
Three Essays on the Governance of Cybersecurity



Amani, Farzaneh (2023) Three Essays on the Governance of Cybersecurity. PhD thesis, Concordia University.

Text (application/pdf)
Amani_PhD_F2023.pdf - Accepted Version
Available under License Spectrum Terms of Access.


This dissertation consists of three interrelated essays that examine the governance of cybersecurity. The first essay synthesizes the literature on the disclosure of cybersecurity risks and incidents to identify its drivers, informativeness, quality, theoretical perspectives, and future directions. The review identifies several drivers for cybersecurity disclosure and highlights that, while the level of informativeness of such disclosure meets the usefulness expectations of regulators, its quality falls short. It also finds that the literature mostly lacks an explicit theoretical framework and predominantly uses textual content analysis and event studies. The review identifies the need for research in both governance and management of cybersecurity disclosure, thus providing the motivation for the second and third essays. The second essay examines where cybersecurity risk oversight resides within a firm’s governance structure, what determines such positioning, and how it impacts the firm’s response to a cybersecurity breach. In proxy statements, breached firms explicitly disclose oversight assignment with a wide variation, ranging from the full board to a named board committee, with the audit committee being the most common. Results show that board connectedness and cyber competency are positively associated with oversight assignment, full board oversight is more likely with smaller boards, and boards’ shareholding and cyber competency steer oversight to the audit committee. In the event of a breach, the presence of oversight decreases the time firms take to announce and resolve the breach, and reduces the recurrence of breaches. While firms with audit committee cybersecurity oversight disclose and resolve the breach more quickly, full board oversight leads to fewer recurrences. The increase in data breaches leads firms to adopt various risk management strategies; hence, the third essay examines the relation between cyber insurance disclosure and a firm’s likelihood of being the target of a future breach. Using textual analysis of the risk factors disclosed in 10-K filings and comparing cyber insurance disclosures of firms that are breached to those that are not, the evidence shows that firms disclosing cyber insurance have a significantly higher subsequent probability of being breached. Furthermore, it appears that disclosing cyber insurance leads to delayed public breach disclosure but more timely breach resolution, and higher breach recurrence.

Divisions: Concordia University > John Molson School of Business > Accountancy
Item Type: Thesis (PhD)
Authors: Amani, Farzaneh
Institution: Concordia University
Degree Name: Ph. D.
Program: Business Administration (Accountancy specialization)
Date: 19 June 2023
Thesis Supervisor(s): Magnan, Michel and Moldovan, Rucsandra
Keywords: Cybersecurity; Literature Review; Disclosure; Cybersecurity Risks and Incidents; Risk Oversight; Corporate Governance; Data Breaches; Determinants; Consequences; Cyber Insurance; Risk Management; Risk Transfer
ID Code: 992562
Deposited By: Farzaneh Amani
Deposited On: 14 Nov 2023 19:09
Last Modified: 14 Nov 2023 19:09
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
