Cyber Failures and Information Technology Capability Reputation: Examining Ex Ante and Ex Post Interplay Effects
成果类型:
Article
署名作者:
Benaroch, Michel
署名单位:
Syracuse University
刊物名称:
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS
ISSN/ISSBN:
0742-1222
DOI:
10.1080/07421222.2024.2376385
发表日期:
2024
页码:
744-778
关键词:
internal control weaknesses
CORPORATE REPUTATION
market value
Data breach
shareholder-wealth
Operational risk
firm performance
economic-impact
Path dependence
stock-market
摘要:
We study the interplay between cyber failures and information technology (IT) capability reputation (ITCAPR). Cyber failures often reveal vulnerable information systems (IS) processes and IT assets at their root that point to firm IT capability weakness. For external stakeholders, firm IT capability is unobservable and therefore a matter of perception or reputation. We theorize about cyber failures' adverse impacts on firm market value and firm ITCAPR based on how external stakeholders reconcile their ex ante perception of firm IT capability strength, or established ITCAPR, and their perception of an ex post revelation of IT capability weakness by cyber failures. Our analysis of 264 cyber failures finds empirical support for our theory-based predictions. We find that ex post revelation of IT capability weakness leads external stakeholders to adjust downward their ex ante perceptions of firm IT capability proportional to the severity of IT capability weakness. Two ex post consequences are commensurate loss of firm market value and decline in firm ITCAPR. Based on our main finding, that external stakeholders perceive IT capability weakness as an endogenous contributory factor to cyber failures that leads to erosion of firm ITCAPR, we contribute to theory in significant ways. First, we theoretically complement a predominant research focus on IT capability strength as a value-relevant intangible asset by confirming that IT capability weakness is a value-relevant intangible liability as well as adding vulnerability or weakness as a distinctive process aspect absent from prior literature linking IS processes and IT capabilities. Second, we theoretically add to an almost exclusive focus of research on cyber failures' short-term adverse effect on firm market value by documenting for the first time a time-lagged eroding effect on firm ITCAPR. Last, we theoretically show IT controls and particularly ones embedded in IS processes as an essential aspect of IT capability strength as well as cybersecurity protection and prevention.