TO TELL OR NOT TO TELL: MARKET VALUE OF VOLUNTARY DISCLOSURES OF INFORMATION SECURITY ACTIVITIES


Files

umi-umd-3938.pdf (399.09 KB)
No. of downloads: 2007

Date

2006-11-24

Abstract

This study measures the economic consequences of information security activities in general, and more specifically the market value of disclosures of information security activities. Since information security activities are primarily non-revenue generating, management tends to view them as a cost of doing business, with no impact on firm value. Furthermore, managers are reluctant to share the details because they do not want to attract the attention of hackers. However, voluntary disclosures of information security can help reduce information asymmetry, which leads to belief revisions by investors and hence corrects the misspecifications (if any) of the firm's market value. In other words, voluntary disclosures of security activities are signaling mechanisms. The objective of this dissertation is to develop a taxonomy of disclosures of information security activities and to empirically test the value relevance of such disclosures. Based on a sample of 1,637 disclosing firms, the empirical results provide support for the argument that voluntary disclosures of information security activities are value-relevant. Industry-wide analyses support the disclosure taxonomy developed and highlight that firms that are technology- and data-dependent experience the most impact from these discretionary disclosures of information security activities. These results are robust to various sensitivity checks, including a matched-pair design, a returns model, and a model that corrects for self-selection bias.

The main contributions of this research are three-fold: 1) it adds to the discretionary disclosure literature by supporting the signaling hypothesis, 2) it adds to the extant literature on value-relevance vis-à-vis the importance of intangible voluntary disclosures, and 3) it adds to the information security literature concerning the value of information security-related activities to organizations. Future directions highlight the rich stream of potential research based on the dataset collected as a part of this study.
