Information security breaches have hit the headlines frequently in recent years because of their potential impact on organizations and the public. For example, Equifax announced a data breach in September 2017, which affected about 147 million people.1 Its business value, estimated by stock prices, dropped four billion dollars in the first week of the breach. The cost associated with the breach was already $439 million2 before a $425 million settlement was announced in 2020.3 The trend of data breaches does not show an optimistic future. According to IBM, the average total cost of a data breach was about $4.24 million, but it took, on average, 287 days to identify and contain a data breach.4
The seriousness of information security breaches has also attracted attention from the regulators. For example, the U.S. Securities and Exchange Commission (“SEC”) has issued guidance and interpretive guidance in 2011 and 2018, respectively, regarding the disclosures of cybersecurity related risks, which has led to more enforcement actions.5 The Public Company Accounting Oversight Board included an assessment and understanding of cyber and information security risks in its 2020–2024 strategic plan.6 The Federal Trade Commission (“FTC”) has also started to propose changes to its Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act.7
Given the huge impact of data breaches on organizations and individuals, the business research community has attempted to better understand information security from various angles, from threat and disclosures to impact and responses.8 In this study, we will provide a review of prior empirical studies to help readers better understand this stream of literature. The review will be organized based on a summary of the terminologies discussed in International Organization for Standardization (“ISO”)/International Electrotechnical Commission (“IEC”) 27032:2012 as illustrated in Figure 1.9 This framework captures the components that are commonly discussed in assessing information security risks as mentioned in the ISO/IEC 27000 series. Specifically, in the framework, threat agents give rise to threats to specific assets in an organization. The threat may exploit the vulnerabilities that can lead to risks. The shareholders would like to reduce the risks by imposing various governance mechanisms (for example, controls) that can also reduce the vulnerabilities. When the risk is realized, it becomes a breach event, which can affect the breached organization. Actions may be taken in response to the security breaches. Accordingly, Figure 1 provides a structure for us to understand information security, from identification of threats and vulnerabilities; risk assessment and management strategies; and potential consequences and responses.
Figure 1. Framework for the Review
Based on the framework illustrated in Figure 1, the following literature review is organized into three major groups: (1) threats and vulnerabilities; (2) risks and governance mechanisms; and (3) impacts and responses.