Organizational Learning from Cybersecurity Performance : Effects on Cybersecurity Investment Decisions

Abstract

IS literature has identified various economic, performance, and environmental factors affecting cybersecurity investment decisions. However, economic modeling approaches dominate, and research on cybersecurity performance as an antecedent to investments has taken a backseat. Neglecting the role of performance indicators ignores real-world concerns driving actual cybersecurity investment decision-making. We investigate two critical aspects of cybersecurity performance: breach costs and breach identification source, as antecedents to cybersecurity investment decisions. We use organizational learning to theorize how performance feedback from these two aspects of cybersecurity breaches influences subsequent investment decisions. Using firm-level data on 722 firms in the UK, we find that higher breach costs are more likely to elicit increases in cybersecurity investments. This relationship is further strengthened if a third party identifies the breach instead of the focal firm. We contribute to the literature on cybersecurity investments and incident response. The findings stress the need for firms to analyze aspects of their cybersecurity performance and use them as feedback for investment decisions, making these decisions data-driven and based on firm-specific needs.