurance process from the internal audit perspective. | Conceptual study. | The authors concluded that cyber-risk must be managed, stated that it is very important to maintain formal documentation on related cyber controls, and argued that internal audit should be an integral part of the cybersecurity assurance process, as internal audits have a unique capacity to look across organisations.
Stafford, Deitz, and Li (2018) | The role of internal audit and user training in information-security policy compliance. | Qualitative case analysis. | Stafford et al. examined the role of information-security policy compliance and the role of information systems auditing in identifying non-compliance in the workplace. The study is a qualitative case analysis of technology users’ security perceptions combined with interpretive analysis of in-depth interviews with auditors. The findings indicate that enterprise risk management benefits from audits.
Steinbart, Raschke, Gal, and Dilla (2018) | The influence of a good relationship between the internal audit and information-security functions on information-security outcomes. | Empirical study using survey data and PLS. | The authors investigate how the quality of the relationship between the internal audit and information-security functions affects objective measures of the overall effectiveness of an organisation’s information-security efforts. The quality of this relationship has a positive effect on the number of reported internal control weaknesses and incidents of non-compliance, as well as on the number of security incidents detected both before and after they caused material harm to the organisation.

Panel D. Disclosure of cybersecurity activities (5)

Gordon et al. (2006) | The impact of the Sarbanes-Oxley Act on the corporate disclosures of information-security activities. | Empirical study. | The results reveal that SOX is having a positive impact on voluntary disclosure. Gordon et al. provide strong indirect evidence that corporate information-security activities are receiving more focus since the passage of SOX than before SOX was enacted.
Gordon et al. (2010) | Market value of voluntary disclosures concerning information security. | Empirical study using regression analysis. | This article aims to examine the market value of voluntary disclosures of items pertaining to information security. The findings provide strong evidence that voluntarily disclosing items concerning information security is associated positively with the market value of a firm.
Wang, Kannan, and Ulmer (2013) | The association between the disclosure and the realisation of information security risk. | Mixed methods. | Wang et al. evaluated how the nature of the disclosed security risk factors is associated with future breach announcements reported in the media. Their model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time.
Li et al. (2018) | SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors. | Empirical study using regression analysis. | Li et al. investigate whether cybersecurity risk disclosure is informative for future cybersecurity incidents. The authors suggest that the presence in the pre-guidance period and the length of cybersecurity risk disclosure are positively associated with subsequent cybersecurity incidents.
Ettredge, Guo, and Li (2018) | Trade secrets and cybersecurity breaches. | Empirical study using regression analysis. | The authors find that firms mentioning the existence of trade secrets have a significantly higher subsequent probability of being breached relative to firms that do not do so.

Panel E. Security threats and security breaches (9)

Ettredge and Richardson (2003) | Information transfer among internet firms: The case of hacker attacks. | Empirical study using regression analysis. | The authors showed negative mean abnormal returns among internet firms that have not actually been attacked. Further, they suggested that investors believed that firms would respond to the hacker attacks with higher spending on IT security.
Boritz and No (2005) | Security in XML-based financial reporting services on the Internet. | Conceptual study. | The authors presented security threats and limitations of current security technologies. The authors also identified security requirements that should be considered to ensure reliable, trustworthy XBRL and XARL services.
Abu-Musa (2006) | Perceived security threats of computerised accounting information systems in the Egyptian banking industry. | Empirical study using survey data. | Abu-Musa (2006) suggested that accidental entry of bad data by employees, accidental destruction of data by employees, introduction of computer viruses to the system, natural and human-made disasters, employees’ sharing of passwords, and misdirecting prints and distributing information to unauthorised people are the most serious security threats.
Kwon, Ulmer, and Wang (2013) | The association between top management involvement and compensation and information security breaches. | Empirical study using regression analysis. | The findings present how an IT executive’s status in the top management team and the composition of his/her compensation can be related to a firm’s IT governance mechanisms.
Higgs, Pinsker, Smith, and Young (2016) | The relationship between board-level technology committees and reported security breaches. | Empirical study using regression analysis. | Using reported security breaches during the period 2005–2014, the results reveal that firms with technology committees are more likely to have reported breaches in a given year than are firms without such a committee.
Carré, Curtis, and Jones (2018) | Ascribing responsibility for online security and data breaches. | Exploratory study. | The authors reveal that individuals held companies more responsible for protecting private data and held companies even more responsible following a data breach.
Curtis, Carré, and Jones (2018) | Consumer security behaviours and trust following a data breach. | Exploratory study. | The authors’ summary is that online security is of great concern and that companies that have had a breach face reputational damage.
Smith, Higgs, and Pinsker (2018) | Do auditors price breach risk in their audit fees? | Empirical study using regression analysis. | The authors suggest that breaches are associated with an increase in fees, but the result is driven by external breaches. Further, the study reveals that the presence of board-level risk committees and more active audit committees may help mitigate the breach-risk audit fee premium.
Amir et al. (2018) | Do firms underreport information on cyber-attacks? Evidence from capital markets. | Empirical study using regression analysis. | The findings reveal that the market reaction to disclosed cyber-attacks is indeed small, but the market reaction to withheld attacks is negative and significant.

Source: Authors

Figure 8.1 Trends of cybersecurity-related studies over the period 2000–2018

Figure 8.2 Framework of research streams and factors related to cybersecurity
Source: Authors

Previous Theoretical and Empirical Literature

Information Sharing and Cybersecurity

The first research stream identified in this synthesis examines information sharing and its role in cybersecurity. The prior literature has suggested that information sharing in cybersecurity has become extremely important for accounting and public policy. Gordon et al. (2003) examined information sharing in relation to computer system security. Their findings indicated that sharing information about threats and breaches of computer security lowers the overall costs of achieving any particular level of cybersecurity. Therefore, they suggested (p. 481) that sharing information “has been promoted as an important tool in enhancing social welfare”. However, while their analysis showed that information sharing does indeed offer the potential to reduce overall security costs and raise social welfare, some pitfalls exist that may well prevent the realisation of the full potential benefits. These pitfalls concern the need to create economic incentives to facilitate effective information sharing related to cybersecurity. In other words, Gordon et al.
(2003) suggested that companies and society could benefit from sharing information concerning security breaches. However, without appropriate economic incentives, firms may try to exploit the security expenditure of others. Similarly, Gansler and Lucyshyn (2005) suggested that the vulnerabilities associated with cyber-attacks are often exploited by a variety of threats: hackers, insiders, criminals, terrorists, or possibly a combination of those. The authors argued that, to avoid cyber-attacks, every organisation should implement a cybersecurity program, but this might often achieve only limited success, because it is challenging to estimate risk, and the security landscape is constantly changing. Gansler and Lucyshyn (2005) stated that the current cyber threats are fairly well understood, but firms are not always proactive enough. They also claimed that it has been generally assumed that a key element required to improve cybersecurity is the sharing of information, because “having information on threats and on actual incidents experienced by others can help an organization better understand the risks faced and determine what preventive measures should be implemented” (Gansler & Lucyshyn, 2005, p. 6). They concluded that the importance of financial management systems in a cybersecurity process should be highlighted. In addition, they argued that the US is already the nation most dependent on information systems. Therefore, the consequences of the vulnerability of information systems should be considered extremely carefully (Gansler & Lucyshyn, 2005). 
In contrast, Hausken (2007) suggested that assessing the costs and benefits of information sharing and security investment is interlinked with other strategies to gain a competitive advantage. Hausken (2007, p. 641) argued that the security of an interlinked information system depends on the strategies about information sharing and security investment chosen by all actors, including those that are players in it, those that attempt to regulate and reshape it and those that attempt to shut it down, which opens a role for public policy. Hausken (2007) considered two firms that are subject to cyber-attacks. The firms defend themselves by sharing information with each other and investing in security. Each firm chooses to receive information about the other firm’s security breaches. Hausken (2007) analysed the incentives to voluntarily provide information to another firm and the trade-offs that each firm makes between sharing information and investing in security.
The same research introduced the classic free-rider problem to explain why information sharing often does not occur and also highlighted that the classic free-rider problem was also identified by Gordon et al. (2003). Hausken (2007, p. 674) indicated that “information sharing increases linearly in the interdependence between firms, and is zero with negative or no interdependence”. To conclude, Hausken (2007, p. 647) suggested that “it is the interdependence between firms that is the key determinator of information sharing and not the competitiveness”. On a related note, Gordon et al. (2015a) suggested that academics, government officials, and corporate executives have recommended information sharing related to cybersecurity, explaining that “the argument for sharing information is based on the belief that firms can reduce their cybersecurity threats, vulnerabilities and, in turn, cyber incidences, based on the experiences of other (especially similar) firms” (p. 518). Based on a real options perspective, they demonstrated that “information sharing, with its ability to reduce the uncertainty associated with cybersecurity investments, may well result in reducing the tendency by private-sector firms to underinvest in cybersecurity activities” (Gordon et al., 2015a, p. 518).
Furthermore, the study suggested that the benefit gained from information sharing could provide a vital incentive to overcome firms’ unwillingness to actively share their private information.

Cybersecurity Investments

The second research stream identified concentrates on cybersecurity investments. Given the significance of cybersecurity to organisations, a fundamental economics-based question has been brought up regularly in prior studies: How much should be invested in cybersecurity-related activities? Gordon and Loeb (2002) presented a model to address this research question, and this model has received considerable attention in the literature, in which it is known as the Gordon–Loeb model.
The originators argued that, owing to the information-intense characteristics of a modern economy (e.g., the Internet and the World Wide Web), information security is a growing spending priority for most companies around the world, which prompted them to create an economic model that determines the optimal amount to invest in information security. To be more specific, they stated that the term information security in their model can be interpreted broadly. The Gordon–Loeb model is applicable to investments related to various information-security goals, for instance protecting the confidentiality, availability, and integrity of information. Hence, the model is also applicable to cybersecurity investments. To summarise, their findings indicated that the optimal amount to spend on protecting information sets does not always increase with the level of vulnerability of such information. The Gordon–Loeb model can be interpreted as suggesting that the amount that a firm should spend on protecting information sets should generally be only a small fraction of the expected loss, and, accordingly, the findings showed that “managers allocating an information-security budget should normally focus on information that falls into the midrange of vulnerability to security breaches” (Gordon & Loeb, 2002, p. 453). “Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities” (Gordon & Loeb, 2002, p. 438).
Moreover, Gordon et al. (2016) discussed the Gordon–Loeb model with a focus on providing insights to aid the model’s use in a practical setting. They highlighted that, despite its mathematical underpinnings:

    the Gordon–Loeb Model provides an intuitive framework that lends itself to an easily understood set of steps for deriving an organization’s cybersecurity investment level. These four steps are: (i) to estimate the value, and thus the potential loss, for each information set in the organization; (ii) to estimate the probability that an information set will be breached based on the information set’s vulnerability; (iii) to create a grid of all possible combinations of steps 1 and 2 above; and finally (iv) to derive the level of cybersecurity investment by allocating funds to protect the information sets, subject to the constraint that the incremental benefits from additional investments exceed (or are at least equal to) the incremental costs of the investment. (Gordon et al., 2016, pp. 57–58)

Similarly, Tanaka et al. (2005) studied the relationship between vulnerability and information-security investment using data on Japanese municipal authorities. They exploited the Gordon–Loeb model and suggested that the decision related to information-security investments depends on vulnerability.
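The four steps quoted above can be carried through numerically. The following is an added example, not code from the chapter or from Gordon and Loeb: it assumes the class-II breach-probability function S(z, v) = v^(αz + 1) from Gordon and Loeb (2002), with α as a productivity parameter, and the information sets, losses and vulnerabilities are constructed. Beyond the single case in the text, it cross-checks the closed-form optimum against a literal marginal-benefit-versus-cost allocation and shows the midrange-vulnerability effect over a grid.

```python
"""Gordon–Loeb investment computation for a set of information sets.

Added illustration, not code from the chapter or from Gordon and Loeb.
Assumes the class-II breach-probability function of Gordon & Loeb (2002),
S(z, v) = v ** (alpha * z + 1), where z is the investment, v the
vulnerability and alpha a productivity parameter. All information sets
and monetary figures below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InfoSet:
    """One information set: step (i) supplies `loss`, step (ii) supplies `vuln`."""
    name: str
    loss: float  # L: potential loss if breached (constructed, EUR millions)
    vuln: float  # v: breach probability with zero investment, 0 < v < 1


def breach_probability(z: float, v: float, alpha: float = 1.0) -> float:
    """Class-II function S(z, v) = v^(alpha*z + 1); note S(0, v) = v."""
    return v ** (alpha * z + 1.0)


def net_benefit(z: float, info: InfoSet, alpha: float = 1.0) -> float:
    """ENBIS(z): expected loss avoided by investing z, minus the cost z."""
    avoided = (info.vuln - breach_probability(z, info.vuln, alpha)) * info.loss
    return avoided - z


def optimal_investment(info: InfoSet, alpha: float = 1.0) -> float:
    """Closed-form maximiser of ENBIS for the class-II function.

    With u = ln(1/v), d ENBIS/dz = 0 gives alpha*z + 1 = ln(alpha*L*u) / u.
    The result is clipped at zero: when even the first unit of spending
    avoids less loss than it costs, the model says invest nothing.
    """
    if not 0.0 < info.vuln < 1.0:
        raise ValueError("vulnerability must be strictly between 0 and 1")
    u = math.log(1.0 / info.vuln)
    z_star = (math.log(alpha * info.loss * u) / u - 1.0) / alpha
    return max(0.0, z_star)


def invest_by_marginal_analysis(info: InfoSet, alpha: float = 1.0,
                                step: float = 0.001) -> float:
    """Step (iv) done literally: keep adding `step` while the incremental
    loss avoided is at least the incremental cost. Spending is never
    allowed to exceed the expected loss v*L. Because ENBIS is concave in z,
    the result lies within one step of the closed-form optimum."""
    z = 0.0
    expected_loss = info.vuln * info.loss
    while z + step <= expected_loss:
        avoided = (breach_probability(z, info.vuln, alpha)
                   - breach_probability(z + step, info.vuln, alpha)) * info.loss
        if avoided < step:
            break
        z += step
    return z


def investment_grid(losses: List[float], vulns: List[float],
                    alpha: float = 1.0) -> Dict[Tuple[float, float], float]:
    """Step (iii): optimal investment for every (loss, vulnerability) pair."""
    return {(L, v): optimal_investment(InfoSet("grid", L, v), alpha)
            for L in losses for v in vulns}


def budget_plan(info_sets: List[InfoSet], alpha: float = 1.0) -> Dict[str, dict]:
    """Per information set: z*, expected loss v*L and the share z*/(v*L),
    which the Gordon–Loeb model bounds by 1/e (about 37%)."""
    plan = {}
    for info in info_sets:
        z_star = optimal_investment(info, alpha)
        expected_loss = info.vuln * info.loss
        plan[info.name] = {"invest": z_star, "expected_loss": expected_loss,
                           "share_of_expected_loss": z_star / expected_loss}
    return plan


# Constructed portfolio: low, midrange and extremely high vulnerability.
PORTFOLIO = [
    InfoSet("archived-records", loss=10.0, vuln=0.02),
    InfoSet("customer-pii", loss=10.0, vuln=0.50),
    InfoSet("legacy-erp", loss=10.0, vuln=0.99),
]

if __name__ == "__main__":
    for name, row in budget_plan(PORTFOLIO).items():
        print(f"{name:18s} invest {row['invest']:.3f}  "
              f"expected loss {row['expected_loss']:.2f}  "
              f"share {row['share_of_expected_loss']:.1%}")
    grid = investment_grid([10.0], [0.1, 0.3, 0.5, 0.7, 0.8, 0.9])
    for (L, v), z in sorted(grid.items()):
        print(f"L={L:.0f} v={v:.2f} -> z*={z:.3f}")
```

With these constructed inputs the low-vulnerability and the extremely vulnerable sets both receive zero, only the midrange set is funded, and every funded share stays below 1/e.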
Tanaka et al.’s findings revealed that the municipal authorities examined did not commit higher than usual expenditures on information security if the vulnerability levels were low or extremely high while, in contrast, they invested more than usual if the vulnerability levels were medium-high. Therefore, their findings supported the insights provided by Gordon and Loeb’s (2002) model. Moreover, Gordon et al. (2015b) extended the Gordon–Loeb model to derive the optimal level of investment in cybersecurity activities. They investigated how the existence of well-recognised externalities changes the maximum that a firm should, from a social welfare perspective, invest in cybersecurity activities. They showed that a firm’s socially optimal investment in cybersecurity increases by no more than 37% of the expected externality loss. Gordon et al.’s (2015b) results have important implications for practice because they indicate that, unless private-sector firms consider the costs of breaches associated with externalities, in addition to the private costs resulting from breaches, underinvestment in cybersecurity activities is
essentially a given. Therefore, the authors concluded that cybersecurity underinvestment might pose a serious threat to national security and to the economic prosperity of a jurisdiction. In relation to this, they suggested that “governments around the world are justified in considering regulations and/or incentives designed to increase cybersecurity investments by private sector firms” (Gordon et al., 2015b, p. 29). The latest study by Gordon et al. (2018) found a significant positive association between the importance that firms attach to cybersecurity for internal control purposes and the percentage of their IT budget spent on cybersecurity activities; accordingly, Gordon et al. (2018, p. 133) suggest that “treating cybersecurity as an important component of a firm’s internal control system serves as an incentive for private firms to invest in cybersecurity activities”. The prior literature has also discussed other approaches to evaluating cybersecurity investments. For instance, Hausken (2006) argued that firms are threatened with cyber-attacks and invest increasingly in security technology. A variety of principles are applied to determine the size of the investment. However, firms’ incentives to invest in security technology are also influenced by law. As mentioned earlier, the SOX imposed strict requirements. Hausken (2006) stated that firms invest maximally in security when the average attack level is 25% of the firm’s required rate of return. Hausken (2006, p. 629) emphasised that “each firm invests in security technology when the required rate of return from security investment exceeds the average attack level, or when the formal control requirements dictate investment”. Similarly, Bose and Luo (2014) argued that today’s organisations are challenged by cybersecurity threats; it is therefore essential for organisations of different sizes and types to understand the potential impacts of cybersecurity on organisational performance. Bose and Luo (2014, p.
204) highlighted that “security investments need to be made by organizations to help secure their tangible and intangible or physical and intellectual assets”. Moreover, they argued that understanding organisational cybersecurity now involves drawing from a holistic view of not only technical but also financial, legal, and policy aspects. In conclusion, the study proposed a comprehensive conceptual framework in which non-IT-related and IT-related security investment factors are posited to influence a firm’s performance.
The authors put forward 14 propositions[^1] to understand the relationship between security investments and firm performance. Finally, Gordon et al. (2008) stated that cybersecurity breaches represent an important component of the enterprise risk confronting organisations. They therefore argued that security audits are simultaneously gaining in popularity. Gordon et al. (2008, p. 216) concluded that “the information security audit component of a management control system is useful in mitigating an agent’s empire building preferences in addressing cybersecurity threats”. By implication, the broader objective of their paper was to make the case that accounting researchers who are concerned with management control systems can – and should – play a dominant role in addressing issues related to cybersecurity. To be more specific, Gordon et al. (2008) analysed the role of security auditing in controlling the natural tendency of a chief information security officer (CISO) to overinvest in cybersecurity activities; in essence, they argued that firms can use an information-security audit to reduce a CISO’s power.

Internal Auditing, Controls, and Cybersecurity

The third research stream concentrates on internal auditing, controls, and cybersecurity. For instance, Pathak (2005) demonstrated the impact of technology convergence on the internal control mechanism of a firm and suggested that it is important for an auditor to be aware of the security hazards faced by the financial or even the entire organisational information system. Pathak (2005) attempted to place the security system design and the organisational vulnerabilities in the context of the convergence of communication and networking technologies with the complex IT in business processes.
Pathak (2005) also highlighted that auditors should be aware of technology risk management and its impact on the enterprise’s internal controls and organisational vulnerabilities. However, Lainhart (2000) suggested that management needs generally applicable and accepted IT governance and control practices to benchmark the existing and planned IT environment. Lainhart (2000, p. 22) stated that “Cobit™ is a tool that allows managers to communicate and bridge the gap with respect to control requirements, technical issues and business risks”. Moreover, he suggested that Cobit™ enables the development of clear policy and good practices for IT control throughout firms. Finally, Lainhart (2000) concluded that Cobit™ is intended to be the breakthrough IT governance tool that helps understand and manage the risks associated with cybersecurity and information. Steinbart et al. (2016, p. 71) stated that “the ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program”.
Therefore, they examined the use of the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that can obtain an objective measure of the effectiveness of enterprise information-security programs. They argued that scores for various rubrics predict four separate types of outcomes, thereby providing a multidimensional picture of information-security effectiveness. Finally, Steinbart et al. (2016, p. 88) concluded that “researchers can, therefore, use the SECURQUAL instrument to reliably measure the effectiveness of an organization’s information-security activities, without asking them to divulge sensitive details that most organizations are unwilling to disclose”. Because the SOX created a resurgence of the organisational focus on internal controls, Wallace et al. (2011) studied the extent to which the IT controls suggested by the ISO 17799 security framework have been integrated into organisations’ internal control environments. By surveying the members of the IIA on the usage of IT controls in their organisations, their results revealed the ten most commonly implemented controls and the ten least commonly implemented. 
The findings indicated that organisations may differ in their implementation of certain IT controls based on the size of the company, whether they are a public or private organisation, the industry to which they belong, and the level of training given to IT and audit personnel. Moreover, Li et al. (2012, p. 180) stated that “SOX guidance and auditing standards also emphasize the unique benefits that accompany the use of IT-related controls, including enhancing the usefulness of information produced by the system”. Hence, using a design science approach, Rahimian et al. (2016) developed the operational, public image, legal (OPL) multidimensional risk specification model to quantitatively estimate the contribution of security controls in place as well as the control deficiency risk due to missing controls. They contributed to the literature by indicating that the OPL model can be used to create a detailed risk assessment of all corporate data. This finding was important because it is often difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security.
In addition to the important topics discussed earlier, a vital subject within this research stream is the cooperation between internal auditing and information-security functions. In many companies, both the information systems and the IAFs are involved with information security and cybersecurity. Steinbart et al. (2012, p. 228) argued that these functions should work together synergistically, because “the information security staff designs, implements, and operates various procedures and technologies to protect the organization’s information resources, and internal audit provides periodic feedback concerning effectiveness of those activities along with suggestions for improvement”. The main contribution of their study was to develop an exploratory model of the factors that influence the nature of the relationship between the IAF and the information-security function. These factors are, for instance, the internal auditor’s level of IT knowledge, the internal auditor’s communication skills, and the internal auditor’s attitude (i.e., role perception). In contrast, Steinbart et al. (2013) examined the relationship between the information-security function and the IAF from the perspective of information security professionals.
The study in question surveyed information-security professionals’ perceptions, and the findings revealed that “information security professionals’ perceptions about the level of technical expertise possessed by internal auditors and the extent of internal audit review of information security are positively related to their assessment about the quality of the relationship between the two functions” (Steinbart et al., 2013, p. 65). Most importantly, the study argued that the quality of the relationship is positively associated with perceptions of the value provided by internal auditing and with measures of the overall effectiveness of the organisation’s information-security endeavours. The latest study examining the cooperation between the IAF and the information-security function was also conducted by Steinbart et al. (2018). This latter study investigated the influence of a good relationship on information-security outcomes. In other words, using a unique dataset, Steinbart et al. (2018) investigated how the quality of the relationship is associated with objective measures of the overall effectiveness of an organisation’s information-security efforts.
The findings highlighted that the quality of the relationship has a positive effect on the number of reported internal control weaknesses and incidents of non-compliance as well as on the number of security incidents detected, both before and after they caused material harm to the organisation. Finally, Steinbart et al. (2018, p. 1) emphasised that “higher levels of management support for information security and having the chief information security officer (CISO) report independently of the IT function have a positive effect on the quality of the relationship between the internal audit and information security functions”. Instead, Stafford et al. (2018) examined the role of information-security policy compliance and information system auditing in identifying non-compliance in working environments. They concentrated on the role of non-malicious insiders who unknowingly or innocuously thwart corporate cybersecurity directives by engaging in unsafe computing practices. Hence, they conducted a qualitative case analysis of technology user security perceptions, combined with an interpretive analysis of in-depth interviews with auditors, to examine and explain user behaviours in violation of cybersecurity directives. Thus, they determined the ways in which auditors can best assist management in overcoming the problems associated with security complacency among users. 
Their findings indicated that enterprise risk management (ERM) benefits from audits that identify technology users who might feel invulnerable to cyber threats. Moreover, Stafford et al. (2018, p. 420) argued that “the IT auditor is likely the most valuable objective consultant and critic of the process that is designed to manage and enforce security compliance in the firm”. Nevertheless, the same report also stated that “the function of an audit is to consult, to improve and to guide; it is the role of corporate management to seek and embrace auditing guidance in the matter of improving cybersecurity” (2018, p. 420). Similarly, Islam et al. (2018) stated that cybersecurity auditing is a relatively new dimension of security practice intended to support the protection of critical information assets. The authors added that an auditing process will seek to obtain evidence of organisational cybersecurity policies and their efficacy for the protection of asset integrity, data confidentiality, and data access and availability. The study points out that managing cybersecurity is increasingly important for companies due to the growing dependence of firms on technology for conducting their business, creating a competitive advantage, and achieving success.
Islam et al. (2018) examined the factors associated with the extent of cybersecurity auditing by the internal audit function (IAF) of the firm. Specifically, they focused on whether the internal audit function, the certified audit executive’s characteristics, the board involvement related to governance, the role of the audit committee, and the chief risk officer and the IAF tasked with ERM are associated with the extent to which the firm engages in cybersecurity auditing. Their results suggested that the extent of cybersecurity auditing by the IAF is significantly and positively associated with IAF competence related to governance, risk, and control. Board support regarding governance is also significant and positive. However, the Islam et al. research did not find significant results related to the roles of the audit committee and the chief risk officer. To conclude, the research argued that comprehensive risk assessment conducted by the IAF and IAF quality have a significant and positive effect on a cybersecurity audit. Therefore, the study provides insights into the specific IAF/certified audit executive characteristics and corporate governance characteristics that can lead the IAF to contribute significantly to a cybersecurity audit. In related work, Kahyaoglu and Caliyurt (2018) examined the cybersecurity assurance process from the internal audit perspective.
They developed a model to introduce the way in which the internal audit and information-security functions could work together to support organisations in accomplishing a cost-effective level of information security. The key issues and approaches were explained regarding how to become a trusted cybersecurity advisor, and a sample cybersecurity awareness program checklist was provided. For instance, Kahyaoglu and Caliyurt (2018, p. 371) concluded that “internal auditors should expand their own IT audit capabilities to provide proactive insights and, in this way, they could make value-added recommendations to management”. Finally, Gyun No and Vasarhelyi (2017) discussed whether external auditors should be involved in cybersecurity. First, they stated that cybersecurity can clearly influence the economic health of an organisation, because the estimated average costs of cyber-attacks are extremely high. Second, auditor competence in this highly technical area of cybersecurity raises further questions. For instance, are current auditors trained to be involved in cybersecurity issues? Hence, they stated that auditors might have training in other subject matters that may overlap with cybersecurity, such as valuation, in which the auditor relies on specialists to support key assertions. While some firms provide their employees with IT audit specialisation skills, the greater scope of accountant training precludes these skills (Gyun No & Vasarhelyi, 2017). Further, they argued that, if not auditors, then who should take the role of integrating financial and cyber-risk information into some form of assurance that can be provided to shareholders? Finally and most importantly, they discussed the risk assessment portion of future audits. They concluded that substantive research is needed on how to integrate the generally qualitative issues of the risk of cyber exposure into the traditional audit model. 
Disclosure of Cybersecurity Activities

The fourth research theme contains articles examining the disclosure of cybersecurity activities. As mentioned earlier, Gordon et al. (2006) highlighted the impact of the SOX (2002) on the voluntary disclosure of information-security activities by corporations. They clearly emphasised that the SOX had a positive impact on such disclosure. To clarify, their findings indicated that the voluntary disclosure of information-security activities had increased by over 100% since the passage of SOX when compared with two years prior to the law’s implementation. This was an interesting finding, because the SOX did not explicitly address the issue of information security. On a related note, Gordon et al. (2010) examined voluntary disclosures concerning cybersecurity and argued that voluntary disclosures in the annual report on cybersecurity allow a corporation to provide signals to the markets that “the firm is actively engaged in preventing, detecting and correcting security breaches”. Accordingly, Gordon et al.
suggested that it is a strategic choice whether or not a firm voluntarily decides to disclose items concerning information security; they further asserted that there is clear evidence that an increasing number of organisations are voluntarily disclosing information related to cybersecurity. Moreover, Gordon et al. provided empirical support for the argument that voluntary disclosures related to cybersecurity are positively and significantly related to the stock price. Their results indicated general support for the signalling argument, which holds that managers’ voluntary disclosures are consistent with increasing firm value. Most importantly, their results showed that “voluntary disclosures related to proactive security measures by a firm have the greatest impact on the firm’s market” (Gordon et al., 2010, p. 590). In contrast, Wang et al. (2013) examined the association between the disclosure and the realisation of information-security risk and stated that firms often disclose information-security risk factors in public filings. Wang et al. (2013) argued that the internal cybersecurity information associated with disclosures may be positive or negative. They evaluated how the nature of the disclosed security risk factors, believed to represent the firm’s internal information regarding information security, is associated with future breach announcements reported in the media. The paper presents a decision tree model, which categorised the occurrence of future