Leveraging Corporate Social Responsibility as a Dual Strategy for Performance Enhancement and Risk Management under the Duality of Information Technology

Abstract

The complex and hypercompetitive business environment compels companies to invest in corporate social responsibility (CSR) to improve their relationships with stakeholders, which in turn establishes legitimacy and competitive advantages. CSR contributes to competitive advantages by serving as a dual strategy for performance enhancement and risk management. However, navigating these dual paths is challenging against the backdrop of the widespread use of information technology (IT). On the one hand, companies must nurture strong knowledge capabilities to manage and respond to complex demands from stakeholders for CSR payoffs. Nevertheless, little is known about whether the relation between CSR and firm performance (FP) is conditioned on IT, which substantially underpins a firm’s knowledge capabilities. On the other hand, widespread IT use has elevated data breach risk to one of the most critical risks facing firms today. Although emerging research suggests that CSR can defend against data breaches before they occur and help firms recover in their aftermath, literature on CSR’s pre-breach role focuses dominantly on the independent impact of CSR while largely neglecting the combined impact of CSR and other significant data breach triggers, such as corporate social irresponsibility (CSI). Moreover, the literature on CSR’s post-breach role does not explore how companies identify optimal CSR strategies from multiple CSR fields for recovery. The central question of this dissertation is: Given the duality of IT—where IT-enabled capabilities represent the bright side and data breach risk represents the dark side—how can organizations effectively leverage CSR as a dual strategy for performance enhancement and risk management? This dissertation asks three closely related sub-questions: 1) Do IT-enabled capabilities underpin CSR to improve FP? 2) How does CSR influence data breach risk in conjunction with CSI? 3) How do data breaches influence subsequent CSR strategies? By collecting, merging, and analyzing secondary data from multiple sources, this dissertation yields the following findings and contributions:

First, this dissertation helps reconcile the mixed CSR-FP findings by pointing to previously underexplored moderating roles of IT-enabled capabilities, such as IT-enabled absorptive capacity (IT-AC) and IT-enabled social integration capacity (IT-SIC). Our results further hint at the divergent boundary condition role of environmental dynamism in shaping the moderating impacts of IT-AC and IT-SIC. Although CSR is believed to help firms attain legitimacy and valuable resources, the findings on the CSR-FP relationship are, to date, inconclusive. As such, researchers have devoted much effort to identifying moderators that can boost the evaluations and performance consequences of CSR. Nevertheless, most research focuses on moderators complementing CSR communications rather than its execution. Although existing literature suggests that the execution of CSR depends on a firm’s absorptive capacity, it fails to explain why some firms possess stronger absorptive capacity to support the positive impact of CSR on FP than others. By exploring IT-AC and IT-SIC as moderators, which substantially underpins a firm’s absorptive capacity, we find that IT-AC and IT-SIC facilitate the translation from CSR to FP, a process that cannot be achieved by CSR alone. Further, our results suggest that environmental dynamism strengthens IT-AC’s moderating influence while not impacting that of IT-SIC. This study underscores the importance of incorporating IT-related factors to understand CSR’s value implications. It also highlights the need to consider the external environment when selecting appropriate IT-enabled capabilities to maximize the FP implications of CSR.

Second, this dissertation offers insights into the impact of CSR on data breaches by shifting the focus from an isolated impact of CSR to a joint impact between CSI and CSR. Our results unveil that CSR does not independently impact data breaches but has a moderating impact on the association between CSI and data breaches. Further, by differentiating between internal and external fields of CSR and CSI, we uncover that CSR does not always deter data breaches, depending on whether CSR and CSI simultaneously belong to internal fields. Recent studies have examined whether CSR can have a deterring impact on data breaches by establishing organizational reputation and legitimacy. However, most of the literature has focused exclusively on the independent impact of CSR but largely overlooks its joint impact with CSI, which is particularly relevant to the context of data breaches due to the rise of hacktivism. By examining the influence of CSR as a moderator in the CSI and data breach relation, with an emphasis on the multifaceted nature of CSI and CSR, we find that although CSR plays a general role in deterring CSI-induced data breach risk, it unexpectedly accentuates the risk if both CSR and CSI fall into internal areas. These findings contribute to a more thorough understanding of CSR’s data breach impact by emphasizing the transition from an isolated impact of CSR to an interactive effect between CSR and other critical data breach triggers, along with the multifaceted nature of CSR.

Third, we gain insights into CSR as a post-breach recovery strategy by investigating CSR from a microscopic perspective. Our results show that data breaches have mixed impacts on firms’ subsequent engagement in CSR, exerting opposing effects depending on whether the CSR activities are focused internally or externally. Moreover, artificial intelligence (AI) adoption, firm performance, and R&D intensity serve as boundary conditions that differently shape the data breach impacts on CSR. Recent studies have confirmed the effectiveness of CSR for post-breach recovery. Nevertheless, considering that CSR is a multifaceted concept covering various stakeholder groups, few studies draw on a microscopic perspective to examine how organizations identify the optimal post-breach CSR strategy from several distinct domains and what may cause the variations in CSR strategies across organizations. By examining the impact of data breaches on CSR, with a particular focus on the differentiation between internal and external fields of CSR, our results uncover that data breaches positively influence internal CSR but negatively impact external CSR (i.e., a strategic shift from external CSR to internal CSR). Further, we uncover that AI adoption strengthens the positive relationship between data breaches and internal CSR, whereas firm performance and R&D intensity weaken the negative relationship between data breaches and external CSR. Our results highlight the value of acknowledging the multifaceted nature of CSR and adopting a microscopic perspective to better understand CSR’s role in the aftermath of data breaches.

In summary, this dissertation explores how firms can effectively leverage CSR as a dual strategy for performance enhancement and risk management under the duality of IT. On the one hand, we provide insights into CSR as a performance-enhancing strategy by exploring IT-enabled capabilities (i.e., the bright side of IT) as moderators in the CSR-FP relationship. On the other hand, we advance the understanding of CSR’s risk management role in the context of data breaches (i.e., the dark side of IT), demonstrating how it can mitigate CSI-induced data breach risk and how firms identify optimal CSR strategies from several distinct domains for post-breach recovery. This dissertation lies within the intersection of CSR and IT, which is an important and emerging area of research. Our findings facilitate an improved understanding of the complex relationships between CSR and IT infrastructure, highlighting the importance of their synergistic decisions to enhance a company’s competitive advantages.

Date of Award	17 Apr 2025
Original language	English
Awarding Institution	City University of Hong Kong
Supervisor	Qin Su (External Supervisor) & Wei Thoo YUE (Supervisor)