The extant literature has provided valuable insights into the post-failure behavior of organizations, highlighting two distinct tendencies: failure learning and threat rigidity. While failure learning involves organizations embracing change and seeking improvements after experiencing failures, threat rigidity leads to a more conservative and resistant approach to change during such times. In our study, we used a pioneering approach by integrating these seemingly competing perspectives within the context of data breaches. Employing a propensity score matching (PSM)-combined-difference-in-differences (DiD) approach, we uncovered a dual impact of data breaches on firms’ information technology (IT) investment—after data breaches, firms tend to increase their IT investment intensity (a promoting effect) while simultaneously reducing their new IT investments (an inhibiting effect). Furthermore, we found that a firm with a strong quality culture exhibits a stronger tendency to increase its IT investment intensity following a data breach, while a firm highly valuing innovation demonstrates a weaker trend in reducing new IT investments after a breach. In post hoc analyses, we found that the impact of data breaches on IT investments is contingent on a series of factors related to the nature of the breach and the specific type of IT investments considered. Overall, our study provides valuable insights into the complex and diverse relationship between data breaches and IT investments in firms.
AngstCMBlockESD’ArcyJ, et al. (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly41(3): 893–916.
2.
AudiaPGGreveHR (2006) Less likely to fail: Low performance, firm size, and factory expansion in the shipbuilding industry. Management Science52(1): 83–94.
3.
BakerACLarckerDFWangCCY (2022) How much should we trust staggered difference-in-differences estimates?Journal of Financial Economics144(2): 370–395.
4.
BaruaAKriebelCHMukhopadhyayT (1991) An economic analysis of strategic information technology investments. MIS Quarterly15(3): 313–331.
5.
BeckTLevineRLevkovA (2010) Big bad banks? The winners and losers from bank deregulation in the United States. The Journal of Finance65(5): 1637–1667.
6.
BenarochMChernobaiA (2017) Operational IT failures, IT value-destruction, and board-level IT governance changes. MIS Quarterly41(3): 729–762.
7.
BensoussanAMookerjeeVYueWT (2020) Managing information system security under continuous and abrupt deterioration. Production and Operations Management29(8): 1894–1917.
8.
BharadwajASBharadwajSGKonsynskiBR (1999) Information technology effects on firm performance as measured by Tobin’s Q. Management Science45(7): 1008–1024.
BrownHS (2016) After the data breach: Managing the crisis and mitigating the impact. Journal of Business Continuity & Emergency Planning9(4): 317–328.
11.
CameronKSineW (1999) A framework for organizational quality culture. Quality Management Journal6(4): 7–25.
12.
CampbellKGordonLALoebMP, et al. (2003) The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security11(3): 431–448.
13.
CavusogluHMishraBRaghunathanS (2004) The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce9(1): 70–104.
14.
CezarACavusogluHRaghunathanS (2017) Sourcing information security operations: The role of risk interdependency and competitive externality in outsourcing decisions. Production and Operations Management26(5): 860–879.
15.
ChengLLiuFYaoDD (2017) Enterprise Data Breach: Causes, Challenges, Prevention, and Future Directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery7(5): e1211-n/a.
16.
ChengZRaiATianF, et al. (2021) Social learning in information technology investment: The role of board interlocks. Management Science67(1): 547–576.
17.
Chengalur-SmithIDuchessiP (1999) The initiation and adoption of client–server technology in organizations. Information & Management35(2): 77–88.
18.
ChoiBCFKimSSJiangZ (2016) Influence of firm’s recovery endeavors upon privacy breach on online customer behavior. Journal of Management Information Systems33(3): 904–933.
19.
ChwelosPRamirezRKraemerKL, et al. (2010) Research note—does technological progress Alter the nature of information technology as a production input? New evidence and new results. Information Systems Research21(2): 392–408.
20.
CoffmanBPrincipalI (1997) Building the Innovation Culture. Some Notes on Adaptation and Change in Network-CentricOrganizations. Principal, InnovationLabs.
21.
CyertRMMarchJG (1963) A Behavioral Theory of the Firm. Vol. 2. Englewood Cliffs, NJ: Englewood Cliffs, NJ.
22.
DaiYRauPRStouraitisA, et al. (2020) An ill wind? Terrorist attacks and CEO compensation. Journal of Financial Economics135(2): 379–398.
23.
D’aunnoTSuttonRI (1992) The responses of drug abuse treatment organizations to financial adversity: A partial test of the threat-rigidity thesis. Journal of Management18(1): 117–131.
24.
DePHuYRahmanMS (2010) Technology usage and online sales: An empirical study. Management Science56(11): 1930–1945.
25.
DetertJRSchroederRGMaurielJJ (2000) A framework for linking culture and improvement initiatives in organizations. The Academy of Management Review25(4): 850–863.
26.
DewanSMichaelSCMinC (1998) Firm characteristics and investments in information technology: Scale and scope effects. Information Systems Research9(3): 219–232.
27.
DingWWLevinSGStephanPE, et al. (2010) The impact of information technology on academic Scientists’ productivity and collaboration patterns. Management Science56(9): 1439–1461.
28.
DongJQKarhadePPRaiA, et al. (2021) How firms make information technology investment decisions: Toward a behavioral agency theory. Journal of Management Information Systems38(1): 29–58.
29.
FichmanRGKemererCF (1997) The assimilation of software process innovations: An organizational learning perspective. Management Science43(10): 1345–1363.
30.
FowlerK (2016) Data Breach Preparation and Response: Breaches Are Certain, Impact Is Not. Syngress.
31.
GavettiGGreveHRLevinthalDA, et al. (2012) The behavioral theory of the firm: Assessment and prospects. Academy of Management Annals6(1): 1–40.
32.
GoelSShawkyHA (2009) Estimating the market impact of security breach announcements on firm values. Information & Management46(7): 404–410.
33.
GoldsteinJChernobaiABenarochM (2011) An event study analysis of the economic impact of IT operational risk and its subcategories. Journal of the Association for Information Systems12(9): 606–631.
34.
GoodeSHoehleHVenkateshV, et al. (2017) User compensation as a data breach recovery action: An investigation of the sony playstation network breach. MIS Quarterly41(3): 703–727.
35.
GroverVGoslarMD (1993) The initiation, adoption, and implementation of telecommunications technologies in U.S. Organizations. Journal of Management Information Systems10(1): 141–164.
36.
GwebuKLWangJWangL (2018) The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems35(2): 683–714.
37.
HainmuellerJ (2012) Entropy balancing for causal effects: A multivariate reweighting method to produce balanced samples in observational studies. Political Analysis20(1): 25–46.
38.
HarrisSEKatzJL (1991) Organizational performance and information technology investment intensity in the insurance industry. Organization Science2(3): 263–295.
39.
HaunschildPRRheeM (2004) The role of volition in organizational learning: The case of automotive product recalls. Management Science50(11): 1545–1560.
40.
HaunschildPRSullivanBN (2002) Learning from complexity: Effects of prior accidents and incidents on Airlines’ learning. Administrative Science Quarterly47(4): 609–643.
41.
HendricksBHowellTBinghamC (2019) How much do top management teams matter in founder-led firms?Strategic Management Journal40(6): 959–986.
42.
HilaryGSegalBZhangMH (2016) Cyber-risk disclosure: Who cares?Georgetown McDonough School of Business Research Paper.
43.
HittLM (1999) Information technology and firm boundaries: Evidence from panel data. Information Systems Research10(2): 134–149.
44.
HoffmanKDKelleySW (2000) Perceived justice needs and recovery evaluation: A contingency approach. European Journal of Marketing34(3/4): 418–433.
45.
HolstiOR (1964) An adaptation of the “general inquirer” for the systematic analysis of political documents. Behavioral Science9(4): 382–388.
46.
HovavAD’ArcyJ (2003) The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review6(2): 97–121.
47.
HovavAD’ArcyJ (2004) The impact of virus attack announcements on the market value of firms. Information Systems Security13(3): 32–40.
48.
JacobsBWSwinkMLindermanK (2015) Performance effects of early and late six sigma adoptions. Journal of Operations Management36: 244–257.
49.
JanakiramanRLimJHRishikaR (2018) The effect of a data breach announcement on customer behavior: Evidence from a multichannel retailer. Journal of Marketing82(2): 85–105.
50.
KamiyaSKangJ-KKimJ, et al. (2021) Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics139(3): 719–749.
51.
KannanKReesJSridharS (2007) Market reactions to information security breach announcements: An empirical analysis. International Journal of Electronic Commerce12(1): 69–91.
52.
Khern-am-nuaiWKannanKGhasemkhaniH (2018) Extrinsic versus intrinsic rewards for contributing reviews in an online platform. Information Systems Research29(4): 871–892.
53.
KleisLChwelosPRamirezRV, et al. (2012) Information technology and intangible output: The impact of IT investment on innovation productivity. Information Systems Research23(1): 42–59.
54.
KohliRDevarajSOwTT (2012) Does information technology investment influence a firm’s market value? A case of non-publicly traded healthcare firms. MIS Quarterly36(4): 1145–1163.
55.
KumarSMallipeddiRR (2022) Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions. Production and Operations Management31(12): 4488–4500.
56.
KwonJJohnsonME (2015) “The Market Effect of Healthcare Security: Do Patients Care About Data Breaches?,” WEIS, working paper.
57.
LattacherWWdowiakMA (2020) Entrepreneurial learning from failure. A systematic review. International Journal of Entrepreneurial Behavior & Research26(5): 1093–1131.
LendingCMinnickKSchornoPJ (2018) Corporate governance, social responsibility, and data breaches. Financial Review53(2): 413–455.
60.
LevittBMarchJG (1988) Organizational learning. Annual Review of Sociology14(1): 319–338.
61.
LiKMaiFShenR, et al. (2021) Measuring corporate culture using machine learning. The Review of Financial Studies34(7): 3265–3315.
62.
LiuCLuoXRSiaCL, et al. (2014) The impact of Xbrl adoption in PR China. Decision Support Systems59: 242–249.
63.
LiuYXuXJinY, et al. (2023) Understanding the digital resilience of physicians during the Covid-19 pandemic: An empirical study. MIS Quarterly47(1): 391–422.
64.
LohrmannDTanS (2022) Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions. Hoboken, New Jersey, US: John Wiley & Sons.
65.
LuoSChoiT-M (2022) E-commerce supply chains with considerations of cyber-security: Should governments play a role?Production and Operations Management31(5): 2107–2126.
66.
LyytinenKRoseGM (2003) The disruptive nature of information technology innovations: The case of internet computing in systems development organizations. MIS Quarterly27(4): 557–596.
67.
MackelprangAWHabermannMSwinkM (2015) How firm innovativeness and unexpected product reliability failures affect profitability. Journal of Operations Management38: 71–86.
68.
MakridisCDeanB (2018) Measuring the economic effects of data breaches on firm outcomes: Challenges and opportunities. Journal of Economic and Social Measurement43(1–2): 59–83.
69.
MalhiR (2013) Creating and sustaining: A quality culture. Journal of Defense Management S3: 1–4.
70.
MarchJGShapiraZ (1987) Managerial perspectives on risk and risk taking. Management Science33(11): 1404–1418.
71.
MartinsECTerblancheF (2003) Building organisational culture that stimulates creativity and innovation. European Journal of Innovation Management6(1): 64–74.
72.
MassiminoBGrayJVBoyerKK (2017) The effects of agglomeration and national property rights on digital confidentiality performance. Production and Operations Management26(1): 162–179.
73.
MassiminoBGrayJVLanY (2018) On the inattention to digital confidentiality in operations and supply chain research. Production and Operations Management27(8): 1492–1515.
74.
MasuchKGreveMTrangS, et al. (2022) Apologize or justify? Examining the impact of data breach response actions on stock value of affected companies?Computers & Security112: 102502.
75.
MitraSChayaAK (1996) Analyzing cost-effectiveness of organizations: The impact of information technology spending. Journal of Management Information Systems13(2): 29–57.
76.
MookerjeeRSamuelJ (2023) Managing the security of information systems with partially observable vulnerability. Production and Operations Management32(9): 2902–2920.
77.
MuehlfeldKRao SahibPVan WitteloostuijnA (2012) A contextual theory of organizational learning from failures and successes: A study of acquisition completion in the global newspaper industry, 1981–2008. Strategic Management Journal33(8): 938–964.
78.
NordlundJ (2019) “The Role of Experience in the Director Labor Market: Ev- Idence from Cybersecurity Events,” Working paper, Louisiana State University.
79.
O’BrienJPDavidP (2014) Reciprocity and R&D search: Applying the behavioral theory of the firm to a communitarian context. Strategic Management Journal35(4): 550–565.
80.
O’reillyCAChatmanJA (1996) Culture as Social Control: Corporations, Cults, and Commitment.
81.
PamuruVKhern-am-nuaiWKannanK (2021) The impact of an augmented-reality game on local businesses: A study of pokémon go on restaurants. Information Systems Research32(3): 950–966.
PowellTCArregleJ-L (2007) Firm performance and the axis of errors. Journal of Management Research7(2): 59–77.
85.
RamiUGouldC (2016) From a “culture of blame” to an encouraged “learning from failure culture”. Business Perspectives and Research4(2): 161–168.
86.
RansbothamSFichmanRGGopalR, et al. (2016) Special section Introduction—ubiquitous IT and digital vulnerabilities. Information Systems Research27(4): 834–847.
87.
RavichandranTHanSHasanI (2009) Effects of institutional pressures on information technology investments: An empirical investigation. IEEE Transactions on Engineering Management56(4): 677–691.
88.
RavichandranTLiuY (2011) Environmental factors, managerial processes, and information technology investment strategies. Decision Sciences42(3): 537–574.
89.
RosenbaumPRRubinDB (1983) The central role of the propensity score in observational studies for causal effects. Biometrika70(1): 41–55.
90.
Sadegh SharifiradMAtaeiV (2012) Organizational culture and innovation culture: Exploring the relationships between constructs. Leadership & Organization Development Journal33(5): 494–517.
91.
SashkinMKiserKJ (1993) Putting Total Quality Management to Work: What Tqm Means, How to Use It, & How to Sustain IT over the Long Run. San Francisco, California, US: Berrett-Koehler Publishers.
92.
SayGVasudevaG (2020) Learning from digital failures? The effectiveness of Firms’ divestiture and management turnover responses to data breaches. Strategy Science5(2): 117–142.
93.
SchmidheinyKSieglochS (2023) On event studies and distributed-lags in two-way fixed effects models: Identification, equivalence, and generalization. Journal of Applied Econometrics38(5): 695–713.
94.
ShiWConnellyBLCirikK (2018) Short seller influence on firm growth: A threat rigidity perspective. Academy of Management Journal61(5): 1892–1919.
95.
ShimizuK (2007) Prospect theory, behavioral theory, and the threat-rigidity thesis: Combinative effects on organizational decisions to divest formerly acquired units. Academy of Management Journal50(6): 1495–1514.
96.
SmithAKBoltonRN (2002) The effect of Customers’ emotional responses to service failures on their recovery effort evaluations and satisfaction judgments. Journal of the Academy of Marketing Science30(1): 5–23.
97.
SnyderRCPaigeGD (1958) The United States decision to resist aggression in Korea: The application of an analytical scheme. Administrative Science Quarterly3(3): 341–378.
98.
SrinivasSLiangH (2022) Being digital to being vulnerable: Does digital transformation allure a data breach?Journal of Electronic Business & Digital Economics1(1/2): 111–137.
99.
StawBMSandelandsLEDuttonJE (1981) Threat rigidity effects in organizational behavior: A multilevel analysis. Administrative Science Quarterly26(4): 501–524.
100.
TanTFNetessineS (2020) At your service on the table: Impact of tabletop technology on restaurant performance. Management Science66(10): 4496–4515.
101.
TatikondaMVMontoya-WeissMM (2001) Integrating operations and marketing perspectives of product innovation: The influence of organizational process factors and capabilities on development performance. Management Science47(1): 151–172.
102.
TatikondaMVRosenthalSR (2000) Technology novelty, project complexity, and product development project execution success: A deeper Look at task uncertainty in product innovation. IEEE Transactions on Engineering Management47(1): 74–87.
103.
ThornhillSAmitR (2003) Learning about failure: Bankruptcy, firm age, and the resource-based view. Organization Science14(5): 497–509.
104.
TianFXuSX (2015) How do enterprise resource planning systems affect firm risk? Post-implementation impact. MIS Quarterly39(1): 39–60.
105.
WangQJiangSNgaiEWT, et al. (2024) Vendor selection in the wake of data breaches: A longitudinal study. Journal of Operations Management70(4): 568–599.
106.
WangQNgaiEWTPientaD, et al. (2023) Information technology innovativeness and data-breach risk: A longitudinal study. Journal of Management Information Systems40(4): 1139–1170.
107.
XueLRayGGuB (2011) Environmental uncertainty and IT infrastructure governance: A curvilinear relationship. Information Systems Research22(2): 389–399.
108.
XueLRayGSambamurthyV (2013) Efficiency or Innovation: How Do Industry Environments Moderate the Effects of Firms’ IT Asset Portfolios. 36(2): 509–528.
109.
XueLRayGZhaoX (2017) Managerial incentives and IT strategic posture. Information Systems Research28(1): 180–198.
110.
XueYLiangHBoultonWR (2008) Information technology governance in information technology investment decision processes: The impact of investment characteristics, external environment, and internal context. MIS Quarterly32(1): 67–96.
111.
ZhangLXieLZhengX (2023) Across a few prohibitive miles: The impact of the anti-poverty relocation program in China. Journal of Development Economics160: 102945.
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
