Maryam Firoozi,
Cyber Security Risk Disclosure

Principal Investigator: Maryam Firoozi, Accounting
Funder: SSHRC Insight Development

The wave of cyberattacks on businesses in the last decade has caused stakeholders and regulators to pay significant attention to the responsibilities of a corporation before, during, and after such incidents. Due to the severe impact of cyber risk on national security and the global economy, regulators all over the world are taking action to make sure firms have adequate governance mechanisms in place to prevent cyberattacks. Although regulatory bodies and stakeholders are emphasizing transparency about cyber security risks, cyber incidents, and preparedness to prevent cyberattacks, there is limited research on how firms disclose cyber security information and whether this information has any substance.

The purpose of this study is to investigate the practices and quality of cyber security risk disclosure and IT governance practices of a sample of Canadian firms, with emphasis on the role of new regulatory guidelines, policies and best practices. Most of the limited research on cyber security risk disclosure uses automated approaches such as counting the frequency of words and sentences related to IT security, which does not reveal enough information about the quality of the data disclosed to stakeholders. Since most of the cyber security risk disclosure is qualitative, a manual content analysis approach will allow the researchers to capture the quality of cyber security risk disclosure in a more meaningful way.