Focusing on the fundamentals? An investigation of the relationship between corporate social irresponsibility and data breach risk

Research output: Journal Publications and Reviews | RGC 21 - Publication in refereed journal | peer-review

Detail(s)

Original language: English
Article number: 114252
Journal / Publication: Decision Support Systems
Volume: 182
Online published: 23 May 2024
Publication status: Published - Jul 2024

Abstract

In an era of growing social activism, companies engaged in socially irresponsible practices are increasingly vulnerable to data breaches, resulting in substantial reputational and financial losses. This study examines how corporate social irresponsibility (CSI) influences a company’s data breach risk. We argue that CSI has an impact on data breach risk by influencing the intentional behaviors of both employees and external hackers. Given that CSI is a broad concept and can take on various forms, we further examine whether some forms of CSI pose a more significant threat than others. Our empirical analysis of data breaches in publicly listed US firms from 2005 to 2017 indicates that compared to the forms of CSI that violate broader social norms (e.g., environmental damages), CSI activities that jeopardize a company’s economic value delivery (e.g., product deficiencies) play a more dominant role in driving data breach risk. Furthermore, we find that corporate social responsibility (CSR) can have a dual impact on moderating the relationship between CSI and data breaches. While CSR often helps mitigate CSI-induced data breach risk, this risk is heightened when both CSR and CSI relate to a firm’s economic value delivery. This study provides critical insights into how companies can navigate complex data breach risk by managing their social performance. © 2024 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

Research Area(s)

  • Corporate social irresponsibility, Corporate social responsibility, Data breach, Hacktivism, Information security, Organizational legitimacy