Information Security Risk Assessments following Cybersecurity Breaches : The Mediating Role of Top Management Attention to Cybersecurity

Abstract

Information Systems (IS) research on managerial response to cybersecurity breaches has largely focused on externally oriented actions such as customer redressal and crisis response. Within the firm itself, a breach may be a symptom of systematic problems, and a narrow, siloed focus on only fixing immediate issues through technical fixes and controls might preclude other managerial actions to ensure future cybersecurity. Towards this end, Information Security Risk Assessments (ISRA) can help surface other vulnerabilities following a breach. While the role of governance in such exercises is emphasized in standards, it is undertheorized in IS research and lacks empirical evidence. We draw on the attention-based view to theorize that the principles of focus of attention, structural distribution of attention, and situated attention can lead to the top management team (TMT) according greater attention to cybersecurity following relatively high breach costs. Using firm level data, we find that high breach costs result in greater TMT attention to cybersecurity, while also making it more likely that firms will carry out an ISRA. Moreover, TMT attention to cybersecurity partially mediates the relation between breach costs and the decision to carry out an ISRA. We theorize that this is because the TMT is best positioned to oversee resource allocation, consider business implications, and centrally orchestrate an ISRA. Our findings stress the need for the cybersecurity function to work with the TMT in managing breach response.