ABSTRACT This paper reviews the expanding literature on the disclosure of cybersecurity risks and incidents. In contrast to prior reviews on cybersecurity, we focus specifically on disclosure and consider studies publicly available to the end of 2024. We classify the literature along three main dimensions: characteristics, determinants, and outcomes of cybersecurity disclosure. Within each dimension, we group studies that examine similar concepts to highlight areas where a critical mass of knowledge exists, as well as areas where research remains limited, findings are inconclusive, or contradictions persist. We conclude by outlining four broad research questions that warrant further investigation, with the goal of advancing our understanding of cybersecurity disclosure, its implications for organizations and stakeholders, the broader risk management landscape, and the related adversarial costs unique to this disclosure.
Amani et al. (Thu,) studied this question.