Cheong, Arion. If you cannot measure it, you cannot manage it: three essays on cybersecurity risk assessment. Retrieved from https://doi.org/doi:10.7282/t3-cqb3-4741
Description: Cybersecurity has received enormous attention in recent years. The volume of cyberattacks is dramatically increasing, in line with the explosive growth in the number of cybersecurity breaches. A computerized business environment exposes organizations to greater cybersecurity vulnerability. Top management is deeply concerned about the potential for cybersecurity threats to hinder the growth of their firms (Symantec, 2016). While cybersecurity risk measures have been developed, many of them are based on attributes that reflect technical aspects (e.g., IT infrastructure) and managerial considerations (e.g., cybersecurity policies). The complex nature of cybersecurity, however, makes it difficult to assess a firm's cybersecurity risks. In light of this challenge, I will introduce three different empirical methodologies in my dissertation to assess cybersecurity-related events using a data analytic approach. The first chapter proposes a methodology to measure the firm-specific information in cybersecurity risk disclosure. The second chapter assesses the insider threat after the massive layoff during the COVID-19 period by utilizing a unique dark web dataset. Finally, the last chapter introduces a new methodology to measure latency inequality in order execution for stock exchanges.