Management Information Systems Quarterly


This study identifies the effects of security investments that arise from previous failures or external regulatory pressure. Building on organizational learning theory, the study focuses on the healthcare sector where legislation mandates breach disclosure and detailed data on security investments are available. Using a Cox proportional hazard model, we demonstrate that proactive security investments are associated with lower security failure rates. Coupling that result with the economics of breach disclosure, we also show that proactive investments are more cost effective in healthcare security than reactive investments. Our results further indicate that this effect is amplified at the state level, supporting the argument that security investments create positive externalities. We also find that external pressure decreases the effect of proactive investments on security performance. This implies that proactive investments, voluntarily made, have more impact than those involuntarily made. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions.