Krannert Graduate School of Management, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, Indiana 47907
Firms often disclose information security risk factors in public filings such as 10-K reports. The internal information associated with disclosures may be positive or negative. In this paper, we evaluate how the nature of the disclosed security risk factors, believed to represent the firm's internal information regarding information security, is associated with future breach announcements reported in the media. For this purpose, we build a decision tree model, which classifies the occurrence of future security breaches based on the textual contents of the disclosed security risk factors. The model is able to accurately associate disclosure characteristics with breach announcements about 77% of the time. We further explore the contents of the security risk factors using text-mining techniques to provide a richer interpretation of the results. The results show that the disclosed security risk factors with risk-mitigation themes are less likely to be related to future breach announcements. We also investigate how the market interprets the nature of information security risk factors in annual reports. We find that the market reaction following the security breach announcement is different depending on the nature of the preceding disclosure. Thus, our paper contributes to the literature in information security and sheds light on how market participants can better interpret security risk factors disclosed in financial reports at the time when financial reports are released.
The paper presents insights regarding the key learning-related factors a buyer should consider when deciding the extent to which information about bids is revealed in a procurement auction context. It offers the insights by analyzing the following two first-price sealed-bid policies in a private-value sequential auction with no winner dropouts: (i) iis, where only the winner's bid is revealed, and (ii) cis, where all bids are revealed. Our analysis identifies two important learning effects—the extraction and the deception effects—as having significant welfare implications. Both these effects arise because of a bidder's desire to gain an informational advantage relative to his competitors, but their manifestations are different. The extraction effect occurs because of a bidder's incentive to learn about his competitors, and the deception effect is a consequence of the incentive to prevent an opponent from gaining the information. Both effects lead to higher bid prices, and either may be dominant from a procurer surplus standpoint. With the deception effect, social welfare can decrease even when the number of suppliers increases, a result that is counterintuitive. The paper also discusses how insights regarding the learning effects might apply to other policies.