Cyber Failures and IT Capability Reputation

Olivia Hall
illustration with cybersecurity images

Cyber failures –  such as data breaches, cyberattacks, and accidental incidents – often reveal weaknesses in IT processes and IT assets comprising the IT capability of the affected company. In a recent study, Michel Benaroch, professor of management information systems, explores to what degree such revelations impact how external stakeholders perceive the firms in their aftermath.

 

Do we see a sharper drop in stock prices for companies that suffered cyber incidents which revealed more severe or critical weaknesses in their IT capability? And does the revelation affect the firms’ IT capability reputation?

 

Using a methodology from social network analysis, Benaroch measured which IT processes are central to firms’ portfolio of IT processes. “I could then check to see whether the stock price reaction to different cyber incidents is sensitive to that measure of centrality of the specific weak IT processes revealed by each incident,” he explained. Indeed, the more processes were revealed to have weaknesses and the higher their centrality, the more negatively stock prices reacted.

 

Benaroch turned to Information Week for a measure of companies’ IT capability reputation, a valuable intangible asset proxied by the digital magazine’s annual “IT leader” rankings. He looked at listings over 20 years and whether companies with cyber incidents that revealed serious IT process weaknesses dropped out of the top 500 rankings in the following years. He found that these firms suffered an erosion of their IT capability reputation proportional to the severity of their revealed IT process weaknesses. “That’s significant, because if companies are not perceived as IT leaders, they are not perceived as corporations that know how to use IT to be the most competitive, cost efficient and innovative,” Benaroch said.

 

He believes the study, published in the Journal of Management Information Systems, empowers companies in their battle against cyber incidents. “There's a general perception that cyber security incidents are going to happen no matter what to all companies,” he said. “But in many cases, weaknesses in companies’ IT platforms create the opening for attacks.” He points to the case of Equifax, where a failure to install a vendor’s software security patch created an opening for one of the largest data breaches to date. Instead of just defensively spending money on cyber security insurance and defenses, companies should also proactively invest in strengthening their central IT processes to close any back doors and prevent new ones from opening.

 

If a capability weakness has already been revealed, companies can mitigate the most negative reactions in the stock market and among stakeholders by having their PR campaigns finetuned to acknowledge the weakness and promise to fix or enhance it.

 

“Companies have more control than they think over their exposure to cyber incidents,” Benaroch said.

 

Benaroch M., “Cyber Failures and IT Capability Reputation: Examining Ex Ante and Ex Post Interplay Effects,” Journal of Management Information Systems, Sep. 2024, 41(3):744-778

 

Tagged As:

  • Alumni
  • Corporate Partners
  • Donors
  • Faculty
  • Ph.D.
  • News