Does business strategy influence cybersecurity risk disclosures?

Mostafa Hasan*, Charlene Chen, Colly He

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

Synopsis

The research problem
This study examines the influence of firms’ business strategies on their cybersecurity risk disclosures (CRDs).


Motivations
The exponential expansion of the digital economy and the increasing reliance on online data storage and processing have made cybersecurity breaches a critical issue for businesses worldwide. The disclosure of cybersecurity risks is vital in fostering transparency and communication between firms and external stakeholders. This study draws from the Miles and Snow (1978) strategic typology to explore how firms’ chosen strategies influence their CRDs. This investigation is important because firms that adopt a prospector- or a defender-type strategy have different strategic focuses, leading to varying degrees of exposure to cybersecurity risks. As a result, these firms have various incentives to engage in CRDs. By enhancing our understanding of CRDs’ determinants, this study provides insights into the way in which business strategies shape firms’ approaches to communicating cybersecurity risks.

Despite the increasing scholarly attention paid to firms’ disclosure of cybersecurity risks, there remains a lack of literature concerning the factors influencing the extent of CRDs. Our study fills the gap in the literature by investigating how firms’ business strategies shape CRDs. By uncovering the influence of business strategies on CRDs, our study provides valuable insights into the information environment within firms.

The test hypotheses
H1a: Firms that adopt a prospector-type strategy are likely to make more CRDs than firms that follow a defender-type strategy.
H1b: Firms that adopt a prospector-type strategy are likely to make fewer CRDs than firms that follow a defender-type strategy.


Target population
Regulators, investors, and other stakeholders

Adopted methodology
Ordinary least squares regressions

Analyses
Our independent variable of interest is business strategies, which we categorized into prospectors, analyzers, and defenders based on the Miles and Snow (1978) strategic typology. As our dependent variable, we employ the cybersecurity risk disclosure score developed by Florackis et al. (2023), which utilizes machine learning-based textual analysis to quantify CRDs. As for the analysis of consequences, we use Tobin’s Q as an indicator of firm value.

Findings
We find that firms adopting a prospector-type strategy are more inclined to provide extensive CRDs than firms following a defender-type strategy. Moreover, we observe that the impact of business strategies on CRDs is heightened in firms with strong corporate governance attributes, including effective boards, robust internal controls, and the engagement of industry expert auditors or Big 4 accounting firms. In addition, our findings indicate that the strengthened relationship between business strategies and CRDs contributes positively to firm value.
Original languageEnglish
JournalThe International Journal of Accounting
Publication statusAccepted/In press - 2024

Keywords

  • Cybersecurity
  • cybersecurity risk disclosure
  • business strategies
  • prospectors
  • defenders

Cite this