Cyber Failures and IT Capability Reputation: Examining Ex Ante and Ex Post Interplay Effects

Author
Michel Benaroch, Whitman School of Management, Syracuse University


Journal:
Journal of Management Information Systems (2024)

Summary:This paper is the first to show that cyber failures often reveal vulnerabilities of IS processes, a key component of firm IT capability, and this can lead to amplified market value losses and tarnished IT capability reputation.


Research Questions:
Two questions regarding how external stakeholder perceive the interplay between firm IT capability and cyber failures (encompassing data breaches, cyberattacks, and accidental incidents) that compromise data assets and IT systems:
1.      Is the loss of firm market value known to be associated with cyber failures greater when the failures reveal IT capability weaknesses of greater severity? 
2.      Given some evidence that cyber failures tarnish corporate reputation, do cyber failures tarnish firms’ IT capability reputation more gravely when they reveal IT capability weaknesses of greater severity?

What We Know:
Cyber failures have been found to have various negative effects on firms, most notably market value loss and declines in accounting performance. 

Recent research is starting to report that cyber failures tarnish corporate reputation for some types of firms.

Despite limited visibility into firms’ IT, the perceptions of external stakeholders based on publicly available information affect firms’ IT capability reputation and the valuable intangible asset it represents. Studies have demonstrated a positive association between IT capability reputation, often proxied by IW500 “IT leader” rankings, and improved firm performance.

Novel Findings:
Firms experience market value loss proportional to the severity of IT capability weakness revealed by cyber failures, and this finding applies to all firms, not only to strong IT capability reputation firms, counter to an earlier finding that good corporate reputation shields cyber failure firms from market value loss.

More importantly, cyber failure firms suffer erosion of their IT capability reputation, consistent with findings for corporate reputation, and the erosion is proportional to the severity of IT capability weakness revealed by cyber failures.

Novel Methodology:
To resolve selection bias vis-à-vis the sample of cyber failures, we used propensity score matching (PSM) with a difference-in-difference (DID) approach with treatment and control samples.

Implications for Practice:
Finding that external stakeholders perceive cyber failures as manifestations or revelation of IT capability weakness has important implications for management. One implication is on how to restore and sustain a firm’s IT capability reputation after a cyber failure. Just as sending continuous and consistent positive cues of IT capability strength helps firms establish a strong IT capability reputation and benefit their performance, cyber failures are negative cues that can undermine firms’ IT capability reputation and their performance. Managers ought to plan ways to mitigate erosion of their firms’ IT capability reputation including by voluntarily disclosing relevant preemptive and remediation initiatives. Of particular importance is using the IS process centrality measure we developed to remediate vulnerable IS processes central to a firm’s IT capability. Another way is to carefully calibrate PR strategies that can lessen post-failure effects on firms’ IT capability reputation.


Implications for Research:
There are also implications for IT capability research. 

1.      Having found that weakness of IS processes central to IT capability leads to greater erosion of firm market value and IT capability reputation, future research could examine how the strength of central IS processes leads to opposite effects on firm competitiveness and IT value creation. 

2.      Having found that unintentional negative IT capability cues such as cyber failures are increasingly the reason firms run into embarrassing IT-related problems, the almost exclusive focus of past research on positive cues of IT capability strength ought to be expanded to other negative IT capability cues and their effects on firms. 

3.      Our finding that the revelation of IT capability weakness by a cyber failure has adverse effects on all firms needs reconciling with the idea that effects of negative IT capability cues can be more severe for strong IT capability reputation firms and studies which found that strong corporate reputation softens the same effects.

4.      Our findings underscore the need for more research on contributory factors to cyber failures that are within firms’ control. 

5.       Our findings and our measure of IS process centrality should encourage corporate boards and IT executives to invest more in enhancing the reliability of specific IS processes to lower the likelihood of cyber failures. It is particularly useful to minimize the likelihood of cyber failures and their effect on the firm by balancing ex-ante preventive investments in IS process reliability against investments in line-of-defense cybersecurity tools for ex-post detection and blocking of cyber failures.

Full Citation:
Benaroch M., “Cyber Failures and IT Capability Reputation: Examining Ex Ante and Ex Post Interplay Effects,” forthcoming in Journal of MIS.

Abstract:
We study the interplay between cyber failures and information technology (IT) capability reputation (ITCAPR). Cyber failures often reveal vulnerable information systems (IS) processes and IT assets at their root that point to firm IT capability weakness. For external stakeholders, firm IT capability is unobservable and therefore a matter of perception or reputation. We theorize about cyber failures’ adverse impacts on firm market value and firm ITCAPR based on how external stakeholders reconcile their ex ante perception of firm IT capability strength, or established ITCAPR, and their perception of an ex post revelation of IT capability weakness by cyber failures. Our analysis of 264 cyber failures finds empirical support for our theory-based predictions. We find that ex post revelation of IT capability weakness leads external stakeholders to adjust downward their ex ante perceptions of firm IT capability proportional to the severity of IT capability weakness. Two ex post consequences are commensurate loss of firm market value and decline in firm ITCAPR.