Three essays on organizational determinants of data breach risk

Abstract

Given data breaches can bring firms significant financial and reputational damages, it should come as little surprise that information security has become the chief concern among corporate executives. Against this backdrop, it is important to investigate how data breach risk can be determined by organizational factors. My thesis intents to provide several new insights into this area. The thesis includes three essays. The first essay empirically investigates two research questions: (1) How will firms' information technology (IT) innovativeness influence data breach risk? and (2) How will the relationship between IT innovativeness and data breach risk be contingent upon environmental uncertainty? I determine that firms' IT innovativeness will increase data breach risk. I further determine that the effect of IT innovativeness on increasing such a risk is mitigated if mangers are presented with high long-term incentives and is exacerbated when external environments are complex. This research is the first empirical attempt to analyze the security impact of IT innovation, highlighting the information security challenge and providing beneficial insights for organizations when they pursue proactive and innovative ITs. In the section essay, I investigate how employee-related corporate social responsibility's (CSR) influence data breach risk. I determine that firms' employee-related CSR reduces data breach risk. I further find that the effect of employee-related CSR on reducing such a risk is pronounced when firms suffer from deteriorating economic performance, face turbulent environments, or encounter high product similarity with their competitors. This research is among the first empirical attempts to analyze the security effectiveness of corporate CSR. Specifically, it highlights the information security benefits of employee-related CSR and provides beneficial managerial insights on making strategic decisions on these activities. The third essay investigates (1) how firm diversity strategies influence data breach risks and (2) whether the relationship between firm diversity and data breach risk is moderated by managerial ability. I determine that firm diversity, particularly related diversity, can benefit firms by reducing their data breach risk. I also determine that the benefits of firm diversity in reducing data breach risk is exacerbated when managerial ability is high.