Search Results (8)

Search Parameters:
Keywords = cybersecurity disclosure

24 pages, 651 KiB  
Article
Security Investment and Pricing Decisions in Competitive Software Markets: Bug Bounty and In-House Strategies
by Netnapha Chamnisampan
Systems 2025, 13(7), 552; https://doi.org/10.3390/systems13070552 - 7 Jul 2025
Viewed by 294
Abstract
In increasingly competitive digital markets, software firms must strategically balance cybersecurity investments and pricing decisions to attract consumers while safeguarding their platforms. This study develops a game-theoretic model in which two competing firms choose among three cybersecurity strategies—no action, bug bounty programs, and in-house protection—before setting prices. We demonstrate that cybersecurity efforts and pricing are interdependent: investment choices significantly alter market outcomes by influencing consumer trust and competitive dynamics. Our analysis reveals that a bug bounty program is preferable when consumer sensitivity to security and the probability of ethical vulnerability disclosures are high, while in-house protection becomes optimal when firms must rebuild credibility from a weaker competitive position. Furthermore, initial service quality gaps between firms critically shape both investment intensity and pricing behavior. By jointly endogenizing security efforts and prices, this study offers new insights into strategic cybersecurity management and provides practical guidance for software firms seeking to integrate security initiatives with competitive pricing strategies.
(This article belongs to the Section Systems Practice in Social Science)

31 pages, 1332 KiB  
Article
Cybersecurity Threat Modeling for IoT-Integrated Smart Solar Energy Systems: Strengthening Resilience for Global Energy Sustainability
by Alexandre Rekeraho, Daniel Tudor Cotfas, Titus C. Balan, Petru Adrian Cotfas, Rebecca Acheampong and Emmanuel Tuyishime
Sustainability 2025, 17(6), 2386; https://doi.org/10.3390/su17062386 - 9 Mar 2025
Viewed by 2155
Abstract
The integration of Internet of Things (IoT) technologies into solar energy systems has transformed them into smart solar energy systems, enabling advanced real-time monitoring, control, and optimization. However, this connectivity also expands the attack surface, exposing critical components to cybersecurity threats that could compromise system reliability and long-term sustainability. This study presents a comprehensive cybersecurity threat modeling analysis for IoT-based smart solar energy systems using the STRIDE threat model to systematically identify, categorize, and assess potential security risks. These risks, if unmitigated, could disrupt operations and hinder large-scale adoption of solar energy. The methodology begins with a system use case outlining the architecture and key components, including sensors, PV modules, IoT nodes, gateways, cloud infrastructure, and remote-access interfaces. A Data Flow Diagram (DFD) was developed to visualize the data flow and identify the critical trust boundaries. The STRIDE model was applied to classify threats, such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege across components and their interactions. The DREAD risk assessment model was then used to prioritize threats based on the Damage Potential, Reproducibility, Exploitability, Affected Users, and Disability. The results indicate that most threats fall into the high-risk category, with scores ranging from 2.6 to 2.8, emphasizing the need for targeted mitigation. This study proposes security recommendations to address the identified threats and enhance the resilience of IoT-enabled solar energy systems. By securing these infrastructures, this research supports the transition to sustainable energy by ensuring system integrity and protection against cyber threats. The combined use of STRIDE and DREAD provides a robust framework for identifying, categorizing, and prioritizing risks, enabling effective resource allocation and targeted security measures. These findings offer critical insights into safeguarding renewable energy systems against evolving cyber threats, contributing to global energy sustainability goals in an increasingly interconnected world.

14 pages, 364 KiB  
Article
The Impact of Cyber Governance Quality on Dividend Policy in Mitigating Cybersecurity Breaches
by Manar Al-Mohareb
Risks 2025, 13(2), 34; https://doi.org/10.3390/risks13020034 - 17 Feb 2025
Viewed by 1086
Abstract
This study investigates the relationship between cyber risks and dividend policy, as well as how boards, as a governance mechanism, affect the dividend policy under cyber risk. This study collected firm-level financing, corporate governance, and control variables from the Bloomberg database during the period 2013–2022. This paper measures cyber risk through publicly available corporate disclosures on Form 10-K. The findings confirmed that cyber risks significantly impact dividend policy by posing challenges to corporate technical communication and financial transparency. Effective boards play a critical role in guiding companies toward governance strategies that enhance dividend policy and improve cybersecurity. This study involves policy and practical implications, where research findings suggest the need to strengthen regulatory frameworks that encourage the adoption of strong governance practices and advanced cybersecurity practices within companies. On the practical level, companies should adopt a proactive approach to managing cyber risks by enhancing investments in this area and developing flexible dividend policies.
26 pages, 847 KiB  
Article
Economics of Cybersecurity Investment and Information Sharing: Firm Decision Making Under Policy Constraints
by Liurong Zhao, Xinshuo Wu, Jiao Li and Huagang Tong
Systems 2025, 13(2), 83; https://doi.org/10.3390/systems13020083 - 29 Jan 2025
Viewed by 1231
Abstract
With an increasing number of firms in cybersecurity information-sharing platforms, the potential cyber risks become a critical challenge during the exchanging of information. How to balance economic benefits and security requirements is an important topic for both firms and the government. By developing a game-theoretic model, the firms’ optimal strategies are discussed considering their absorptive capacity for security information under different policy constraints. The results show that the value of security information, intrusion loss, the level of cybersecurity vulnerability, the negative impact coefficient of platform security information disclosure, and the absorptive capacity for security information are key factors impacting firms’ decisions. The value of security information and intrusion loss are constrained by the marginal utility of cybersecurity investment and security information sharing. Firms prefer to increase their security investment or security information sharing only if the value of security information and intrusion loss are positively related to the marginal utility of cybersecurity investment or cybersecurity information sharing. Specifically, in the case without policy constraints, the optimal strategies of n firms are discussed, and it is found that they are consistent with those of two firms and that the utility of any firm in the platform decreases as the number of firms increases.
(This article belongs to the Section Systems Practice in Social Science)

32 pages, 1109 KiB  
Article
Impact, Compliance, and Countermeasures in Relation to Data Breaches in Publicly Traded U.S. Companies
by Gabriel Arquelau Pimenta Rodrigues, André Luiz Marques Serrano, Guilherme Fay Vergara, Robson de Oliveira Albuquerque and Georges Daniel Amvame Nze
Future Internet 2024, 16(6), 201; https://doi.org/10.3390/fi16060201 - 5 Jun 2024
Cited by 13 | Viewed by 8199
Abstract
A data breach is the unauthorized disclosure of sensitive personal data, and it impacts millions of individuals annually in the United States, as reported by Privacy Rights Clearinghouse. These breaches jeopardize the physical safety of the individuals whose data are exposed and result in substantial economic losses for the affected companies. To diminish the frequency and severity of data breaches in the future, it is imperative to research their causes and explore preventive measures. In pursuit of this goal, this study considers a dataset of data breach incidents affecting companies listed on the New York Stock Exchange and NASDAQ. This dataset has been augmented with additional information regarding the targeted company. This paper employs statistical visualizations of the data to clarify these incidents and assess their consequences on the affected companies and individuals whose data were compromised. We then propose mitigation controls based on established frameworks such as the NIST Cybersecurity Framework. Additionally, this paper reviews the compliance scenario by examining the relevant laws and regulations applicable to each case, including SOX, HIPAA, GLBA, and PCI-DSS, and evaluates the impacts of data breaches on stock market prices. We also review guidelines for appropriately responding to data leaks in the U.S., for compliance achievement and cost reduction. By conducting this analysis, this work aims to contribute to a comprehensive understanding of data breaches and empower organizations to safeguard against them proactively, improving the technical quality of their basic services. To our knowledge, this is the first paper to address compliance with data protection regulations, security controls as countermeasures, financial impacts on stock prices, and incident response strategies. Although the discussion is focused on publicly traded companies in the United States, it may also apply to public and private companies worldwide.
(This article belongs to the Collection Information Systems Security)

23 pages, 996 KiB  
Article
The Disclosures of Information on Cybersecurity in Listed Companies in Latin America—Proposal for a Cybersecurity Disclosure Index
by Maricela Ramírez, Lázaro Rodríguez Ariza, María Elena Gómez Miranda and Vartika
Sustainability 2022, 14(3), 1390; https://doi.org/10.3390/su14031390 - 26 Jan 2022
Cited by 9 | Viewed by 6129
Abstract
For the corporate sphere, cybersecurity becomes an inescapable business responsibility, and accountability becomes a way of providing trust and ensuring resilience against cyber risks and high-impact cyber threats. The purpose of this study was to create a disclosure index that allows analysis of the scope of the disclosure of voluntary and mandatory cybersecurity information. The content analysis technique used focuses on the examination and identification of the cybersecurity information revealed in the annual reports and the 20 F annual forms of the companies with the highest stock market prices in Argentina, Brazil, Chile, Colombia, Mexico, and Peru during the period of 2016–2020. Longitudinal analysis indicates an increase over time in the disclosures and scope of information. The findings highlight that the country with the highest related disclosure is Argentina; the most extensive disclosures are due to the financial sector; and the strategy dimension represents the greatest weight in the index score. The study provides a novel instrument for measuring the content of disclosure on cybersecurity that is applicable in any specific context. In this case, the scope of disclosure in Latin America—a region which, according to our research, does not have previous studies on the subject—is evaluated.
(This article belongs to the Topic Industrial Engineering and Management)

15 pages, 1349 KiB  
Article
Operational Resilience Disclosures by Banks: Analysis of Annual Reports
by Martin Leo
Risks 2020, 8(4), 128; https://doi.org/10.3390/risks8040128 - 1 Dec 2020
Cited by 13 | Viewed by 6264
Abstract
An array of developments impacting the financial services industry, such as increasing complexity, interconnectedness, third party dependencies and digitalization, means operational resilience will remain a significant area of concern for policy makers, investors and customers. The purpose of this study is to evaluate if banks are disclosing information on their operational resilience risk. The study initially reviews the regulatory landscape for operational resiliency. The recent annual reports of the GSIB banks are reviewed to identify if they have made references to operational resilience. Through text mining, a frequency analysis of terms related to operational resilience was done, followed by an evaluation to understand the existence of relationships between these terms. The study shows that the regulatory guidance for operational resilience is still evolving with much of the current impetus on cybersecurity. There is a notable gap between banks that have reported on operational resiliency and those that have not, with a few patterns visible. Research in the area of operational resilience is relatively new and limited, and this research for the first time analyses the disclosures related to operational resilience in annual reports. Further, for policymakers, it highlights the disparity in disclosures around this relatively new area of risk, thus calling for additional regulatory guidance.

31 pages, 412 KiB  
Article
Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments
by Lorenzo Fernández Maimó, Alberto Huertas Celdrán, Ángel L. Perales Gómez, Félix J. García Clemente, James Weimer and Insup Lee
Sensors 2019, 19(5), 1114; https://doi.org/10.3390/s19051114 - 5 Mar 2019
Cited by 69 | Viewed by 10130
Abstract
Medical Cyber-Physical Systems (MCPS) hold the promise of reducing human errors and optimizing healthcare by delivering new ways to monitor, diagnose and treat patients through integrated clinical environments (ICE). Despite the benefits provided by MCPS, many of the ICE medical devices have not been designed to satisfy cybersecurity requirements and, consequently, are vulnerable to recent attacks. Nowadays, ransomware attacks account for 85% of all malware in healthcare, and more than 70% of attacks confirmed data disclosure. With the goal of improving this situation, the main contribution of this paper is an automatic, intelligent and real-time system to detect, classify, and mitigate ransomware in ICE. The proposed solution is fully integrated with the ICE++ architecture, our previous work, and makes use of Machine Learning (ML) techniques to detect and classify the spreading phase of ransomware attacks affecting ICE. Additionally, Network Function Virtualization (NFV) and Software Defined Networking (SDN) paradigms are considered to mitigate the ransomware spreading by isolating and replacing infected devices. Different experiments returned a precision/recall of 92.32%/99.97% in anomaly detection, an accuracy of 99.99% in ransomware classification, and promising detection and mitigation times. Finally, different labelled ransomware datasets in ICE have been created and made publicly available.