In March 2022, the Securities and Exchange Commission (SEC) proposed the mandatory reporting of cybersecurity risk management policies for public companies. This study aims to explore the potential impact of cybersecurity risk management strategy disclosure on nonprofessional investors. Using a 4 x 1 between-participants experimental design, we examine whether nonprofessional investors’ perceptions and decisions differ between disclosed cybersecurity risk management strategies of self-assessment, self-assessment referencing the framework, third-party assurance, and insurance. We find that nonprofessional investors’ willingness to invest is significantly higher for the insurance strategy compared to the third-party cybersecurity examination and self-assessment (without reference to NIST) strategies. Moderated mediation analysis reveals that investors’ perceptions of financial risk moderates the mediating effect of perceived cybersecurity risk management strategy effectiveness on the relation between cybersecurity risk management strategy and likelihood of investment. Our study contributes to regulators, practitioners, and stakeholders concerned about the potential impact of cybersecurity risk management strategy disclosures on nonprofessional investors.

中文翻译：

---

网络安全风险管理策略披露对投资者判断和决策的影响


2022年3月，美国证券交易委员会（SEC）提议强制报告上市公司网络安全风险管理政策。本研究旨在探讨网络安全风险管理策略披露对非专业投资者的潜在影响。使用 4 x 1 参与者之间的实验设计，我们检查非专业投资者的看法和决策在已披露的自我评估、参考框架的自我评估、第三方保证和保险的网络安全风险管理策略之间是否存在差异。我们发现，与第三方网络安全检查和自我评估（不参考NIST）策略相比，非专业投资者对保险策略的投资意愿明显更高。有调节的中介分析表明，投资者对财务风险的认知调节了感知网络安全风险管理策略有效性对网络安全风险管理策略与投资可能性之间关系的中介作用。我们的研究有助于监管机构、从业者和利益相关者关注网络安全风险管理策略披露对非专业投资者的潜在影响。