Paper ID
1972
Paper Type
full
Description
Companies evolve their IT security strategies relative to their peers. To examine these peer effects, we conceptualize IT security strategic posture (ISSP) as the extent to which a firm’s IT security investments deviate from the industry norm. We further investigate the coevolution of IT security investments, ISSP, and organizational security performance. We predict that firms with higher ISSP are less likely to experience security breaches. We also hypothesize that over time firms will adjust their IT security investments to be closer to the industry norm. In addition to this ebb and flow of IT security investments, firms anticipate dynamic learning and correspondingly also adjust their IT security strategies after experiencing security breaches. The panel vector autoregression (VAR) analysis on the longitudinal data of the U.S. hospitals validates our theoretical predictions. The findings complement our understanding of IT security strategies by highlighting the peer effects and clarifying the coevolution of IT security investments, ISSP, and security breaches. We offer practical implications for executives on how to effectively manage IT security strategies.
Recommended Citation
Li, He; Yoo, Sungjin; and Kettinger, William, "The Changing Tides of Investments and Strategies and Their Impacts on Security Breaches" (2019). ICIS 2019 Proceedings. 33.
https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/33
The Changing Tides of Investments and Strategies and Their Impacts on Security Breaches
Companies evolve their IT security strategies relative to their peers. To examine these peer effects, we conceptualize IT security strategic posture (ISSP) as the extent to which a firm’s IT security investments deviate from the industry norm. We further investigate the coevolution of IT security investments, ISSP, and organizational security performance. We predict that firms with higher ISSP are less likely to experience security breaches. We also hypothesize that over time firms will adjust their IT security investments to be closer to the industry norm. In addition to this ebb and flow of IT security investments, firms anticipate dynamic learning and correspondingly also adjust their IT security strategies after experiencing security breaches. The panel vector autoregression (VAR) analysis on the longitudinal data of the U.S. hospitals validates our theoretical predictions. The findings complement our understanding of IT security strategies by highlighting the peer effects and clarifying the coevolution of IT security investments, ISSP, and security breaches. We offer practical implications for executives on how to effectively manage IT security strategies.