To Alert or Alleviate? A Natural Experiment on the Effect of Anti-phishing Laws on Corporate IT and Security Investments

In the United States, between 2005 and 2017, 23 states enacted anti-phishing laws to prosecute those suspected of phishing. As the primary targets of phishing attacks, firms’ interpretations and reactions toward these laws are worth investigating. Utilizing a unique dataset in a natural experimental setting, in this study, we employed the difference-in-differences method to contrast firms’ investment decisions related to IT and cybersecurity in states in which such laws had been newly enacted and those in states without such laws, before and after their enactment. We found firms with different operational experiences react to the enactment of the anti-phishing laws in different ways. Single-state firms tend to shrink IT investments, whereas multistate firms increase security investments, leveraging diverse security knowledge. The research uncovers the intra-firm spillover effects induced by cybersecurity laws and emphasizes the importance of a holistic view of IT security to deter attacks on the weakest links. In this study, we emphasize the need for policymakers to consider the diverse effects of cybersecurity laws and encourage firms to implement protection, whereas firms should benchmark their practices for broader cybersecurity perspective. © 2024 The Authors. Published by Elsevier B.V.