Cyber maturity through the lens of non-financial reporting: an analysis of CAC 40 companies
DOI: https://doi.org/10.53102/2024.38.02.1187
Keywords: cybersecurity, cyber resilience, non-financial information, risks, annual reports
Abstract
The objective of this paper is to analyse the content of the information disclosed by companies in order to infer their level of maturity in the event of a cyberattack. An organisation's survival does not depend solely on cybersecurity measures, but on its capacity to recover and to learn, and therefore to be resilient. An organisation's resilience in the face of cyber risk is thus of the highest interest to its stakeholders. While non-financial reporting has long been a subject of study for researchers, few articles address communication on cyber risks. The objective of this study is to characterise how large companies communicate on this subject, in particular by identifying the nature of the information published in annual reports and its degree of precision. Analysing these disclosure practices allows us to characterise the degree of cyber resilience of CAC 40 companies.
License
(c) All rights reserved Revue Française de Gestion Industrielle 2024
This work is licensed under a Creative Commons Attribution - NonCommercial 4.0 International license.