Hacking the Value Gap: Cybersecurity Investments, Cybersecurity Talent, and Vulnerability Relative to Peers

67 Pages Posted: 21 Aug 2019 Last revised: 27 Aug 2019

See all articles by Taha Havakhor

Taha Havakhor

Temple University- Fox School of Business

Tianjian Zhang

Oklahoma State University - Stillwater

Mohammad Saifur Rahman

Purdue University - Krannert School of Management

Bryan Hammer

University of Arkansas - Department of Information Systems

Date Written: August 19, 2019

Abstract

Despite the escalation of cybersecurity from an operational level issue to a perennial strategic topic that engages top executives and stakeholders, evidence about the strategic value of cybersecurity investments is still lacking. Unlike their preventive value, cybersecurity investments have a less clear path in impacting broader strategic goals. Nonetheless, shedding light on the connection between cybersecurity investments and a firm’s competitive value is critical to equip alerted executives with the knowledge that allows championing for cybersecurity investments. This study draws on the legitimacy view to conceptualize cybersecurity investments as a type of organizational investment that, when publicly emphasized, create economic rents through gained legitimacy from stakeholders and a subsequent reduction in the cost of capital. We further hypothesize that cybersecurity talent critically complements publicly emphasized cybersecurity investments and turns them into solutions fit to the idiosyncratic cyber needs of a firm. We also hypothesize that the value of publicly emphasizing cybersecurity investments (PECIs) and the complementary role of cybersecurity talent is contingent on the cyber vulnerability of a firm relative to its industry peers. Tracking public emphases on cybersecurity investments in Securities and Exchange Commission disclosures, we created a matched panel of 3,130 firm-year observations spanning from 2005 to 2015. The results suggest: a) PECIs are associated with a generally positive value as measured by Tobin’s q, return on assets, and return on sales, b) PECIs accompanied by security talent recruitments generate significantly higher gains, and c) PECIs are more profitable for under-performing firms (breached firms in industries with less frequent breaches) as well as over-performing firms (un-breached firms in industries with more frequent breaches). Interestingly, while PECIs without sufficient talent support does not significantly reduce subsequent cyber breaches, it still generates market rewards for under- and over-performing firms. Moreover, our additional analyses, unfolding the underlying mechanism that turn the preventive value of PECIs to business value, suggest that reduction in the cost of capital, but not the reduction in the cost of goods sold, is likely the reason for the observed increase in business value. The collection of our findings connects PECIs to the book-keeping indices of sustained performance, ties them into the deeper strategic efforts of talent acquisition in competitive markets, makes them relevant to the institutional positioning of a firm relative to its peers, and positions them as a significant factor in connecting to stakeholders and accessing competitive sources of financing.

Keywords: cybersecurity investment, public emphasis, cybersecurity talent, legitimacy, vulnerability relative to peers, Tobin’s q, cost of capital, return on assets, return on sales

JEL Classification: D22, J24, O33

Suggested Citation

Havakhor, Taha and Zhang, Tianjian and Rahman, Mohammad Saifur and Hammer, Bryan, Hacking the Value Gap: Cybersecurity Investments, Cybersecurity Talent, and Vulnerability Relative to Peers (August 19, 2019). Available at SSRN: https://ssrn.com/abstract=3439131 or http://dx.doi.org/10.2139/ssrn.3439131

Taha Havakhor

Temple University- Fox School of Business ( email )

201C Speakman Hall
1810 North 13th Street
Philadelphia, PA 19122-6083
United States
(215)204-6945 (Phone)

Tianjian Zhang (Contact Author)

Oklahoma State University - Stillwater ( email )

Stillwater, OK 74078
United States

Mohammad Saifur Rahman

Purdue University - Krannert School of Management ( email )

403 W. State St
West Lafayette, IN 47907
United States
765-494-4464 (Phone)

Bryan Hammer

University of Arkansas - Department of Information Systems ( email )

United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
29
Abstract Views
204
PlumX Metrics