Too Good to Be True: Firm Social Performance and the Risk of Data Breach

D'Arcy, J., Adjerid, I., Angst, C. M., and Glavas, A. Forthcoming. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, pp. 1-45.

51 Pages. Posted: 2 Jun 2020

Idris Adjerid

Pamplin College of Business

John D'Arcy

University of Delaware - Alfred Lerner College of Business and Economics

Corey M. Angst

IT, Analytics, and Operations department

Ante Glavas

University of Vermont

Date Written: May 4, 2020

Abstract

In this paper, we draw from research in the information systems (IS) security and management fields to theorize that a firm’s social performance, as measured by its engagement in socially responsible (or irresponsible) activities (i.e., corporate social performance (CSP)), affects its likelihood of being subject to computer attacks that result in data breaches. Drawing from stakeholder theory, and positioning employees and external hackers as key stakeholders of the firm with respect to information security, we propose a set of hypotheses that elaborate relationships between aspects of a firm’s CSP and the likelihood of experiencing a data breach. To test our hypotheses, we compiled a unique dataset that consists of publicly available data on firms’ data breach incidents, external assessments of their CSP, and other firm-specific factors. Our contribution is an intriguing and previously unknown account of CSP as it relates to information security. Paradoxically, our results suggest that firms that are noted to have poor CSP records (i.e., CSP concerns) are no more likely to experience a data breach, while a positive CSP record (i.e., CSP strengths) in areas which are peripheral to core firm activities (e.g., philanthropy, recycling programs) results in an elevated likelihood of breach. Delving into this latter finding, our results suggest that firms that simultaneously have peripheral CSP strengths along with high CSP concerns in other areas are at increased risk of breach. The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived ‘greenwashing’ efforts that attempt to mask poor social performance make firms attractive targets for security exploitation.

Keywords: data breach, corporate social performance, stakeholder theory, information security, information security management, longitudinal, panel data, econometric analysis

Suggested Citation

Adjerid, Idris and D'Arcy, John and Angst, Corey M. and Glavas, Ante, Too Good to Be True: Firm Social Performance and the Risk of Data Breach (May 4, 2020). D'Arcy, J., Adjerid, I., Angst, C. M., and Glavas, A. Forthcoming. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, pp. 1-45. Available at SSRN: https://ssrn.com/abstract=3592518

Idris Adjerid

Pamplin College of Business

2058 Pamplin College of Business
Blacksburg, VA 20461
United States

John D'Arcy

University of Delaware - Alfred Lerner College of Business and Economics

419 Purnell Hall
Newark, DE 19716
United States

Corey M. Angst (Contact Author)

IT, Analytics, and Operations department

348 Mendoza College of Business
University of Notre Dame
Notre Dame, IN 46556-5646
United States

Ante Glavas

University of Vermont

212 Kalkin Hall
Burlington, VT 05405-0158
United States
