To Alert or Alleviate? A Natural Experiment on the Effect of Anti-phishing Laws on Corporate IT and Security Investments

Research output: Journal Publications and Reviews; RGC 21 - Publication in refereed journal; peer-review

Original language: English
Article number: 114173
Journal / Publication: Decision Support Systems
Online published: 4 Jan 2024
Publication status: Published - Apr 2024



In the United States, between 2005 and 2017, 23 states enacted anti-phishing laws to prosecute those suspected of phishing. As the primary targets of phishing attacks, firms’ interpretations and reactions toward these laws are worth investigating. Utilizing a unique dataset in a natural experimental setting, in this study, we employed the difference-in-differences method to contrast firms’ investment decisions related to IT and cybersecurity in states in which such laws had been newly enacted and those in states without such laws, before and after their enactment. We found firms with different operational experiences react to the enactment of the anti-phishing laws in different ways. Single-state firms tend to shrink IT investments, whereas multistate firms increase security investments, leveraging diverse security knowledge. The research uncovers the intra-firm spillover effects induced by cybersecurity laws and emphasizes the importance of a holistic view of IT security to deter attacks on the weakest links. In this study, we emphasize the need for policymakers to consider the diverse effects of cybersecurity laws and encourage firms to implement protection, whereas firms should benchmark their practices for a broader cybersecurity perspective. © 2024 The Authors. Published by Elsevier B.V.

Research Area(s)

  • Anti-phishing laws, Security investment, IT investment, Signaling effect, Difference-in-difference

Bibliographic Note

Information for this record is supplemented by the author(s) concerned.
