Journal of Business Ethics

https://doi.org/10.1007/s10551-020-04717-9

ORIGINAL PAPER

Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related Disclosure

Camélia Radu¹ · Nadia Smaili¹

Received: 2 July 2020 / Accepted: 21 December 2020


© The Author(s), under exclusive licence to Springer Nature B.V. part of Springer Nature 2021, corrected publication 2021

Abstract
Cyber risk has become one of the greatest threats to firms in recent years. Accordingly, boards of directors must be continually vigilant about this danger. They have a duty to ensure that the companies adopt appropriate cybersecurity measures to manage the risk of cyber fraud. Boards should also ensure that the firm disclose material cyber risk and breaches. We examine how the board’s gender composition can influence the extent of such disclosure, based on a sample of the companies listed on the S&P/TSX 60 Index over the period 2014–2018. Results show evidence of a positive association between the presence and level of cybersecurity disclosure and board gender diversity. However, the board must boast a critical mass of at least three women before this positive impact can be observed. Our findings contribute to the debate on the importance of gender diversity by adding the concept of the positive influence of heterogeneity on cyber disclosure. We also augment the literature on the critical mass of women in boardrooms by providing empirical evidence that three or more women constitute the threshold for better governance. Our study has important implications for investors, stakeholders and regulators. If investors wish to increase cybersecurity disclosure, they should ask for more diversified boards. Our findings support regulators in their efforts to increase women’s representation on boards by providing empirical evidence of better outcomes with this type of board composition.

Keywords Cyber risk · Cybersecurity disclosure · Corporate governance · Gender diversity

* Camélia Radu: radu.camelia@uqam.ca
Nadia Smaili: smaili.nadia@uqam.ca
¹ ESG UQAM (School of Management), Université du Québec à Montréal, Montréal, Canada

Introduction

The growing debate on the effect of gender diversity on the firm’s outcomes and strategies has led to calls in several countries for women’s increased participation in corporate governance, including in Canada (Baker et al. 2020; Ben-Amar et al. 2017; Francoeur et al. 2019; Gul et al. 2011). In 2014, the Ontario Securities Commission (OSC) introduced a “comply or explain” regime aimed at enhancing the representation of women on the boards of Canadian publicly listed companies (Ben-Amar et al. 2017). The regime seeks to increase the transparency of information provided to investors and other stakeholders regarding this representation of women both at the board level and in senior executive positions, as advocated by diverse studies. Prior research on gender diversity also highlights that firms benefit when they choose to include women on their boards.

Growing evidence suggests that the presence of women on the board of directors is positively associated with the firm’s outcomes (Francoeur et al. 2008, 2019; Kent Baker et al. 2020). It also highlights that gender diversity is associated with closer monitoring (Adams and Ferreira 2009; Gul et al. 2011) and more ethical firm decisions (Campbell and Mínguez-Vera 2008; Kent Baker et al. 2020; Nekhili and Gatfaoui 2013). Women in corporate governance, and especially on the board of directors, tend to enhance board effectiveness (Nielsen and Huse 2010) and communications (Gul et al. 2011; Joy 2008), but there is scant evidence regarding their impact on disclosure (Allini et al. 2016; Bravo 2018). Among the few studies conducted, some test the association between the presence of women on boards and the firm’s financial (Gul et al. 2011; Srinidhi et al. 2011), non-financial and environmental disclosure (Ben-Amar et al. 2017; Francoeur et al. 2019; Liao et al. 2015). They suggest that board gender diversity has a positive influence on the firm’s
adoption of sustainable practices and the extent of its environmental disclosure (Liao et al. 2015). More specifically, a critical mass of two or three women directors is needed to obtain this positive influence (Ben-Amar et al. 2017; Konrad et al. 2008). Other issues such as the question of women’s impact on the firm’s internal and external fraud risk and its cyber risk disclosure strategy remain largely unexplored.

As cyber risk is a top concern for firms, governance and business leaders, cybersecurity disclosure is an important issue to examine. In 2019, cyber risk was named the biggest risk for businesses in the U.S. and Canada, as well as in Europe (World Economic Forum 2019). The Canadian Securities Administrators (CSA), an umbrella organization of Canada’s provincial and territorial securities regulators, has published regulation on cybersecurity emphasizing the importance of cybersecurity disclosure and the key oversight role of the board of directors. Given the seriousness of cyber attacks and their potential harm to investors and the public, the board of directors is expected to be continually vigilant and adopt a more comprehensive approach to managing cybersecurity risks (Abraham et al. 2019; SEC 2018). A director’s duty of care extends to the disclosure of material risks that could affect shareholders’ decision making. As a crucial piece of data for the market, risk information helps shareholders assess the firm’s financial situation and informs their decision-making processes regarding financial investments. The board is therefore expected to disclose material information that is relevant to shareholders, including information about cyber risk and how it is addressed by the firm.

Since cybersecurity disclosure levels can be affected by board composition, we explore whether women’s representation in the boardroom improves the level of this disclosure. We assume that a link exists between gender diversity and cybersecurity disclosure for several reasons. First, extensive literature suggests that women add value to boards through their experience, knowledge and social interaction skills (Van Knippenberg et al. 2004; Wahid 2019). Second, prior research shows that women add value to the organization because they take into account stakeholders’ interests and align them with those of the firm (Baird and Bradley 1979; Nielsen and Huse 2010). It follows that this sensitivity to stakeholder needs could have a positive effect on cybersecurity disclosure. Overall, women directors may bring different experiences, talents and perspectives to the board (Bravo 2018; Francoeur et al. 2008), which would enhance cybersecurity disclosure.

The objective of this study is to examine two major social and risk issues transforming the competitive corporate landscape: voluntary disclosure of cybersecurity information and the effect of women’s representation on the board. Regarding the first issue, investors and stakeholders alike are increasingly concerned about the need to integrate technology and information, and particularly cybersecurity risk information. Concerning the second issue, we investigate whether the representation of women on the board fulfills investors’ and stakeholders’ increased needs for information on the firm’s cyber-attack risk mitigation. To this end, we use stakeholder theory, resource dependence theory and critical mass theory to study a sample of all the companies listed on the TSX 60 between 2014 and 2018 (300 firm-year observations). Our results provide evidence that the presence of women on boards has a positive and significant effect on the presence and level of cybersecurity disclosure, but only if the board has a critical mass of at least three women. This conclusion provides support for critical mass theory and suggests that women on the board positively affect a firm’s disclosure practices as long as the stated threshold of three women is reached.

The impact of corporate governance on corporate risk disclosure is largely unknown, as the scarce extant studies are mainly confined to environmental and finance risk. In light of calls to investigate this impact as well as other types of disclosure and impacts in a variety of country contexts (Bravo 2018; Li et al. 2018a), we extend the literature on disclosure practices by providing evidence that gender diversity has a significant influence on annual report disclosure, and by choosing Canada as our context. This setting adds a layer of interest because the country’s regulatory guidance regarding cybersecurity disclosure and gender diversity on boards is relatively recent (2017 and 2014 respectively). In fact, Canada has minimal requirements regarding gender diversity in corporate boards, as noted by Ben-Amar et al. (2017). The timing of these regulations led us to select the period 2014 to 2018 to examine our sample and assess how the two selected study areas are related. This investigation is important and timely because recent evidence suggests that firms have been adding more women to their boards over the past 10 years, even while cyber attacks have become a main concern in the corporate world, including in Canada. To the best of our knowledge, no evidence so far ties together this increase in gender diversity and firms’ disclosure about cybersecurity.

Although women have recently achieved greater representation in various spheres of the workforce and leadership around the world, they are still underrepresented in cybersecurity leadership (Kshetri 2020). In 2019, they accounted for only 10% of the cybersecurity workforce in Canada (Women CyberSecurity Society 2020), 14% in the U.S. and 7% in Europe (Kshetri 2020). This low representation is linked to the broader problem of the underrepresentation of women in science, technology, engineering and mathematics
(Women CyberSecurity Society 2020). Research on the role of women in cybersecurity is scarce, and most of it was conducted in the engineering field. As women’s perspectives tend to differ from those of men, their underrepresentation in cybersecurity management and governance could be critical in addressing cyber risks (Kshetri 2020). This study examines the role of women in cybersecurity, specifically the impact that women on the board may have on cybersecurity disclosure.

This study has both theoretical and practical contributions. It sheds light on the role that women on the board play in relation to cybersecurity disclosure, and it reports their positive association with the presence and level of cyber-related disclosure. This paper adds to the gender diversity and critical mass literatures in addition to contributing to the debate on the importance of gender diversity. It also goes beyond the topic of the impact of women on boards on firm performance by describing the positive influence of heterogeneity on cyber disclosure. Women’s presence increases board effectiveness in cybersecurity disclosure as long as there is a critical mass of at least three women on the board. Hence, we contribute to the literature on the critical mass of women on boards by providing empirical evidence of a critical mass of three women as the threshold for better governance. More specifically, heterogeneous boards with three or more women provide more cyber-related disclosure than homogeneous boards do.

This paper fills the gap in the literature on risk-related disclosure. Prior research focused on the impact of women on boards and different types of firm disclosure, such as financial (Gul et al. 2011; Srinidhi et al. 2011) or social and environmental disclosure (Ben-Amar et al. 2017; Francoeur et al. 2019; Liao et al. 2015). Fewer studies have examined the impact of gender diversity on cyber risk disclosure. As cyber risk differs from traditional risks and is highly strategic for businesses, it requires in-depth examination to obtain a comprehensive view of its technical, social and ethical issues.

Our paper has several practical implications. As cyber risk is one of the greatest risks facing firms, investors are particularly interested in cyber risk management. Other stakeholders, such as clients and employees, are also interested in firms’ cybersecurity disclosure due to this information possibly containing confidential information concerning them. As cybersecurity disclosure provides other valuable information for investors and other stakeholders, a heterogeneous board with three or more women is one way to obtain more of this disclosure. To this end, investors should request this type of board and representation. Our findings support regulators in their attempt to constitute more heterogeneous boards by providing empirical evidence of better outcomes for them. In sum, adding women’s voices to corporate boards continues to be important as it provides protection against cyber attacks and supplies shareholders with more information on the responses of organizations regarding these attacks.

The paper proceeds as follows. In the next section, we discuss the regulatory settings for the disclosure of cybersecurity in Canada. This is followed by our literature review and hypothesis development. Section 4 describes the methodology. We then present our results, discuss our findings and conclude the paper.

Regulatory Settings

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) defines cybersecurity as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” (CISA 2009). The National Institute of Standards and Technology (NIST 2020) emphasizes that the objective of information security is to provide integrity, confidentiality, and availability.¹ According to the SEC, cybersecurity risk refers to “a significant vulnerability to, or a significant deficiency in the security and defense activities of a cybersecurity system” (U.S. Congress 2016).

¹ National Institute of Standards and Technology defines confidentiality as the assurance that information does not get disclosed to unauthorized individuals, processes, or devices. Information integrity means that information has not been altered in an unauthorized manner. Lastly, availability is viewed as timely, reliable access to data and information services for authorized users. https://csrc.nist.gov/glossary/term/information_security, accessed 2020/11/20.

Cybersecurity, including threats and solutions, is the fastest growing area in information technology (OSC 2017). Businesses should be prepared to adequately manage cyber attacks, prevent breaches and effectively deter cyber threats. They should implement procedures and policies that allow them to identify any unauthorized internal or external activity, update their software in a timely manner and permit employees or third parties to report cyber incidents (OSC 2017). An effective cyber risk assessment should include an inventory of the firm’s critical and confidential data, identification of vulnerable areas, a description of how cyber threats and vulnerabilities are identified, and a delineation of their potential consequences. Firms should ensure that they put in place appropriate preventive controls and training programs and develop an incident response plan addressing various types of potential cyber threats, threat neutralization strategies and data recovery procedures (OSC 2017).

Due to the potentially harmful consequences of a cyber attack, cybersecurity has been identified as one of the top enforcement priorities of American and Canadian securities
regulators; for example, the Canadian Securities Administrators (CSA) named cyber security a strategic priority in its Business Plan 2016-2019. Canadian regulation on cybersecurity began with CSA Staff Notice 11-326 in 2013, which set out the challenges of cybercrime, the measures to mitigate cyber risks and the importance of cybersecurity disclosure. In 2016, the CSA published Staff Notice 11-332 Cyber Security highlighting the magnitude of cyber security risks for issuers, registrants and regulated entities (CSA 2016). The notice provides that firms must determine whether they should disclose an attack, and, if so, decide on the nature, timing and method of disclosure. Further, they should consider whether any material fact or material change requires disclosure. In 2017, CSA Multilateral Staff Notice 51-347 Disclosure of Cyber Security Risks and Incidents provided results on disclosure by the firms on the S&P/TSX Composite Index regarding cyber security risk and cyber attacks. It found that the materiality of a cyber security breach varied by issuer and industry, according to the type of incident, its consequences and the context of the incident. Cyber attacks aimed at obtaining client information had significant consequences. The Notice indicates that the characteristics of the disclosure depended on the materiality of the cyber breach and the significance of the impact; for instance, disclosure was more extensive when client information was one of the goals of the breach. Lastly, the presence and level of disclosure differed among the firms.

The considerable expense of a cyber attack includes reputational, legal or cyber protection costs to the firm. These costs can affect the evaluation of a firm’s risk and value. Accordingly, financial market bodies are striving to improve corporate responsibility and accountability related to cyber attacks and ultimately protect investors and the financial market. For instance, the SEC has stated that timely disclosure about relevant cybersecurity risks and incidents is essential for investors. In its recent guidance on cybersecurity disclosure (SEC 2018), the SEC added to previous guidance issued in 2011 (SEC 2011) and offered new insight into the materiality of cybersecurity risk or a cybersecurity incident, the timing of disclosure, the role of the board, cybersecurity policies and procedures and cybersecurity assessments. Notably, the board of directors, with its oversight role, should be vigilant in understanding security and technology and in managing cybersecurity risks. For its part, the firm should disclose information about the board’s role in overseeing cybersecurity risks (SEC 2018).

Literature Review and Hypothesis Development

Cybersecurity Beyond a Compliance-Based Approach: Cyber-Business Ethics

Consumers are using technology like never before. E-commerce is growing at an unprecedented rate all over the world, and businesses have greater access to personal information than in the past. Customers are continually sharing their own and their children’s personal information and entrusting companies with sensitive data. This information could be extremely harmful when used in the wrong way or in the wrong hands. Thus, this explosive Internet growth facilitates cyber attacks, with potentially devastating effects on organizations, individuals and society. These effects could materialize as financial costs, reputational costs, loss of confidential data, erosion of consumer confidence in e-commerce, violation of privacy, etc.

Corporate cybersecurity is critical as it has an impact not only on shareholders, managers and employees, but also on society as a whole. The recent example of Desjardins Group, the largest federation of credit unions in North America, illustrates this impact. A data breach revealed in 2019 affected 2.7 million people and 173,000 businesses, or more than 40 per cent of the credit union’s clients and members. The leaked information included names, birth dates, social insurance numbers, addresses, email addresses, phone numbers and information about banking habits.² Cybersecurity involves taking appropriate actions and making ethical decisions to mitigate cyber risks. Firms should develop a cyber program that consists of assessing these as well as evaluating existing controls and practices, responding to the risks (increasing controls, assurance, etc.) and promoting awareness among top managers and employees. Cybersecurity is therefore not limited to safeguarding information confidentiality; it must also be considered a strategic business and ethical practice. To mitigate corporate scandals such as cyber breaches, firms can use a compliance-based approach to eliminate technical causes, an integrity approach to eliminate ethical concerns, or a harmonized approach in which compliance and integrity reinforce each other (Calderón et al. 2018). From a reductionist perspective, cybersecurity mitigates cyber-related risks, but from a comprehensive perspective, cybersecurity includes not only the firm’s response to cyber risks, but also related ethical and strategic business decisions combined in a harmonized approach. Firms should consider the entire ecosystem of cybersecurity consisting of cyber risk, impacts on society, training and education, ethics, techniques, and so forth.

² CBC News, https://www.cbc.ca/news/canada/montreal/desjardins-data-breach-1.5183297, page accessed on 2020/11/15.

Beyond the technical aspect of protecting organizational resources and safeguarding confidential data, cybersecurity encompasses other dimensions such as employee handling of data, disclosure/non-disclosure of cyber-related information, potential consequences of a data breach, and violation of the privacy of customers, individual investors and other stakeholders. Technology therefore creates an ethical risk in addition to its technical and financial risks, as the firm and its stakeholders can be affected when the technology is not used in compliance with ethical principles concerning privacy. As cybersecurity deals with risks stemming from social and technological factors, it is a complex issue for organizations. For example, several hospitals and healthcare providers across the U.S. have recently been targeted in ransomware attacks.³ As a result, patients experience prolonged wait times to receive critical care. A cyber attack targeted a German hospital, resulting in the death of a woman seeking emergency treatment. In sum, information technologies used for, within and between organizations are not ethically neutral (Strate 2012; Vallor 2018). They mirror the individual and business values that guide their use. According to Patrignani and Whitehouse (2014, p. 83), technology systems should be “designed using a human-centered approach.” Thus, to enhance customer well-being, information technologies should be good, fair and clean (Patrignani and Whitehouse 2014), since “technologies both reveal and shape what humans value, what we think is ‘good’ in life and worth seeking” (Vallor, 2018, p. 3).

³ CNN (October 2020), https://www.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html, page accessed on 2020/11/15.

One of the most important ethical problems involving the use of information technology is the issue of privacy (Moor 1997). Privacy was defined by Fried (1984, p. 209) as “not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves.” In this sense, privacy is the feeling that there is a zone of our individual lives under our own control and free from external intrusion. Moor (1991) adds to this notion of control the restriction of access to information, i.e. “an individual or group has privacy in a situation if and only if in that situation the individual or group or information related to the individual or group is protected from intrusion, observation, and surveillance by others” (Moor 1991, p. 76). Depriving an individual of privacy could even expose (endanger) a person’s mental and physical health.

According to Johnson (1985), “technology is not just artifacts, but rather artifacts embedded in social practices and infused with social meaning” (Johnson 1985, p. 16). Patrignani and Whitehouse (2014) add that technology should be viewed as a socio-technical system. Hence, we define cyber business ethics as a combination of business ethics, as defined in business research, and cyber ethics, as viewed by engineering research. Cyber business ethics involves the study of the ethical decisions of firms (managers, boards of directors and employees) when dealing with information technology. As cyber-related decisions impact on society, decision makers must find the best and “right” decision for the firm from a strategic point of view.

Our view of cyber business ethics is at the intersection of business ethics and cyber ethics, two ethical areas developed separately by researchers over time (Patrignani and Whitehouse 2014). Unifying them offers the opportunity to examine cybersecurity from a holistic approach. According to Lewis (1985, p. 383), “business ethics is related to opinions about what is ethical for managers” and “involves the application of one’s understanding of what is morally right and truthful at a time of ethical dilemma.” Cyber ethics, also named computer ethics or information ethics, is the foundation on which the ethical impact of information security is studied. Computer ethics, as a branch of applied ethics and normative ethics, has received considerable attention from information technology researchers and professionals (Nemati 2007). Cyber ethics is a term used to encompass all forms of applied ethics issues pertaining to technology-related human activities (Luppicini 2009). This field strives to determine an appropriate perspective or philosophy in the application of technology to real-life situations (Shapiro & Gross, 2013). Surprisingly, previous business research has completely ignored the ethical issues of information technology in business, while only some information technology professionals and researchers in the engineering field have highlighted the importance of considering the ethical aspects of information technology. According to Nemati (2007), information technology poses several problems related to ethics, covering three main types of ethical issues: personal privacy, access rights, and harmful actions.

Overall, organizations have an ethical responsibility to ensure the protection of stakeholders’ information (customer, employees, suppliers, etc.) and to take timely and effective steps to protect the data entrusted to them. In particular, corporations should have a strong corporate culture of ethics and compliance extended to issues of cybersecurity and data protection. In addition, increasing cybersecurity risk disclosure might be viewed as an ethical decision by organizations (managers and the board of directors), since information disclosed about cyber risks is informative and useful for stakeholders when assessing the probability of future incidents (Li et al. 2018b). Boards of directors should ask the right questions and request additional information regarding the company’s cyber vulnerability, preparedness and potential failures. Boards should strengthen the
organization in its cybersecurity responsibilities and ensure current literature provides evidence that women and men
that data are ethically used and managed. differ in their relationship with risk management and that
women have lower risk tolerance than men (D’Acunto 2015;
Gender Diversity on Boards Huang and Kisgen 2013). Wahid (2019) shows that gender-
diverse boards commit fewer financial reporting mistakes
As the main corporate governance mechanism, the board of and engage less frequently in fraud schemes.
directors is vitally important to the firm because it provides Prior research also indicates that gender diversity comes
the firm’s strategic focus (Baker et al. 2020; Gul et al. 2011) with drawbacks as well as advantages. From the socio-psy-
and protects shareholders’ interests (Jensen and Meckling chological perspective, Baker et al. (2020) find that gender
1976). The media, regulators and academics have given diversity creates more conflict within the board and thus
considerable attention to diversity in boardrooms in recent delays its decision-making process. The presence of women
years. Gender diversity on the board provides new insights may reduce board effectiveness by increasing internal divi-
and perspectives that enhance the firm’s performance (Bravo siveness, constraining the board’s ability to act (Gul et al.
2017; Carter et al. 2003; Francoeur et al. 2008). Evidence 2011). Forbes and Milliken (1999), based on an analysis of
suggests that board diversity improves the informativeness board effectiveness, suggest that women directors change the
of the data intended for stockholders (Baker et al. 2020; Gul board’s group dynamics. Although the resulting cognitive
et al. 2011). conflicts affect cohesion and lead to debates and discussion,
Prior studies on the role of gender diversity on boards they ultimately improve collaboration and interaction within
draw on multiple theories and perspectives. Some of them the group. Increasing the number of women on the board
adopt the agency theory perspective to investigate the effect reduces the effect of the “old boys’ club” and the likelihood
of gender diversity on firms’ outcomes and decisions (Carter et al. 2003; Francoeur et al. 2008). They find that the practice yields multiple advantages for organizations. First, gender diversity improves board monitoring (Adams and Ferreira 2009; Baker et al. 2020) and therefore the quality of corporate governance (Baker et al. 2020; McInerney-Lacombe et al. 2008). It attenuates agency costs and reduces agency conflicts (Adams and Ferreira 2009; Terjesen et al. 2009). Gender diversity enables the board of directors to internalize various opinions and brings a fresh perspective to the decision-making process (Baker et al. 2020; Francoeur et al. 2008; Kabongo and Okpara 2019).

Some research draws on resource dependence theory to examine the impact of gender diversity on firm performance and decisions (Bravo 2017; Lu and Herremans 2019). Under this framework, gender diversity enables firms to gain control over their external resources and to develop additional resources. By including women on boards, firms reduce environmental uncertainty, while adding a greater variety of skills to the board and improving the board’s decision making (Carter et al. 2010). As a result, greater director diversity can bring critical resources to a firm (Bravo 2018).

Prior studies suggest that women and men communicate differently in the boardroom and with stakeholders and may have a different attitude towards risk. Baird Jr and Bradley (1979) suggest that women tend to be more informative than men and that they attribute greater importance to communication than men do (Ahmed et al. 2017; Guadagno and Cialdini 2002). Loden and Rosener (1991) also highlight that women tend to share, rather than retain, information. It follows that voluntary disclosure could be a tool that women directors use to better communicate and collaborate with stakeholders (Ahmed et al. 2017). In addition,

of groupthink mentality, and may lead to better decision making (Van Knippenberg et al. 2004; Wahid 2019).

Gender Diversity and Cybersecurity

Women on boards might affect cybersecurity through different channels and in multiple ways: specific and general knowledge, risk oversight and governance, independence, ethical sensitivity, stakeholder sensitivity, leadership style, effect on group dynamics, and other characteristics. Our arguments for an association between gender diversity and cybersecurity are as follows.

Boards of directors face increased expectations from stakeholders in regard to their role of cyber risk oversight. In response, they should provide greater assurance and transparency on the establishment of effective cybersecurity management programs. Women on boards can assume the role of risk oversight (Sila et al. 2016). A greater number of women on boards enhances corporate governance and risk management (Chen et al. 2016) and improves board effectiveness in risk management (Shimin Chen et al. 2016; Sila et al. 2016). Prior research on environmental risk suggests that women are generally more concerned about environmental issues than men are (Diamantopoulos et al. 2003; Liao et al. 2015). Women promote environmental and corporate social responsibility reporting, especially when the number of women directors exceeds three (Liao et al. 2015; Webb 2004). In addition, the literature on financial risk highlights that the presence of women on boards reduces financial risk (Wahid 2019). Overall, “boards with more women surpass all-male boards in their attention to audit and risk oversight and control” (Brown et al. 2002, p. 5).

As women bring to the boardroom a set of perspectives, experiences, and viewpoints that differ from those of their male counterparts (Dhir 2015), they might raise cybersecurity issues during board discussions. Women have been found to provide strategic input and generate more productive discourse incorporating different points of views (Bilimoria and Wheeler 2000; Nielsen and Huse 2010).

Women’s particular leadership styles and board tasks make a difference in terms of board effectiveness (Nielsen and Huse 2010). Women on boards are positively associated with board strategic control, but not directly associated with board operational control (Nielsen and Huse 2010). Strategic control refers to the board’s ex ante control of corporate strategies formulated by top managers (Baysinger and Hoskisson 1990). It is more complex than operational control and requires creativity and a broader range of perspectives (Nielsen and Huse 2010). The characteristics of women directors may lead to women’s active involvement in strategic issues that concern the firm and its stakeholders, such as cybersecurity. Hence, women may be particularly sensitive to and exercise influence on decisions regarding cyber security.

Given their ethics and stakeholder-oriented sensitivity, women on boards could also affect cybersecurity disclosure. Prior studies point out that they enhance ethical practices (Ntim 2015; Wahid 2019; Zalata et al. 2019) and are more responsive to stakeholders’ demands for increased disclosure (Ben-Amar et al. 2017). As stakeholders’ privacy is one of the most important ethical aspects of cybersecurity, women directors are more likely to address this issue with the board.

Women can strengthen board oversight by increasing the number of independent directors in the boardroom, which enhances the board’s ability to question managers on a wider array of decisions (Adams 2016). Moreover, women directors are less likely to be part of the “old-boys’ club” (Wahid 2019) and more inclined to be independent and effective monitors (Adams 2016). They therefore could affect cybersecurity disclosure through board oversight.

The audit committee is generally responsible for cybersecurity strategy (Héroux and Fortin 2020; Lanz 2016). Canadian regulation, as well as the SOX Act, requires that audit committee members be independent and have expertise (Ontario Securities Commission, 2011). Dedication and prudence are also considered key characteristics of a diligent audit committee member (Brouard et al. 2017; Calderón et al. 2018). Differences between the characteristics of women and men audit committee members may explain the impact of gender diversity on cybersecurity disclosure. Hillman et al. (2008) highlight that board members with multiple identities (for our purposes, an example would be the fact of being both a director and a woman) exercise flexibility with complex issues. This could be the case with issues like cybersecurity. Women on boards would accordingly demonstrate flexibility in terms of cybersecurity and influence cyber-related disclosure.

Overall, women are likely to affect cybersecurity disclosure by the differences they bring to board heterogeneity in terms of board function, governance, and group dynamics. Women on boards could be cyber-engaged in various ways. This is a multidimensional process involving oversight (what to do regarding cybersecurity issues), specific and general knowledge (how to do it) and strategic and ethical considerations (why do it).

Hypotheses Development

A number of regulators and academics who study corporate risk disclosure have called for an increase in the practice. Hernández-Madrigal et al. (2012) and Bravo (2017) characterize improvement of corporate risk disclosure as one of the most important objectives of corporate governance. This information is an important consideration in shareholders’ investment decisions and the decision process of other stakeholders (Bravo, 2017; Eccles et al. 2002; Oliveira et al. 2013). Campbell et al. (2014) show that firms disclose more risk factors when faced with increased risks, and that a large part of the disclosure is dedicated to a description of these risks. Kravet and Muslu (2013) conclude that the volume of risk disclosure is associated with industry level risk. They also note that the quantity of corporate risk disclosure is associated far more with industry factors than with firm-specific factors such as stock volatility and trading volume. The Canadian and U.S. governments have encouraged risk-related disclosure, with the result that the inclusion of risk like cyber risk is trending upward in annual reports. Risk-related information tends to be helpful for assessing the firm’s financial situation and evaluating how management and the board of directors address these risks. Diverse boards are more sensitive to different stakeholders’ information needs and should drive more extensive cyber-risk disclosure.

However, despite the upside to this information, i.e. that it signals new and valuable information for investors, there is a negative aspect: disclosing critical internal information that hackers and cyber criminals might use to attack the firm (Hausken 2007; Li et al. 2018a; Wang et al. 2013). In fact, the disclosure of some security information has been associated with future breach announcements in the media (Wang et al. 2013). Amir et al. (2018) find that cybersecurity risk disclosure is informative for future cybersecurity incidents. A vigilant board of directors should take into account the benefits and disadvantages of cybersecurity disclosure and consider a trade-off between disclosing value-relevant cybersecurity information and maintaining the security of the company’s systems. However, there is no evidence on how women on boards might
affect this trade-off or whether their presence and number affect the volume of cybersecurity disclosure.

Our hypothesis development is based on stakeholder, resource dependence and critical mass theories, as explained below.

Under stakeholder theory, gender diversity is expected to increase board oversight of cyber risk. The presence of women could improve strategic decisions by reducing information asymmetry between managers and shareholders and could therefore generally enhance disclosure of value-relevant information to shareholders or stakeholders. With their increased stakeholder sensitivity and diverse perspectives (Nielsen and Huse 2010), it follows that women might affect cybersecurity disclosure. In addition, board diversity is linked to more transparent disclosure (Upadhyay and Zeng 2014). Women are more likely to share information than to withhold it from stakeholders (Baird and Bradley 1979). Hence, stakeholder theory posits that cybersecurity disclosure increases with women on boards since they are more amenable to stakeholders’ demands for information.

Additionally, under resource dependence theory, the presence of women in boardrooms enables firms to gain control over their external resources. According to Francoeur et al. (2008), it also brings a fresh perspective to complex issues. Women help organizations better understand and solve problems arising from the environment and are more adept at evaluating the needs of shareholders (Bear et al. 2010; Bravo 2018). In addition, they may enhance corporate response to stakeholders’ increasing needs for information on cybersecurity risk. Prior studies on gender diversity show that women are more risk averse than men (Loukil and Yousfi 2016; Sila et al. 2016), and their conservatism and risk aversion can contribute to increased risk disclosure (Eaton et al. 2019). Women favour collaboration and trust over power and retention of information (Ahmed et al. 2017). Under resource dependence theory, women are likely to benefit businesses for several reasons: they enhance firm legitimacy by conveying the positive message that women are included on the board; with their specialized knowledge skills or expertise, they provide critical advice and counsel on specific issues, such as cybersecurity; and they are useful communication links with the organizational environment (Dunn 2012). There are thus general differences between genders, including the aspects of risk oversight and group dynamics. Board gender composition may explain variations in corporate risk organizational response and subsequent variations in disclosure. In addition, since women’s input into business issues varies from men’s, they are likely to play a different role in cyber issues. Women could promote a culture of cybersecurity and be active and cyber-engaged in fostering ethical behaviour in regard to cybersecurity by increasing transparency in cyber disclosure. They could direct attention and effort to cyber issues and signal their importance to the board.

Based on the above theories and the differences between men and women directors highlighted in the literature, we predict that women on boards influence the presence and volume of cybersecurity-related disclosure and promote transparency and better communication with investors and stakeholders. We expect that board gender diversity will pressure directors to increase the firm’s risk disclosure. Accordingly, we formulate the following two hypotheses:

H1 The presence of cybersecurity-related disclosure is positively associated with gender diversity in corporate governance.

H2 The level of cybersecurity disclosure is positively associated with gender diversity in corporate governance.

Starting with Kanter (1977), the impact of women’s representation on firms’ outcomes has included the question of the critical mass of women needed to make a difference. In groups like boards, where the numbers are highly skewed in favour of men, women are only token members and their numbers purely symbolic. Women in these positions experience pressure from the dominant culture (Kanter 1977), whereas increasing their numbers may lead to coalitions and alliances affecting decision making. Although empirical research by Ben-Amar et al. (2017) concludes that a minimum of two women is sufficient to affect decision making concerning sustainability outcomes, this number is not enough to avoid the imposition of the dominant members’ opinions (Kanter 1977). Rather, a critical mass of three or more women is required to impel acceptance and communication (Konrad et al. 2008). Other empirical research has reached the same conclusion about a critical mass of three or more women positively affecting firm outcomes (Post et al. 2011; Torchia et al. 2011).

Based on critical mass theory, we expect that the level of cybersecurity disclosure is positively associated with the presence of three or more women on the board—hence, our third hypothesis:

H3 The level of cybersecurity disclosure is positively associated with a critical mass of three or more women on the board.

Figure 1 synthesizes the research model and the hypotheses.

Fig. 1  Research model and hypothesis

Research Methodology

Sample

Our sample consists of the companies listed on the Toronto Stock Exchange (TSX) that were featured on the S&P/TSX 60 index during the sample period. As our sample selection is based on prior literature’s characterization of firm size as an important determinant of voluntary disclosure (Brammer and Pavelin 2008; Cormier and Magnan 1999; Hossain et al. 1995), it is assumed that these large listed companies are more likely to disclose cybersecurity-related information. Our study covers the 5-year period running from 2014 to 2018. The final sample yielded a total of 300 company-year observations. The list of the sample companies is presented in “Appendix A”.

Data Collection

We collected 5 years of the sample companies’ annual reports published between 2014 and 2018 from the Sedar database and www.annualreports.com. We began by identifying cybersecurity-related information disclosure in the annual report. We used the keywords “cyber” (included in cyber risk and cyber disclosure), “cybersecurity”, “cyber attack” and “information security” to identify all the paragraphs in the annual reports related to cybersecurity, and followed this search with a manual check to verify the validity of each identified paragraph. The paragraphs were copied into a new Word file so the words and sentences could be counted.

Governance and financial variables were collected from Sedar using information from annual reports and complementary information in management information or proxy circulars.

Model

We use a multiple linear regression model to test the association between cybersecurity disclosure and board gender diversity.

The basic model for testing our hypotheses is:

$$\text{CyberDiscl}_i = \beta_0 + \beta_1 \text{Diversity}_i + \beta_2 \text{Controls}_i + \varepsilon_i \tag{1}$$

where, for firm i: CyberDiscl represents the cybersecurity disclosure in the annual report, Diversity is the number of women on the board of directors, Controls are the control variables and $\varepsilon_i$ is the error term.

Using some of the determinants of disclosure identified in prior literature, we control for financial variables that impact disclosure, i.e. firm size, profitability, investment opportunities and leverage. We add a control for other governance variables affecting disclosure, i.e. board size, board independence and firm industry affiliation.

Model (2) includes individual control variables:

$$\text{CyberDiscl}_i = \beta_0 + \beta_1 \text{Diversity}_i + \beta_2 \text{Size}_i + \beta_3 \text{ROA}_i + \beta_4 \text{MTB}_i + \beta_5 \text{Leverage}_i + \beta_6 \text{BoardSize}_i + \beta_7 \text{BoardIndep}_i + \beta_8 \text{Ind}_i + \beta_9 \text{NbPages}_i + \varepsilon_i \tag{2}$$

where, for firm i CyberDiscl represents the cybersecurity disclosure in the annual report, Diversity is the gender diversity of the board of directors, Size is the firm’s size, ROA is the firm’s profitability, MTB is the firm’s growth opportunity, Leverage is the firm’s leverage, BoardSize is the board’s size, BoardIndep is the independence of the board, Ind is the firm’s industry affiliation, NbPages is the number of pages in the annual report and $\varepsilon_i$ is the error term.

Measures of Variables

Table 1 summarizes the measures used for the variables.

Dependent Variable

Our dependent variable measures cybersecurity disclosure in the annual report. The annual report is an important and reliable source of risk-related information for investors and other stakeholders (Allini et al. 2016). Three different measures are used for cybersecurity disclosure. The first measure, CyberDiscl (dummy), is a binary variable indicating the presence or absence of cybersecurity-related information in the annual report, as previously used in disclosure research (Chen et al. 2002). It takes the value 1 if cybersecurity disclosure is present in the annual report and 0 otherwise. To identify cybersecurity disclosure we used the key word “cyber”, as well as “cybersecurity”, “cyber attack” and

Table 1  Summary of variables used in the regression model

| List of variables | Measures |
|---|---|
| Dependent and independent variables | |
| CyberDiscl | Cybersecurity-related disclosure in the annual report. Three alternative measures are used for this variable, as follows |
| | A dummy variable coded 1 for firms presenting cybersecurity-related disclosure in the annual report and 0 otherwise |
| | Number of words in the cybersecurity disclosure |
| | Number of paragraphs in the cybersecurity disclosure |
| Diversity | Gender diversity of the board, as follows |
| | Percentage of women |
| | Blau Index of heterogeneity |
| | Critical mass of women using three dummies |
| | OneWoman takes the value 1 if there is one woman on the board and 0 otherwise |
| | TwoWomen takes the value 1 if there are two women on the board and 0 otherwise |
| | ThreePlusWomen takes the value 1 if there is a minimum of three women on the board and 0 otherwise |
| Control variables | |
| Size | Firm size measured by the natural logarithm of total assets |
| ROA | Firm profitability measured by return on assets |
| MTB | Firm growth opportunity measured by market-to-book ratio |
| LEV | Firm leverage measured by total liabilities divided by book value of equity |
| BoardSize | Board size measured by number of directors |
| BoardIndep | Board independence measured by the percentage of independent directors on the board |
| Ind | Firm industry affiliation (seven dummy variables for eight industrial sectors) |
| NbPages | Annual report’s total pages |

“information security.” After noting wide variations in the volume of cybersecurity disclosure during data collection, we used more detailed measures for this volume, i.e. number of paragraphs (Allini et al. 2016; Bravo 2017) and number of words in the annual report pertaining to cybersecurity disclosure (Campbell 2004).

We run separate regressions for each measure of the dependent variable. A logistic regression is used for the binary variable indicating the presence of cybersecurity disclosure and ordinary least squares regression for volume of cybersecurity disclosure.

Independent Variables

To examine the effect of gender diversity in corporate governance on cybersecurity disclosure, we use the independent variable Diversity to represent board diversity. To measure gender diversity, three proxies are used. As in previous research, we measure Diversity by the percentage of women on the board (Ben-Amar et al. 2017; Boulouta, 2013; Campbell and Mínguez-Vera 2008; Francoeur et al. 2008, 2019; Kassinis et al. 2016). The second measure for Diversity, the Blau Index (Blau 1977), considers the number of diversity categories and distribution evenness in each category (Ben-Amar et al. 2017; Campbell and Mínguez-Vera 2008). This is an index of heterogeneity calculated as $1 - \sum_{i=1}^{n} P_i^2$, where $P_i$ is the percentage of board members in each category and n is the number of categories (in this case, two categories—women and men). The Blau Index values range from 0 for all board members in the same category to 0.5 for equal representation of women and men. The third measure for Diversity is used to test our third hypothesis on the critical mass of women necessary to have a positive effect on disclosure. Consistent with prior literature, three dummy variables are used: OneWoman, coded 1 if there is one woman on the board and 0 otherwise, TwoWomen, coded 1 if there are two women on the board and 0 otherwise, and ThreePlusWomen, coded 1 if there are at least three women on the board and 0 otherwise (Ben-Amar et al. 2017; Post et al. 2011).

Control Variables

We control for company characteristics associated with disclosure, i.e. size, industry affiliation, growth opportunity, profitability and debt. As discussed earlier, firm size is positively associated with disclosure, i.e. larger firms disclose more information (Brammer and Pavelin 2008; Branco and Rodrigues 2008; Zadeh and Eskandari 2012). We measure this characteristic by the natural logarithm of total assets. Industry affiliation is also related to disclosure (Ben-Amar et al. 2017; Brammer and Pavelin 2008; Branco and Rodrigues 2008), as some industries, including communications and finance, are exposed to greater cybersecurity risks and disclose more cybersecurity-related information. Since our sample consists of firms in eight industries (see Table 1),
seven dummy variables were introduced to control for industry affiliation. Next, disclosure is positively associated with firm profitability (D’Amico et al. 2016; Francoeur et al. 2019), which we measure using the firm’s ROA. Firms with higher profitability have more resources to allocate to risk management and disclose information on this topic. Leverage is also related to disclosure; firms with higher leverage provide more disclosure in response to greater pressure from financing stakeholders (Clarkson et al. 2008; D’Amico et al. 2016). We measure the debt level trait by total liabilities to total assets. Lastly, firms with growth opportunities strive to reduce the information asymmetry between internal stakeholders and investors by providing extensive disclosure (Ben-Amar et al. 2017; Francoeur et al. 2008). Our measure for growth opportunities is market-to-book ratio.

Consistent with previous research, we also control for the board characteristics of size and independence (Ben-Amar et al. 2017; Post et al. 2011). Board size is the number of directors on the board and board independence is the percentage of independent members on the board. And lastly, as our measure for cybersecurity disclosure is the number of words or paragraphs in the annual report, we control for the total number of pages in the annual report.

Results and Discussion

Descriptive Statistics

Table 2 provides information on the sample’s distribution by industry sector. The sector with the highest representation is Finance, Insurance and Real Estate, with 65 companies, or 21.7% of the sample. This category is followed by Transportation, Communications, Electric, Gas and Sanitary service, with 60 companies, or 20.0% of the total sample. Construction is the sector with the lowest representation, with five companies, accounting for 1.7% of the sample.

Table 2  Sample distribution by sector

| Sectors | Number of companies | Percentage |
|---|---|---|
| Mining | 55 | 18.3 |
| Construction | 5 | 1.7 |
| Manufacturing | 55 | 18.3 |
| Transportation, communications, electric, gas and sanitary service | 60 | 20.0 |
| Wholesale trade | 10 | 3.3 |
| Retail trade | 30 | 10.0 |
| Finance, insurance and real estate | 65 | 21.7 |
| Services | 20 | 6.7 |
| Total | 300 | 100.0 |

Descriptive statistics are presented in Table 3. We use three variables to measure extent of cybersecurity disclosure. The first, a dummy variable, measures the presence of cybersecurity disclosure in the annual report. Using this variable, we find that 71.67% of the firms disclose cybersecurity-related information. The second variable represents the number of cybersecurity-related words, ranging from 0 to 1759 words, with a mean of 310 words. The third variable is the number of paragraphs used for cybersecurity disclosure, varying from 0 to 30. The sample’s mean is 3.55.

The mean percentage of women on the board is 24.25%, with the maximum percentage being 50%. Results show that 11.7% of the sample has one woman on the board, 27.7% has two women, and the majority (56.3%) has three or more women. Surprisingly, there are still boards without women among the 60 largest companies in Canada (4.3%). The Blau Index has a mean of 34.5, showing that the sample boards are not homogeneous in terms of gender.

Consistent with Héroux and Fortin (2020), we note that several companies repeat the same statements related to cybersecurity year after year (see the example in Appendix B). Variations in the means for cybersecurity-related disclosure and gender diversity for the research period are presented in Fig. 2. Level of cybersecurity disclosure as measured by number of words or number of paragraphs increased consistently between 2014 and 2018. The presence of cybersecurity disclosure, also measured by the dummy variable, likewise increased, as a result of regulation encouraging disclosure of cyber-related information.

We note an increase in the presence of women on the sample boards between 2014 and 2018, measured by percentage or number of women on the board and the Blau Index. Both cybersecurity disclosure and board gender diversity seem to be positively associated and to follow the same upward trend.

Some key characteristics are required for board members in audit committees (Calderón et al. 2018). As the audit committee is generally responsible for cybersecurity strategy (Héroux and Fortin 2020; Lanz 2016), we refine our analysis by looking closer at the presence of women on the board and their characteristics, and more specifically, their information technology (IT) expertise, presence on the audit committee and independence (see Table 4).

The number of women with IT expertise on boards increased steadily from 11 in 2014 to 22 in 2018, a statistically significant difference (p < 0.01). The majority of women directors with IT expertise are independent, at the rate of 63.60% in 2014 (7 out of 11) and 63.63% in 2018 (14 out of 22). Firms attracted women directors with IT expertise mainly from outside the organization. There are no major differences between the percentages of women directors with IT expertise from outside and within the

Table 3  Descriptive Statistics

| Variable | Mean | Median | Std deviation | Minimum | Maximum |
|---|---|---|---|---|---|
| CyberDiscl (dummy) | 0.717 | 1 | 0.451 | 0 | 1 |
| CyberDiscl (by number of words) | 310.177 | 229.5 | 395.294 | 0 | 1759 |
| CyberDiscl (by number of paragraphs) | 3.55 | 3 | 4.025 | 0 | 30 |
| Diversity (percentage of women) | 0.243 | 0.25 | 0.105 | 0 | 0.5 |
| Diversity (Blau Index) | 0.345 | 0.375 | 0.115 | 0 | 0.5 |
| OneWoman | 0.117 | 0 | 0.322 | 0 | 1 |
| TwoWomen | 0.277 | 0 | 0.448 | 0 | 1 |
| ThreePlusWomen | 0.563 | 1 | 0.497 | 0 | 1 |
| Size | 10.487 | 10.217 | 2.397 | 3.145 | 16.351 |
| ROA | 0.021 | 0.025 | 0.201 | -3.144 | 0.892 |
| Leverage | 0.647 | 0.626 | 0.263 | -0.941 | 0.999 |
| MTB | 7.729 | 3.510 | 11.080 | 0.008 | 76.364 |
| BoardSize | 11.377 | 11 | 2.737 | 5 | 16 |
| BoardIndep | 0.763 | 0.833 | 0.206 | 0 | 1 |
| NbPages | 150.547 | 148 | 61.202 | 22 | 566 |

Number of observations: 300

CyberDiscl (dummy) is a binary variable indicating the presence or absence of cybersecurity-related information in the annual report. CyberDiscl (by number of words) represents the number of words in the annual report relating to cybersecurity disclosure. CyberDiscl (by number of paragraphs) is the number of paragraphs in the annual report relating to cybersecurity disclosure. Diversity (percentage of women) is the percentage of women on the board. Diversity (Blau Index) is the Blau Index of heterogeneity on the board. OneWoman, TwoWomen and ThreePlusWomen are binary variables indicating the presence of one, two, or three or more women on the board. Size is the natural logarithm of total assets. ROA is the return on assets. Leverage is the total liabilities to total assets. MTB is the market-to-book ratio. BoardSize is the number of directors on the board. BoardIndep is the percentage of independent directors on the board. NbPages is the total number of pages in the annual report
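
The disclosure and diversity measures defined in the note above can be computed mechanically, as in this added example, which is not the authors' code. The keyword list and the Blau formula come from the paper; the function names, the blank-line paragraph splitting and the sample report text are assumptions constructed for illustration, and the paper's manual validity check of each paragraph is not automated here.

```python
import re

# Keywords the paper reports using to locate cybersecurity paragraphs.
# "cyber" already matches "cybersecurity" and "cyber attack" as a substring;
# all four are kept to mirror the paper's list.
KEYWORDS = ("cyber", "cybersecurity", "cyber attack", "information security")


def cyber_paragraphs(report_text):
    """Return the blank-line-separated paragraphs that mention any keyword.

    Substring matching over-collects (e.g. unrelated words starting with
    "cyber"), which is why the paper follows the search with a manual check.
    """
    hits = []
    for raw in re.split(r"\n\s*\n", report_text):
        # Collapse line wraps so "information\nsecurity" still matches.
        para = " ".join(raw.split())
        if para and any(k in para.lower() for k in KEYWORDS):
            hits.append(para)
    return hits


def disclosure_measures(report_text):
    """The three CyberDiscl measures: dummy, number of words, number of paragraphs."""
    hits = cyber_paragraphs(report_text)
    return {
        "dummy": int(bool(hits)),
        "words": sum(len(p.split()) for p in hits),
        "paragraphs": len(hits),
    }


def blau_index(category_counts):
    """Blau heterogeneity index 1 - sum(P_i^2) over the category shares P_i."""
    total = sum(category_counts)
    if total <= 0:
        raise ValueError("board must have at least one member")
    return 1 - sum((count / total) ** 2 for count in category_counts)


def diversity_measures(women, board_size):
    """The three Diversity proxies: percentage of women, Blau Index, critical-mass dummies."""
    if board_size <= 0 or not 0 <= women <= board_size:
        raise ValueError("need 0 <= women <= board_size and board_size > 0")
    return {
        "pct_women": women / board_size,
        "blau": blau_index([women, board_size - women]),
        "OneWoman": int(women == 1),
        "TwoWomen": int(women == 2),
        "ThreePlusWomen": int(women >= 3),
    }


# Constructed sample text standing in for an annual report (not real data).
SAMPLE_REPORT = (
    "Our operations depend on information technology systems. "
    "A cyber attack could disrupt service.\n"
    "\n"
    "Commodity prices affect our revenue.\n"
    "\n"
    "The audit committee oversees information\n"
    "security policies."
)

if __name__ == "__main__":
    print(disclosure_measures(SAMPLE_REPORT))
    print(diversity_measures(women=3, board_size=12))
```

With two categories the Blau Index reaches its maximum of 0.5 only at an even split, so a board of 12 with three women scores 0.375.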

Fig. 2  Variation in cybersecurity related disclosure and gender diversity from 2014 to 2018

company. The total number of board members with IT expertise also increased from 40 in 2014 to 64 in 2018, and the difference is statistically significant (p < 0.05). The increase in the number of women directors with IT expertise exceeded the increase in the total number of directors with IT expertise, with the former’s percentage growing from 27.5% of the total number of board members with IT expertise in 2014 to 34.4% in 2018. A sample statement on a woman director with IT expertise is provided in “Appendix C”.

We also followed changes in the number of women on the audit committee. In 2014, 23.09% of the audit committee members were women, whereas in 2018 this figure increased to 30.09%, a statistically significant variation (p < 0.01). The percentage of independent women on boards grew
from 92.87% in 2014 to 94.01% in 2018, a non-significant difference.

Table 4  Sample description

| | 2014 | 2018 | Difference (t-value) |
|---|---|---|---|
| Independent women on board (%) | 92.87 | 94.01 | −1.14 (−0.584) |
| Presence on the audit committee (%) | 23.09 | 30.09 | −7.00 (−2.927)*** |
| IT expertise (global) | 0.67 | 1.07 | −0.4 (−2.225)** |
| IT women expertise | 0.18 | 0.37 | −0.183 (−3.027)*** |
| Independent IT women (%) | 63.60 | 63.63 | No difference |

*p < 0.05, **p < 0.01, ***p < 0.001

The average firm size as measured by the natural logarithm of total assets is 10.5. The means for ROA, leverage and market-to-book ratio are respectively 2.1%, 64.7%, and 7.7%. Average board size is 11 directors and the mean percentage of independent directors is 76.3. The annual reports in the sample have an average of 151 pages.

Multivariate Analysis

Table 5 presents the correlation coefficients between the variables of the model. As expected, high positive correlations are observed between board diversity and cybersecurity-related disclosure. The variable OneWoman, capturing the presence of only one woman on the board, is negatively correlated with cybersecurity disclosure, while TwoWomen is not correlated and ThreePlusWomen is positively correlated with cybersecurity disclosure.

A logit regression was used to test the first hypothesis on the positive association between the presence of cybersecurity-related disclosure and gender diversity in corporate governance. The results of the regression are reported in the first columns of Tables 6 and 7. Using the percentage of women as the measure for diversity on the board, Table 6 shows a positive and significant association between the presence of cybersecurity-related disclosure and diversity (b = 6.74, p < 0.01). The results reported in Table 7, using the Blau Index as the measure for gender diversity, also indicate a positive association between gender diversity and the presence of cybersecurity disclosure (b = 6.07, p < 0.01). Hence, our first hypothesis is confirmed.

Our sample consists of longitudinal data for a 5-year period running from 2014 to 2018. To test our second and third hypotheses, we use a regression with a fixed effects model for panel data. The fixed effects model controls for firm, year and industry, since industry does not vary from year to year.

and (2) and (3) of 7. Based on 300 firm-year observations, our model indicates a very strong and positive association between cybersecurity disclosure and gender diversity on the board. Column (2) of Table 6 presents the regression coefficients using number of words as the measure of cybersecurity disclosure and percentage of women as the measure of gender diversity on the board. CyberDiscl is positively associated with Diversity (b = 826.2, p < 0.001), confirming our second hypothesis. The results are robust at alternative measurements of cybersecurity disclosure. Table 6, column (3) shows the regression coefficients using number of paragraphs to measure cybersecurity disclosure. The result is a positive and significant association between cybersecurity disclosure and gender diversity (b = 11.23, p < 0.001).

In Table 7, we report regression coefficients using the Blau Index as an alternative measure of board diversity. According to the results in column (2) of Table 7, cybersecurity disclosure as measured by number of words is positively associated with board diversity (b = 762.2, p < 0.001). Column (3), Table 7 displays similar results: a strong and positive association is observed between cybersecurity disclosure, measured by number of paragraphs, and gender diversity on the board (b = 9.682, p < 0.001). In conclusion, our second hypothesis regarding the positive association between level of cybersecurity disclosure and gender diversity in corporate governance is confirmed.

As regards control variables, consistent with prior research (Lang and Lundholm 1993; Zadeh and Eskandari 2012), size is positively associated with level of cybersecurity disclosure. Larger firms face higher agency costs and more disclosure pressure from stakeholders, and consequently provide more disclosure to reduce information asymmetry and legitimize their activities. Similar with prior research findings (Cormier and Magnan 1999; Gamerschlag et al. 2011), firm profitability is positively associated with level of cybersecurity disclosure. Firms in good financial health, greater public exposure and higher potential political costs disclose more to avoid being associated with actions that breach stakeholders’ expectations (Gamerschlag et al. 2011). Higher profitability makes it possible to allocate more resources to risk management and disclosure (D’Amico et al. 2016). Market-to-book ratio is negatively associated only with the presence of cybersecurity-related disclosure. This negative relation might be explained by managers withholding negative information (Amir et al. 2018). Consistent with Eng (2003), this relation is no longer significant for the level of disclosure.

Table 8 reports the results of tests of the third hypothesis regarding the association between level of cybersecurity disclosure and a critical mass of three or more women. As reported in column (1) of Table 8, cybersecurity disclo-
The results of the regression used to test the second sure measured by number of words is negatively associated
hypothesis are reported in columns (2) and (3) of Tables 6 with the presence of one woman on the board (b = − 128.4,

Table 5 Pearson’s Correlation Matrix

| Variable | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8) | (9) | (10) | (11) | (12) | (13) | (14) | (15) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CyberDisc (dummy) (1) | 1 |
| CyberDisc (words) (2) | 0.601* | 1 |
| CyberDisc (paragr.) (3) | 0.555* | 0.897* | 1 |
| Diversity (%) (4) | 0.328* | 0.308* | 0.308* | 1 |
| Diversity (BlauIndex) (5) | 0.365* | 0.330* | 0.323* | 0.963* | 1 |
| OneWoman (6) | −0.186* | −0.231* | −0.213* | −0.443* | −0.454* | 1 |
| TwoWomen (7) | −0.0411 | 0.0411 | 0.0414 | −0.245* | −0.157* | −0.225* | 1 |
| ThreePlusWomen (8) | 0.282* | 0.191* | 0.174* | 0.709* | 0.699* | −0.413* | −0.702* | 1 |
| Size (9) | 0.0740 | 0.113 | 0.0411 | 0.0059 | 0.0034 | −0.0874 | −0.0382 | 0.0376 | 1 |
| Profit (10) | 0.003 | 0.087 | 0.069 | 0.011 | 0.016 | −0.002 | −0.066 | 0.084 | −0.013 | 1 |
| Leverage (11) | 0.214* | 0.144* | 0.137* | 0.229* | 0.262* | −0.074 | −0.215* | 0.347* | 0.162* | 0.329* | 1 |
| MTB (12) | −0.272* | −0.180* | −0.178* | −0.108 | −0.146* | 0.0045 | 0.0071 | −0.111 | −0.087 | 0.0869 | −0.184* | 1 |
| BoardSize (13) | 0.270* | 0.194* | 0.160* | 0.260* | 0.305* | −0.304* | −0.175* | 0.507* | 0.0279 | 0.125* | 0.401* | −0.213* | 1 |
| BoardIndep (14) | −0.020 | −0.108 | −0.096 | 0.0344 | 0.0543 | −0.035 | 0.0802 | −0.003 | −0.158* | 0.0128 | −0.150* | −0.024 | 0.003 | 1 |
| NbPages (15) | 0.356* | 0.296* | 0.268* | 0.162* | 0.193* | 0.0448 | −0.137* | 0.195* | 0.194* | −0.098 | 0.442* | −0.309* | 0.280* | −0.265* | 1 |

*p < 0.05

Table 6 Results of the regression of cybersecurity disclosure on gender diversity (% of women)

| Variable | (1) CyberDiscl (dummy) | (2) CyberDiscl (number of words) | (3) CyberDiscl (number of paragraphs) |
|---|---|---|---|
| Diversity (% of women) | 6.738** (3.28) | 826.2*** (4.42) | 11.23*** (4.47) |
| Size | −0.0626 (−0.68) | 56.05*** (4.15) | 0.498** (2.75) |
| ROA | 0.507 (0.55) | 214.2* (2.32) | 3.132* (2.52) |
| MTB | −0.0796*** (−3.57) | −2.929 (−1.80) | −0.0342 (−1.56) |
| Leverage | −0.441 (−0.53) | 147.3 (0.92) | 4.071 (1.89) |
| BoardSize | 0.121 (1.68) | 1.257 (0.11) | −0.0964 (−0.65) |
| BoardIndep | 1.703 (1.60) | 200.7 (1.54) | 2.278 (1.30) |
| MiningSector | −3.189** (−3.16) | | |
| ConstructionSector | −4.962** (−2.76) | | |
| ManufacturingSector | −1.315 (−1.39) | | |
| TransportSector | −0.271 (−0.27) | | |
| WholesaleSector | −3.362** (−2.90) | | |
| RetailSector | −0.691 (−0.71) | | |
| FinanceSector | −0.623 (−0.60) | | |
| NbPages | 0.0161*** (3.54) | 0.442 (1.15) | 0.00382 (0.74) |
| _cons | −2.407 (−1.21) | −789.0** (−3.13) | −8.048* (−2.38) |
| Fixed effects | | Firm, Year & Industry | Firm, Year & Industry |
| LR χ²(18) | 131.90 | | |
| F | | 8.72 | 8.84 |
| Prob > F | 0.000*** | 0.000*** | 0.000*** |
| R² | 0.369 | 0.095 | 0.068 |
| N | 300 | 300 | 300 |

t statistics in parentheses, *p < 0.05, **p < 0.01, ***p < 0.001

p < 0.05). The result is robust to alternative measures for cybersecurity disclosure; using number of paragraphs as the measure of cybersecurity disclosure, we continue to observe a negative association between cybersecurity-related disclosure and the presence of one woman on the board (b = −1.893, p < 0.005). For two women on the board, columns (2) and (5) of Table 8 report no association between this representation and cybersecurity disclosure. Findings change when three women are on the board: as reported in column (3) of Table 8, cybersecurity disclosure


Table 7 Results of the regression of cybersecurity disclosure on gender diversity (Blau Index)

| Variable | (1) CyberDiscl (dummy) | (2) CyberDiscl (number of words) | (3) CyberDiscl (number of paragraphs) |
|---|---|---|---|
| Blau Index | 6.068** (3.28) | 726.2*** (4.08) | 9.682*** (4.04) |
| Size | −0.0663 (−0.71) | 52.19*** (3.84) | 0.446* (2.44) |
| ROA | 0.470 (0.50) | 206.1* (2.22) | 3.014* (2.41) |
| MTB | −0.0800*** (−3.57) | −3.054 (−1.86) | −0.0360 (−1.63) |
| Leverage | −0.465 (−0.56) | 154.9 (0.96) | 4.175 (1.92) |
| BoardSize | 0.117 (1.62) | −0.405 (−0.04) | −0.118 (−0.78) |
| BoardIndep | 1.587 (1.48) | 207.8 (1.59) | 2.391 (1.36) |
| MiningSector | −3.142** (−3.17) | | |
| ConstructionSector | −4.705** (−2.70) | | |
| ManufacturingSector | −1.273 (−1.37) | | |
| TransportSector | −0.138 (−0.14) | | |
| WholesaleSector | −2.884* (−2.56) | | |
| RetailSector | −0.689 (−0.72) | | |
| FinanceSector | −0.576 (−0.56) | | |
| NbPages | 0.0154*** (3.42) | 0.457 (1.18) | 0.00410 (0.79) |
| _cons | −2.686 (−1.33) | −791.6** (−3.12) | −8.058* (−2.36) |
| Fixed effects | | Firm, Year & Industry | Firm, Year & Industry |
| LR χ²(15) | 132.03 | | |
| F | | 8.29 | 8.29 |
| Prob > F | 0.000*** | 0.000*** | 0.000*** |
| R² (pseudo R²) | 0.369 | 0.099 | 0.069 |
| N | 300 | 300 | 300 |

t statistics in parentheses, *p < 0.05, **p < 0.01, ***p < 0.001

measured by number of words is positively associated with this threshold of women (b = 115.2, p < 0.01), as is number of paragraphs (Table 8, column (6)) (b = 1.421, p < 0.05). Our third hypothesis is therefore confirmed, whereby a critical mass of three women is positively related to the level of cybersecurity disclosure.

Discussion and Conclusion

In 2019, the World Economic Forum characterized cyber risk as the greatest danger facing businesses around the globe (World Economic Forum 2019). Stakeholders and regulators are pressuring companies to manage this risk and to disclose their cybersecurity-related information. Canada started using regulatory channels to promote


Table 8 Results of the regression of cybersecurity disclosure on the critical mass of women on the board

| Variable | (1) CyberDiscl (number of words) | (2) CyberDiscl (number of words) | (3) CyberDiscl (number of words) | (4) CyberDiscl (number of paragraphs) | (5) CyberDiscl (number of paragraphs) | (6) CyberDiscl (number of paragraphs) |
|---|---|---|---|---|---|---|
| OneWoman | −128.4* (−2.32) | | | −1.893* (−2.55) | | |
| TwoWomen | | −26.72 (−0.72) | | | −0.165 (−0.33) | |
| ThreePlusWomen | | | 115.2** (2.78) | | | 1.421* (2.55) |
| Size | 56.27*** (4.05) | 56.49*** (3.96) | 60.84*** (4.35) | 0.503** (2.70) | 0.491* (2.56) | 0.556** (2.94) |
| ROA | 201.9* (2.12) | 178.7 (1.87) | 195.8* (2.07) | 2.991* (2.34) | 2.652* (2.06) | 2.861* (2.25) |
| MTB | −3.344* (−1.99) | −3.251 (−1.92) | −3.272 (−1.96) | −0.0400 (−1.78) | −0.0385 (−1.69) | −0.0388 (−1.73) |
| Leverage | 142.6 (0.86) | 154.8 (0.93) | 135.5 (0.82) | 3.990 (1.80) | 4.196 (1.87) | 3.939 (1.78) |
| BoardSize | −3.036 (−0.26) | 3.746 (0.33) | −2.940 (−0.25) | −0.162 (−1.03) | −0.0634 (−0.41) | −0.145 (−0.93) |
| BoardIndep | 266.1* (2.00) | 264.8 (1.97) | 235.6 (1.77) | 3.162 (1.77) | 3.189 (1.76) | 2.796 (1.56) |
| NbPages | 0.506 (1.27) | 0.707 (1.79) | 0.562 (1.43) | 0.00448 (0.83) | 0.00738 (1.39) | 0.00563 (1.06) |
| _cons | −580.3* (−2.20) | −704.6** (−2.69) | −690.1** (−2.68) | −5.077 (−1.44) | −6.847 (−1.95) | −6.713 (−1.93) |
| F | 6.60 | 5.87 | 6.95 | 6.81 | 5.85 | 6.81 |
| Prob > F | 0.000*** | 0.000*** | 0.000*** | 0.000*** | 0.000*** | 0.000*** |
| Pseudo R² | 0.056 | 0.046 | 0.055 | 0.032 | 0.025 | 0.030 |
| N | 300 | 300 | 300 | 300 | 300 | 300 |

Fixed effects: Firm, year & industry (for all models)

t statistics in parentheses, *p < 0.05, **p < 0.01, ***p < 0.001

the disclosure of cyber-related information in 2013. As a result, cybersecurity-related disclosure expanded over the research period of 2014 to 2018. In 2018, the large majority of our sample (85%) disclosed cybersecurity information compared to only 56.7% in 2014. The level of cyber disclosure also increased in terms of number of words from 161 words in 2014 to 462 words in 2018, and in terms of number of paragraphs, from a mean of two paragraphs in 2014 to five paragraphs in 2018. Total disclosure level as measured by number of pages in the annual report increased from 145 pages in 2014 to 156 in 2018. It thus appears that firms respond to stakeholder pressure and demand for cybersecurity information by expanding their disclosure.

This continuous and steep rise in cybersecurity disclosure follows the same trend as gender diversity on boards. Regulatory pressure to include women in corporate governance in Canada began only recently, i.e. in 2014. From 20.4% of board members in 2014, the proportion of women on boards rose steadily to reach 27.7% in 2018. While board size shows a marginal variation (from a mean of 11.4 members in 2014 to 11.6 in 2018), the number of women on the board increased over the research period from a mean of 2.4 in 2014 to 3.3 in 2018. The critical mass of three women on the board was reached, on average, in 2017, and the Blau index of heterogeneity increased from 0.31 in 2014 to 0.38 in 2018. It thus appears that the introduction of the “comply or explain” regime by the OSC (Ben-Amar et al. 2017) paid off, as boards now frequently appoint new women directors and have become more heterogeneous.

The characteristics of women on boards changed from 2014 to 2018. The number of women with IT expertise increased from 11 in 2014 to 22 in 2018, exceeding the


increase in total number of directors with IT expertise. These results complement the arguments of Kshetri (2020). We also note underrepresentation of women in cybersecurity leadership, but show positive changes in the percentage of women with IT expertise on boards. Independent women directors and women with IT expertise on boards do not vary significantly for the period. Women on boards also became more numerous in audit committees, which are generally responsible for cybersecurity strategy.

Our findings confirm the first hypothesis concerning a positive association between the presence of cybersecurity-related disclosure and gender diversity in corporate governance. The second hypothesis on the positive association between level of cybersecurity disclosure and gender diversity in governance is also confirmed. These results are consistent with the predictions of stakeholder theory whereby the presence of women on boards improves strategic decisions by reducing information asymmetry through disclosure of cybersecurity information that stakeholders will find valuable. Further, based on the assumptions of resource dependence theory, we find evidence that women on boards have a positive impact on disclosure. Consistent with Van Knippenberg et al. (2004) and Wahid (2019), we note that women, by their wide variety of skills and breadth of experience and knowledge, improve board decision making, leading to improved disclosure. Imperial Oil, a company in our sample, alluded to this breadth of skills in a byline for director Miranda Hubbs listing “global experience, strategy development, audit committee financial expert, financial expertise, information technology/cybersecurity, executive compensation” (see “Appendix C”). Women also have a positive impact on the firm’s disclosure by being highly instrumental in the inclusion of cybersecurity-related information in the annual report. Our findings are consistent with previous studies (Bear et al. 2010; Bravo 2017; Francoeur et al. 2008) that report that women on boards have a positive effect by bringing a fresh perspective to complex issues and evaluating shareholders’ needs more effectively. As women are more risk averse than men (Loukil and Yousfi 2016; Sila et al. 2016), their conservatism triggers greater risk-related disclosure such as cybersecurity information. Heterogeneous boards are more efficient than homogeneous boards in cybersecurity matters, as reflected by their cyber-related disclosure. Our findings corroborate the theoretical foundations of gender diversity in psychology, as put forward by previous studies (Forbes and Milliken 1999; Wahid 2019). According to this literature, diverse groups behave and act differently from homogeneous groups. The presence of women affects cohesion and cognitive conflicts within the board and changes its group dynamics (Forbes and Milliken 1999), thereby improving its decision making (Wahid 2019).

Based on critical mass theory, our third hypothesis predicts a positive association between level of cybersecurity disclosure and a critical mass of three or more women on the board. In 2014, the first year of our study, the mean number of women on boards was 2.4. For the same year, 13.3% of the sample had one woman on the board, 35% had two women directors and 43.3% reached the critical mass of three women on the board. In 2014, 8.4% of the sample still had no women directors. The number of women directors increased until 2018, when 6.7% of the companies had one woman director, 23.3% had two women on the board and 68.3% of the sample had three or more women directors. In 2018, there were no women on the board at 1.8% of the companies.

Our results confirm our third hypothesis whereby a critical mass of three women on the board must be reached to create a positive relation with cybersecurity disclosure. Interestingly, one woman on the board yields a negative relation between cybersecurity-related disclosure and gender diversity. According to critical mass theory, women will not impact cybersecurity disclosure until their numbers increase from a few token directors to a minority (Kanter 1977). Token representation on the board is symbolic and implies that these women will conform to the dominant old boys’ club model and decisions. A lone woman on the board is visible and legitimizes the board in its persistence with the same practices and decision making (Torchia et al. 2011). Our findings are consistent with recent evidence on managers withholding information about serious cyber attacks to avoid a decrease in market value (Amir et al. 2018). With the presence of at least two token women, alliances and coalitions can be generated, but these arrangements are still difficult to strike (Kanter 1977). We note no association between level of cybersecurity disclosure and gender diversity on a board where there are two token women. However, grouped in a minority of three or more women, women can form alliances and break free from token isolation (Torchia et al. 2011). This result may also indicate a change in group dynamics, as described by Forbes and Milliken (1999) and Wahid (2019). For instance, the presence of one or two women on the board could increase cognitive conflicts and lead to lack of cohesion, as reflected in the negative relationship between gender diversity and cybersecurity disclosure or by the absence of an association. However, this number has more inconveniences (e.g. conflicts) than advantages. Three or more women on the board may reduce cognitive conflicts, and this heterogeneity may lead to increased group discussion and superior decision making.

Although we find evidence of a positive association between level of cybersecurity disclosure and a critical mass of three or more women on the board, prior research yielded mixed results regarding this threshold. Some authors find that the critical mass must consist of two women to have an impact on firm outcomes (Ben-Amar et al. 2017) whereas


others say three (Konrad et al. 2008; Kramer et al. 2006; Torchia et al. 2011).

This research investigated the impact of gender diversity in corporate governance on cybersecurity-related disclosure. Based on a sample consisting of the companies listed on the S&P/TSX 60 index over the period 2014–2018, we find evidence of a positive association between cybersecurity disclosure and gender diversity. Women’s engagement in cyber issues adds different perspectives and leadership styles, changes board tasks, contributes ethical and stakeholder-oriented sensitivity (why do it) and specific and general knowledge (how to do it), and enhances the oversight role (what to do), resulting in positive impacts on cybersecurity-related disclosure. Further, a critical mass of three women should be reached to observe this positive impact.

Our findings are of interest to investors, other stakeholders and policymakers. Investors in particular are interested in cyber risk because it is one of the greatest threats to firms. Cybersecurity-related disclosure provides valuable information for stakeholders, and heterogeneous boards with three or more women are a way to extend this disclosure. With their wide variety of experience, knowledge and skills, women increase board effectiveness in cybersecurity disclosure as long as there is a critical mass of at least three of them on the board. One token woman is insufficient for triggering greater cybersecurity disclosure; although visible, she has no impact on “old boys’ club” decisions. Although having one woman in corporate governance makes the board appear inclusive and legitimate in terms of cyber-related management, this number is negatively associated with cyber disclosure, as the board may still allow some negative information to be withheld, such as that related to cyberattacks. For boards with two token women, cybersecurity disclosure is not associated with gender diversity, as this number must increase to three before outcomes change. Consequently, to obtain more cybersecurity disclosure, investors should ask for more heterogeneous boards with three or more women. By providing empirical evidence of better outcomes for such boards, our findings support policymakers in their attempts at more diverse composition. Adding women to corporate boards provides protection against cyber attacks and supplies shareholders with more information on the responses of organizations regarding these attacks.

Our view of cybersecurity is not limited to the firm’s response to cyber-risks; it also includes ethics-related and strategic business decisions, combined in a harmonized approach. Future research on this ethical dimension of cybersecurity would lend support to our recommendation for such an approach, where compliance and integrity reinforce each other. Several important aspects such as impacts of cybersecurity on society, cybersecurity training and education, cybersecurity literacy and the importance of stakeholders’ privacy need further investigation.

We acknowledge the limitations of our paper. As our sample consists of the largest companies listed on the TSX, our findings are relevant for companies of that size. Since the governance of small firms differs from that of larger firms (Forbes and Milliken 1999), further investigation could explore the impact of other board characteristics on cybersecurity disclosure for small- and medium-sized companies. In this study, we focus only on the presence of women on the board of directors. Future researchers could examine whether women’s participation in management also affects the presence and level of cybersecurity disclosure. As suggested by Francoeur et al. (2008), they can exert their influence not only by participating on the board but also when they occupy managerial positions. Our sample consists strictly of Canadian firms; as suggested recently by Lewellyn and Muller-Kahle (2020) and Adnan et al. (2018), a variety of geographical and cultural contexts could result in interesting analyses and comparisons for future research. Our study is based on a quantitative approach, but a content analysis of cyber-related disclosure could provide a detailed description of the methods firms use to prevent cyber risk. Lastly, future studies could examine interactions within the board of directors by using case studies or other qualitative methodology that enables researchers to study other aspects of board group dynamics.

Compliance with Ethical Standards

Conflict of interest The authors declare that they have no conflict of interest.

Appendix A: List of the Sample Companies

No. Company
1 Agnico Eagle Mines
2 Alimentation Couche-Tard
3 Bank of Montreal
4 Bank of Nova Scotia
5 Barrick Gold
6 Bausch Health Companies
7 BCE
8 BlackBerry
9 Bombardier
10 Brookfield Asset Management
11 Brookfield Infrastructure Partners
12 Cameco Corporation
13 Canadian Imperial Bank Of Commerce
14 Canadian National Railway Company


15 Canadian Natural Resources
16 Canadian Pacific Railway
17 Canadian Tire
18 Canopy Growth
19 CCL Industries
20 Cenovus Energy
21 CGI
22 Constellation Software
23 Dollarama
24 Emera
25 Enbridge
26 Encana
27 First Quantum Minerals
28 Fortis
29 Franco-Nevada
30 George Weston
31 Gildan Activewear
32 Husky Energy
33 Imperial Oil
34 Inter Pipeline
35 Kinross Gold
36 Loblaw Companies
37 Magna International
38 Manulife Financial
39 Metro
40 National Bank of Canada
41 Nutrien
42 Open Text
43 Pembina Pipeline
44 Power Corporation of Canada
45 Restaurant Brands International
46 Rogers Communications
47 Royal Bank of Canada
48 Saputo
49 Shaw Communications
50 Shopify
51 SNC-Lavalin Group
52 Sun Life Financial
53 Suncor Energy
54 TC Energy
55 Teck Resources
56 TELUS
57 Thomson Reuters
58 Toronto-Dominion Bank
59 Waste Connections
60 Wheaton Precious Metals

Appendix B

Example of Similar Cybersecurity-Related Statements in Annual Reports Published Between 2015 and 2018

Excerpts from the annual reports of Wheaton Precious Metals.

Information Systems and Cyber Security

“Silver Wheaton’s information systems, and those of its counterparties under the precious metal purchase agreements, third-party service providers and vendors, are vulnerable to an increasing threat of continually evolving cybersecurity risks. Unauthorized parties may attempt to gain access to these systems or the Company’s information through fraud or other means of deceiving the Company’s counterparties under its precious metal purchase agreements, third-party service providers or vendors.

Silver Wheaton’s operations depend, in part, on how well Silver Wheaton and its suppliers, as well as counterparties under the precious metal purchase agreements, protect networks, equipment, information technology (“IT”) systems and software against damage from a number of threats. Silver Wheaton has entered into agreements with third parties for hardware, software, telecommunications and other services in connection with its operations. The Company’s operations and Mining Operations also depend on the timely maintenance, upgrade and replacement of networks, equipment, IT systems and software, as well as pre-emptive expenses to mitigate the risks of failures. Any of these and other events could result in information system failures, delays and/or increase in capital expenses. The failure of information systems or a component of information systems could, depending on the nature of any such failure, adversely impact the Corporation’s reputation and results of operations.

Although to date the Company has not experienced any material losses relating to cyber attacks or other information security breaches, there can be no assurance that Silver Wheaton will not incur such losses in the future. The Company’s risk and exposure to these matters cannot be fully mitigated because of, among other things, the evolving nature of these threats. As a result, cyber security and the continued development and enhancement of controls, processes and practices designed to protect systems, computers, software, data and networks from attack, damage or unauthorized access remain a priority.


Any future significant compromise or breach of the Company’s data security, whether external or internal, or misuse of data, could result in additional significant costs, lost sales, fines and lawsuits, and damage to the Company’s reputation. In addition, as the regulatory environment related to information security, data collection and use, and privacy becomes increasingly rigorous, with new and constantly changing requirements applicable to Silver Wheaton’s business and counterparties to the precious metal purchase agreements, compliance with those requirements could also result in additional costs. As cyber threats continue to evolve, the Company or its counterparties may be required to expend additional resources to continue to modify or enhance protective measures or to investigate and remediate any security vulnerabilities.”

Wheaton Precious Metals 2018 Annual Report, p. 44, Wheaton Precious Metals 2017 Annual Report, p. 41, Wheaton Precious Metals 2016 Annual Report, p. 38, Wheaton Precious Metals 2015 Annual Report, p. 51.

Appendix C: Statement on a Woman Director with IT Expertise

Excerpt from Imperial Oil Form 10-K (2018).4

Miranda C. Hubbs.
Toronto, Ontario, Canada.

Miranda Hubbs is currently an independent director of Nutrien Ltd. and also serves as an independent director of PSP Investments (Public Sector Pension Investment Board). Ms. Hubbs serves on the board of the Canadian Red Cross and is a founding member and past national co-chair of the Canadian Red Cross Tiffany Circle—Women Leading Through Philanthropy. Prior to retirement in 2011, Ms. Hubbs was executive vice president and managing director of McLean Budden. Ms. Hubbs holds a BSc from Western University and an MBA from Schulich School of Business at York University and is a CFA charterholder and a National Association of Corporate Directors (NACD) Governance Fellow. Ms. Hubbs also received her CERT Certificate in Cybersecurity Oversight issued by the CERT Division of the Software Engineering Institute at Carnegie Mellon University.

Nonemployee director (independent).
Age: 52.
Director since: July 26, 2018.
Skills and experience: Global experience, Strategy development, Audit committee financial expert, Financial expertise, Information technology/Cybersecurity, Executive compensation.
Director qualification and selection process.
Other expertise.
Expertise in information technology and cybersecurity (Information technology/Cybersecurity).

4 Imperial Oil website, https://www.imperialoil.ca/en-CA/Investors/Investor-relations/Annual-and-quarterly-reports-and-filings, accessed June 10, 2020.

References

Abraham, C., Chatterjee, D., & Sims, R. R. (2019). Muddling through cybersecurity: Insights from the US healthcare industry. Business Horizons, 62(4), 539–548.
Adams, R. B. (2016). Women on boards: The superheroes of tomorrow? The Leadership Quarterly, 27(3), 371–386.
Adams, R. B., & Ferreira, D. (2009). Women in the boardroom and their impact on governance and performance. Journal of Financial Economics, 94(2), 291–309.
Adnan, S. M., Hay, D., & van Staden, C. J. (2018). The influence of culture and corporate governance on corporate social responsibility disclosure: A cross country analysis. Journal of Cleaner Production, 198, 820–832.
Ahmed, A., Monem, R. M., Delaney, D., & Ng, C. (2017). Gender diversity in corporate boards and continuous disclosure: Evidence from Australia. Journal of Contemporary Accounting & Economics, 13(2), 89–107.
Allini, A., Manes Rossi, F., & Hussainey, K. (2016). The board’s role in risk disclosure: An exploratory study of Italian listed state-owned enterprises. Public Money & Management, 36(2), 113–120. https://doi.org/10.1080/09540962.2016.1118935.
Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, 23(3), 1177–1206.
Baird, J. E., Jr., & Bradley, P. H. (1979). Styles of management and communication: A comparative study of men and women. Communications Monographs, 46(2), 101–111.
Baker, H. K., Pandey, N., Kumar, S., & Haldar, A. (2020). A bibliometric analysis of board diversity: Current status, development, and future research directions. Journal of Business Research, 108, 232–246.
Baysinger, B., & Hoskisson, R. E. (1990). The composition of boards of directors and strategic control: Effects on corporate strategy. Academy of Management Review, 15(1), 72–87.
Bear, S., Rahman, N., & Post, C. (2010). The impact of board diversity and gender composition on corporate social responsibility and firm reputation. Journal of Business Ethics, 97(2), 207–221.
Ben-Amar, W., Chang, M., & McIlkenny, P. (2017). Board gender diversity and corporate response to sustainability initiatives: Evidence from the carbon disclosure project. Journal of Business Ethics, 142(2), 369–383.
Bilimoria, D., & Wheeler, J. V. (2000). Women corporate directors: Current research and future directions. Women in Management: Current Research Issues, 2(10), 138–163.
Blau, P. M. (1977). Inequality and heterogeneity: A primitive theory of social structure (Vol. 7). New York: Free Press.
Boulouta, I. (2013). Hidden connections: The link between board gender diversity and corporate social performance. Journal of Business Ethics, 113(2), 185–197.
Brammer, S., & Pavelin, S. (2008). Factors influencing the quality of corporate environmental disclosure. Business Strategy and the Environment, 17(2), 120–136.


Branco, M. C., & Rodrigues, L. L. (2008). Factors influencing social responsibility disclosure by Portuguese companies. Journal of Business Ethics, 83(4), 685–701.
Bravo, F. (2017). Are risk disclosures an effective tool to increase firm value? Managerial and Decision Economics, 38(8), 1116–1124.
Bravo, F. (2018). Does board diversity matter in the disclosure process? An analysis of the association between diversity and the disclosure of information on risks. International Journal of Disclosure and Governance, 15(2), 104–114.
Brouard, F., Bujaki, M., Durocher, S., & Neilson, L. C. (2017). Professional accountants’ identity formation: An integrative framework. Journal of Business Ethics, 142(2), 225–238. https://doi.org/10.1007/s10551-016-3157-z.
Brown, D. A. H., Brown, D. L., & Anastasopoulos, V. (2002). Women on Boards: Not just the right thing… but the “bright” thing, The Conference Board of Canada, Report.
Calderón, R., Piñero, R., & Redín, D. M. (2018). Can compliance restart integrity? Toward a harmonized approach. The example of the audit committee. Business Ethics: A European Review, 27(2), 195–206.
Campbell, D. (2004). A longitudinal and cross-sectional analysis of environmental disclosure in UK companies—A research note. The British Accounting Review, 36(1), 107–117. https://doi.org/10.1016/j.bar.2003.09.001.
Campbell, J. L., Chen, H., Dhaliwal, D. S., Lu, H.-M., & Steele, L. B. (2014). The information content of mandatory risk factor disclosures in corporate filings. Review of Accounting Studies, 19(1), 396–455.
Campbell, K., & Mínguez-Vera, A. (2008). Gender diversity in the boardroom and firm financial performance. Journal of Business Ethics, 83(3), 435–451. https://doi.org/10.1007/s10551-007-9630-y.
Diamantopoulos, A., Schlegelmilch, B. B., Sinkovics, R. R., & Bohlen, G. M. (2003). Can socio-demographics still play a role in profiling green consumers? A review of the evidence and an empirical investigation. Journal of Business Research, 56(6), 465–480.
Dunn, P. (2012). Breaking the boardroom gender barrier: The human capital of female corporate directors. Journal of Management and Governance, 16(4), 557–570.
Eaton, T. V., Grenier, J. H., & Layman, D. (2019). Accounting and cybersecurity risk management. Current Issues in Auditing, 13(2), C1–C9.
Eccles, R. G., Herz, R. H., Keegan, E. M., & Phillips, D. M. (2002). The valuereporting revolution: Moving beyond the earnings game. Hoboken: Wiley.
Eng, L. L. (2003). Corporate governance and voluntary disclosure. Journal of Accounting and Public Policy, 22(4), 325.
Forbes, D. P., & Milliken, F. J. (1999). Cognition and corporate governance: Understanding boards of directors as strategic decision-making groups. Academy of Management Review, 24(3), 489–505.
Francoeur, C., Labelle, R., Balti, S., & Bouzaidi, S. E. (2019). To what extent do gender diverse boards enhance corporate social performance? Journal of Business Ethics, 155(2), 343–357.
Francoeur, C., Labelle, R., & Sinclair-Desgagné, B. (2008). Gender diversity in corporate governance and top management. Journal of Business Ethics, 81(1), 83–95.
Fried, C. (1984). Privacy. Philosophical dimensions of privacy, 54, 203–222.
Gamerschlag, R., Möller, K., & Verbeeten, F. (2011). Determinants of voluntary CSR disclosure: empirical evidence from Germany. Review of Managerial Science, 5(2–3), 233–262.
Guadagno, R. E., & Cialdini, R. B. (2002). Online persuasion: An examination of gender differences in computer-mediated interpersonal
Carter, D. A., D’Souza, F., Simkins, B. J., & Simpson, W. G. (2010). influence. Group Dynamics: Theory, Research, and Practice, 6(1),
The gender and ethnic diversity of US boards and board com- 38.
mittees and firm financial performance. Corporate Governance: Gul, F. A., Srinidhi, B., & Ng, A. C. (2011). Does board gender diversity
An International Review, 18(5), 396–414. improve the informativeness of stock prices? Journal of Account-
Carter, D. A., Simkins, B. J., & Simpson, W. G. (2003). Corporate ing and Economics, 51(3), 314–338.
governance, board diversity, and firm value. Financial Review, Hausken, K. (2007). Information sharing among firms and cyber attacks.
38(1), 33–53. Journal of Accounting and Public Policy, 26(6), 639–688.
Chen, S., DeFond, M. L., & Park, C. W. (2002). Voluntary disclosure Hernández-Madrigal, M., Blanco-Dopico, M.-I., & Aibar-Guzmán, B.
of balance sheet information in quarterly earnings announce- (2012). The influence of mandatory requirements on risk disclo-
ments. Journal of Accounting and Economics, 33(2), 229–251. sure practices in Spain. International Journal of Disclosure and
Chen, S., Ni, X., & Tong, J. Y. (2016). Gender diversity in the board- Governance, 9(1), 78–99.
room and risk management: A case of R&D investment. Journal Héroux, S., & Fortin, A. (2020). Cybersecurity disclosure by the com-
of Business Ethics, 136(3), 599–621. panies on the S&P/TSX 60 Index. Accounting Perspectives, 19(2),
CISA. (2009). CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS 73–100.
National Preparedness Goal; White House Cyberspace Policy Hillman, A. J., Nicholson, G., & Shropshire, C. (2008). Directors’ mul-
Review, May 2009. Retrieved from tiple identities, identification, and board monitoring and resource
Clarkson, P. M., Li, Y., Richardson, G. D., & Vasvari, F. P. (2008). provision. Organization Science, 19(3), 441–456.
Revisiting the relation between environmental performance and Hossain, M., Perera, M. H. B., & Rahman, A. R. (1995). Voluntary dis-
environmental disclosure: An empirical analysis. Accounting, closure in the annual reports of New Zealand companies. Jour-
Organizations and Society, 33(4–5), 303–327. nal of International Financial Management & Accounting, 6(1),
Cormier, D., & Magnan, M. (1999). Corporate environmental dis- 69–87.
closure strategies: Determinants, costs and benefits. Journal of Huang, J., & Kisgen, D. J. (2013). Gender and corporate finance: Are
Accounting, Auditing & Finance, 14(4), 429–451. male executives overconfident relative to female executives? Jour-
CSA. (2016). CSA Staff Notice 11-332 Cyber Security. nal of Financial Economics, 108(3), 822–839.
D’Acunto, F. (2015). Identity, overconfidence, and investment deci- Jensen, M. C., & Meckling, W. (1976). Theory of the firm: Manage-
sions. Available at SSRN 2641182. rial behavior, agency costs and ownership structure. Journal of
D’Amico, E., Coluccia, D., Fontana, S., & Solimene, S. (2016). Fac- Finance Economics, 3, 1–11.
tors influencing corporate environmental disclosure. Business Johnson, D. G. (1985). Computer ethics. London: Englewood Cliffs (NJ).
Strategy and the Environment, 25(3), 178–192. https​://doi. Joy, L. (2008). Women board directors in the United States: An eleven
org/10.1002/bse.1865. year retrospective (pp. 15–23). Women on Corporate Boards of
Dhir, A. A. (2015). Challenging boardroom homogeneity: Corporate Directors: International Research and Practice.
law, governance, and diversity. Cambridge: Cambridge Univer- Kabongo, J. D., & Okpara, J. O. (2019). Timing and speed of interna-
sity Press. tionalization: Evidence from African banks. Journal of Business
Research, 102, 12–20.

13
Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related…

Kanter, R. M. (1977). Some effects of proportions on group life. In The positions on French boards of directors. Journal of Business Eth-
gender gap in psychotherapy (pp. 53–78). New York: Springer. ics, 118(2), 227–249.
Kassinis, G., Panayiotou, A., Dimou, A., & Katsifaraki, G. (2016). Nemati, H. (2007). Information security and computer ethics (pp. 543–
Gender and environmental sustainability: A longitudinal analysis. 568). Theories and Modeling: Tools.
Corporate Social Responsibility and Environmental Management, Nielsen, S., & Huse, M. (2010). The contribution of women on boards
23(6), 399–412. of directors: Going beyond the surface. Corporate Governance:
Konrad, A. M., Kramer, V., & Erkut, S. (2008). The impact of three An International Review, 18(2), 136–148.
or more women on corporate boards. Organizational Dynamics, Ntim, C. G. (2015). Board diversity and organizational valuation: Unrav-
37(2), 145–164. elling the effects of ethnicity and gender. Journal of Management
Kramer, V. W., Konrad, A. M., Erkut, S., & Hooper, M. J. (2006). Criti- and Governance, 19(1), 167–195.
cal mass on corporate boards: Why three or more women enhance Oliveira, J., Rodrigues, L. L., & Craig, R. (2013). Company risk-related
governance. Wellesley: Wellesley Centers for Women. disclosures in a code law country: A synopsis. Australasian
Kravet, T., & Muslu, V. (2013). Textual risk disclosures and investors’ Accounting, Business and Finance Journal, 7(1), 123–130.
risk perceptions. Review of Accounting Studies, 18(4), 1088–1122. Ontario Securities Commission. (2011). National instrument 52-110:
Kshetri, N. (2020). The evolution of cyber-insurance industry and mar- Audit Committees. Retrieved from https​://www.osc.gov.on.ca/
ket: An institutional analysis. Telecommunications Policy, 44(8), en/13550​.htm
102007. Ontario Securities Commission. (2017). CSA Staff Notice 33-321 Cyber
Lang, M., & Lundholm, R. (1993). Cross-sectional determinants of Security and Social Media. Retrieved from https​://www.osc.gov.
analyst ratings of corporate disclosures. Journal of Accounting on.ca/en/Secur​ities​Law_csa_20171​019_33-321_cyber​-secur​ity-
Research, 31(2), 246–271. and-socia​l-media​.htm.
Lanz, J. (2016). Communicating cybersecurity risks to the audit com- Patrignani, N., & Whitehouse, D. (2014). Slow Tech: The bridge between
mittee. The CPA Journal, 86(5), 2–5. computer ethics and business ethics. Paper presented at the IFIP
Lewellyn, K. B., & Muller-Kahle, M. I. (2020). The corporate board International Conference on Human Choice and Computers.
glass ceiling: The role of empowerment and culture in shap- Post, C., Rahman, N., & Rubow, E. (2011). Green governance: Boards of
ing board gender diversity. Journal of Business Ethics, 165(2), directors’ composition and environmental corporate social respon-
329–346. sibility. Business & Society, 50(1), 189–223.
Lewis, P. V. (1985). Defining ‘business ethics’: Like nailing jello to a SEC. (2011). CF Disclosure Guidance: Topic No. 2 Cybersecurity.
wall. Journal of Business Ethics, 4(5), 377–383. Washington, DC. Retrieved from https​://www.sec.gov/divis​ions/
Li, D., Huang, M., Ren, S., Chen, X., & Ning, L. (2018a). Environ- corpf​i n/guida​nce/cfgui​dance​-topic​2.htm.
mental legitimacy, green innovation, and corporate carbon disclo- SEC. (2018). Commission statement and guidance on public company
sure: Evidence from CDP China 100. Journal of Business Ethics, cybersecurity disclosures. Washington DC Retrieved from https​
150(4), 1089–1104. ://www.sec.gov/rules​/inter​p/inter​parch​ive/inter​parch​2018.shtml​.
Li, H., No, W. G., & Wang, T. (2018b). SEC’s cybersecurity disclosure Shapiro, J. P., & Gross, S. J. (2013). Ethical educational leadership in
guidance and disclosed cybersecurity risk factors. International turbulent times: (Re) solving moral dilemmas. London: Routledge.
Journal of Accounting Information Systems, 30, 40–55. Sila, V., Gonzalez, A., & Hagendorff, J. (2016). Women on board: Does
Liao, L., Luo, L., & Tang, Q. (2015). Gender diversity, board independ- boardroom gender diversity affect firm risk? Journal of Corporate
ence, environmental committee and greenhouse gas disclosure. Finance, 36, 26–53.
The British Accounting Review, 47(4), 409–424. Srinidhi, B., Gul, F. A., & Tsui, J. (2011). Female directors and earnings
Loden, M., & Rosener, J. B. (1991). Workforce America!: Managing quality. Contemporary Accounting Research, 28(5), 1610–1644.
employee diversity as a vital resource. New York: McGraw-Hill. Strate, L. (2012). If it’s neutral, it’s not technology. Educational Technol-
Loukil, N., & Yousfi, O. (2016). Does gender diversity on corporate ogy, 52(1), 6–9.
boards increase risk-taking? Canadian Journal of Administrative Terjesen, S., Sealy, R., & Singh, V. (2009). Women directors on corpo-
Sciences/Revue Canadienne des Sciences de l’Administration, rate boards: A review and research agenda. Corporate Govern-
33(1), 66–81. ance: An International Review, 17(3), 320–337.
Lu, J., & Herremans, I. M. (2019). Board gender diversity and environ- Torchia, M., Calabrò, A., & Huse, M. (2011). Women directors on cor-
mental performance: An industries perspective. Business Strategy porate boards: From tokenism to critical mass. Journal of Business
and the Environment, 28(7), 1449–1464. Ethics, 102(2), 299–317.
Luppicini, R. (2009). Conversation ethics for online learning communi- Upadhyay, A., & Zeng, H. (2014). Gender and ethnic diversity on boards
ties. In Ethical practices and implications in distance learning (pp. and corporate information environment. Journal of Business
98–107). IGI Global. Research, 67(11), 2456–2463.
McInerney-Lacombe, N., Bilimoria, D., & Salipante, P. F. (2008). US Congress. (2016). A bill to amend the Sarbanes-Oxley Act of 2002
Championing the discussion of tough issues: How women cor- to protect investors by expanding the mandated internal controls
porate directors contribute to board deliberations (pp. 123–139). reports and disclosures to include cybersecurity systems and risks
Women on Corporate Boards of Directors: International Research of publicly traded companies.
and Practice. Vallor, S. (2018). An introduction to data ethics. Santa Clara, CA: Mark-
Moor, J. H. (1991). The ethics of privacy protection. kula Center for Applied Ethics.
Moor, J. H. (1997). Towards a theory of privacy in the information age. Van Knippenberg, D., De Dreu, C. K., & Homan, A. C. (2004). Work
ACM Sigcas Computers and Society, 27(3), 27–32. group diversity and group performance: An integrative model and
NIST, N. I. o. S. a. T. (2020). Control Baselines for InformationSystems research agenda. Journal of Applied Psychology, 89(6), 1008.
and Organizations. NIST Special Publication 800-53B. Retrieved Wahid, A. S. (2019). The effects and the mechanisms of board gender
from https​://doi.org/10.6028/NIST.SP.800-53B diversity: Evidence from financial manipulation. Journal of Busi-
Nekhili, M., & Gatfaoui, H. (2013). Are demographic attributes and firm ness Ethics, 159(3), 705–725.
characteristics drivers of gender diversity? Investigating women’s Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between
the disclosure and the realization of information security risk fac-
tors. Information Systems Research, 24(2), 201–218.

13
C. Radu, N. Smaili

Webb, E. (2004). An examination of socially responsible firms’ board Zalata, A. M., Ntim, C. G., Choudhry, T., Hassanein, A., & Elzahar, H.
structure. Journal of Management and Governance, 8(3), 255–277. (2019). Female directors and managerial opportunism: Monitor-
Women CyberSecurity Society (Producer). (2020). Women in ing versus advisory female directors. The Leadership Quarterly,
Cybersecurity. 30(5), 101309.
World Economic Forum. (2019). Regional Risks for Doing Business
Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.