Cybersecurity Laws, Cyberattacks and Firms' Reactions


Student thesis: Doctoral Thesis

View graph of relations


Related Research Unit(s)


Awarding Institution
Award date15 Sep 2022


Cyberattack is a persistent and challenging problem to solve. To cope with the challenges of protecting information security, governments enact cybersecurity laws, and firms adjust IT and security resource allocation. Because attacked firms tend to pay huge losses and suffer reputation damage, advance defense seems to be more worthwhile and effective than remedy afterward. Instead of studying the reactive response of firms to cyberattacks, this dissertation studies the proactive actions of firms. It consists of two studies that examine firms’ reactions to cybersecurity laws and cyberattacks that happened to industry peers.

The first study, “The Effect of Anti-phishing Laws on Corporate IT and Security Investments,” focuses on firms’ reactions to the enactment of anti-phishing laws. I propose that there are two ways that firms can interpret the enactment of laws. On the one hand, firms may interpret the enactment of new laws as a warning regarding the immediate risks posed by phishing attacks. However, anti-phishing laws may also alleviate firms’ security concerns and reduce their motivation to implement secure legal safeguards. There are 23 states that enacted anti-phishing laws and 27 states without laws until now. Because the enactment of laws occurs naturally and randomly, it provides a natural experimental setting. I employed the difference-in-differences method to contrast firms’ investment decisions related to IT and cybersecurity before and after the enactment of anti-phishing laws. Moreover, I studied the potential moderating factors affecting the relationship between the impact of laws and investments according to the technology-organization-environment (TOE) framework. The results suggest that anti-phishing laws led to a decrease in firms’ IT and cybersecurity investments. Different TOE factors, such as firm scope, firm experience, industry risk landscape, and IT capability, were found to moderate the laws’ impacts.

The second study, “Data Breaches and Industry Peers’ Security and Innovation,” examines the security strategies and innovations of non-breached firms in response to data breaches. Due to the spillover effects of data breaches, non-breached firms can be affected by data breaches. The primary reaction for non-breached firms is adjusting security budgets to deal with attacks. Besides, given the competitive relationship between breached and non-breached firms, and the fact that innovation is one of the main ways to improve the competitiveness of firms, non-breached firms may change their innovation strategies. In the general case, data breaches had a positive moderating effect on the relationship between innovation inputs and outputs, which remained for five years. Moreover, this study examined the moderating effects of a firm’s market position. The findings show that data breaches of industry leaders improved the security awareness of non-breached firms and positively moderated the relationship between innovation inputs and outputs in the following year. In contrast, market laggards in the field seem to be ignored. Furthermore, I find that innovation leaders decrease innovation inputs.

This dissertation contributes to the current literature. First, it enhances prior research on the influence of cybersecurity regulations by demonstrating that enterprises may have two contradicting responses to the implementation of anti-phishing laws. Second, it introduces the TOE determinants as moderating factors to explain the disparate organizational behaviors of single- and multi-state firms in cybersecurity. Third, it provides an understanding of non-breached firms’ reactions and the effect of market position when dealing with reported data breaches, which enriches research on spillover effects in the field of cybersecurity.

    Research areas

  • Anti-phishing Laws, Data Breaches, Security Investment, IT Investment, Innovation, Spillover Effects