Date of Award

Fall 9-1-2015

Document Type


Degree Name

Doctor of Science in Information Systems


Business and Information Systems


Since 2011, publicly traded corporations have been required by the Securities and Exchange Commission (SEC) to self-disclose information security risks. However, because of several undefined factors, the risk information may not accurately reflect the threats within the Internet domain. Investors are then left ill-informed regarding this substantial risk to corporate value. This project quantifies the disparity between reported information security risks and information security threats, finding that while reporting is becoming more accurate, corporations still report only 66% of the cybersecurity threats they face. This project also introduces a model that delineates factors that affect the accuracy of self-disclosed cybersecurity risks. The hypothesized factors are maturity, guidance, performance, and realization. Maturity is the number of years a company has been reporting cybersecurity risks. Guidance refers to the 2011 publication of an SEC document that instructs companies on proper reporting methodology. Performance is the effect of a company’s profit or loss on accurate reporting, and realization is the increase in reporting accuracy attributed to a company learning that it does face a particular threat. Of the four factors analyzed in the model, only two were found to be relevant in determining cybersecurity risk reporting accuracy. Those two factors are maturity and guidance. Performance was not found to influence reporting accuracy. While there is anecdotal evidence to support the hypothesis that realization does improve reporting accuracy, there was not enough data on the report to corroborate this hypothesis. The impact of this study is twofold. First, if the maturation trend continues, reporting will improve to the point where corporations report all of the risks that they face. The second implication is that the SEC can control the accuracy of self-disclosed reports by instructing reporting institutions on how to prepare data for the reports it desires.