IDEAS home Printed from https://ideas.repec.org/a/spr/infosf/v26y2024i3d10.1007_s10796-023-10404-7.html

Organizational Learning from Cybersecurity Performance: Effects on Cybersecurity Investment Decisions

Author

Listed:
  • Faheem Ahmed Shaikh

    (University of Jyväskylä)

  • Mikko Siponen

    (University of Jyväskylä)

Abstract

IS literature has identified various economic, performance, and environmental factors affecting cybersecurity investment decisions. However, economic modeling approaches dominate, and research on cybersecurity performance as an antecedent to investments has taken a backseat. Neglecting the role of performance indicators ignores real-world concerns driving actual cybersecurity investment decision-making. We investigate two critical aspects of cybersecurity performance: breach costs and breach identification source, as antecedents to cybersecurity investment decisions. We use organizational learning to theorize how performance feedback from these two aspects of cybersecurity breaches influences subsequent investment decisions. Using firm-level data on 722 firms in the UK, we find that higher breach costs are more likely to elicit increases in cybersecurity investments. This relationship is further strengthened if a third party identifies the breach instead of the focal firm. We contribute to the literature on cybersecurity investments and incident response. The findings stress the need for firms to analyze aspects of their cybersecurity performance and use them as feedback for investment decisions, making these decisions data-driven and based on firm-specific needs.

Suggested Citation

  • Faheem Ahmed Shaikh & Mikko Siponen, 2024. "Organizational Learning from Cybersecurity Performance: Effects on Cybersecurity Investment Decisions," Information Systems Frontiers, Springer, vol. 26(3), pages 1109-1120, June.
  • Handle: RePEc:spr:infosf:v:26:y:2024:i:3:d:10.1007_s10796-023-10404-7
    DOI: 10.1007/s10796-023-10404-7

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-023-10404-7
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.



