Cyber maturity through the lens of non-financial reporting: an analysis of CAC 40 companies

Authors

DOI: https://doi.org/10.53102/2024.38.02.1187

Keywords: cybersecurity, cyber resilience, non-financial information, risks, annual reports

Abstract

The aim of this paper is to analyse the content of the information disclosed by companies in order to infer their level of maturity in the face of cyberattacks. An organisation's survival does not depend solely on cybersecurity measures, but on its capacity to recover and to learn, in other words on its resilience. An organisation's resilience to cyber risk is therefore of the highest interest to its stakeholders. While non-financial reporting has long been a concern of researchers, few articles address disclosure about cyber risks. This study aims to characterise how large companies communicate on the subject, in particular by identifying the nature of the information published in annual reports and its degree of precision. Analysing these disclosure practices allows us to characterise the degree of cyber resilience of CAC 40 companies.

Author biographies

Anne-Laure Farjaudon, IAE Bordeaux, France

Anne-Laure Farjaudon is an Associate Professor (Maître de conférences) at IAE Bordeaux and a member of the IRGO research team (Institut de Recherche en Gestion des Organisations). She is in charge of the Master 1 in Management Control and Internal Audit, as well as the chartered accountancy track. Her research is rooted mainly in management control, accounting and auditing, and focuses in particular on intangibles, CSR and non-financial information, as in the present paper.

Nathalie Gardès, Univ. Bordeaux, IRGO, EA 4190, F-33000 Bordeaux, France

Nathalie Gardès is an Associate Professor with habilitation (Maître de conférences HDR) at IUT de Bordeaux and a member of the IRGO research team (Institut de Recherche en Gestion des Organisations). She is in charge of the professional bachelor's degree in Real Estate Professions. Her research focuses on the impact of digital technology on organisations from several angles: customer experience, digital transformation, and technology appropriation.


Published: 30-04-2024

Submitted: 03-07-2023

How to cite

Farjaudon, A.-L., & Gardès, N. (2024). La maturité cyber au prisme de la communication extra-financière : une analyse des entreprises du CAC 40. Revue Française De Gestion Industrielle, 38(2), 67–85. https://doi.org/10.53102/2024.38.02.1187

Section: Article
