The European Union Agency for Network and Information Security (ENISA), is one of the “third generation” of EU agencies, active in the area of cybersecurity. Over a period of years this expert agency’s fundamental regulation has been amended and replaced, and its governing bodies modified....

Cyberattacks by nation states and other organized groups against the United States have continued to escalate in recent years with ever-increasing concerns about ransomware attacks and other cyberattacks on the public sector and critical infrastructures. Society is highly dependent upon these...

Purpose of the article: Cyber security has become a key factor in determining the success or failure of companies that rely on information systems. However, this entails considerable investment. Typical investments in information technology aim to create value, while investments in cyber...

With cyber-losses mounting worldwide, the need for effective cybersecurity governance has never been greater. The objective of this paper is to identify what is currently known about this important topic and what remains to be further investigated. We examine both the academic and industry...

Data breaches account for a significant share of cyber attacks. While they severely impact customers, who lose valuable personal data, they often have a limited effect on the operations of data holding companies. This might lead firms to underinvest in cybersecurity. Does stronger data...

We develop a novel firm-level measure of cybersecurity risk using textual analysis of cybersecurity-risk disclosures in corporate filings. The measure successfully identifies firms extensively discussing cybersecurity risk in their 10-K, displays intuitive relations with quantitative measures of...

Bug bounty program is a business activity in which firms invite white-hat hackers around the world to identify vulnerabilities in their cyber systems. The paper proposes a model to quantify the normal cybersecurity spending with respect to the importance of information systems. An upper limit of...

The SEC has expressed concern that some emerging risks - most notably, cybersecurity risk - exhibit an insufficient level and quality of disclosure. Policymakers envision a board role in cybersecurity risk management, but whether that role would effectively improve risk disclosure is an open...