Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches
Wilson Weixun Li, Alvin Chung Man Leung and Wei T. Yue. "Where Is IT in Information Security? The Interrelationship of IT Investment, Security Awareness and Data Breaches" Management Information Systems Quarterly 47, no. 1 (2023): 317-342
Posted: 18 Jun 2020 Last revised: 2 Mar 2023
Date Written: April 16, 2020
Abstract
Data breaches can severely damage a firm’s reputation and its customers’ confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technologies (IT) investment and data breaches using an 8-year panel of 260 U.S.-listed firms, moderated by threat and countermeasure security awareness. Drawing on Straub and Welke’s security planning model, we provide empirical evidence that investing solely in security measures may not effectively prevent data breaches. IT investment must instead be combined with heightened security awareness. Our results suggest that firms should reconsider whether security performance is a direct outcome of security measures and take a broader perspective when addressing information security concerns.
Keywords: security investment, IT investment, security awareness, data breach, IT planning, panel vector autoregression model
JEL Classification: M15
Suggested Citation: Suggested Citation