If You Cannot Measure It, You Cannot Manage It: Assessing the Quality of Cybersecurity Risk Disclosure through Textual Imagification

Abstract

Cybersecurity threats can exert significant adverse effects on a company’s performance, necessitating that stakeholders make an effort to understand the risks related to the companies with which they conduct business. However, since a company’s relative exposure to cybersecurity risks is related to both identified potential cybersecurity risks as well as previous cyberattacks (and efforts to mitigate future attacks), an accurate assessment of the level of a company’s cybersecurity risk can pose a daunting challenge. In this paper, we suggest a methodology to measure a company’s cybersecurity risks by focusing on its disclosed cybersecurity risks, aggregating said risks and ultimately assessing them in a comprehensive manner. Specifically, we use text analytics to examine the cybersecurity risk disclosures of companies. Then, by applying Textual Imagification (TI) and a new approach derived from machine learning techniques, we develop a measurement mechanism for cybersecurity risks for individual companies. By providing measures of cybersecurity risks across companies, we can facilitate the decision-making processes of stakeholders by allowing them to access and compare cybersecurity risks, thereby improving the social welfare of market participants.