Study Finds Companies May Be Wise to Share Cybersecurity Efforts

It turns out, if recent research is any indication, when one company is breached in a vertical market other companies in that vertical market become less attractive places for investors to stick their capital. Yet, when companies share their cybersecurity risk management they significantly outperform their peers that don’t disclose their cybersecurity efforts.

“Previous studies have found evidence of this ‘contagion effect’ in the wake of cybersecurity breaches,” said Robin Pennington, co-author of a paper on the work and an associate professor of accounting in North Carolina State University’s Poole College of Management. “However, to our knowledge, ours is the first to test the issue experimentally. We not only confirmed the contagion effect but found that there are clear steps companies can take to reduce its impact,” he said.

Pennington cited the voluntary reporting guidelines from the AICPA (American Institute of CPAs) known as the System and Organization Controls (SOC) for Cybersecurity.

The AICPA developed its cybersecurity risk management reporting framework, it says, “to assist organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs.”

“The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organizations' enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations' efforts,” the AICPA explains.

When it comes to the so-called “contagion effect,” the North Carolina State University’s researchers conducted a study with 120 nonprofessional investors.

According to the researchers, for the study, participants were given information about a fictional company, which was called Company A. A number of participants were told briefly about the fictional Company A’s cybersecurity risk management program. They were then asked to provide an initial assessment of the attractiveness of investing in Company A, as well as the likelihood of purchasing stock in the company.

Study participants were then told that one of Company A’s peers was the victim of a cybersecurity breach. And they were then asked to provide an updated assessment of the investment attractiveness of Company A. All participants were then given a news release from Company A. While some received a version of the release that included a reference to Company A’s cybersecurity risk management program. The participants were then asked to provide their final assessment of Company A’s attractiveness and the likelihood of investment. “The researchers found that companies who disclosed cybersecurity risk management efforts both before and after a competitor’s breach fared the best,” the researchers said in a statement.

“While the company suffers some decline in attractiveness after the breach, on average it suffers the least if it discloses its cybersecurity risk management program, in a way that is similar to the AICPA’s voluntary reporting guidelines,” Pennington said.

The researchers also analyzed the study data to ascertain the impact of another effect, called the “competition effect,” which has previously been associated with cybersecurity breaches in archival research. In this context, the competition effect is when investors see a cybersecurity breach at one company as an advantage for that company’s competitors – making those competitors more attractive to investors.

“We did see evidence of the competition effect with some investors in our study, but on average the contagion effect overwhelmed the competition effect,” Pennington says.

“Our study offers experimental evidence for both the contagion and competition effects, as well as their relative strengths,” Pennington says. “But I think the takeaway here is that there are very real advantages to voluntarily disclosing cybersecurity risk management efforts, as the AICPA suggests. This is not a purely theoretical exercise – it can affect your company’s appeal to investors.”

The paper, “Do voluntary disclosures mitigate the cybersecurity breach contagion effect?” is published in the Journal of Information Systems. Corresponding author of the paper is Andrea Seaton Kelton of Middle Tennessee State University.