    The Influences of Public and Institutional Pressure on Firms’ Cybersecurity Disclosures

    Cybersecurity disclosures in reports filed with the US Securities and Exchange Commission (SEC) inform investors about firms’ cybersecurity incidents, risks, and related risk management efforts. Firms have traditionally chosen to communicate such information on a quarterly or annual basis, if at all, and prior research on the topic has largely focused on regulatory factors as driving forces. In this paper, we focus on timely disclosures (via 8-K filings) and derive hypotheses regarding the influences of two alternate forms of pressure as drivers of cybersecurity disclosures—(1) public pressure following a firm’s data breach and (2) pressure arising from the breaches of industry peers, which we cast as “institutional pressure.” We also theorize on how the source of the breach (internal or external) influences these forms of pressure. Our results suggest that firms’ cybersecurity disclosure practices are influenced by public pressure following a data breach and that this pressure is more acute for external breaches than for internal breaches. By contrast, breaches by industry peers, as a form of institutional pressure, appear to prompt fewer cybersecurity disclosures, except when the focal firm suffers its own external breach. From a theoretical perspective, our study supports a nuanced application of legitimacy theory in the cybersecurity disclosure context, especially in the midst of public and institutional pressure, such that the source of a data breach determines whether firms attempt to address the resultant legitimacy gap. From a practical perspective, our results may be viewed as alarming in that firms are not reacting to internal breaches with the same degree of communicative effort about cybersecurity as for external breaches, at least in terms of the timely disclosures we consider in this study. Our findings also point to certain levers that can promote timely cybersecurity disclosures, and thus have important policy implications

    Understanding the Drivers and Outcomes of Healthcare Organizational Privacy Responses

    This research adopts a grounded theory approach to examine the drivers, safeguards and operational outcomes of organizational information privacy responses in the healthcare context. Semi-structured interviews with key healthcare stakeholders were conducted. The findings are sobering. First, privacy safeguards are driven by legal compliance, competitive advantages, available resources and best practices. However, organizations have to balance conflicting risks associated with these drivers. Second, this study identifies the operational and behavioral outcomes which result in major balance issues. Third, the adoption of a privacy impact assessment (PIA) allows the integration of a risk management approach to effectively assess the different types of privacy risks. The findings provide evidence for: (1) a gap between privacy responses and their outcomes on healthcare practice and delivery; (2) the importance of the privacy impact assessment as a risk management tool; and (3) the challenging context of the healthcare environment of how privacy responses are unfolding

    Themes in Information Security Research in the Information Systems Discipline: A Topic Modeling Approach

    Information security continues to grow in importance in all aspects of society, and therefore evolves as a prevalent research area. The Information Systems (IS) discipline offers a unique perspective from which to move this stream of literature forward. Using a semi-automated thematic analysis approach based on the topic modeling technique, we review a broad range of information security literature to investigate how we might theorize about information security on a grander scale. Five themes resulted from our analysis: Software Security Decisions, Firm Security Strategy, Susceptibility, Information Security Policy Compliance, and Other Developing Themes. Implications of our findings and future research directions are discussed

    New Organizational Challenges in a Digital World: Securing Cloud Computing Usage and Reacting to Asset-Sharing Platform Disruptions

    Information technology (IT) and IT-enabled business models are transforming the business ecosystem and posing new challenges for existing companies. This two-essay dissertation examines two such challenges: cloud security and the disruption of asset-sharing business models. The first essay examines how an organization's usage of cloud storage affects its likelihood of accidental breaches. The quasi-experiment in the U.S. healthcare sector reveals that organizations with higher levels of digitalization (i.e., Electronic Health Records levels) or those with more IT applications running on their internal data center are less likely to experience accidental breaches after using public cloud storage. We argue that digitalization and operational control over IT applications increase organizations' awareness and capabilities of establishing a company-wide security culture, thereby reducing negligence related to physical devices and unintended disclosure after adopting cloud storage. The usage of cloud storage is more likely to cause accidental breaches for organizations contracting to more reputable or domain expert vendors. We explain this result as the consequence of less attention being focused on securing personally accessible data and physical devices given high reliance on reputed and knowledgeable cloud providers. This research is among the first to empirically examine the actual security impacts of organizations' cloud storage usage and offers practical insights for cloud security management. The second essay examines how Asset-Sharing Business Model Prevalence (ASBMP) affects the performance implications of industry incumbent firms' competitive actions when faced with entrants with asset-sharing business models, like Airbnb. ASBMP represents the amount of third-party products and services that originally were unavailable inside the traditional business model but now are orchestrated by asset-sharing companies in an industry. We use text mining and econometrics approaches to analyze a longitudinal dataset in the accommodation industry. Our results demonstrate that incumbents' competitive action repertoires (i.e., action volume, complexity, and heterogeneity) increase their performance when the ASBMP is high but decrease incumbents' performance when the ASBMP is low. Practically, incumbents who are facing greater threat from asset-sharing firms can implement more aggressive competitive action repertoires and strategically focus on new product and M&A strategies. This research contributes to the literature of both competitive dynamics and asset-sharing business models

    Understanding Information Privacy Assimilation in IT Organizations using Multi-site Case Studies

    We develop a framework for understanding the mechanisms of information privacy assimilation in information technology (IT) organizations. Following neo-institutional theory, we develop a broad conceptual model and further build a detailed theory based on a multi-site, multi-case study of 18 organizations. We treat information privacy as a distinct dimension separate from information security. As in the case of information security, senior management support emerged as a mediator between the external influences of coercive, mimetic, and normative forces and information privacy assimilation. Privacy capability emerged as a distinct construct that had a moderating effect on the influence of coercive and normative forces on privacy assimilation. Similarly, cultural acceptability also moderated the effect of external forces on privacy assimilation. We produce a theoretical model that future research can empirically test. The findings would enable senior managers to identify and respond to institutional pressures by focusing on appropriate factors in the organizations

    Three essays on the economics of cybersecurity

    The rapid growth of digitization has made cybersecurity a critical area for corporations, markets, and governments. The rise in cybersecurity investments and sweeping changes in the regulatory environment raise new economic questions — related to the impacts of cybersecurity investments, innovations, and legislation — that are yet to be answered. Focusing on the limited supply of cybersecurity labor, which has fallen behind the large demand for cybersecurity, Essay 1 studies how cybersecurity labor impacts the value of major infrastructural cyber investments. Moving beyond the ways to leverage cyberinfrastructure and labor, Essay 2 sheds light on the impact of the increasing pressure to pursue development and innovation in the cybersecurity area. This essay examines the bottom-line value of a prevalent type of innovative initiatives, i.e., corporate venture capital (CVC) investment in cybersecurity startups. Essays 1 and 2 heavily focus on the value proposition of cybersecurity investments in corporations. While both essays consider the cybersecurity legislation as exogenous variations instigating further demand for cybersecurity products and innovations, Essay 3 links a widely-adopted cybersecurity law, i.e., security breach notification law (SBNL), to the broader economic demand for general IT services. Compliance costs of cybersecurity legislation raise the barrier for general digitization initiatives, thus decreasing the demand for digitization and negatively impacting general IT service providers, the main suppliers of digital goods and services. A difference-in-difference study examines how passages of SBNLs impact the employment of general IT service providers. Overall, the dissertation highlights a) the importance of cybersecurity labor in leveraging cybersecurity infrastructure, b) the business value of innovation in cybersecurity as an area that is predominantly believed to be costly but not value-generating, and c) the broader economic impacts of cybersecurity legislation. In doing so, the dissertation covers a wide range of institutional entities that both shape and are impacted by the cybersecurity ecosystem

    From Convergence to Compromise: Understanding the Interplay of Digital Transformation and Mergers on Data Breach Risks in Local and Cross-Border Mergers

    In today's digital age, the potential risks and challenges associated with digital transformation (DT) and cybersecurity have received limited research attention. This dissertation consists of three interconnected studies that aim to address this gap. The first study employs paradox theory to demonstrate that DT initiatives can increase a firm's susceptibility to data breaches. Using a unique dataset spanning 10 years and involving 3604 brands, our analysis reveals that DT efforts in mobile and digital marketing are associated with a higher incidence of data breaches. However, firms can mitigate this impact by enhancing their innovative capacities. These findings contribute to a better understanding of the complex relationship between DT, data breaches, and innovation. Our second investigation, rooted in complexity theory and matching theory, examines the impact of mergers and acquisitions (M&As) on the frequency of data breaches. By analyzing 18 years of data from 5072 US firms, we find that M&As increase the likelihood of data breaches, particularly when the merging firms operate in different business domains. Furthermore, we observe that M&As that receive more media attention are more prone to data breaches, while those involving a more vulnerable target firm have fewer breaches. In our third study, guided by Institutional theory, we explore the relationship between cross-border mergers and acquisitions (CBMA) and data breaches. Our findings indicate that CBMAs, especially those accompanied by significant media publicity and involving firms from divergent institutional contexts, heighten the risk of data breaches. Overall, these studies provide valuable insights for firms aiming to mitigate data breach risks during their digital transformation (DT) efforts and M&A activities. They emphasize the importance of adopting a balanced communication strategy and considering the security implications of strategic actions. Moreover, our findings contribute to the academic discourse in information systems by illuminating the intricate interplay between DT, M&As, and data breaches

    Three Essays on the Governance of Cybersecurity

    This dissertation consists of three interrelated essays that examine the governance of cybersecurity. The first essay synthesizes the literature on the of cybersecurity risks and incidents to identify its drivers, informativeness, quality, theoretical perspectives, and future directions. The review identifies several drivers for cybersecurity disclosure, highlights that while the level of informativeness of such disclosure meets the usefulness expectations of regulators, its quality falls short, mostly lacks an explicit theoretical framework, and uses predominantly textual content analysis and event studies. The review identifies the need for research in both governance and management of cybersecurity disclosure, thus providing the motivation for the second and third essays. The second essay examines where cybersecurity risk oversight resides within a firm’s governance structure, what determines such positioning, and how it impacts the firm’s response to a cybersecurity breach. In proxy statements, breached firms explicitly disclose oversight assignment with a wide variation, ranging from full board to a named board committee - the audit committee being the most common. Results show that board connectedness and cyber competency are positively associated with oversight assignment, full board oversight is more likely with smaller boards, and boards’ shareholding and cyber competency steer oversight to the audit committee. In the event of a breach, the presence of oversight decreases the time firms take to announce and resolve the breach, as well as reduces the recurrence of breaches. While the audit committee cybersecurity oversight discloses and resolves the breach quicker, full board oversight leads to fewer recurrences. The increase of data breaches leads firms to adopt various risk management strategies, hence the third essay examines the relation between cyber insurance disclosure and a firm’s likelihood of being target of a future breach. Using textual analysis of the risk factors disclosed in 10-K filings and comparing cyber insurance disclosures of firms that are breached to those that are not, the evidence shows that firms disclosing cyber insurance have a significantly higher subsequent probability of being breached. Furthermore, it appears that disclosing cyber insurance leads to delayed public breach disclosure but more timely breach resolution, and higher breach recurrence

    ERP implementation methodologies and frameworks: a literature review

    Enterprise Resource Planning (ERP) implementation is a complex and vibrant process, one that involves a combination of technological and organizational interactions. Often an ERP implementation project is the single largest IT project that an organization has ever launched and requires a mutual fit of system and organization. Also the concept of an ERP implementation supporting business processes across many different departments is not a generic, rigid and uniform concept and depends on a variety of factors. As a result, the issues addressing the ERP implementation process have been one of the major concerns in industry. Therefore ERP implementation receives attention from practitioners and scholars, and both business and academic literature is abundant and not always very conclusive or coherent. However, research on ERP systems so far has been mainly focused on diffusion, use and impact issues. Less attention has been given to the methods used during the configuration and the implementation of ERP systems; even though they are commonly used in practice, they still remain largely unexplored and undocumented in Information Systems research. So, the academic relevance of this research is the contribution to the existing body of scientific knowledge. An annotated brief literature review is done in order to evaluate the current state of the existing academic literature. The purpose is to present a systematic overview of relevant ERP implementation methodologies and frameworks as a desire for achieving a better taxonomy of ERP implementation methodologies. This paper is useful to researchers who are interested in ERP implementation methodologies and frameworks. Results will serve as an input for a classification of the existing ERP implementation methodologies and frameworks. This paper also aims at the professional ERP community involved in the process of ERP implementation by promoting a better understanding of ERP implementation methodologies and frameworks, their variety and history