Tawei Wang

The Association Between the Disclosure and the Realization of Information Security Risk Factors

Firms often disclose information security risk factors in public filings such as 10-K reports. The internal information associated with disclosures may be positive or negative. In this paper, we evaluate how the nature of the disclosed security risk factors, believed to represent the firms internal information regarding information security, is associated with future breach announcements reported in the media. For this purpose, we build a decision tree model, which classifies the occurrence of future security breaches based on the textual contents of the disclosed security risk factors. The model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time. We further explore the contents of the security risk factors using text-mining techniques to provide a richer interpretation of the results. The results show that the disclosed security risk factors with risk-mitigation themes are less likely to be related to future breach announcements. We also investigate how the market interprets the nature of information security risk factors in annual reports. We find that the market reaction following the security breach announcement is different depending on the nature of the preceding disclosure. Thus, our paper contributes to the literature in information security and sheds light on how market participants can better interpret security risk factors disclosed in financial reports at the time when financial reports are released.

Knowledge management systems and organizational knowledge processing challenges: A field experiment

This paper investigates the appropriateness of knowledge management system (KMS) designs for different organizational knowledge processing challenges. Building on the theory of task-technology fit (TTF), we argue that different KMS designs are more effective for different knowledge tasks. An exploratory field experiment was conducted in the context of Internet-based knowledge sharing services to provide empirical support for our hypotheses. The results of our experiment show that a KMS designed to support the goal GENERATE is more appropriate for divergent type knowledge problems because of its affordances for iterative brainstorming processes. Conversely, for convergent type knowledge processing challenges, a KMS with the goal CHOOSE that supports the ability to clarify and to analyze is more effective.

The Association between Top Management Involvement and Compensation and Information Security Breaches

ABSTRACT:  This paper examines how an information technology (IT) executives position in a top management team and how his/her compensation are associated with the likelihood of information security breaches. Using a sample drawn from multiple sources in the period from 2003 to 2008, we show that an IT executives involvement in the top management team is negatively related to the possibility of information security breaches. We also find that the amount of behavior-based (i.e., salary) compensation and the pay differences of outcome-based (i.e., bonuses, stock awards, and stock options) compensation between IT and non-IT executives are negatively associated with the likelihood of information security breaches. Our findings shed light on how an IT executives status in the top management team and the composition of his/her compensation can be related to a firms IT governance mechanisms.

A Legitimacy Challenge of a Cross-Cultural Interorganizational Information System

This paper studies the adoption and diffusion of a cross-cultural Interorganizational Information System (IOS), which is used to streamline the processing of financial transactions between European investment fund companies and Taiwanese banks. Drawing from institutional and organizational legitimacy theory, we argue that the adoption and implementation of technological innovation is contingent upon its alignment with three institutional pillars in different countries and the deployment of legitimation strategies by stakeholders. Departing from classical innovation diffusion theory, our empirical investigation reveals that the implementation of a cross-cultural IOS is a dynamic process involving the recognition, understanding, and management of the regulative, normative, and cognitive challenges arising in two different institutional settings. This paper contributes to the growing body of research that highlights the significance of social and institutional influences on the adoption of IOS in a global environment.

The Textual Contents of Media Reports of Information Security Breaches and Profitable Short-Term Investment Opportunities

Information security-related incidents continue to make headlines. Interestingly, researchers have found mixed results when attempting to associate reports of information security breaches with changes in the affected firms stock price. This research delves further into this puzzle by investigating the association between the textual contents of information security breach media reports and the stock price, as well as the trading volume reactions of the affected firm(s) around the breach announcement day. Our findings suggest that when the textual contents of breach reports provide more detailed information regarding the incidents, a more consistent belief is formed by the market about the negative impact of the reported security incident on the firms business value. However, when there is a lack of specific information regarding the reported breach, the market does not seem to reach consensus on the impact of reported security incidents. We further demonstrate that different perceptions exist among general and sophisticated investors regarding the impact of reported information security incidents on a firms future performance as demonstrated by changes in trading volume. By exploiting the different perceptions among investors, we form a trading strategy to demonstrate that, on average, one can make about 300% annual profit around the breach announcement day.

The Impact of ISO 27001 Certification on Firm Performance

The extensive organizational dependence on information technology (IT), along with worsening impact of information security incidents, has made information security one of the top management concerns. The ISO 27001 standard provides guidance to a sound information security management system (ISMS). However, implementation and accreditation costs can also be considerable. In this study, we explored whether the certification can benefit organizations by signaling the managements attitude toward security management and the appropriateness of ISMS implementation. We investigated firm performance after the ISO 27001 certification with samples from the United States and selected European countries. Different from our expectation, we found no evidence that ISO 27001 certification brought benefits to the certified firm in terms of return-on-assets and stock market performance. We attributed the results to the nature of ISO 27001 that a good information security management would be seen as an obligation, instead of a competitive advantage.