Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches.

1 Jul 2023

Information Systems

Dr. Wilson Weixun Li, Dr. Alvin Chung Man Leung, Dr. Wei Thoo Yue

Published in MIS Quarterly, March 2023

Data breaches can have a significant impact on a firm's reputation and customer confidence. While firms continue to invest in security measures to prevent such breaches, practitioners and academics have questioned the effectiveness of such investments. This study suggests that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that cause data breaches.

The authors argue that effective investments to address breach incidents involve two different kinds of security awareness. The first is that the organization is aware of potential threats and vulnerabilities related to possible breach incidents; the second is that firms possess a deep understanding of IT solutions to devise appropriate security solutions.

Using an eight-year panel of 311 U.S.-listed firms, the research illustrates the bidirectional dynamic relationship between IT investment and data breaches moderated by threat and countermeasure security awareness. The results suggest that threat awareness broadens firms' scope for addressing data-breach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone.

The study highlights the importance of instilling threat and countermeasure awareness among corporate management and IT personnel alongside IT investment to prevent data breaches. The results can have significant implications for firms looking to invest in cybersecurity. By adopting a proactive approach to cybersecurity, firms can improve their ability to prevent data breaches and reduce the impact on their reputation and customer confidence. The findings may be useful for policymakers and regulators to improve cybersecurity standards for firms. Overall, the study provides valuable insights into the relationship between IT investment, security awareness, and data breaches, and how firms can improve their cybersecurity measures to prevent data breaches.