Investors’ Reactions to Cybersecurity Incidents: The Joint Effects of Disclosure Tone, Critical Audit Matters, and IT Knowledge
通过两个实验,研究了投资者对网络安全事件披露中管理层语气和审计师评论的反应如何取决于其信息技术知识水平,发现高IT知识投资者更偏好中性语气和关键审计事项,而低IT知识投资者更偏好积极语气和无关键审计事项。
We investigate whether investors’ reactions to management’s tone and to auditor’s commentary in the disclosure of a cybersecurity incident are contingent on investors’ level of knowledge about information technology (IT). In Experiment 1, we predict and find that investors with a high level of IT knowledge are more likely to invest in a company when management’s cybersecurity risk disclosure is written in a neutral tone and a critical audit matter (CAM) about the cybersecurity incident is present. In contrast, investors with a low level of IT knowledge are more likely to invest when the cybersecurity risk disclosure is written in a positive tone and a CAM about the incident is absent. We also find that for investors with a high level of IT knowledge, a positive tone of disclosure results in lower perceived management credibility and thus in lower willingness to invest when the CAM relating to the cybersecurity incident is present. In Experiment 2, we find that these results are unchanged regardless of the number of CAMs disclosed. Our findings are relevant to management, to auditors, and to the regulators that have expressed concerns about the quality of cybersecurity risk disclosures for informing investors’ decision-making.