Hacking the Value Gap: Cybersecurity Investments, Cybersecurity Talent, and Vulnerability Relative to Peers
67 Pages Posted: 21 Aug 2019 Last revised: 27 Aug 2019
Date Written: August 19, 2019
Despite the escalation of cybersecurity from an operational level issue to a perennial strategic topic that engages top executives and stakeholders, evidence about the strategic value of cybersecurity investments is still lacking. Unlike their preventive value, cybersecurity investments have a less clear path in impacting broader strategic goals. Nonetheless, shedding light on the connection between cybersecurity investments and a firm’s competitive value is critical to equip alerted executives with the knowledge that allows championing for cybersecurity investments. This study draws on the legitimacy view to conceptualize cybersecurity investments as a type of organizational investment that, when publicly emphasized, create economic rents through gained legitimacy from stakeholders and a subsequent reduction in the cost of capital. We further hypothesize that cybersecurity talent critically complements publicly emphasized cybersecurity investments and turns them into solutions fit to the idiosyncratic cyber needs of a firm. We also hypothesize that the value of publicly emphasizing cybersecurity investments (PECIs) and the complementary role of cybersecurity talent is contingent on the cyber vulnerability of a firm relative to its industry peers. Tracking public emphases on cybersecurity investments in Securities and Exchange Commission disclosures, we created a matched panel of 3,130 firm-year observations spanning from 2005 to 2015. The results suggest: a) PECIs are associated with a generally positive value as measured by Tobin’s q, return on assets, and return on sales, b) PECIs accompanied by security talent recruitments generate significantly higher gains, and c) PECIs are more profitable for under-performing firms (breached firms in industries with less frequent breaches) as well as over-performing firms (un-breached firms in industries with more frequent breaches). Interestingly, while PECIs without sufficient talent support does not significantly reduce subsequent cyber breaches, it still generates market rewards for under- and over-performing firms. Moreover, our additional analyses, unfolding the underlying mechanism that turn the preventive value of PECIs to business value, suggest that reduction in the cost of capital, but not the reduction in the cost of goods sold, is likely the reason for the observed increase in business value. The collection of our findings connects PECIs to the book-keeping indices of sustained performance, ties them into the deeper strategic efforts of talent acquisition in competitive markets, makes them relevant to the institutional positioning of a firm relative to its peers, and positions them as a significant factor in connecting to stakeholders and accessing competitive sources of financing.
Keywords: cybersecurity investment, public emphasis, cybersecurity talent, legitimacy, vulnerability relative to peers, Tobin’s q, cost of capital, return on assets, return on sales
JEL Classification: D22, J24, O33
Suggested Citation: Suggested Citation