THE INFLUENCE OF CYBERCRIME ON RISK MANAGEMENT REPORTING

Mieke Mooibroek, S2731304

MSc Accountancy, University of Groningen
Faculty of Economics and Business
Supervisor: Prof. Dr. D.M. Swagerman
Co-assessor: Dr. J.S. Gusc
June 2018, Groningen

Word count: 9,410

ABSTRACT

Cybercrime has become an important risk and the impact of this risk is increasing. Therefore, it is important that companies manage this risk. Despite these facts, there is not a vast amount of research on whether companies report cybercrime as a risk. Research has been conducted using a content analysis of how Dutch listed companies report on cybercrime risk. It has been examined whether they mention it as a risk, what kind of information they provide on this risk and whether this information has developed in the period from 2015 to 2017. The results show that there is an increase in the number of companies that mention cybercrime as a risk. In 2017 almost all companies mention it, but the information provided is limited. To conclude, cybercrime risk does influence the reporting on risk management of companies.

Keywords: Cybercrime, Risk, Risk Reporting, Risk Management, Content Analysis, Disclosure Index


Table of Contents

Introduction ... 2
Literature ... 4
  Cybercrime ... 4
  Risk Management ... 5
  Risk Reporting ... 6
Review of Current Literature ... 10
Methodology ... 11
  Research Method ... 11
  Data Gathering ... 14
  Reliability and Validity ... 15
Results ... 16
Analysis ... 24
Conclusion ... 26
Limitations and Ideas for Future Research ... 28
Discussion ... 29
  What Will Cybercrime Mean for Accountancy? ... 31
Reflection ... 33
References ... 34
Appendices ... 39
  Appendix A – Sample ... 39
  Appendix B – Disclosure Index ... 40


Introduction

The WannaCry virus infected ten thousand computers and shut down networks of big companies, hospitals and governments all over the world (FD, 3-08-2017). Maersk (the world’s largest container shipping company) had to renew its complete IT system due to a ransomware attack (estimated costs: $300 million) (FD, 26-01-2017). Dutch banks and government institutions were victims of a so-called DDoS attack, a cyberattack in which websites are overloaded with great amounts of data. As a result the websites became unreachable (FD, 29-01-2018). These are just three out of many examples of cybercrime with a severe impact on companies and institutions. Cyber incidents were mostly seen as a theoretical danger, but they can now greatly impact the business, resulting in financial and reputational damage (FD, 9-12-2017).

Cyber risk has become an important risk (Ruan, 2017). In 2003 it was already clear that cybercrime was becoming a larger threat to companies (Hinde, 2003). This is the result of changing technology, resulting in more challenging cyber vulnerabilities (Alali, 2018), and of the fact that the expected financial benefits of cybercrime are growing (Bernik, 2014). One out of five companies in the Netherlands is the victim of a cyberattack. Most of these attacks are the result of people’s ignorance or indifference when they unknowingly handle information (Bernik, 2014). The impact of these cybercrime attacks is enormous: Deloitte (2017) estimated the impact on the Dutch economy to be € 10 billion. These costs are the result of theft of intellectual property, loss of clients and sales, reputation damage, claims, research costs, legal advice and repair costs (NBA, 2016). As a result of the developing technology, the quantity and the impact of cybercrimes are increasing (Bendovschi, 2015). IT is entrenched in our economies and (IT) risk management has therefore become a vital part of an organization’s ‘survival’ strategy (Barafort et al., 2017; Hughes, 2017).

Risk, risk reporting and risk management have received increasing interest in research in recent years (Linsley & Shrives, 2006; Soin & Collier, 2013; Paape & Speklé, 2012). This is the result of the fast-growing expectations of stakeholders, among other things (Paape & Speklé, 2012). Abraham & Shrives (2014) state that all studies on risk reporting indicate a lack of progress in risk reporting and that, although it might be interesting to a wide range of user groups, it is unhelpful and meaningless.

This is one of the first studies, to my knowledge, that researches cybercrime risk reporting, while risk reporting has become more and more important and cybercrime is growing in terms of the number of attacks and the impact of an attack. This research addresses the existing literature gap by extending prior work on risk disclosure, researching cybercrime risk specifically. In contrast to other studies (e.g. Linsley & Shrives, 2006), this research also includes financial companies and focuses on Dutch listed companies, which have not been researched very often. In addition, this research includes several years of risk reporting, as Abraham & Shrives (2014) did, where previous studies only used one year of reporting.

The goal of this study is to research the current situation regarding the reporting of risk management of cybercrime in the annual report through the use of content analysis. Using content analysis, it can be examined whether cybercrime risk influences the risk reporting in the annual report.

This paper proceeds as follows: first, the theoretical framework of this study will be discussed in the literature section. Here, it will be described what is known in the literature about cybercrime and the risk management and risk reporting of cybercrime. It is also described why companies report on (cybercrime) risk and what kind of risk reporting is mandatory. Next, in the methodology section, the method used will be explained. With a content analysis, research will be conducted on how companies report on cybercrime risk and whether the risk reporting of companies has changed, by comparing the disclosures from 2015 to 2017. After that, the findings are presented and the paper concludes with an analysis of the results, a conclusion, limitations and suggestions for future research, and a discussion on cybercrime and its impact on accountancy.


Literature

In this section, the underlying theoretical concepts of cybercrime, risk management and risk reporting will be described. After that, the current state of the literature on risk reporting is discussed.

Cybercrime

Information technology and the use of technology devices, such as computers, have been growing, which has given criminals the opportunity to commit cybercrimes and has made it attractive to commit these crimes (Donner, 2014; Konradt et al., 2016). The growing threat of cybercrime is the result of changes over time (Donner, 2014). Since criminals easily adapt to new security measures, companies continue to be vulnerable to this threat (Eddolls, 2016). Criminals have evolved into skilled, advanced attackers (Konradt et al., 2016) and they will keep changing their attacks, because these crimes are enormously profitable for organized crime (Shackelford, 2012; Eddolls, 2016). However, the financial aspect is not always the motive for committing a cybercrime (Hunton, 2011); the attacker can, for example, have personal motives.

A problem with cybercrime is that there is no consistent current definition of cybercrime (Yar, 2013) and therefore different terms are used for it, such as internet crime or digital crime (Hunton, 2011). Although there is not a clear definition of what cybercrime entails, all definitions in use have in common that cybercrime aims to compromise the confidentiality, integrity and availability of data (Bendovschi, 2015). Cybercrime differs from conventional crime, because the consequences of these attacks spread more quickly than those of other crimes (Mukhopadhyay et al., 2017) and because these crimes are anonymous (the offender commits the crime from behind a computer), deniable (nobody saw who committed the crime), affordable and easy to carry out (Karabacak et al., 2016).

Different forms of cybercrime have been identified that could cause a cyber risk and can therefore have an impact on the cybersecurity of a company. Mukhopadhyay et al. (2017) identified virus attacks, denial-of-service (DoS) attacks, financial fraud, system penetration, theft of information and unauthorized access as the six most common cyberattacks. Van Schaik et al. (2017) identified some other forms of cybercrime: surveillance, identity theft, phishing, spyware, Trojans and key loggers. Because of these many different forms, it is difficult to decide what countermeasures one could and should take in order to mitigate these risks. The measures that a company takes against potential cybercrime could also differ, because this can depend on the knowledge of the various cybercrimes (Jeske & van Schaik, 2017). It is also difficult to prevent cybercrime because, due to the internet, cybercrime has no borders (Eddolls, 2016).

Due to the fact that cybercrime has different forms, the number of attacks and the fact that there are no borders with cybercrime, so that multiple jurisdictions are involved, it is difficult for law enforcement to take measures (Eddolls, 2016). As of 25 May 2018, the new law on cybercrime is applicable. This law is called the GDPR (General Data Protection Regulation) and applies to the European Union. In the Netherlands the application of the GDPR is called the AVG (Algemene Verordening Gegevensbescherming). The regulation concerns the management and protection of data.

Risk Management

In order to manage cybercrime risk, risk management is necessary. According to Thekdi & Aven (2016), risk is the possibility of an event with the potential to have unwanted, negative consequences. But risk is also related to positive outcomes and the outcome of a risk (positive or negative) can have an impact on the future performance of a firm (Dobler, 2008). Risk management includes relevant risks: risks that could reduce corporate value or destroy the company, this includes not only financial risks (Stein & Wiedemann, 2016).

Risk management is the way companies deal with their risks. It is used to prevent and mitigate losses through identifying risk factors, analyzing them and evaluating their potential impact (Dobler, 2008). To be successful this should be implemented in the entire organization (Bessis, 2014). ISO 31000 is an international standard on risk management and defines risk management as: “coordinated activities to direct and control an organization with regard to risk’’ (ISO, 2009). It provides principles, generic guidelines, a framework and a process that can be used for managing risks and can be applied for either IT or non-IT use.

Risk management is fundamental in the current dynamic environment to ensure the long-term viability of a company (Gordon et al., 2009; Stein & Wiedemann, 2016). Risk management ensures a link between the organization and its stakeholders (Soin & Collier, 2013) and could also contribute to a stable company (Stein & Wiedemann, 2016). This is only the case if risk management is properly executed. When risk management is not properly executed, it will not have an impact on the daily processes (Soin & Collier, 2013).

Cybercrime Risk Management. Cybercrime risk is the likelihood of economic loss from cyber incidents and from vulnerabilities of IT systems that can be exploited and affect other systems (Ruan, 2017; Allodi & Massacci, 2017). Organizations need to protect themselves from cybercrime (Hinde, 2003); to do so, it is important, when managing risk, to manage cyber risk in the same way as all other risks (Ruan, 2017; Eddolls, 2016). Effective IT governance is necessary to ensure an efficient enterprise risk management process (Mukhopadhyay et al., 2017). Eddolls (2016) described several action points for cyber risk management: the organization needs to understand what makes it attractive and vulnerable. This needs to be divided into tasks and responsibilities among the right people. These actions need to be monitored, continuously tested and audited regularly. Quantitative estimation of cyber risk is critical for a more efficient allocation of resources and a more secure overall environment (Allodi & Massacci, 2017). The measures that are taken help to ensure the confidentiality, integrity and availability of the information system (Mukhopadhyay et al., 2013).

The problem with managers who try to manage cyber risk by a top-down method is that they do not specifically consider the structure of the system (Paté‐Cornell et al., 2018). Other problems in the management of cyber risk are that there is no common standard for measuring cyber risk (Ruan, 2017), that risk is managed in different departments instead of through overall risk management for the entire organization (Hinde, 2003), and the lack of sufficient-quality data on cybercrime (Ruan, 2017).

Risk Reporting

Companies report on their risks and risk management in the annual report. Risk reporting is influenced by risk management, because the information of risks in the annual report is derived from information coming from risk management (Dobler, 2008).

The company knows more about its risks and their possible impact than stakeholders do, which creates an information asymmetry with its stakeholders. Risk reporting can be used to reduce this information asymmetry between stakeholders and the company (Linsley & Shrives, 2000; Linsley & Shrives, 2006). Stakeholders want to know how sustainable the current value-creation drivers are. Effective communication on risk management is necessary to assure the stakeholders that risks are well managed with regard to future firm performance (Beretta & Bozzolan, 2004). In this way, stakeholders will be able to assess the risks regarding the future performance of the company (Dobler, 2008).

Risk reporting is often general and will therefore not add value in making investment decisions. Risk reporting changes little over time and seems to bear limited or no relation to the actual risks faced by companies (Abraham & Shrives, 2014).

Theory on risk reporting. Risk reporting can be explained by several theories. A multi-theoretic approach is often used, because one separate theory is not sufficient to explain risk reporting (An & Davey, 2011; Abraham & Shrives, 2014). This study follows Abraham & Shrives (2014), who used two theories to explain risk reporting: the proprietary costs theory and the institutional theory. They used these theories, because these theories can explain why risk disclosures are too general and limited and can help to solve the current limitations of risk reporting.

The proprietary cost theory. This theory considers the costs and benefits of the disclosure of information to reduce the information asymmetry (Prencipe, 2004). Because of these costs and benefits, the information that the company has on risk is not the same information that is disclosed in the annual report. Companies need to decide which, how much and what kind of information they want to disclose. When they do not disclose enough information, it might seem that the company has a weak or non-existent risk management system, but when they disclose too much information, it may result in proprietary costs (Abraham & Shrives, 2014). Voluntary disclosure (on risk) may be limited because of the proprietary costs. These costs can be the preparation costs of the information and competition costs, which arise when competitors and other parties use the disclosed company information (Prencipe, 2004).

Institutional theory. This theory can explain the differences in the amount of information that is disclosed by various institutions with different cultures that operate under different circumstances (El-Diftar et al., 2017). DiMaggio & Powell (1983) described three mechanisms related to the institutional theory. Coercive: pressure from politics and regulation; mimetic: uncertainty due to standards from more legitimate organizations; normative: pressure felt from social obligations (DiMaggio & Powell, 1983). The mimetic mechanism means that the disclosures of companies can be copied from other well-performing companies in the industry, due to cost/benefit uncertainties of disclosure. The normative mechanism suggests that once the content of the disclosure has been determined, managers become unwilling to change the disclosure because of the perceived social obligations (Abraham & Shrives, 2014).

Voluntary risk reporting. Voluntary reporting on risk is not required by law and can be encouraged by incentives. These incentives include the following benefits of risk reporting: risk reporting helps to provide forward-looking information, which is helpful for investors in assessing the competence of the company. In addition to this benefit, risk reporting encourages better risk management and reduces uncertainty, which is positive for the cost of capital (Linsley & Shrives, 2000). A specific benefit of disclosing information on information security is that it has a positive effect on the market value of the company (Gordon et al., 2010). This indicates that disclosing information on cybercrime risk could also have a positive effect.

Companies can also choose not to (fully) report voluntarily on their risks. Directors can be hesitant to give risk information, because the information could be perceived as too sensitive, and the information can also be non-verifiable and could lead to non-credible reports. In addition to these reasons, risk reporting could have economic disadvantages (Linsley & Shrives, 2006; Dobler, 2008). Companies also do not want to draw attention to the high level of risk they face and can therefore be reluctant to disclose information on risks (Linsley & Shrives, 2006).

Mandatory risk reporting. Risk reporting can be voluntary, but can also be mandatory, i.e. required by law. Requirements on the type and format of risk reporting can increase the amount of risk information that is disclosed (Dobler, 2008). The population of this research contains only Dutch listed companies and therefore the regulations applicable to these companies will be discussed. In the Netherlands, based on art. 2:391 BW, listed companies need to give a description of the primary risks and uncertainties they are facing in the board report. This is also required based on WFT 5:25C.

In addition to these laws, the Dutch Corporate Governance Code is applicable to listed companies. The Code provides principles and best practices and operates according to the ‘comply or explain’ principle. The Code was introduced in 2003 and was revised in 2008 and in 2016. As of 2018, companies need to report on the fiscal year 2017 according to the revised Code. Apart from these regulations, there is no specific law on reporting cybercrime risk.

The Dutch Corporate Governance Code of 2016 (p. 15) states that in the annual report the board should render account of:

i. “The execution of the risk assessment, with a description of the principal risks facing the company in relation to its risk appetite. These risks may include strategic, operational, compliance and reporting risks;

ii. the design and operation of the internal risk management and control systems during the past financial year;

iii. any major failings in the internal risk management and control systems which have been observed in the financial year, any significant changes made to these systems and any major improvements planned, along with a confirmation that these issues have been discussed with the audit committee and the supervisory board; and

iv. the sensitivity of the results of the company to material changes in external factors.”

Item iv is a new requirement in the Code of 2016. Other additional requirements concerning risk management, compared to the Code of 2008, are that the board needs to indicate which material risks may impact the continuity of the company and that the statement of the board is not limited to financial risks, but also includes other material risks (Corporate Governance Code 2008; Corporate Governance Code 2016).

Review of Current Literature

There have been several studies on risk reporting in literature and this section will outline these studies and discuss them.

Linsley & Shrives (2006) studied, using content analysis, the risk disclosures in the annual reports of 79 UK companies. They found a positive relation between company size and the volume of risk disclosures. They confirmed the results of Beretta & Bozzolan (2004), who analyzed the management’s discussion and analysis of 85 Italian listed companies. Beretta & Bozzolan also used a framework to measure the quality of risk disclosure instead of only looking at the volume of the risk disclosure; quality is also influenced by the richness of the content, not only its quantity. They did not find a relation between their disclosure quality and company size. Abraham & Shrives (2014) extended these studies by assessing the quality of risk reporting over a period of time and providing recommendations on how the quality of risk reporting can be improved. There is little research that focuses specifically on the risk reporting of Dutch companies. A study by the NBA performed in 2009 and 2014 focused on the risk management of Dutch companies. They found no significant improvement in risk management in 2014 compared to 2009, despite the fact that improvement is necessary. One study has focused on cybercrime: KPMG studied the reporting of cybercrime for the fourth time in 2017. In 2016 they studied Dutch listed companies and found that 83% of the companies mention cyber security risks.

The literature mentioned consists of studies on risk reporting or risk management. However, besides the KPMG studies, none of them considers cybercrime risk specifically. Therefore this study conducts further research on cybercrime risk reporting and aims to encourage further research on this topic.


Methodology

The aim of this research is to answer the following research question: ‘Does the new ‘cybercrime risk’ influence the reporting of risk management in the annual report in the Netherlands?’. The question is captured in the following conceptual model.

Figure 1: Conceptual Model

[Figure 1 text boxes: ‘Cybercrime & risk management’; ‘Voluntary & mandatory risk reporting’; ‘Influence of cybercrime on’; ‘Cybercrime risk disclosure in annual report’]

The research question can be answered through answering the following sub-questions, which are deductively derived: ‘How do companies report on cybercrime risk?’ and ‘Is there a development in the reporting on cybercrime risk?’. These questions will be answered based on a content analysis, using a disclosure index. The reason for this research method will be explained in the research method section below. This study is exploratory in nature, since it does not pursue statistical results, but wants to explore the current situation on cybercrime risk reporting. In addition to these reasons, this research wants to trigger further research. First, the research method and sample used are described. Then the issues concerning reliability and validity are outlined.

Research Method

This study wants to research how companies report on cybercrime risk; therefore the annual reports need to be analyzed. Several studies have used content analysis to analyze risk reporting (e.g. Linsley & Shrives, 2006). They used this method because narratives in annual reports can be categorized and because it can be used to analyze a large amount of qualitative data. They do not use it to measure the quantity of the risk disclosure but to investigate the nature of the risk disclosures (Linsley & Shrives, 2006). This research also wants to study the quality of the risk disclosures. Therefore, the research method used in this research is content analysis. There are also other methods to analyze narratives in annual reports, such as ethnography and grounded theory. Those methods focus on counting words, whereas with qualitative content analysis the focus is on the content or the contextual meaning of the text (Hsieh & Shannon, 2005). The advantages of this method are that it is exploratory in nature and is a frequently used research method in accounting (Krippendorff, 2004; Beattie, 2014). This method focuses on the subject and context of the information, and therefore narratives in disclosures can be analyzed and evaluated (Beattie et al., 2004; Graneheim et al., 2004). This results in advantages such as providing new insights, increasing the understanding of the researcher and the ability to draw valid and replicable conclusions (Krippendorff, 2004). A disadvantage is that this method is inevitably subjective (Linsley & Shrives, 2006), which can compromise the reliability and validity of the results. How these issues are addressed is explained in the last section of the methodology and in the discussion.

In this study a content analysis is used because, with this method, the content of the annual report, especially the content concerning cybercrime risk, can be analyzed. When the content is analyzed, it can be determined what is written, using the context of the content. This gives insight into and understanding of how companies report on cybercrime and makes it possible to draw valid conclusions from the texts (Smith, 2015). These conclusions will help to answer the sub-questions and in that way to answer the research question.

This method is applied using a disclosure index, a form of content analysis where data is analyzed in binary terms, or in ordinal terms when measuring quality aspects, and where the questions in the disclosure index may or may not be weighted (Beattie, 2014). A disclosure index can be used to measure the level of disclosure (Marston & Shrives, 1991). The disclosure index is used because only measuring the quantity of the information is not enough: words can be repeated and single numbers need to be explained to convey information (Marston & Shrives, 1991). The disclosure index is also used because it makes it possible to compare the results between the different years and industries. A disadvantage of a disclosure index is that relevant information on cybercrime can be excluded, because it is not included in the disclosure index.

Disclosure Index. A disclosure index was developed to measure how companies report on cybercrime risk. The disclosure index was developed using a deductive approach, where theory is used to develop the index, combined with an inductive approach, where the data is analyzed to develop the index (Gaur & Kumar, 2018). These approaches are combined because there is limited theory on what should be disclosed on cybercrime risk. The theory used in developing the disclosure index is based on several studies. Linsley & Shrives (2000; 2006) state that forward-looking and quantitative risk information is necessary. In addition to these studies, the study of Abraham & Shrives (2014) has been used. They derived themes from the theories discussed in the literature section (institutional and proprietary cost theory) and described what a good risk disclosure should comply with. Two of these themes are: “Disclosure information should be both specific to the company and regularly updated” (p. 94) and “company managers should evaluate risk disclosures on a regular basis within annual reports” (p. 95). They examine the following factors with respect to these themes:

- “whether managers have disclosed information that is general in nature or specific to the company;

- whether the same information is disclosed over the time period examined (i.e., to what extent information remains unaltered in annual reports from one year to the next);

- whether managers have disclosed how a particular risk factor is relevant to both the financial year under review and the company’s future strategy;

- and whether, in the risk factor list, an explanation is provided as to why risk factors have been added to or removed.” (Abraham & Shrives, 2014, p. 95)

These factors are included in the disclosure index. The disclosure index is included in the appendix (see Appendix B). Decision rules have also been included in the appendix (see Appendix C); these rules are based on the rules of Linsley & Shrives (2006).

Sample. A sample is used because this study wants to explore the current situation regarding how companies report on cybercrime risk. The sample consists of Dutch listed companies, as explained below. Using this sample will give an impression of the current situation. Cybercrime is a problem for companies in many countries, yet this research focuses on the situation in the Netherlands. The Netherlands has been chosen, first, because, as discussed in the literature section, there has been little research on how Dutch listed companies disclose on risk management and, second, because cybersecurity is well developed in the Netherlands compared to other countries facing the same threats (Deloitte, 2017). In the Netherlands there are 180 listed companies; however, not all these companies are financially relevant. The companies on the AEX and the AMX are used, because these companies have to report according to IFRS, like other countries in Europe and also some countries outside Europe. This increases the similarity between annual reports and thereby the generalizability of the results. Dutch listed companies also have to report according to the Dutch Corporate Governance Code (Corporate Governance Code, 2016), as explained in the literature section. This means that they have to report on cybercrime risk if it is a significant risk. In the AEX and AMX two companies did not exist before 2015: Ahold-Delhaize NV and Philips Lighting NV merged/were established in 2016. These two companies are excluded from the sample, so the sample consists of 48 companies (see Appendix A). With hand-collected data from the annual reports of 2015, 2016 and 2017 of these companies, the dataset contains 144 separate observations. The annual reports of 2015-2017 are used because, as discussed in the introduction, cybercrime risk has become an important risk (Ruan, 2017) and has rapidly gained more attention in the past years. In 2015, the number of cybersecurity incidents increased by almost 40 percent (NBA, 2016).

Unlike previous research (e.g. Linsley & Shrives, 2006), this research will include financial companies. Previous research excluded financial companies, because of the fact that these companies have different obligations to report on financial risks compared to other companies. In this research cybercrime risk is investigated and because all companies may be affected by this type of risk, these companies are not excluded from the sample.

Data Gathering

The content analysis on cybercrime risk has been performed using the disclosure index on all narrative sections in the annual report. A pretest was performed on part of the sample, whereby the disclosure index was refined. This disclosure index was then used to analyze the whole sample. Companies receive points on the questions in the disclosure index. For questions 1-11 the company receives one point when the question is answered with yes and zero points when the question is answered with no. Questions 12 and 13 are analyzed based on the ratio of the disclosure compared to the annual report and the number of measures against cybercrime risk. To answer the last sub-question, it must be determined how companies report on cybercrime. How companies report on this can be determined by analyzing the questions in the disclosure index. These answers can be compared to evaluate how the scores have changed over the past three years.
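The scoring rules above (one point per ‘yes’ on questions 1-11, a disclosure-to-report ratio for question 12, a count of measures for question 13, and a year-by-year comparison) can be written down as a small scoring routine. The following is an added example, not code from the thesis; the question texts live in Appendix B and are not reproduced, and the company names, word counts and answers below are constructed sample data. The field `mentions_risk` is an assumption standing in for whatever coding the thesis used to produce the “mentions cybercrime as a risk” percentages of Graph 2.

```python
"""Disclosure-index scoring helper (added example, constructed data).

Implements only the scoring rules described in the Data Gathering section:
questions 1-11 score 1 for 'yes' and 0 for 'no'; question 12 is the share of
the annual report taken up by the cybercrime risk disclosure; question 13 is
the number of cybercrime risk measures named.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

BINARY_QUESTIONS = frozenset(range(1, 12))  # questions 1 to 11 inclusive


@dataclass(frozen=True)
class Observation:
    """One company-year from the coded annual reports (the thesis has 144)."""
    company: str
    year: int
    yes_answers: Set[int]   # question numbers (1-11) coded 'yes'
    mentions_risk: bool     # assumption: coded flag behind the Graph 2 percentages
    cyber_words: int        # words in the cybercrime risk disclosure (Q12 numerator)
    report_words: int       # words in the whole annual report (Q12 denominator)
    measures: int           # number of cybercrime risk measures named (Q13)


def binary_score(obs: Observation) -> int:
    """Points for questions 1-11: one per 'yes', none per 'no'.
    Question numbers outside 1-11 are ignored, so a coding slip cannot inflate the score."""
    return len(obs.yes_answers & BINARY_QUESTIONS)


def disclosure_ratio(obs: Observation) -> float:
    """Question 12: size of the cybercrime disclosure relative to the annual report."""
    if obs.report_words <= 0:
        raise ValueError(f"{obs.company} {obs.year}: annual report word count must be positive")
    return obs.cyber_words / obs.report_words


def share_mentioning_by_year(observations: Iterable[Observation]) -> Dict[int, int]:
    """Percentage of companies per year that mention cybercrime as a risk,
    rounded to whole percent as in Graph 2."""
    totals: Dict[int, int] = {}
    hits: Dict[int, int] = {}
    for o in observations:
        totals[o.year] = totals.get(o.year, 0) + 1
        hits[o.year] = hits.get(o.year, 0) + int(o.mentions_risk)
    return {y: round(100 * hits[y] / totals[y]) for y in sorted(totals)}


def mean_binary_score_by_year(observations: Iterable[Observation]) -> Dict[int, float]:
    """Average questions 1-11 score per year, to compare disclosure depth across years."""
    scores: Dict[int, List[int]] = {}
    for o in observations:
        scores.setdefault(o.year, []).append(binary_score(o))
    return {y: sum(v) / len(v) for y, v in sorted(scores.items())}


# Constructed sample: four fictitious companies coded for two report years.
SAMPLE: List[Observation] = [
    Observation("CompA", 2015, {1, 2, 3}, True, 120, 60_000, 2),
    Observation("CompB", 2015, set(), False, 0, 80_000, 0),
    Observation("CompC", 2015, {1}, True, 40, 50_000, 1),
    Observation("CompD", 2015, set(), False, 0, 70_000, 0),
    Observation("CompA", 2016, {1, 2, 3, 4, 6}, True, 300, 62_000, 4),
    Observation("CompB", 2016, {1, 2}, True, 90, 81_000, 1),
    Observation("CompC", 2016, {1, 3}, True, 60, 52_000, 1),
    Observation("CompD", 2016, set(), False, 0, 71_000, 0),
]

if __name__ == "__main__":
    print("share mentioning cybercrime risk:", share_mentioning_by_year(SAMPLE))
    print("mean Q1-11 score:", mean_binary_score_by_year(SAMPLE))
    for o in SAMPLE:
        print(o.year, o.company, binary_score(o), f"{disclosure_ratio(o):.4f}", o.measures)
```

With the real coding sheet, each `Observation` would be one of the 144 company-years, and the same two aggregation functions reproduce the per-year comparison the thesis draws from the index; the real percentages (44%, 73%, 85%) are 21, 35 and 41 out of 48 companies.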

Reliability and Validity

With the content analysis, the researcher is greatly involved in the data collection process. Therefore, it is important to ensure the reliability and consistency of the research in order to draw valid conclusions (Linsley & Shrives, 2006). Replicability is the most important form of reliability and is a requirement for reliable scores in an index (Krippendorff, 2004; Marston & Shrives, 1991). Replicability and consistency will be achieved through the use of decision rules, based on the study of Linsley & Shrives (2006), and the use of a single coder. This will help to draw valid conclusions. The results are valid if they measure what they were intended to measure (Marston & Shrives, 1991). Issues concerning validity will be addressed in the discussion section.


Results

This section will provide the results of this study. These results will be presented by showing the results of the questions from the disclosure index in graphs. In this chapter the graphs will be explained and in the next chapter the results will be analyzed.

Word count ‘cyber’ & Cybercrime risk

Graph 1: The total number of times that companies mention cyber in the annual report
[Graph 1 data, Wordcount 'Cyber': 137 (2015), 295 (2016), 397 (2017)]

Graph 2: The percentage of companies that mention cybercrime as a risk
[Graph 2 data, Cybercrime risk: 44% (2015), 73% (2016), 85% (2017)]

The first graph shows the number of times that cyber is mentioned in the annual report. The number of times that cyber is mentioned in 2015, 2016 and 2017 is respectively 137, 295 and 397. There is an increasing tendency in the use of cyber in the annual report. Graph 2 depicts how many of the companies mention cybercrime as a risk. In 2015 this is 44% of the companies, which equals 21 companies. In 2016 73% of the companies mention cybercrime as a risk, which corresponds to 35 companies. In 2017 85% of the companies mention cybercrime as a risk, which is equivalent to 41 companies.

Graph 3: The percentage of companies that alter their information on cybercrime risk compared to the previous year
[Graph 3 data, Altered information: Total 42% / 65% / 79%; Cybercrime Companies 95% / 89% / 93% (2015 / 2016 / 2017)]

Graph 3 illustrates the percentage of companies that alter their information on cybercrime risk compared to the previous year. For 2015, 2016 and 2017 the number of companies that altered their information is respectively 20, 31 and 38. The light blue bars illustrate the percentage of all the companies that alter their information, including the companies that do not mention cybercrime as a risk. The dark blue bars represent the percentage of the companies that mention cybercrime as a risk and that alter their information on cybercrime risk.

Measures

Graph 4: The percentage of companies that mention measures on cybercrime
[Graph 4 data, Measures mentioned: Total 33% / 69% / 79%; Cybercrime Companies 76% / 94% / 93% (2015 / 2016 / 2017)]

Graph 5: The number of companies that mention cybercrime as a risk
[Graph 5 data, Number of Measures: 41 (2015), 116 (2016), 144 (2017)]

Graph 4 shows how many of the companies mention measures on cybercrime. How many of the total companies (48) mention cybercrime measures is displayed in the light blue bars. In 2015, 16 companies mention measures on cybercrime, in 2016 there are 33 companies and in 2017 there are 38. For 2015, 2016 and 2017 this means that respectively 33%, 69% and 79% of all companies report measures on cybercrime, and that respectively 76%, 94% and 93% of the companies that mention cybercrime as a risk also mention measures on cybercrime. Graph 5 shows the total number of measures that companies mention. The average number of measures per company that mentions measures on cybercrime is 2.56 in 2015 (41/16), 3.52 in 2016 (116/33) and 3.79 in 2017 (144/38).

Specific information and risk factor

Graph 6: The percentage of companies that provide company specific information on cybercrime
[Graph 6 data, Specific information: Total 40% / 71% / 81%; Cybercrime Companies 90% / 97% / 95% (2015 / 2016 / 2017)]

Graph 7: The percentage of companies that explain why cybercrime is a risk
[Graph 7 data, Risk factor: Total 42% / 71% / 83%; Cybercrime Companies 95% / 97% / 98% (2015 / 2016 / 2017)]

Graph 6 depicts whether companies provide information on cybercrime risk that is specific to the company. How many of the total companies (48) mention specific information on cybercrime is displayed in the light blue bars. For 2015, 2016 and 2017, respectively 19, 34 and 39 companies provide specific information on cybercrime. For 2015 this means that 90% of the companies that mention cybercrime as a risk also provide specific information. For 2016 this is 97% and for 2017 this is 95%. Graph 7 illustrates how many of the companies explain why cybercrime is a risk factor, that is, why it is a risk to the company. How many of the total companies (48) explain why cybercrime is a risk is illustrated in the light blue bars. For 2015, 2016 and 2017 this is respectively 20, 34 and 40 companies. For 2015 this means that 95% of the companies that mention cybercrime as a risk also explain why it is a risk. For 2016 this is 97% and for 2017 this is 98%.

Impact

Graph 8: The percentage of companies that mention the impact of cybercrime
[Graph 8 data, Impact: Total 6% / 17% / 17%; Cybercrime Companies 14% / 23% / 20% (2015 / 2016 / 2017)]

Graph 9: The companies that mention the impact of cybercrime²
[Graph 9 data, Impact per anonymized company, one bar each for 2015, 2016 and 2017]

For the impact of cybercrime, this study measured whether companies mention any cybercrime attacks and disclose whether these attacks had any impact. Only a few companies mention this: in 2015, 2016 and 2017 this was respectively 3, 8 and 8. There are also companies that mention the impact in one year, but do not mention the impact in the next year, which is illustrated in graph 9. These are the companies that have a grey or a light blue bar, but do not have a dark blue bar.

² The supervisor has taken note of the company names; based on confidentiality these names are anonymized.

Relevance

Graph 10: The percentage of companies that explain why cybercrime is relevant to the future corporate strategy
[Graph 10 data, Relevance to future strategy: Total 6% / 19% / 15%; Cybercrime Companies 14% / 26% / 17% (2015 / 2016 / 2017)]

Graph 10 illustrates how many of the companies report how cybercrime risk can influence their corporate strategy. In 2015 there were 3 companies that reported this, which means that 6% of all companies (48) and 14% of the companies that mention cybercrime as a risk (21) explain how cybercrime can influence their strategy. In 2016 there were 9 such companies: 19% of all companies (48) and 26% of the companies that mention cybercrime as a risk (35). In 2017 there were 7 such companies: 15% of all companies (48) and 17% of the companies that mention cybercrime as a risk (41).

Graph 11: The percentage of companies that provide quantitative information on cybercrime risk
[Graph 11 data, Quantitative information: Total 2% / 2% / 10%; Cybercrime Companies 5% / 3% / 12% (2015 / 2016 / 2017)]

Graph 12: The percentage of companies that explain why cybercrime is relevant to the current financial year

[Graph 12 data, Relevance to financial year: Total 0% / 6% / 4%; Cybercrime Companies 0% / 9% / 5% (2015 / 2016 / 2017)]

Graphs 11 and 12 show whether companies provide information on the costs (and benefits) of cybercrime risk. If actual cost figures are given, this is marked as quantitative information, regardless of whether it concerns the current financial year. When it is only mentioned that there are certain costs concerning the current year, without figures, it is only counted as relevant to the financial year. In 2015, one company provides quantitative information and no company provides information on how cybercrime is relevant to the financial year. In 2016, one company provides quantitative information and three companies explain how cybercrime is relevant to the current financial year. In 2017, 5 companies provide quantitative information and 2 companies explain how cybercrime is relevant to the current financial year.

Forward-looking information

Graph 13: The percentage of companies that provide forward-looking information
[Graph 13 data, Forward-looking information: Total 13% / 29% / 35%; Cybercrime Companies 29% / 40% / 41% (2015 / 2016 / 2017)]

Graph 14: The percentage of companies that mention the GDPR with respect to cybercrime
[Graph 14 data, GDPR: Total 4% / 6% / 15%; Cybercrime Companies 10% / 9% / 17% (2015 / 2016 / 2017)]

Graph 13 illustrates the percentage of the companies that use forward-looking information when describing cybercrime risk. The percentage of the total companies (48) that use forward-looking information on cybercrime is displayed in the light blue bars. The percentage of the companies that report cybercrime as a risk and also use forward-looking information is illustrated in the dark blue bars. For 2015 this is 29%, for 2016 this is 40% and for 2017 this is 41%. Graph 14 contains information on how many companies report (breaching) the new GDPR as a possible consequence of cybercrime risk. In 2015, 2016 and 2017 this was reported by respectively 2, 3 and 7 companies.

Analysis

The question to be answered using the results is: ‘How do companies report on cybercrime risk and is there a development in the reporting on cybercrime risk?’ To answer this question the results from the disclosure index, provided in the previous chapter, will be analyzed.

First, the results show that the word ‘cyber’ is increasingly used in the annual reports. This can be an indication that cybercrime is becoming more prominent and gains more attention in the annual reports of companies. This is also underlined by the fact that the number of companies that mention cybercrime as a risk is increasing every year. Almost all companies that mention cybercrime as a risk also alter the information they provide on cybercrime risk every year (2015: 95%, 2016: 89%, 2017: 93%). This can indicate that they pay attention to the text provided.

The number of companies that report measures on cybercrime also increases. However, the growth between 2016 and 2017 is caused by the increase in the number of companies that mention cybercrime as a risk: the percentage of companies that mention cybercrime as a risk and also report measures stays almost the same (94% and 93%). The average number of measures per company does increase, from 3.52 in 2016 to 3.79 in 2017. These measures are mentioned to reassure stakeholders, but the measures are often general. This is probably in order not to reveal too much information to people who want to do harm.

As mentioned in the results section, there are companies that mention the impact of cybercrime in a specific year, but do not mention the impact in the following year. These are the companies that mention the impact in 2015 and/or 2016, but do not mention it in 2017. In the cases that they mention the impact, they mention that the impact was 0. This can indicate that they only provide information on the impact in situations where the impact is 0, or that they discovered that it was difficult to properly assess the impact. It is remarkable that almost no company mentions the impact of cybercrime, because this is important information in order to assess the future performance of the company.

Research data on the relevance of cybercrime is limited. Only a few companies mention how cybercrime can affect their future corporate strategy, and even fewer companies mention how cybercrime can influence the financial year or provide quantitative information. The difference between the results for quantitative information and relevance to the financial year can be explained by the fact that some companies mention that there are costs as a result of cybercrime, but do not mention specific figures for these costs. Another explanation is that companies mention quantitative information for the next year. Forward-looking information is used more often than information on the relevance; however, less than half of the companies use it. Issues concerning breaching the GDPR are also mentioned as a possible consequence of cybercrime. Even in 2015 some companies mention it. In 2017 the number of companies increased, which can be caused by the fact that the GDPR applies from 2018.

Overall, the importance of cybercrime is increasing, as the number of companies that mention cybercrime as a risk is growing. The information on cybercrime risk is also growing from 2015 to 2017. However, the information is too general and limited. The information that is provided often only covers why it is a risk and what kind of measures are taken. There is often no information on the impact and the relevance. Cybercrime does influence risk reporting in the sense that companies report on this new risk and the amount of information is growing per year.


Conclusion

The research question, ‘Does the new cybercrime risk influence the reporting of risk management in the annual report?’, can be answered inductively by answering the sub-questions. These questions can be answered based on the analysis of the results. The first sub-question is: ‘How do companies report on cybercrime risk?’ The answer to this question is that almost every company recognizes and mentions cybercrime as a risk. Yet the information they provide is limited and often consists only of explaining why it is a risk and mentioning measures. However, the amount of information that companies provide on this risk is increasing over the years 2015-2017. Therefore the second sub-question, ‘Is there a development in the reporting on cybercrime risk?’, can be answered with yes. In summary, there is a development in the number of companies that mention cybercrime as a risk and there is a development in the amount of information that companies provide on cybercrime risk. Concluding, the answer to the research question is that the new cybercrime risk influences the reporting of risk management in the annual report, in that more companies mention it as a risk and provide more information on this risk.

These results are almost the same as those of the study by KPMG in 2016. KPMG studied the reporting of cybercrime by Dutch listed companies. In this research they found that 83 percent of the organizations in the AEX and midcap mention cyber security risks. However, only 66 percent of the organizations provide more information on the threats, risks and measures. They found this remarkable, because organizations are more dependent on IT in their vital processes and could go bankrupt as a result of cybercrime (KPMG, 2016). The results are also consistent with the study of Abraham & Shrives (2014). They stated that risk reporting is often general, changes little over time and is unhelpful and meaningless to stakeholders. The goal is to generalize these results through external validity. The results are generalizable to other EU countries, based on the fact that EU countries need to report according to IFRS. This increases the similarity between the reporting in these countries.

There is little literature on cybercrime risk (reporting). This is remarkable because, as mentioned in the introduction, cybercrime is growing, as is the social demand for cyber risk management. On a daily basis there is news on cybercrime, reporting attacks on major organizations such as banks and government institutions. These attacks have a great impact on society, but research on how organizations and institutions will manage the risk of these attacks is not forthcoming. Cybercrime is a new and probably one of the most important risks a company faces. The fact that companies report on cybercrime risk, and as a result reduce the information asymmetry, can be explained by the benefits of voluntary reporting. The costs of voluntary reporting can explain why companies report general and limited information on cybercrime. In the future it will become more critical to manage and report this risk, to ensure the long-term viability of the company. Cybercrime risk should be managed like any other risk; however, this is difficult because cybercrime risk does not fit in the current risk models. This makes it more difficult for companies to deal with this risk. This could be solved by developing a new risk model or adjusting the current models.


Limitations and Ideas for Future Research

This study also has limitations, which will be addressed in this section. These limitations in turn suggest ideas for future research. Other ideas for future research are also provided. A limitation of this research is that the sample consists of relatively large companies, which tend to disclose more information than small companies (Marston & Shrives, 1991); this can bias the results. Therefore in future research a larger sample could be chosen, which also includes smaller companies. Another limitation of this research is the use of a disclosure index. A disclosure index will always contain subjective elements. Moreover, the answer options in the disclosure index are yes or no. With these options, a yes for one company can be different from a yes for another company, which can make the results too abstract. This limitation is mitigated through the use of decision rules, but this research can be developed further by improving the disclosure index. Another limitation is the possibility that companies do not mention their response to cybercrime in their annual report, because they do not want to inform malicious parties. It can be studied whether this is the case. In addition to these ideas for future research, this is also an explanatory research that wants to incite further research on cybercrime risk. Other studies could analyze which factors influence companies to report on cybercrime and the amount of information they give. Since cybercrime is a risk that is quickly emerging, it could be useful to study how companies report on cybercrime a few years from now. The new GDPR law can also influence how companies deal with cybercrime and cybersecurity. The GDPR is a law on the management and protection of data. Companies need to ensure that the data is safe and will not be stolen, damaged et cetera. Therefore they need to manage this risk properly and show that the company is doing enough to protect the data. This is important because of the possible board liability as a result of this legislation. This study has focused on Dutch listed companies that report according to IFRS; these results are not generalizable to companies in the United States or Asia, because companies in the United States and Asia do not report according to IFRS. Further research could focus on companies in the United States and Asia.


Discussion

In this study the focus was on a relatively new risk, ‘cybercrime’, a topic that has not been researched a lot. Cybercrime is something to take seriously, because every organization that is online can (and will) be a victim of cybercrime. Even in the past half year, during this study, there were many news articles that mention cases of cybercrime. Delta Air Lines has had a leak in their customer data (FD, 5-04-2018) and from 150 million users of a fitness app, data was stolen (FD, 30-03-18). There were even cyberattacks that were meant to kill people in a company in Saudi Arabia (FD, 15-03-18). Because this is a relatively new topic, this thesis is explanatory in nature. Cybercrime is a serious risk and this risk is not often researched; therefore this study wants to incite more research on this topic. In this study it has been investigated if, and what kind of, information companies provide on cybercrime.

The justice department of the Netherlands presents a report with information on cybercrime every year; however, the report of 2017 is not available yet. Cybercrime can be committed from all over the world, borders do not matter. To keep up with the pace of these developments in crime, investments need to be made in future-oriented detection and prosecution capabilities (OM, 2016). In 2015 there were 124 cases that were prosecuted by the justice department; in 2016 this increased to 171. However, these numbers can be biased, because companies do not report cybercrime to the authorities out of fear of reputation damage. The justice department was asked if this is actually true, but they could not answer this question. Another question that needs to be asked is whether the justice department has enough expertise and capacity, since a lack of these can also mean that not all cases of cybercrime will be prosecuted.

The fact that companies might not report cybercrime to the authorities because of possible reputation damage can also apply to the choice of companies whether to mention the impact of cybercrime in their annual reports. Some companies mention the impact of cybercrime attacks in years in which there is no material impact. But the year after, they do not mention any impact. This could be because there was a material impact and they do not want to share it, or because they discovered that it was more difficult to determine the impact than previously thought.

In the methodology section, validity concerns are mentioned. To ensure validity, triangulation has been used. This means that the results are verified by another method. In this study, the results are discussed with experts in the field. Interviews have been conducted with the NBA and the Cyber Security department of KPMG. The interviews show that more companies are recognizing the problem of cybercrime. This is also visible in the fact that in 2017 85% of the companies mention cybercrime risk. It also becomes clear that it is a difficult topic and that there are meetings between the Big 4 and the NBA to address the issues on cybercrime/cybersecurity. In the interviews with R. Verbij (senior consultant) and M. van Veen (senior manager) from the cyber security department of KPMG, they indicate that cybercrime gains more attention from companies, yet companies do not provide enough information on it. It is a strength if a company reports on this type of risk, because it is a real risk. This should at least contain information on the threats, risks and measures of cybercrime/cybersecurity. The interview with J. Urlus (policy advisor ICT & Accountancy) from the NBA shows that cybercrime/cybersecurity is a complex case and that it is becoming more important. His opinion on cybercrime risk reporting is that it should not be mandatory in the risk paragraph; however, it should be mentioned in the board report. At least it should be mentioned whether companies were a victim of cybercrime in the financial year.

In the interview with KPMG, it becomes clear that Dutch companies only spend 1-5% of their IT budget on cyber security and that these are often fragmented actions. Yet, the Dutch Cyber Security Council suggests that organizations need to invest 10% of their ICT budget in cybersecurity and that the cyber security in the Netherlands has to be improved. More coordination from the government and more responsibility from organizations is needed (NCSC, 2017). What also came forward from the interview with KPMG is that cyber is often called an operational risk, but it can also be a compliance or a strategic risk. Cybersecurity also should not be dealt with by one department, but should be a topic throughout the entire organization.

The question whether companies will be hacked is outdated. Every company will be a victim of cybercrime. A more relevant question is ‘when’ and ‘how often’ companies will be hacked (NBA, 2016). R. Verbij from KPMG stated that it is even more important to know how long it takes to discover it. It is not possible to secure every part of the organization; therefore the focus should be on the most important parts of the organization. These are the parts that would cause the biggest loss and that generate the biggest profit (NBA, 2016). Preventive controls are important, but detective and corrective controls are just as important. The accountant should be aware of this, and the control will be improved if detective and corrective controls are tested (NBA, 2016). The question remains whether companies do enough in the area of cybercrime.

What Will Cybercrime Mean for Accountancy?

It is clear from the interview with the NBA that the demand for guidance on the assessment of the damage from cybercrime is rising among auditors. It is difficult to determine the total loss, because sometimes a company does not even know that it is a victim of cybercrime. How the auditor should deal with cybercrime can be compared to how auditors check for fraud. The auditor is not responsible and cannot audit for this. However, when the auditor gains information that there was a cyberattack, then the auditor should do something with it in the audit. Nonetheless the auditor does not have enough knowledge on cybercrime and the knowledge quickly becomes outdated. It is a complex case, where assistance from an IT auditor or from a cyber security team is necessary. There are already developments within the accountancy firms regarding cybercrime risk, which should be developed further. These developments will not be enough in my opinion; I believe it is also necessary that cybercrime is addressed in the education of auditors, despite the fact that the auditor can be assisted by an IT auditor or the cyber security team. I also believe that it is necessary that at a certain point in time the NBA will come with recommendations on this topic.

The reliability of the information in the annual report is dependent on the integrity of the data. The auditor should do more than determine whether the impact of a cyber-attack is truthfully recorded and whether continuity is assured (NBA, 2016). The most important role for the auditor is asking the right questions about cybersecurity. The auditor needs to determine whether there is enough awareness at board level and whether cybersecurity has the right position in the strategy and the risk management (NBA, 2016). Based on art. 2:393 sub 4 BW, the auditor needs to report his findings regarding the reliability and continuity of the automated data processing. Therefore, the auditor should consider the impact of cybercrime on this. On top of that, the auditor also relies on the continuity and reliability of the automated data processing when verifying the financial statements in the annual report.

The interview with KPMG shows that the auditor should consider that, despite the fact that the IT general controls and application controls work, the company can still be a victim of cybercrime. Malicious actors do not care about the controls: they use a weak spot to get in, bypass the controls and cover their tracks. Therefore, an audit team should consist, besides auditors and IT auditors, of a cyber team that provides an understanding of cyber, cyber IT controls, technical deep dives and breach investigations (KPMG, 2017). It is also difficult to measure the impact of cybercrime. The categories where cyberattacks can have the biggest impact are: impairment of asset value, impairment of the back system, impairment of automated controls, risk of contractual obligations and continuity risk (KPMG, 2017).

In summary, cybercrime will have an impact on accountancy, and this will be a challenge. For companies, cybercrime and the reporting of this new risk will also be a challenge.


Reflection

This master thesis has been finished. I look back at a hectic, but also a good time. In the past five months I have completed my master thesis. During this time I got familiar with this new risk: cybercrime. A process in which I gained more knowledge on this topic. I was surprised by the fact that the amount of research on this risk was limited. Therefore, with this thesis, I want to encourage further research on this topic. I was less surprised by the results that companies report little information on cybercrime. In my opinion, companies are doing too little on cybercrime. I am therefore curious how this new risk will evolve in the future and how companies will deal with this risk, in their reporting and risk management, and how this will influence companies/the economy.

I wrote my thesis at KPMG in Zwolle, where I also got familiar with the work of an auditor. At KPMG, I received a lot of support from colleagues and fellow interns, for which I would like to thank them. Especially, I would like to thank Joris and Thijs for guidance in the process and feedback on my thesis. From the university I also received guidance and feedback on my master thesis and process from Prof. Dr. D.M. Swagerman. I am grateful for this guidance and would like to thank him. Furthermore, I would like to thank the persons I could interview, Ruud, Michiel and Jacques. Last but not least I would like to thank Laura for correcting my English.

I hope it was a pleasure to read my thesis.

Groningen, June 2018 Mieke Mooibroek.


References

Abraham, S., & Shrives, P.J. (2014). Improving the relevance of risk factor disclosure in corporate annual reports. The British Accounting Review, 46(1), 91-107.

Alali, M., Almogren, A., Hassan, M.M., Rassan, I.A., & Bhuiyan, M.Z.A. (2018). Improving risk assessment model of cyber security using fuzzy logic inference system. Computers & Security, 74, 323-339.

Allodi, L., & Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk estimation. Risk Analysis, 37(8), 1606-1627.

An, Y., Davey, H., & Eggleton, I.R. (2011). Towards a comprehensive theoretical framework for voluntary IC disclosure. Journal of Intellectual Capital, 12(4), 571-585.

Barafort, B., Mesquida, A.L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176-185.

Beattie, V. (2014). Accounting narratives and the narrative turn in accounting research: Issues, theory, methodology, methods and a research framework. The British Accounting Review, 46(2), 111-134.

Beattie, V., McInnes, W., & Fearnley, S. (2004). A methodology for analysing and evaluating narratives in annual reports: a comprehensive descriptive profile and metrics for disclosure quality attributes. Accounting Forum, 28(3), 205-236.

Bendovschi, A. (2015). Cyber-attacks–trends, patterns and security countermeasures. Procedia

Economics and Finance, 28, 24-31.

Beretta, S., & Bozzolan, S. (2004). A framework for the analysis of firm risk communication.

The International Journal of Accounting, 39(3), 265-288.

Bernik, I. (2014). Cybercrime and cyber warfare. Londen, UK: ISTE.

Bessis, J. (2015). Risk management in banking (4th ed.) Sussex, UK: John Wiley & Sons. DiMaggio, P., & Powell, W.W. (1983). The iron cage revisited: Collective rationality and institutional isomorphism in organizational fields. American Sociological Review, 48(2), 147-160.

Dobler, M. (2008). Incentives for risk reporting — A discretionary disclosure and cheap talk approach. The International Journal of Accounting, 43(2), 184-206.

Donner, C. M., Marcum, C.D., Jennings, W.G., Higgins, G.E., & Banfield, J. (2014). Low self-control and cybercrime: Exploring the utility of the general theory of crime beyond digital piracy. Computers in Human Behavior, 34, 165-172.

Eddolls, M. (2016). Making cybercrime prevention the highest priority. Network Security, 2016(8), 5-8.

El-Diftar, D., Jones, E., Ragheb, M., & Soliman, M. (2017). Institutional investors and voluntary disclosure and transparency: the case of Egypt. Corporate Governance: The International Journal of Business in Society, 17(1), 134-151.

Gaur, A., & Kumar, M. (2018). A systematic approach to conducting review studies: An assessment of content analysis in 25 years of IB research. Journal of World Business, 53(2), 280-289.

Graneheim, U.H., Lindgren, B.M., & Lundman, B. (2017). Methodological challenges in qualitative content analysis: A discussion paper. Nurse Education Today, 56, 29-34.

Gordon, L.A., Loeb, M.P., & Tseng, C.Y. (2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28(4), 301-327.

Gordon, L.A., Loeb, M.P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS Quarterly, 34(3), 567-594.

Hinde, S. (2003). The law, cybercrime, risk assessment and cyber protection. Computers & Security, 22(2), 90-95.

Hsieh, H.F., & Shannon, S.E. (2005). Three approaches to qualitative content analysis. Qualitative Health Research, 15(9), 1277-1288.

Hughes, B.B., Bohl, D., Irfan, M., Margolese-Malin, E., & Solórzano, J.R. (2017). ICT/Cyber benefits and costs: Reconciling competing perspectives on the current and future balance. Technological Forecasting and Social Change, 115, 117-130.

Hunton, P. (2011). A rigorous approach to formalising the technical investigation stages of cybercrime and criminality within a UK law enforcement environment. Digital Investigation, 7(3-4), 105-113.

Jeske, D., & van Schaik, P. (2017). Familiarity with internet threats: Beyond awareness. Computers & Security, 66, 129-141.

Karabacak, B., Yildirim, S.O., & Baykal, N. (2016). A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness. International Journal of Critical Infrastructure Protection, 15, 47-59.

Konradt, C., Schilling, A., & Werners, B. (2016). Phishing: An economic analysis of cybercrime perpetrators. Computers & Security, 58, 39-46.

Krippendorff, K. (2004). Content analysis: An introduction to its methodology (2nd ed.). Thousand Oaks, CA: Sage Publications.

Linsley, P.M., & Shrives, P.J. (2006). Risk reporting: A study of risk disclosures in the annual reports of UK companies. The British Accounting Review, 38(4), 387-404.

Linsley, P., & Shrives, P. (2000). Risk management and reporting risk in the UK. Journal of Risk, 3(1), 115-129.

Marston, C.L., & Shrives, P.J. (1991). The use of disclosure indices in accounting research: a review article. The British Accounting Review, 23(3), 195-210.

Mukhopadhyay, A., Chatterjee, S., Bagchi, K.K., Kirs, P.J., & Shukla, G.K. (2017). Cyber risk assessment and mitigation (CRAM) framework using logit and probit models for cyber insurance. Information Systems Frontiers, advance online publication. https://doi.org/10.1007/s10796-017-9808-5

Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. K. (2013). Cyber-risk decision models: To insure IT or not?. Decision Support Systems, 56, 11-26.

Paape, L., & Speklé, R.F. (2012). The adoption and design of enterprise risk management practices: An empirical study. European Accounting Review, 21(3), 533-564.

Paté-Cornell, M., Kuypers, M., Smith, M., & Keller, P. (2018). Cyber risk management for critical infrastructure: a risk analysis model and three case studies. Risk Analysis, 38(2), 226-241.

Prencipe, A. (2004). Proprietary costs and determinants of voluntary segment disclosure: evidence from Italian listed companies. European Accounting Review, 13(2), 319-340.

Ruan, K. (2017). Introducing cybernomics: A unifying economic framework for measuring cyber risk. Computers & Security, 65, 77-89.

van Schaik, P., Jeske, D., Onibokun, J., Coventry, L., Jansen, J., & Kusev, P. (2017). Risk perceptions of cyber-security and precautionary behaviour. Computers in Human Behavior, 75, 547-559.

Shackelford, S.J. (2012). Should your firm invest in cyber risk insurance?. Business Horizons, 55(4), 349-356.

Smith, M. (2015). Research methods in accounting (3rd ed.). London, UK: Sage Publications.

Soin, K., & Collier, P. (2013). Risk and risk management in management accounting and control. Management Accounting Research, 24(2), 81-194.

Stein, V., & Wiedemann, A. (2016). Risk governance: conceptualization, tasks, and research agenda. Journal of Business Economics, 86(8), 813-836.

Thekdi, S., & Aven, T. (2016). An enhanced data-analytic framework for integrating risk management and performance management. Reliability Engineering & System Safety, 156, 277-287.

Yar, M. (2013). Cybercrime and society (2nd ed.). London, UK: Sage Publications.

Other References

The Dutch Corporate Governance Code (2008). Monitoring committee Corporate Governance Code 2008.

The Dutch Corporate Governance Code (2016). Monitoring committee Corporate Governance Code 2016.

NCSC (2017). Cybersecuritybeeld Nederland 2017. Available at: https://www.ncsc.nl/actueel/Cybersecuritybeeld+Nederland/cybersecuritybeeld-nederland-2017.html

Deloitte (2017). Dealing efficiently with cybercrime. Cyber value at risk in The Netherlands 2017. Available at: www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Deloitte_Cyber%20VaR%20NL%202017.pdf

Het Financieel Dagblad (2017, August 3). Hacker die WannaCry-virus stopte is gearresteerd. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2017, December 9). Intelligent omgaan met cyberdreigingen. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2018, January 26). Maersk moest complete IT-systeem vernieuwen na cyberaanval. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2018, January 29). Banken en overheidsinstanties opnieuw doelwit van cyberaanvallen. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2018, March 15). Cyberaanval op petrochemisch bedrijf in Saoedi-Arabië moest veel mensen doden. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2018, March 30). Gegevens 150 miljoen gebruikers MyFitnessPal ontvreemd. Het Financieel Dagblad. Retrieved from www.fd.nl.

Het Financieel Dagblad (2018, April 5). Lek bij klantgegevens Delta Air Lines. Het Financieel Dagblad. Retrieved from www.fd.nl.

International Organization for Standardization (ISO) (2009). ISO 31000:2009 Risk Management – Principles and Guidelines.

KPMG (2016). 3e cyber security benchmark. Available at: https://www.thehaguesecuritydelta.com/media/com_hsd/report/97/document/Cyber-Security-Benchmark-2016.pdf

KPMG (2017). Cyber security benchmark. Available at: http://kpmg-cyber.instantmagazine.com/cyber-security-benchmark/global

NBA (2009). Risicomanagement in tijden van crisis.

NBA (2014). Hoeveel zijn we opgeschoten na de crisis. Tweede nationaal onderzoek risicomanagement in Nederland.

NBA (2016). Van hype naar aanpak, PML over cybersecurity. Available at: https://www.nba.nl/globalassets/projecten/kennis-delen-pmls/cybersecurity/pml-cyber-security.pdf

Openbaar Ministerie (2016). Jaarbericht 2016. Available at: https://www.om.nl/onderwerpen/cybercrime/
