    NSA Revelations of Privacy Breaches: Do Investors Care?

    Our study focuses on the financial impact of NSA-related security and privacy breach events announced in the news media between June 2013 and March 2014. While prior research has provided empirical evidence on the stock market reaction to security and privacy breaches such as confidentiality, integrity and availability breaches, there is scarce research on the financial impact of NSA-related security and privacy breaches. Building on previous studies, we apply the event study framework to analyze how NSA revelations influence investors' confidence. Results show that NSA-breach announcements have a negative impact on investors' confidence, which is confirmed by the negative cumulated abnormal returns on the event date. Our study hence contributes insights on a relatively new phenomenon of high relevance to the security of information assets.

    From Convergence to Compromise: Understanding the Interplay of Digital Transformation and Mergers on Data Breach Risks in Local and Cross-Border Mergers

    In today's digital age, the potential risks and challenges associated with digital transformation (DT) and cybersecurity have received limited research attention. This dissertation consists of three interconnected studies that aim to address this gap. The first study employs paradox theory to demonstrate that DT initiatives can increase a firm's susceptibility to data breaches. Using a unique dataset spanning 10 years and involving 3604 brands, our analysis reveals that DT efforts in mobile and digital marketing are associated with a higher incidence of data breaches. However, firms can mitigate this impact by enhancing their innovative capacities. These findings contribute to a better understanding of the complex relationship between DT, data breaches, and innovation. Our second investigation, rooted in complexity theory and matching theory, examines the impact of mergers and acquisitions (M&As) on the frequency of data breaches. By analyzing 18 years of data from 5072 US firms, we find that M&As increase the likelihood of data breaches, particularly when the merging firms operate in different business domains. Furthermore, we observe that M&As that receive more media attention are more prone to data breaches, while those involving a more vulnerable target firm have fewer breaches. In our third study, guided by institutional theory, we explore the relationship between cross-border mergers and acquisitions (CBMA) and data breaches. Our findings indicate that CBMAs, especially those accompanied by significant media publicity and involving firms from divergent institutional contexts, heighten the risk of data breaches. Overall, these studies provide valuable insights for firms aiming to mitigate data breach risks during their digital transformation (DT) efforts and M&A activities. They emphasize the importance of adopting a balanced communication strategy and considering the security implications of strategic actions. Moreover, our findings contribute to the academic discourse in information systems by illuminating the intricate interplay between DT, M&As, and data breaches.

    New Organizational Challenges in a Digital World: Securing Cloud Computing Usage and Reacting to Asset-Sharing Platform Disruptions

    Information technology (IT) and IT-enabled business models are transforming the business ecosystem and posing new challenges for existing companies. This two-essay dissertation examines two such challenges: cloud security and the disruption of asset-sharing business models. The first essay examines how an organization's usage of cloud storage affects its likelihood of accidental breaches. The quasi-experiment in the U.S. healthcare sector reveals that organizations with higher levels of digitalization (i.e., Electronic Health Records levels) or those with more IT applications running on their internal data center are less likely to experience accidental breaches after using public cloud storage. We argue that digitalization and operational control over IT applications increase organizations' awareness and capabilities for establishing a company-wide security culture, thereby reducing negligence related to physical devices and unintended disclosure after adopting cloud storage. The usage of cloud storage is more likely to cause accidental breaches for organizations contracting with more reputable or domain-expert vendors. We explain this result as the consequence of less attention being focused on securing personally accessible data and physical devices given high reliance on reputed and knowledgeable cloud providers. This research is among the first to empirically examine the actual security impacts of organizations' cloud storage usage and offers practical insights for cloud security management. The second essay examines how Asset-Sharing Business Model Prevalence (ASBMP) affects the performance implications of industry incumbent firms' competitive actions when faced with entrants with asset-sharing business models, like Airbnb. ASBMP represents the amount of third-party products and services that originally were unavailable inside the traditional business model but now are orchestrated by asset-sharing companies in an industry. We use text mining and econometric approaches to analyze a longitudinal dataset in the accommodation industry. Our results demonstrate that incumbents' competitive action repertoires (i.e., action volume, complexity, and heterogeneity) increase their performance when the ASBMP is high but decrease incumbents' performance when the ASBMP is low. Practically, incumbents who are facing a greater threat from asset-sharing firms can implement more aggressive competitive action repertoires and strategically focus on new product and M&A strategies. This research contributes to the literature on both competitive dynamics and asset-sharing business models.

    The Legal and Regulatory Aspect of International Cybercrime and Cybersecurity: Limits and Challenges

    The development of the internet and digital technologies represents a major opportunity for humanity in transforming businesses and providing new tools for everyday communication. Internet users are spending increasing amounts of time online and undertaking a greater range of online and social networking activities. However, just like a double-edged sword, the internet also presents opportunities for cybercrime in the information society. The nature of some 'traditional' crime types has been transformed by the use of computers and other information communications technology (ICT) in terms of its scale and reach, with risks extending to many aspects of social life, such as financial transactions, sexual offences, harassment and threatening behavior, and commercial damage and disorder. Cybercrime is a transnational menace in the sense that it cuts across borders. The most critical challenges of the information society have been the security of digital data and information systems and the prevention of the malicious misuse of information communications technologies by cyber criminals, terrorist groups, or state actors. Measures to address these security challenges of the information society gave birth to a concept known as "cyber security". Cyber security seeks to promote and ensure the overall security of digital information and information systems with a view to securing the information society. Thus, the concept is broadly concerned with social, legal, regulatory and technological measures that will ensure the integrity, confidentiality, availability and the overall security of digital information and information systems in order to achieve the high degree of trust and security necessary for the development of a sustainable information cyber space. This dissertation contends that, on the one hand, international laws lag behind in providing proper regulatory coverage for cybercrime, while, on the other hand, existing regulations have largely been unsuccessful in containing cyber security threats, primarily due to complications caused by the lack of harmonization of cyber security laws and regulation. This dissertation also discusses the legal and regulatory aspects of cyber security in international law. An analysis of international, regional and national regulatory responses to cyber security in both developed and developing countries was made. It calls attention to the limits and challenges of these regulatory responses in the promotion of cyber security and explores several regulatory measures to address the highlighted challenges with a view to promoting global cyber security. It suggests several regulatory measures to enhance global cyber security and also emphasizes the need for the collective responsibility of states for global cyber security.

    The impact of the Data Protection Officer (DPO) in the firm’s strategic decisions

    This dissertation adopts an exploratory empirical research method in order to address a subject that has recently gained considerable media and corporate attention. The urgent focus on the issue in relation to the principles of data protection in corporate governance and the business world results from the fact that although the General Data Protection Regulation (GDPR) affects virtually all companies and requires them to employ a data protection officer (DPO), in fact, the reality does not reflect this. Of the almost 27 million companies in the European Union required by law to enforce GDPR regulation, most have never heard of their requirement to employ a DPO in full compliance with the legislation, even though full observance of GDPR became mandatory as of 25 May 2018. The current research analyses the role of the DPO and explores its potential to impact on the business world. The research assesses the transformational effect the GDPR paradigm has had on the system of corporate responsibility of the businesses that must observe it. In particular, it examines the competencies and responsibility bestowed on the DPO, which effectively gave the role the power to take responsibility for and actively influence the direction of a company's strategic decision-making. In order to identify the gaps, the research commences with an examination of the nature of this transformational paradigm, focusing on its origin, development and finally its execution. The analysis then focuses on the selection, appointment and profile of the DPO and additionally gains insight into the role, actions taken, and structural implementation of the DPO role within organizations. Examination of the relationship of the DPO with other stakeholders and its relationship with the board produced pertinent data, allowing the researcher to come to a number of conclusions as to the impact of GDPR, the DPO's role, and the role's relevance to corporate governance. This qualitative research, using semi-structured interviews, selected interviewees according to the criteria adopted, with a focus on organizational reputation and the importance of personal data handling. The DPOs were selected from multinational listed companies operating in data-driven sectors (e.g. banking, telecommunications, pharmaceuticals and retail) because, as these organizations deal with massively sensitive data as an indispensable part of their core business, the DPOs within them play a pivotal role in terms of influence. What emerged from the research is that the involvement of the DPO differs: sometimes the DPO is central to the development of GDPR compliance and sometimes the role is there just to ensure compliance and provide training. The research suggests that the DPO does have real influence at board level; however, the hypothesis is also that the DPO can directly intervene in the decision-making processes of organizations, either in the development or in the execution of GDPR, as a direct result of their involvement in the implementation of the strategy. Finally, even though GDPR is a very recent paradigm, which means there are no guidelines or case law to refer to, this does not diminish corporate responsibility to comply. However, as businesses often rely upon instinct and community, and base practice on trial and error, the consequences, both positive and negative, are yet to manifest.

    A Double-Edged Sword of Involvement: On the Tension Between Customers’ Group Value and Self-Interest in Data Breach Response Processes

    As data breaches continue to rise, customers exhibit heterogeneous expectations regarding the company's response. Universal responses can backfire since they fail to meet these expectations. Thus, the challenge arises that customer expectations must be known in order to mitigate the consequences, while the time available to publish the data breach announcement is limited. Drawing on service failure, data breach, and justice research, we theorize that customer involvement provides a viable approach to this challenge. We argue that active customer involvement allows customers to formulate their expectations, thereby enabling companies to leverage these expectations to provide tailored data breach responses. We test our hypotheses in a digital experiment (n=304). Our results provide a first indication that active customer involvement in a data breach drives positive group value effects and negative self-interest effects. We contribute to the data breach literature by revealing that customer involvement constitutes a suitable mechanism for identifying customer expectations.

    Ethical and Unethical Hacking

    The goal of this chapter is to provide a conceptual analysis of ethical hacking, comprising its history, common usage and an attempt to provide a systematic classification that is both compatible with common usage and normatively adequate. Subsequently, the article identifies a tension between common usage and a normatively adequate nomenclature. 'Ethical hackers' are often identified with hackers that abide by a code of ethics privileging business-friendly values. However, there is no guarantee that respecting such values is always compatible with the all-things-considered morally best act. It is recognised, however, that in terms of assessment, it may be quite difficult to determine who is an ethical hacker in the 'all things considered' sense, while society may agree more easily on the determination of who is one in the 'business-friendly' limited sense. The article concludes by suggesting a pragmatic best-practice approach for characterising ethical hacking, which reaches beyond business-friendly values and helps in taking decisions that are respectful of the hackers' individual ethics in morally debatable grey zones.

    Best Practices and Recommendations for Cybersecurity Service Providers

    This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Based on a brief outline of dilemmas that cybersecurity service providers may experience in their daily operations, it discusses the data handling policies and practices of cybersecurity vendors along the following five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. There is, furthermore, a discussion of specific issues of penetration testing, such as customer recruitment and execution as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations regarding improving the ethical decision-making procedures of private cybersecurity service providers.