Assessing Privacy and Security of Information Systems from Audit Data
Information Systems Frontiers (IF 5.9), Pub Date: 2021-05-27, DOI: 10.1007/s10796-021-10129-5
J. Christopher Westland

We investigated publicly reported security breaches of internal controls in corporate information systems to determine whether U.S. Securities and Exchange Commission (SEC) data are information-bearing with respect to breaches of security and privacy. The issue has grown in importance as information systems breaches have steadily grown costlier and more frequent. Our analysis supports a high predictability for credit card breaches, portable-device-related breaches and breaches conducted by firm insiders. Our study also found evidence that employees are subverting particularly strict internal controls by using portable devices that can be carried outside the physical boundaries of the firm. In general, auditing and corporate data filed with the SEC were non-informative with regard to breaches involving unintended disclosures, physical losses, hacking and malware, and workplace computers. Scope and fees associated with auditing are significant factors in predicting security breaches, whereas assessments of internal controls effectiveness were shown to be less significant for prediction.




Updated: 2021-05-28