The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities

Gordon, Lawrence A.; Loeb, Martin P.; Lucyshyn, William; Sohail, Tashfeen

doi:10.1016/j.jaccpubpol.2006.07.005

Cited by 130 publications

(62 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Although SOX does not regulate changes in information security activities, Gordon et al (2006b) find that voluntary disclosure in 2003-2004 increased 100% compared with 2000-2001, concomitant with enhanced awareness of the role of information security. Whether this trend will continue in the future is unclear since a double edged sword is involved when determining whether to disclose information security activities.…”

Section: Introductionmentioning

confidence: 93%

“…Aside from some cases where confidentiality plays a role, information sharing is usually collectively beneficial. Gordon et al (2006b) identify three categories of information disclosure. These are voluntary disclosure of proactive steps toward improving information security, voluntary disclosure of information security vulnerabilities, and voluntary disclosure of information security breaches.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Information sharing among firms and cyber attacks

Hausken

2007

Journal of Accounting and Public Policy

111

View full text Add to dashboard Cite

As the Sarbanes-Oxley Act strengthens internal controls, and the government encourages information sharing, accounting gains significance through secure representation, storage, and transfer of information, and by laying the foundation for assessing costs and benefits. Information sharing and security investment for two firms are inverse U shaped in the aggregate attack, and interlinked through the interdependence and the firm's unit cost of security investment. Both increase in the interdependence (e.g. US telecommunications industry). With given security investment, social welfare is inverse U shaped in information sharing. Individual optimization implies free riding. A social planner is introduced controlling information sharing, security investment, or both, in simultaneous and two period games. Two period games where the social planner moves first are realistic when the social planner is highly respected. For the simultaneous game, a social planner controlling information sharing (security investment) imposes unreasonably high sharing (security investment). Firms free ride in the variable they control. The social planner imposes more moderate levels in the two period games. A social planner controlling both information sharing and security investment in a two period game where the social planner moves first is the most beneficial control scenario when the firms' defense efficiencies are high. If these are sufficiently high, the attack is deterred altogether.

show abstract

Section: Introductionmentioning

confidence: 93%

Section: Introductionmentioning

confidence: 99%

Information sharing among firms and cyber attacks

Hausken

2007

Journal of Accounting and Public Policy

111

View full text Add to dashboard Cite

show abstract

“…With one notable exception [10], there has been only limited research which focuses on empirical investigation on the impact of a compliance and liability regulation on firms' information security activities. Gordon et al…”

Section: Introductionmentioning

confidence: 99%

“…in reference [10] provide indirect evidence that security activities are drawing more attention from organizations since the passage of a compliance law than before it was enacted. This study builds on and expands reference [10] by empirically exploring the impact of a compliance and liability regulation on firms' information security activities in the case of Korea.…”

Section: Introductionmentioning

confidence: 99%

“…This study builds on and expands reference [10] by empirically exploring the impact of a compliance and liability regulation on firms' information security activities in the case of Korea. More explicitly, the primary objective of this study is to investigate direct empirical evidence on the impact of EFTA, a Korean compliance and liability law targeting financial institutions and service providers, on firms' information security activities (i.e., the changes in firms' information security activities before and after the passage of EFTA) and to identify whether EFTA helps to create a sustainable national system for cyber security.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Analysis of the Impact of Security Liability and Compliance on a Firm's Information Security Activities

Shim¹

2011

The Journal of Society for e-Business Studies

View full text Add to dashboard Cite

Many governments have tried to develop a liability and compliance law that can improve cyber security in a sustainable way. This paper explores whether a liability and compliance law is effective in motivating firms' information security activities. In particular, I empirically investigate the impact of the 2007 Electronic Financial Transaction Act (EFTA), a liability and compliance law in Korea, on the information security activities of financial institutions and services providers. In spite of various criticisms of the effectiveness of EFTA, the empirical findings of this study clearly show that EFTA is having a positive impact on information security activities. From these findings, this article concludes that a liability and compliance law is likely to contribute to a certain degree to the achievement of sustainable development of cyber security.

show abstract

Disclosing elements of disclosure: a test of legitimacy theory and company ethics

Lightstone¹,

Driscoll²

2008

Can J Adm Sci

View full text Add to dashboard Cite

This paper focuses on some of the ethical issues related to voluntary disclosure of qualitative information by Canadian public companies. Drawing on various organizational theories, we examine some of the ways that companies can symbolically manage legitimacy through disclosure. Press releases of a sample of companies that received cease‐trading orders were analysed for their use of language. We found that high‐risk companies attempted to manage legitimacy by selectively releasing information and by using ambiguous language. Moreover, some companies behaved unethically by using language that suggested a positive future despite the imminent release of a cease‐trading order. These findings have implications for organizational and accounting theorists and stakeholders in the corporate, fiduciary, and investment communities. Copyright © 2008 ASAC. Published by John Wiley & Sons, Ltd.

show abstract

The impact of the Sarbanes-Oxley Act on the corporate disclosures of information security activities

Cited by 130 publications

References 9 publications

Information sharing among firms and cyber attacks

Information sharing among firms and cyber attacks

Analysis of the Impact of Security Liability and Compliance on a Firm's Information Security Activities

Disclosing elements of disclosure: a test of legitimacy theory and company ethics

Contact Info

Product

Resources

About