
JOURNAL OF INFORMATION SYSTEMS American Accounting Association

Vol. 37, No. 2 DOI: 10.2308/ISYS-2022-033


Summer 2023
pp. 51–76

Business Strategy and Cybersecurity Breaches


Tianpei (Constance) Li
University of Nebraska at Kearney

Stephanie Walton
Louisiana State University

ABSTRACT: This study examines whether a firm’s business strategy is an underlying determinant of cybersecurity
breach likelihood. Based on organizational theory, firm strategy can focus on innovation or efficiency, with innovative
strategy firms being more likely to have weaker, decentralized control systems, multiple technologies, and greater risk
than firms with an efficiency-focused strategy. Following the Miles and Snow (1978) strategy topology, we predict and
find that the prospector business strategy is associated with greater breach likelihood. We further explore IT
awareness within the firm. Ex ante, it is unclear whether strategic IT policy formation is impounded into a firm’s
strategy or can be impacted by individual executives and nonstrategy firm characteristics. We find that IT
understanding at the executive or firm level can affect the relationship between strategy and breach likelihood.
Collectively, our results indicate that business strategy is a useful indicator in evaluating firms’ cybersecurity activities.
Keywords: business strategy; information technology; cybersecurity breaches; IT awareness.

I. INTRODUCTION
A firm’s business strategy guides a firm’s operations and approach to technological changes (Hambrick 1981,
1983). Cybersecurity is essential to a firm’s strategy (Melika 2021). As part of a firm’s strategy, cybersecurity
activities can assist in not only reducing operational risks, but also enabling growth through agile decisions that
promote innovation and customer trust (Martin 2021). However, it is unclear whether strategy, as a firm-level characteristic
reflecting an accumulation of firm decisions that typically persist beyond individual actions (Miles and Snow 1978,
2003; Bentley-Goode, Omer, and Twedt 2019), impacts cybersecurity risks. Cybersecurity breaches reflect a nonfinancial
reporting outcome with significant economic consequences, with U.S. breaches having the highest global per event cost
of $9.05 million, taking an average of 287 days to identify and contain (Ponemon Institute and IBM Security 2021). To
a threat actor, a firm could appear as a better breach target than other firms due to its strategy, which provides idiosyncratic
information about a firm. As such, we examine the following research question: Does a firm’s strategy affect
cybersecurity breach risk?
A move toward greater remote work and increasing customer and client concern surrounding digital security underscores
the importance of cybersecurity processes in keeping a firm’s operations running smoothly (Melika 2021).
Further, breaches can impact all firms. For instance, Robinhood, a stock trading and investing application, recently disclosed
a third-party breach affecting 7 million user records, including personal information, such as email address,
name, date of birth, and zip code (Robinhood 2021). Although Robinhood is an innovative, technology-focused firm, it
still faced a breach. Strategy affords an opportunity to investigate differences between firms incremental to financial
reporting risk, firm size, complexity, or other risk-based measures (Bentley, Omer, and Sharp 2013). In turn, strategy
enables us to examine a potential breach determinant distinct from component risk, executive characteristics, and firm
characteristics used to broadly classify firms previously investigated in cybersecurity research (Ettredge, Guo, and Li
2018; Walton, Wheeler, Zhang, and Zhao 2021; Ashraf 2022).

We are grateful for the helpful comments from Marc Eulerich (editor), two anonymous reviewers, Jochen Theis (discussant), Vern Richardson, Theo
Stratopoulos, Joseph Schroeder, and participants at the 2022 2nd Journal of Information Systems International Conference.
Tianpei (Constance) Li, University of Nebraska at Kearney, College of Business and Technology, Department of Accounting, Finance, and
Economics, Kearney, NE, USA; Stephanie Walton, Louisiana State University, E. J. Ourso College of Business, Department of Accounting, Baton
Rouge, LA, USA.
Editor’s note: Accepted by Marc Eulerich, under the Senior Editorship of J. Efrim Boritz.

Submitted: June 2022
Accepted: February 2023
Early Access: June 2023

Of the three viable business strategies described by Miles and Snow (1978, 2003)—prospector, analyzer, and
defender—firms with a prospector strategy seek to identify and exploit new products and market opportunities, whereas
firms with a defender strategy have an efficiency focus.1 Analyzer firms share characteristics with both prospectors and
defenders. Although research based in organizational theory broadly characterizes prospectors as having greater organizational
risk than other firms, such studies focus on financial reporting and related disclosures (Bentley et al. 2013;
Bentley-Goode, Newton, and Thompson 2017; Hsieh, Ma, and Novoselov 2018; Lim, Chalmers, and Hanlon 2018).
Within a cybersecurity setting, prospectors’ focus on technological flexibility could result in these firms being more
likely to invest in cybersecurity-promoting technologies than other firms, reducing breach risk. Likewise, defenders could
be more attractive breach targets than other firms, as there is a history of organizational stability and profitability,
increasing breach risk. However, such factors may not be influential enough to mitigate the duality between strategy
and organizational risk. Prospector firms’ lack of lengthy technological commitments and decentralized control systems
can promote organizational instability, as through internal control material weaknesses (Miles and Snow 1978, 2003;
Bentley et al. 2013; Bentley-Goode et al. 2017), potentially increasing breach risk. Similarly, defender firms could have
greater capabilities of defending against breach attempts, reducing the likelihood of a successful breach. As such,
although all firms need to manage breach risk, we argue that prospector strategy firms face greater breach likelihood
than other firms.
As a firm’s business strategy typically reflects persistent firm decisions, it is also unclear the extent to which information
technology (IT) awareness at the executive or firm level could impact the relationship between strategy and breach
likelihood. Based on organizational theory, distinct differences in the approach to products and markets, control systems,
technology use, and organizational structure could result in IT savviness providing an additional benefit for prospector
strategy firms compared to defender firms (Miles and Snow 1978, 2003). At the executive level, CEOs and Chief
Financial Officers (CFOs) with greater IT expertise could be more apt at navigating the changing cybersecurity landscape,
resulting in reduced breach risk (Haislip, Lim, and Pinsker 2021), regardless of the firm’s strategy. We further
examine the extent to which other firm characteristics focusing on IT understanding, including the presence of a Chief
Information Officer (CIO), having a technology committee on the board of directors, and operating in an IT-focused
industry, affect the relationship between strategy and breach likelihood. Affecting IT governance, such characteristics
could assist a firm in navigating cybersecurity risk originating due to both operational decisions and threat actors. In
turn, there could be a lower breach likelihood for prospector firms. However, the typically persistent nature of strategy
could overwhelm any individual executive or firm characteristic that could mitigate breach risk, resulting in little change
to breach likelihood.
We use a comprehensive measure of organizational business strategy that is generalizable across industries from
Bentley et al. (2013) to capture firm business strategy. To investigate the relationship between strategy and breaches, we
use a sample of 34,308 firm-year observations from 2005 to 2019, including 3,622 prospector firm-year observations and
1,283 defender firm-year observations. Based on organizational theory and prior business strategy empirical research,
we expect and find that prospector firms have higher breach likelihood than defender firms. We find evidence that prospectors
are associated with greater breach likelihood using both discrete and dichotomous strategy measures. Results
are robust to entropy balancing at the first and second moments. Our results suggest that strategy can uniquely impact
breach risk, with prospector firms more likely to face a breach than other analyzer and defender firms.
We also find that the positive association between strategy and breach likelihood is impacted by IT awareness at the
executive and firm levels. Our results suggest that executive IT experience can assist in mitigating an increase in breach
risk due to having a prospector strategy. Further, we find that at the firm level, greater IT savviness, either through having
a technology committee on the board or operating in an IT-intensive industry, can assist in alleviating an increase in
breach likelihood for firms with a prospector business strategy. Additional investigation suggests that the relationship
between strategy and breach likelihood is exacerbated by external pressures attributable to diversification. At the executive
level, CEO turnover also provides insight into the future breach likelihood, as there could be new policies put into
place with a new executive. In the year of CEO change, strategy does not appear to impact breach risk; however, breach
risk is greater for prospector firms if there is no turnover.
We make several contributions to the literature. First, we extend organizational theory within the accounting literature
by examining the relationship between the business strategy and an outcome, breaches, that goes beyond clear
financial reporting outcomes. Although breaches can have negative economic costs that affect operations, financial
reporting decisions, disclosures, and external stakeholder perceptions (Walton et al. 2021), it is ultimately a nonfinancial
outcome. Second, we add to the breach literature by identifying strategy as a distinct breach determinant. The breach
determinants literature has focused on disclosure issues, such as industry (Ashraf 2022) and proprietary information
(Ettredge et al. 2018). Although these studies provide important insights, they broadly categorize firms and do not capture
potentially useful firm-level information pertaining to breach risk. Third, we find that executive and firm IT understanding
can disrupt the relationship between strategy and breach likelihood, answering a call for research from Walton
et al. (2021). Since strategy largely persists across time and executives, our results indicate that firms can at least partially
address cybersecurity risk beyond a firm’s overall strategic focus on innovation or efficiency.

1
We discuss different strategy typologies in Appendix A. Following Miles and Snow’s (1978, 2003) typology, we view strategy classifications as occurring
along a continuum, with the prospector strategy being mutually exclusive from the defender strategy. Analyzer strategy firms share characteristics
with both endpoints, and, as such, we focus the majority of our discussion on prospector and defender firms.

Practically, our study provides useful information to stakeholders, including investors, boards of directors, auditors,
and regulators. We provide information to investors interested in understanding a firm’s cybersecurity risk exposure by
investigating the role of firm business strategy. A firm may appear to a threat actor as a better breach target than other
firms due to their strategy, increasing investor exposure to cybersecurity risk. Although we do not recommend altering a
firm’s strategy, boards can benefit from understanding their firms’ overall cybersecurity risk and what actions can be
taken at the firm or executive level, such as increasing IT awareness, to reduce breach likelihood. Auditors, who price
breach risk into audit fees (Smith, Higgs, and Pinsker 2019) and who levy higher fees to prospector strategy firms
(Bentley et al. 2013) could also adjust their audit fee premium after considering the joint relationship between their clients’
strategy and breach risk. Firms with a prospector strategy could further benefit from additional regulator guidance
on cybersecurity risk disclosures, possibly including risk-management strategies (e.g., American Institute of Certified
Public Accountants (AICPA) 2017a, 2017b). Increasing interest in cybersecurity activities, including the establishment
of a cybersecurity bureau in the U.S. State Department to deal with evolving challenges (Volz 2021), underscores the rising
importance of cybersecurity risk to national security.
The remainder of the study is as follows. Section II reviews the related literature and develops our hypotheses.
Section III describes our research design, while Section IV describes the results. Section V concludes.

II. PRIOR RESEARCH AND HYPOTHESES

Cybersecurity Breaches
Cybersecurity breach events are increasing in frequency and severity (Ponemon Institute and IBM Security 2021).
Firms can have a variety of negative economic consequences following a breach (Walton et al. 2021). Breaches are associated
with lower short-term market returns (e.g., Richardson, Smith, and Watson 2019), greater CIO and CEO turnover
(Banker and Feng 2019), higher audit fees (Smith et al. 2019; Lawrence, Minutti-Meza, and Vyas 2018; Yen, Lim,
Wang, and Hsu 2018; Li, No, and Boritz 2020), greater real earnings management (Xu, Guo, Haislip, and Pinsker
2019), higher loan spreads, loans requiring collateral and greater covenants (Huang and Wang 2021), and fewer patents
and investment efficiency (He, Frost, and Pinsker 2020). Breaches can also affect nonbreached peer firms. Ashraf (2022)
notes that peer firms are associated with a reduction in internal control material weaknesses and an increase in the likelihood
of having a cybersecurity expert in the top management team. Further, there is increasing regulatory interest in
breach events, including increased disclosures and the establishment of a cybersecurity bureau with the U.S. State
Department to monitor cybersecurity risk (Volz 2021).
There is a need to understand breach determinants and whether firm actions can mitigate cybersecurity risk, including
breach likelihood. Firm business strategy could affect the extent of IT investments, IT governance, and the actions
undertaken by managers and the firm. IT investments are associated with increased market value, especially among
smaller firms (Im, Dow, and Grover 2001), higher abnormal returns (Chai, Kim, and Rao 2011), and an overall higher
rate of being breached (Sen and Borle 2015). Angst, Block, D’Arcy, and Kelley (2017) note that only substantial, rather
than symbolic, adoptions increase the effectiveness of IT investments, reducing breach likelihood. Relatedly, the inclusion
of an IT executive (Kwon, Ulmer, and Wang 2013) or other executives with IT expertise (Haislip et al. 2021), a
board-level technology committee (Higgs, Pinsker, Smith, and Young 2016), and internal auditors with security expertise
(Islam, Farah, and Stafford 2018) are positively associated with cybersecurity strength. It is unclear how senior management
support could affect the strength of cybersecurity activities (Walton et al. 2021). Decisions made by
management could also affect the preparedness of a firm against possible breach attempts. Following a breach, Tan and
Yu (2018) note that higher management responsibility acceptance is a more effective strategy following an external
breach, but not an internal breach, suggesting that management decisions can affect how stakeholders perceive a firm.
As such, we posit that business strategy can serve as a breach determinant distinct from those denoted in the extant
literature, including internal control material weaknesses (Bentley-Goode et al. 2017; Walton et al. 2021).

Business Strategy and Organizational Theory


Organizational theory assists in categorizing firms and their associated business risks to develop a better understanding
of business strategy. Lim et al. (2018) note that strategy influences operating complexity, information asymmetry,
environmental uncertainty, organizational structure, and product and market mix. Reflecting how firms compete in their
market environments, business strategy is a construct distinct from piecemeal components of risk or other firm characteristics.
Therefore, business strategy affords an opportunity to examine a potential breach determinant distinct from
component risk, executive, and firm characteristics previously investigated in cybersecurity research. Hambrick (1983, 6)
argues that “the key dimension underlying the [strategy] typology is the rate at which an organization changes its products
and markets.” Strategy is not subject to sudden changes. Rather, smaller incremental changes can occur relative to
each viable strategy. We follow the Miles and Snow (1978, 2003) strategy typology with three viable business strategies
along a continuum: defenders, analyzers, and prospectors. Prospector strategy firms rapidly change their product market
risk using an innovation focus to be a market leader. Defender strategy firms, conversely, have a narrow and stable
product mix and have an efficiency focus. Analyzer strategy firms share aspects of both prospectors and defenders.
Prospector strategy firms are innovative firms that seek to identify and exploit new products and market opportunities
(Miles and Snow 1978, 2003). These firms are thus more reliant on research and development activities than other
firms. Innovation can also be achieved by using multiple technologies. Although innovative prospectors may invest in
multiple technologies, the investments are flexible, enabling firms to change rapidly. However, flexible investments do
not promote efficiency. Avoiding lengthy technology commitments further results in a low degree of mechanization or
routinization that leverages the knowledge and skills of employees. Such diverse operations, in turn, rely on decentralized
control systems, which, coupled with fewer routines, could weaken internal control processes (e.g., Bentley-Goode
et al. 2017). As such, there is generally greater organizational instability and organizational risk than defender and analyzer
firms.
Conversely, defender strategy firms maintain a narrow and stable product focus to compete on the basis of price,
service, or quality (Miles and Snow 1978, 2003). Defenders are focused on efficiency in the production and distribution
of goods and services. A narrow market focus through thoughtful and incremental growth protects the finance and production
functions. A defender strategy requires large technology investments to improve mechanization and routinization
based on the knowledge and skills of employees, including cost-efficient technology and continuous improvement.
Unlike prospectors, defenders require strict centralized control systems to ensure improved efficiency. Collectively, there
is greater organizational stability, gradual growth, consistent profitability, and less organizational risk stemming from
calculated decision making than prospector and analyzer firms (Bentley-Goode et al. 2017).
Within accounting and management literatures, business strategy has been used to examine financial reporting-
related items, including accounting control systems (Simons 1987), CEO bonus contracts (Ittner, Larcker, and Rajan
1997), budgetary use (Collins, Holzmann, and Mendoza 1997), accounting irregularities and auditor effort (Bentley
et al. 2013), and tax aggressiveness (Higgins, Omer, and Phillips 2015). Additionally, strategy is a significant incremental
predictor of internal control material weaknesses, with prospector firms more likely to report a material weakness than
other firms (Bentley-Goode et al. 2017). Greater organizational risk stemming from a prospector strategy also appears
to affect financial reporting disclosure decisions, including greater accounting conservatism (Hsieh et al. 2018) and less
readable 10-K reports with more negative and uncertainty tones than defender firms (Lim et al. 2018). Importantly,
Bentley et al. (2013) find that strategy as a composite measure is more than the sum of its parts. That is, business strategy
provides insights into firm operations incremental to financial reporting risk, firm size, complexity, or other risk-based
measures. Bentley et al. (2013) also note that the increase in prospector client audit fees relative to other firms is not
enough to fully mitigate underlying client riskiness. The results suggest that external factors used to mitigate risk, such
as increased auditor effort, may not be enough to counter client risk attributable to strategy.
Although the extant strategy literature finds that strategy reflects a unique facet of business risk, with prospector
strategy firms having greater inherent risk than defender firms, nonfinancial outcomes have not been investigated.
Ex ante, it is unclear whether the relationship between strategy and organizational risk will persist when examining
breaches. As a part of a firm’s activities, cybersecurity needs to be embedded throughout the business ecosystem (Martin
2021). Within a cybersecurity setting, strategy can possibly delineate firms that are more likely to face a breach than
other firms. Compared to other firms, prospectors invest in multiple technologies, increasing the likelihood of investing
in technology that promotes a firm’s cybersecurity activities. Additional attention to cybersecurity activities could lower
the likelihood of a successful breach. Further, prospectors report higher audit fees, which could not only reflect greater
auditor response to organizational risk (Bentley et al. 2013), but also additional attention to cybersecurity (Li et al.
2020), which could lower cybersecurity risk. Defenders, in contrast, are more established firms with a history of profitability
(Miles and Snow 1978, 2003), increasing a firm’s financial attractiveness to a threat actor as a breach target.
Similarly, defender firms report more litigious tone language in their 10-K reports than other firms (Lim et al. 2018),
reflecting greater external risk.
Nevertheless, such actions may not be enough to counter the overarching relationship between strategy and organizational
risk. For instance, prospector reliance on novel, multiple technologies is associated with a greater likelihood of
reporting an internal control material weakness (Bentley-Goode et al. 2017). Such use of multiple technologies could
also result in superficial investments compared to analyzer and defender firms, increasing breach likelihood, as Angst
et al. (2017) find that only substantial IT investments are associated with a reduction in breach risk. Comparatively, the
centralized control systems, routinization, deep technology investments, and cautious growth actions undertaken by
defender firms could reduce cybersecurity risk exposure, despite the firms being perceived as lucrative breach targets.
Compared to defender and analyzer firms, greater use of uncertainty reporting language by prospector firms could
reflect rapid changes, a less-detailed cybersecurity strategy, and fewer substantive cybersecurity investments. In turn,
organizational instability could negatively affect a firm’s overall IT governance focus.
As such, prospector strategy firms could have greater cybersecurity risk than both analyzer and defender firms.
Organizational risk differences can manifest in prospector firms facing greater breach risk than other firms, even though
individual actions could affect cybersecurity activities. Therefore, our first hypothesis predicts a positive relationship
between prospector business strategy and cybersecurity breach likelihood.
H1: Prospector business strategy firms are more likely to face a cybersecurity breach than defender business
strategy firms.

IT Awareness
Although a firm’s business strategy usually reflects persistent objectives, subject to strategic flexibility, it remains
unknown whether individual executive or other firm characteristics relating to IT assist in mitigating the effect of strategy
on breach likelihood. Miles and Snow (1978, 2003) discuss how the administrative functions between strategies can
differ. Based on organizational theory, we focus on two levels of IT awareness that could affect the relationship between
strategy and breach risk: executive and firm. At the executive level, it remains unknown whether the actions of a CEO
or a CFO could temper a rise in cybersecurity risk, given a prospector strategy. Whereas the CEO has the primary role
of establishing and overseeing firm policies (Masli, Richardson, Watson, and Zmud 2016), the CFO has control over
financial reporting processes and shares in the management of cybersecurity risk (Haislip et al. 2021). At the firm level,
having greater IT understanding within the firm could assist in mitigating cybersecurity risk for firms, even if strategy
objectives result in higher risk.
We first investigate whether CEOs and CFOs with IT expertise can impact the cybersecurity risk faced by a firm pursuing
a prospector strategy. Haislip et al. (2021) note that CEOs with IT expertise are associated with lower breach risk.2
Not only does the CEO communicate current and future IT issues within the firm to other executives, including the CIO
and employees, but the CEO also assists in developing IT risk-management practices (Vincent, Higgs, and Pinsker 2017;
Haislip et al. 2021). The CEO and CFO can make meaningful IT decisions that could align IT policies with overall business
risk and strategy objectives, even if there is a penchant for innovation, rather than efficiency. Specifically, an executive
could enhance IT governance actions, strengthening controls and reducing cybersecurity exposure, despite a decentralized
control system. Compared to the incremental progress made by defender firms, which could still benefit from executive IT
expertise, we posit that prospector strategy firms have a greater possible cybersecurity advantage.
We next investigate firm-level characteristics that could also have a balancing effect on increases in breach risk due
to having a prospector strategy. First, the presence of a CIO could assist in communicating IT policies. Kwon et al.
(2013) find that there is a negative relationship between having a CIO in the top management team and breach risk. The
additional IT expertise provided by a CIO appears to reduce cybersecurity concerns (Banker and Feng 2019).3 A CIO
could assist in mitigating breach risk for prospector strategy firms by promoting best practices and providing support to
top executives. Similarly, a prospector strategy firm with a technology committee on the board of directors could mitigate
breach risk increases (Higgs et al. 2016). Since prospector firms have an innovation focus and invest in multiple
technologies, there could, conversely, be a greater need for board oversight. At a broad level, operating in an IT-intensive
industry could also facilitate decisions that maintain a rapid pace of change, consistent with prospector firm
objectives (Bentley-Goode et al. 2017), and thus are more likely to have a beneficial impact on cybersecurity activities.

2
Jarvenpaa and Ives (1991) find that CEO IT expertise is marked by stronger IT policies than in the absence of IT expertise. For instance, having a
CEO with IT expertise is associated with more accurate earnings forecasts (Haislip and Richardson 2018) and the timely disclosure of key findings to
external stakeholders (Haislip, Karim, Lin, and Pinsker 2020).
3
There is also greater interest in board of director level IT governance following a breach event (Higgs et al. 2016; Benaroch and Chernobai 2017).
Further, there is greater CEO and CIO turnover following a breach event (Banker and Feng 2019).

However, it is important to note that prospector strategy firms could face increased cybersecurity risk with or without
executive- or firm-level IT awareness, and the actions of any one individual or group might not be enough to mitigate
such risk. Similarly, Bentley et al. (2013) underscore that the increase in audit effort via higher fees for prospector
firms is not enough to counter the effect of strategy on financial reporting quality. As prospector strategy firms are also
predisposed to weaker internal controls (Bentley-Goode et al. 2017), greater business risk could result in higher breach
risk, regardless of the specialization of executives, the IT support received from within the firm, or external IT pressures.
Although greater IT understanding could mitigate an increase in breach risk for prospectors by leveraging current IT
investments and establishing formalized control policies, status quo breach likelihood may not be fundamentally reduced.
We take the position that prospector firms have greater cybersecurity risk than other firms, stemming partially from cursory
technology investments, a decentralized control system, and a low degree of mechanization. We believe that these
firms also have greater opportunities for IT awareness and understanding to contribute to firm operations. Nevertheless,
the possibility exists that instability underscoring prospector firms does not foster IT understanding. Further, it is unclear
whether defender strategy firms would likewise see a reduction in breach risk. Since the relationship between strategy, IT
awareness, and breach likelihood remains uncertain, we propose the following nondirectional hypothesis:
H2: The positive association between prospector business strategy firms and cybersecurity breach likelihood is
impacted by IT awareness.

III. RESEARCH DESIGN

Sample Selection
To examine the relationship between business strategy and breach likelihood, we utilize reported breach data from
Privacy Rights Clearinghouse and Audit Analytics, and firm financial and auditing information from Compustat, Audit
Analytics, and BoardEx.4 We begin our sample selection process with 145,681 Compustat firm-year observations
between 2005 and 2019 after removing firm-year observations with zero or negative sales and assets and missing historical
SIC industry classifications. We then remove financial and utility firms due to the regulated nature of the industries.
As our STRATEGY measure requires five-year rolling averages (e.g., Ittner et al. 1997; Bentley et al. 2013), we further
remove 76,447 observations with insufficient data for all six strategy components. As such, we have 51,819 firm-year
business strategy scores from 2005 to 2019. After merging with Compustat financial information, audit information
from Audit Analytics, and executive information from BoardEx, our sample consists of 34,308 firm-year observations.
Table 1, Panel A provides additional details on our sample selection process.
Our sample consists of 3,622 prospector firm-years and 1,283 defender firm-years, consistent with prior strategy
research. In Panel B, we note that the breaches in our sample are evenly distributed across years. Breaches are spread
across industries, with Computers, Software, and Electronic (29.16 percent) and Wholesale and Retail Services (24.68
percent) industry firms reporting the most breach events in Panel C. We also find that each strategy is largely evenly distributed
across the sample period and industries. Further, in Panel D, we show the composition of strategy by industry.

Research Design
Our primary model examines the association between firm business strategy (STRATEGY) and reported breach
likelihood in t+1 (Prob(BREACH_{it+1} = 1)).5 We use the phrasing “reported breaches” to be consistent with the sources of
our data and with the extant research (e.g., Haislip et al. 2021). Reported breaches are used to proxy for all breaches.
SIC two-digit industry (IND) and year (YEAR) fixed effects are included, but not reported. The standard error is

4
We begin the sample period in 2005, as breach data are not available from Privacy Rights Clearinghouse in prior years. We recognize that the financial
crisis could affect the extent to which firms invest in cybersecurity activities, including controls. As such, we exclude firm-year observations from
2008 and 2009 and find that our results are robust to the exclusion of these years.
5
Firms in the United States are required by the Securities and Exchange Commission (SEC) to report material events publicly. Breaches are one such
material event, and the SEC has made several recommendations (Securities and Exchange Commission (SEC) 2011; Securities and Exchange
Commission (SEC) 2018) on the disclosure of breach risks and events. The SEC’s (2011) guidance indicates that public firms must disclose significant
cybersecurity risks and breach events promptly in Part I, Item 1A, of the Form 10-K filing. The SEC’s (2018) guidance provides further clarification
on such disclosures. Further, firms are bound by U.S. state breach notification laws, which exist in all states, to notify individuals of breaches of personally
identifiable information (Huang and Wang 2021). As strategy does not vastly change from year to year, in an untabulated analysis, we also
examine the relationship between strategy and current breach likelihood. We find consistent evidence that higher strategy scores, those with a prospector
strategy, are associated with greater breach likelihood.


TABLE 1
Sample Selection

Panel A: Sample Selection

Firms with Compustat data between 2005 and 2019 (after eliminating firm-years
with zero or negative assets and sales, and missing SIC)                         145,681
Less firm-years with missing strategy values                                     (76,447)
Less firm-years operating in the Financial industry (SIC 6000–6999)              (13,426)
Less firm-years operating in the Utilities industry (SIC 4900–4999)               (3,989)
Less firm-years with missing Compustat values                                    (10,864)
Less firm-years with BoardEx values                                               (6,647)
Comprising:
    Prospector firm-years                                                          3,622
    Defender firm-years                                                            1,283

Total firm-year observations                                                      34,308

Panel B: Sample Distribution by Year


Breach Firms Nonbreach Firms Prospectors Defenders

Year Freq. Percent Freq. Percent Freq. Percent Freq. Percent


2005 131 7.35 2,954 9.08 375 10.35 98 7.64
2006 132 7.40 2,794 8.59 315 8.70 99 7.72
2007 130 7.29 2,615 8.04 276 7.62 94 7.33
2008 127 7.12 2,493 7.66 281 7.76 101 7.87
2009 123 6.90 2,425 7.46 287 7.92 82 6.39
2010 125 7.01 2,319 7.13 254 7.01 90 7.01
2011 129 7.23 2,219 6.82 243 6.71 100 7.79
2012 125 7.01 2,151 6.61 213 5.88 88 6.86
2013 125 7.01 2,060 6.33 210 5.80 76 5.92
2014 125 7.01 2,018 6.20 219 6.05 78 6.08
2015 117 6.56 1,940 5.96 214 5.91 70 5.46
2016 112 6.28 1,886 5.80 206 5.69 81 6.31
2017 108 6.06 1,843 5.67 213 5.88 88 6.86
2018 104 5.83 1,856 5.71 215 5.94 94 7.33
2019 70 3.93 952 2.93 101 2.79 44 3.43

Total 1,783 100 32,525 100 3,622 100 1,283 100



clustered at the firm level. All continuous variables are Winsorized at 1 and 99 percentage level. The definitions of all
variables used in our analyses are reported in Appendix B.

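$$
\begin{aligned}
\mathrm{Prob}(BREACH_{it+1} = 1) = {} & \beta_0 + \beta_1 STRATEGY_{it} + \beta_2 LNASSET_{it} + \beta_3 ROA_{it} + \beta_4 LEVERAGE_{it} \\
& + \beta_5 MB_{it} + \beta_6 LOSS_{it} + \beta_7 FOREIGN_{it} + \beta_8 BIG4_{it} + \beta_9 RISK_{it} + \beta_{10} TECH_{it} \\
& + \beta_{11} CIO_{it} + \beta_{12} IT\_ROLE_{it} + \beta_{13} ICW_{it} + \beta_{14} MERGER_{it} + \beta_{15} HIGHTECH_{it} \\
& + \beta_{16} RESTRUCTURE_{it} + \beta_{17} GROWTH_{it} + \beta_{18} LNFIRMAGE_{it} \\
& + \beta_{19} CEOCHAIR_{it} + IND + YEAR + \varepsilon_{it}
\end{aligned}
\tag{1}
$$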

Research demonstrates that the composite business strategy measure is more than a sum of its parts (Bentley et al.
2013; Bentley-Goode et al. 2017; Hsieh et al. 2018). Following Bentley et al. (2013) and Hsieh et al. (2018), we measure


TABLE 1 (continued)
Panel C: Breach Distribution by Fama-French 12-Industries
Breach Firms Nonbreach Firms Total

Industry Freq. Percent Freq. Percent Freq. Percent


Consumer Nondurables 69 3.87 1,767 5.43 1,836 9.30
Consumer Durables 21 1.18 1,082 3.33 1,103 4.51
Manufacturing 148 8.30 4,167 12.81 4,315 21.11
Energy Oil, and Gas Products 15 0.84 1,992 6.12 2,007 6.96
Chemicals and Allied Products 30 1.68 1,057 3.25 1,087 4.93
Computers, Software, and Electronic 520 29.16 8,059 24.78 8,579 53.94
Telephone and Television 148 8.30 1,042 3.20 1,190 11.50
Wholesale and Retail Services 440 24.68 3,612 11.11 4,052 35.79
Healthcare, Medical Equipment, and Drugs 168 9.42 5,128 15.77 5,296 25.19
Other 224 12.56 4,619 14.20 4,843 26.76

Total 1,783 100 32,525 100 34,308 100

Panel D: Strategy Distribution by Fama-French 12-Industries


Prospectors Defenders Analyzers Total

Industry Freq. Percent Freq. Percent Freq. Percent Freq. Percent


Consumer Nondurables 168 4.64 17 1.33 1,651 5.62 1,836 5.35
Consumer Durables 61 1.68 71 5.53 971 3.30 1,103 3.21
Manufacturing 314 8.67 258 20.11 3,743 12.73 4,315 12.58
Energy Oil, and Gas Products 337 9.30 6 0.47 1,664 5.66 2,007 5.85
Chemicals and Allied Products 8 0.22 289 22.53 790 2.69 1,087 3.17
Computers, Software, and Electronic 715 19.74 247 19.25 7,617 25.91 8,579 25.01
Telephone and Television 115 3.18 12 0.94 1,063 3.62 1,190 3.47
Wholesale and Retail Services 541 14.94 32 2.49 3,479 11.83 4,052 11.81
Healthcare, Medical Equipment, and Drugs 737 20.35 162 12.63 4,397 14.95 5,296 15.44
Other 626 17.28 189 14.73 4,028 13.70 4,843 14.12

Total 3,622 100 1,283 100 29,403 100 34,308 100

business strategy as the composite of six variables captured over a rolling prior five-year period.6 The measures are: the
ratio of the number of employees to sales (EMPS5); the standard deviation of the total number of employees (EMP5);
the ratio of research and development expenditures to sales (RDS5); one-year percent change in total sales (REV5); the
ratio of selling, general, and administrative expenses to sales (SGA5); and the ratio of property, plant, and equipment to
total assets (CAP5). Each measure is calculated per firm-year. Quintile rankings for each year and two-digit SIC industry
are used to score each measure, where observations in the highest (lowest) quintile receive a score of 5 (1). Firm strategy
is thus the sum of the six measures ranging from a minimum score of 6 to a maximum of 30. Higher (lower) scores
reflect a prospector-(defender-)oriented strategy. We use both a discrete strategy score (STRATEGY) and a

6
By following prior U.S.-based empirical strategy research (e.g., Bentley et al. 2013), we use equal weighting of our strategy component measures.
A. Eulerich, M. Eulerich, and Fligge (2023) note that given rapid globalization it might be reasonable to use other weights or measure
components. For instance, in a German setting, it appears that firm focus on differentiation and efficiency are not mutually exclusive, in contrast
with extant strategy measures following Miles and Snow’s (1978, 2003) typology (Eulerich et al. 2023). We further test an alternative
strategy specification, strategic emphasis. Strategic emphasis is captured through advertising expense minus research and development expenses
scaled by total assets (Mizik and Jacobson 2003). Firms can be classified as either value appropriating or value creating, which roughly
approximate the goals of defenders and prospectors, respectively. Higher values reflect value appropriation, in line with the defender strategy.
We find a negative relationship between strategic emphasis and breach likelihood, suggesting that value-creating firms, acting like prospectors,
are more likely to be breached. The alternative specification indicates the robust relationship between strategy and breach likelihood, reducing
concerns surrounding our strategy measure calculation.


dichotomous strategy measure to identify prospector strategy firms (PRO).7 Defenders have a score between 6 and 12;
analyzers have a score between 13 and 23 and share characteristics with the other two strategies; and prospectors have a
score between 24 and 30.8
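
The scoring procedure described above, as an added example that is not the authors' code: each of the six components is quintile-ranked within its year and two-digit SIC cell, the ranks are summed, and the sum is classified with the cut-offs given in the text. The firm values are constructed, and the tie rule and the `reverse` option are assumptions of this example, not statements from the paper.

```python
"""Composite STRATEGY score: six components, quintile-ranked within each
(year, two-digit SIC) cell, summed to a 6..30 score, then classified."""
from bisect import bisect_left
from collections import defaultdict

COMPONENTS = ("RDS5", "EMPS5", "REV5", "SGA5", "EMP5", "CAP5")


def quintile_scores(values):
    """Score each value 1..5 by its rank within the group.

    Tied values share the score of the lowest tied rank. This tie rule is an
    assumption of the example; the page does not say how ties are broken.
    """
    ordered = sorted(values)
    n = len(ordered)
    return [1 + (5 * bisect_left(ordered, v)) // n for v in values]


def strategy_scores(rows, reverse=()):
    """Return one composite score per row, in input order.

    rows    -- dicts with 'year', 'sic2' and the six component values
    reverse -- hypothetical option: components to score 5 (lowest) .. 1
               (highest); the default follows the page's wording, where the
               highest quintile always receives 5
    """
    cells = defaultdict(list)
    for idx, row in enumerate(rows):
        cells[(row["year"], row["sic2"])].append(idx)

    totals = [0] * len(rows)
    for members in cells.values():
        for comp in COMPONENTS:
            scores = quintile_scores([rows[i][comp] for i in members])
            for i, q in zip(members, scores):
                totals[i] += (6 - q) if comp in reverse else q
    return totals


def classify(score):
    """Map a composite score to a strategy type using the page's cut-offs."""
    if not 6 <= score <= 30:
        raise ValueError(f"score {score} outside 6..30")
    if score <= 12:
        return "defender"
    if score <= 23:
        return "analyzer"
    return "prospector"


def _firm(name, year, sic2, *vals):
    """Build one firm-year row from positional component values."""
    return {"firm": name, "year": year, "sic2": sic2,
            **dict(zip(COMPONENTS, vals))}


# Constructed firm-years (not data from the paper): one industry-year cell of
# five firms, ordered from highest to lowest on every component.
SAMPLE = [
    _firm("A", 2015, 73, 0.30, 0.020, 40.0, 0.60, 2.00, 0.50),
    _firm("B", 2015, 73, 0.10, 0.010, 20.0, 0.40, 1.00, 0.40),
    _firm("C", 2015, 73, 0.05, 0.006, 10.0, 0.30, 0.50, 0.30),
    _firm("D", 2015, 73, 0.01, 0.004, 5.0, 0.20, 0.20, 0.20),
    _firm("E", 2015, 73, 0.00, 0.003, 2.0, 0.10, 0.05, 0.10),
]

if __name__ == "__main__":
    for row, score in zip(SAMPLE, strategy_scores(SAMPLE)):
        print(row["firm"], score, classify(score))
```

Under this tie rule a cell with fewer than five firms cannot span all five quintiles, so thin industry-year cells compress scores toward the low end.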
We include a variety of control variables to control for the likelihood of a firm facing a breach. First, we control for
firm size (LNASSET), age (LNFIRMAGE), leverage (LEVERAGE), and annual growth (ROA, GROWTH, MB) as
larger, growing firms could face greater cybersecurity risk and greater disclosure incentives (e.g., Brown, Tian, and
Tucker 2018). Although long-term change in growth relative to other firms in the same industry-year is a component of
STRATEGY, controlling for annual growth enables us to distinguish breach risk established by recent firm growth.
Further, profitable firms (LOSS) and those with more complex operations (FOREIGN, MERGER, RESTRUCTURE)
could be more likely to incur and report a breach than other firms (Wang, Kannan, and Ulmer 2013; Kwon et al. 2013;
Gao, Zhong, and Mei 2015). We also account for the presence of an internal control material weakness (ICW) (Bentley-Goode
et al. 2017). We include several variables to control for executive, board of directors, and auditor characteristics
(Higgs et al. 2016; Feng and Wang 2018). Specifically, we control for the presence of a CIO, whether there is a technology
(TECH) or risk (RISK) committee on the board, whether the CEO is chairman of the board (CEOCHAIR), and
whether a Big 4 auditor is utilized (BIG4). Finally, we account for a firm’s IT strategic role (IT_ROLE) (Dehning,
Richardson, and Zmud 2003). IT strategic role captures firm IT intensity, specifically, the strategic role of IT investments
by SIC four-digit code and year using investment announcement data.
Next, we examine the relationship between business strategy, IT awareness (IT_AWARENESS), and breach likelihood.

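$$
\begin{aligned}
\mathrm{Prob}(BREACH_{it+1} = 1) = {} & \beta_0 + \beta_1 STRATEGY_{it} + \beta_2 IT\_AWARENESS_{it} \\
& + \beta_3 STRATEGY \times IT\_AWARENESS_{it} + \beta_4 LNASSET_{it} + \beta_5 ROA_{it} \\
& + \beta_6 LEVERAGE_{it} + \beta_7 MB_{it} + \beta_8 LOSS_{it} + \beta_9 FOREIGN_{it} + \beta_{10} BIG4_{it} \\
& + \beta_{11} RISK_{it} + \beta_{12} TECH_{it} + \beta_{13} CIO_{it} + \beta_{14} IT\_ROLE_{it} + \beta_{15} ICW_{it} \\
& + \beta_{16} MERGER_{it} + \beta_{17} HIGHTECH_{it} + \beta_{18} RESTRUCTURE_{it} \\
& + \beta_{19} GROWTH_{it} + \beta_{20} LNFIRMAGE_{it} + \beta_{21} CEOCHAIR_{it} + IND + YEAR + \varepsilon_{it}
\end{aligned}
\tag{2}
$$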

We capture IT awareness at both the executive and firm levels. At the executive level, the CEO approves security policies,
is informed of security reports, refines and communicates firm-wide security policies, and understands the firm information
risk profile; and the CFO has an increasing role in cybersecurity and control processes throughout the firms (Masli et al.
2016; Haislip et al. 2021). Firm-level risk-management practices that could enhance IT governance, including cybersecurity
practices, can be shaped by executive background and experiences (Vincent et al. 2017). As such, we first examine IT
expertise (CEOIT, CFOIT), captured through BoardEx education and work experience. Executives without IT expertise
could be guided by their firm strategy more than an executive who has greater IT experience. At the firm level, we examine
three characteristics: the presence of a CIO (CIO), the presence of a technology committee on the board (TECH) (Higgs
et al. 2016), and whether the firm operates in an IT industry (IT_INDUSTRY). Collectively, these factors capture a firm’s
technological savviness. Firms with greater technology understanding could have policies to address cybersecurity risk distinct
from an overarching firm strategy focused on innovation and the adoption of multiple technologies.

IV. RESULTS

Descriptive Statistics
Table 2 presents descriptive statistics. Panel A provides details on the construction of STRATEGY. We note that
the mean strategy score in our sample is 18.979, consistent with prior organizational theory research. We further note
that prospectors have higher strategy scores than defenders. Panel B presents summary statistics for the full sample. We

7
We use the discrete measure STRATEGY as our primary strategy identifier in our analyses, as it captures nuances in analyzer firms that can have
strategy scores closer to prospectors or defenders that would otherwise be disregarded in our setting. We use PRO as a supplementary measure providing
additional evidence on the robustness of our results. As analyzer firms share characteristics with both prospector and defender strategies, we
also tabulate an additional dichotomous variable (PRO_ALT) to facilitate their inclusion in our discussion. Our results are robust.
8
Following Balsam, Fernando, and Tripathy (2011), we also use the alternative strategy measures of differentiation and cost leadership described by
Porter (1980). Relative to the Miles and Snow (1978) framework, differentiation is similar to a prospector strategy, and cost leadership is similar to a
defender strategy. Our results are robust to this alternative specification. Specifically, we find a positive association between a differentiation strategy
and breach likelihood (t = 2.32). We further note a negative association between a cost leadership strategy and breach likelihood (t = 1.82), suggesting
that an efficiency-focused strategy can assist in strengthening cybersecurity activities. Results are consistent if both differentiation and cost leadership
variables are included in the same model.


TABLE 2
Descriptive Statistics

Panel A: Composite and Component STRATEGY


Full Sample (n = 34,308) Prospectors (n = 3,622) Defenders (n = 1,283)

Variables Mean Median Q1 Q3 Std. Dev. Mean Median Mean Median


STRATEGY 18.979 19.000 17.000 21.000 3.574 25.107 25.000 11.156 11.000
STRATEGY components:
RDS5 0.672 0.007 0.000 0.105 3.877 2.501 0.030 0.033 0.000
EMPS5 0.014 0.004 0.003 0.007 0.121 0.037 0.007 0.003 0.003
REV5 107.504 8.963 2.058 20.260 3,124.644 258.698 29.064 2.421 1.993
SGA5 1.266 0.238 0.113 0.426 22.145 5.977 0.397 0.163 0.138
EMP5 1.365 0.193 0.040 0.832 5.048 1.913 0.292 0.297 0.045
CAP5 0.245 0.161 0.073 0.349 0.228 0.193 0.102 0.389 0.360

Panel B: Summary Statistics (n = 34,308)


Variables Mean Std. Dev. Q1 Median Q3
BREACH 0.007 0.081 0.000 0.000 0.000
STRATEGY 18.979 3.574 17.000 19.000 21.000
PRO 0.106 0.307 0.000 0.000 0.000
PRO_ALT 0.554 0.497 0.000 1.000 1.000
LNASSET 6.090 2.328 4.521 6.193 7.682
ROA 0.115 0.947 0.051 0.031 0.074
LEVERAGE 0.193 0.239 0.000 0.128 0.296
MB 2.517 7.193 1.170 1.579 2.389
LOSS 0.352 0.477 0.000 0.000 1.000
FOREIGN 0.332 0.471 0.000 0.000 1.000
BIG4 0.547 0.498 0.000 1.000 1.000
RISK 0.021 0.145 0.000 0.000 0.000
TECH 0.035 0.185 0.000 0.000 0.000
CIO 0.423 0.494 0.000 0.000 1.000
IT_ROLE 1.527 1.180 0.000 2.000 2.000
ICW 0.044 0.205 0.000 0.000 0.000
MERGER 0.388 0.487 0.000 0.000 1.000
RESTRUCTURE 0.338 0.473 0.000 0.000 1.000
GROWTH 0.140 0.666 0.040 0.059 0.174
LNFIRMAGE 3.090 0.556 2.639 3.045 3.497
CEOCHAIR 0.422 0.494 0.000 0.000 1.000
DT 0.613 0.521 0.241 0.448 0.832
CEOTURNOVER 0.056 0.230 0.000 0.000 0.000
CEOIT 0.035 0.184 0.000 0.000 0.000
CFOIT 0.012 0.110 0.000 0.000 0.000
FLUIDITY 6.455 3.448 3.966 5.708 8.119

note that firms in our sample are, on average, large and profitable firms that are not likely to receive an internal control
material weakness. In Panel C, we compare mean differences between breached and nonbreached firm-year observations.
We find that breached firms are larger, have higher ROA, and are more likely to use a Big 4 auditor and have a
CIO than nonbreached firms. In Panel D, we compare mean differences between prospector and defender strategy firm-year
observations. We find that prospectors are more leveraged, are more likely to have a Big 4 auditor, and are more


TABLE 2 (continued)
Panel C: Comparison of the Mean Value of Variables of Breach Firms and Nonbreach Firms
Breach Firms (n = 1,783) Nonbreach Firms (n = 32,525)

Variables Mean Std. Dev. Median Mean Std. Dev. Median Wilcoxon Rank-Sum Test
STRATEGY 19.577 2.894 19.000 18.946 3.605 19.000 (0.00)
PRO 0.088 0.283 0.000 0.107 0.309 0.000 (0.01)
PRO_ALT 0.658 0.475 1.000 0.548 0.498 1.000 (0.00)
LNASSET 8.479 1.926 8.761 5.699 2.448 6.000 (0.00)
ROA 0.039 0.173 0.053 0.124 0.971 0.029 (0.00)
LEVERAGE 0.253 0.229 0.209 0.190 0.239 0.122 (0.00)
MB 3.371 10.997 2.715 2.767 8.403 1.979 (0.00)
LOSS 0.169 0.375 0.000 0.362 0.480 0.000 (0.00)
FOREIGN 0.331 0.471 0.000 0.332 0.471 0.000 (0.92)
BIG4 0.701 0.458 1.000 0.539 0.498 1.000 (0.00)
RISK 0.043 0.203 0.000 0.020 0.141 0.000 (0.00)
TECH 0.057 0.231 0.000 0.034 0.182 0.000 (0.00)
CIO 0.796 0.403 1.000 0.402 0.490 0.000 (0.00)
IT_ROLE 1.836 1.148 2.000 1.510 1.179 2.000 (0.00)
ICW 0.040 0.196 0.000 0.075 0.263 0.000 (0.00)
MERGER 0.568 0.495 1.000 0.378 0.485 0.000 (0.00)
RESTRUCTURE 0.504 0.500 1.000 0.328 0.470 0.000 (0.00)
GROWTH 0.081 0.266 0.053 0.143 0.681 0.059 (0.00)
LNFIRMAGE 3.405 0.607 3.401 3.073 0.548 3.045 (0.00)
CEOCHAIR 0.694 0.461 1.000 0.407 0.491 0.000 (0.00)
DT 0.726 0.565 0.546 0.606 0.517 0.448 (0.00)
CEOTURNOVER 0.118 0.322 0.000 0.526 0.223 0.000 (0.00)
CEOIT 0.036 0.187 0.000 0.035 0.183 0.000 (0.72)
CFOIT 0.129 0.113 0.000 0.012 0.110 0.000 (0.81)
FLUIDITY 6.404 3.193 5.856 6.458 3.461 5.698 (0.41)

Panel D: Comparison of the Mean Value of Variables of Prospectors and Defenders


Prospectors (n = 3,622) Defenders (n = 1,283)

Variables Mean Std. Dev. Median Mean Std. Dev. Median Wilcoxon Rank-Sum Test
BREACH 0.007 0.086 0.000 0.007 0.082 0.000 (0.17)
STRATEGY 25.107 1.226 25.000 19.283 3.280 19.000 (0.00)
LNASSET 5.255 2.863 5.793 5.858 2.518 6.129 (0.00)
ROA 0.311 1.441 0.001 0.118 0.947 0.031 (0.00)
LEVERAGE 0.217 0.273 0.141 0.192 0.239 0.127 (0.03)
MB 3.306 10.760 2.314 2.838 8.633 2.031 (0.00)
LOSS 0.502 0.500 1.000 0.354 0.478 0.000 (0.00)
FOREIGN 0.315 0.465 0.000 0.333 0.471 0.000 (0.43)
BIG4 0.561 0.496 1.000 0.553 0.497 1.000 (0.00)
RISK 0.008 0.089 0.000 0.021 0.144 0.000 (0.00)
TECH 0.027 0.161 0.000 0.036 0.187 0.000 (0.08)
CIO 0.402 0.490 0.000 0.429 0.495 0.000 (0.00)
IT_ROLE 1.315 1.215 2.000 1.522 1.183 2.000 (0.00)
ICW 0.098 0.297 0.000 0.073 0.261 0.000 (0.00)
MERGER 0.400 0.490 0.000 0.393 0.488 0.000 (0.00)
RESTRUCTURE 0.308 0.462 0.000 0.341 0.474 0.000 (0.00)
GROWTH 0.301 1.045 0.095 0.142 0.675 0.060 (0.00)


TABLE 2 (continued)

Prospectors (n = 3,622) Defenders (n = 1,283)

Variables Mean Std. Dev. Median Mean Std. Dev. Median Wilcoxon Rank-Sum Test
LNFIRMAGE 2.914 0.549 2.833 3.087 0.556 3.045 (0.00)
CEOCHAIR 0.361 0.480 0.000 0.425 0.494 0.000 (0.19)
DT 0.613 0.518 0.448 0.614 0.521 0.448 (0.07)
CEOTURNOVER 0.115 0.319 0.000 0.114 0.317 0.000 (0.89)
CEOIT 0.036 0.187 0.000 0.036 0.186 0.000 (0.00)
CFOIT 0.009 0.094 0.000 0.013 0.111 0.000 (0.37)
FLUIDITY 7.360 3.743 6.615 6.505 3.474 5.760 (0.00)

Panel E: Pearson Correlation Coefficients


(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11)
BREACH (1) 1.0000
STRATEGY (2) 0.0193 1.0000
PRO (3) 0.0036 0.5891 1.0000
PRO_ALT (4) 0.0182 0.8032 0.3082 1.0000
LNASSET (5) 0.0966 0.0535 0.0808 0.0402 1.0000
ROA (6) 0.0143 0.0889 0.0709 0.0734 0.3508 1.0000
LEVERAGE (7) 0.0137 0.0273 0.0344 0.0299 0.1544 0.1028 1.0000
MB (8) 0.0151 0.0429 0.0204 0.0340 0.0326 0.0747 0.0665 1.0000
LOSS (9) 0.0345 0.1361 0.1080 0.1101 0.4493 0.2716 0.0618 0.0364 1.0000
FOREIGN (10) 0.0033 0.0198 0.0124 0.0276 0.1732 0.0641 0.0372 0.0044 0.0550 1.0000
BIG4 (11) 0.0244 0.0647 0.0095 0.0560 0.3927 0.1135 0.0851 0.0281 0.1469 0.1253 1.0000
RISK (12) 0.0078 0.0312 0.0318 0.0104 0.1016 0.0211 0.0268 0.0095 0.0422 0.0335 0.0556
TECH (13) 0.0057 0.0037 0.0161 0.0131 0.1130 0.0217 0.0021 0.0181 0.0396 0.0562 0.0636
CIO (14) 0.0612 0.0516 0.0143 0.0434 0.3706 0.0730 0.0365 0.0253 0.1171 0.0881 0.1869
IT_ROLE (15) 0.0169 0.0847 0.0617 0.0685 0.0445 0.0229 0.0232 0.0271 0.0392 0.0165 0.0027
ICW (16) 0.0104 0.0355 0.0332 0.0275 0.1405 0.1413 0.0140 0.0212 0.1198 0.0134 0.0924
MERGER (17) 0.0309 0.0387 0.0085 0.0267 0.3445 0.1072 0.0598 0.0172 0.2013 0.1208 0.1493
RESTRUCTURE (18) 0.0193 0.0074 0.0216 0.0150 0.2873 0.0496 0.0898 0.0230 0.0164 0.2074 0.1813
GROWTH (19) 0.0073 0.1127 0.0834 0.0884 0.0836 0.0339 0.0142 0.0372 0.0188 0.0284 0.0070
LNFIRMAGE (20) 0.0472 0.1633 0.1090 0.1376 0.2858 0.0628 0.0063 0.0238 0.2115 0.0496 0.0224
CEOCHAIR (21) 0.0461 0.0098 0.0421 0.0018 0.4109 0.1215 0.0060 0.0150 0.2511 0.0639 0.2102
DT (22) 0.0295 0.0012 0.0003 0.0031 0.0630 0.0054 0.0601 0.0073 0.0502 0.1994 0.0237

likely to have a loss than defender firms. However, we do not note a significant difference in breach likelihood. Panel E
presents Pearson correlation coefficients.

Main Analyses
We first examine the relationship between business strategy and the likelihood of reporting a breach event
(BREACH) in Table 3. We expect that firms with a prospector business strategy have higher breach risk than defender
strategy firms, thus increasing breach likelihood. We find a positive association between our discrete strategy score measure
(STRATEGY) and breach likelihood (p < 0.01, z = 2.69), consistent with our first hypothesis. A 1-point increase in
STRATEGY is associated with a 3.2 percent increase in breach likelihood. Our results suggest that firms with a prospector
business strategy uniquely face a greater likelihood of reporting a breach than analyzer and defender firms. We similarly
find a positive and significant relationship between our dichotomous prospector strategy measures and the


TABLE 2 (continued)
(12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22)
RISK (12) 1.0000
TECH (13) 0.0065 1.0000
CIO (14) 0.0496 0.1061 1.0000
IT_ROLE (15) 0.0195 0.0231 0.1342 1.0000
ICW (16) 0.0143 0.0247 0.0427 0.0158 1.0000
MERGER (17) 0.0253 0.0562 0.1696 0.0723 0.0352 1.0000
RESTRUCTURE (18) 0.0257 0.0854 0.2147 0.0643 0.0204 0.1685 1.0000
GROWTH (19) 0.0159 0.0037 0.0525 0.0097 0.0243 0.0197 0.0808 1.0000
LNFIRMAGE (20) 0.0294 0.0669 0.0836 0.0895 0.0381 0.0682 0.1190 0.0815 1.0000
CEOCHAIR (21) 0.0222 0.0909 0.1954 0.0304 0.0804 0.1717 0.1502 0.0577 0.2577 1.0000
DT (22) 0.0033 0.0387 0.0088 0.0170 0.0038 0.0402 0.0833 0.0206 0.0689 0.0311 1.0000
 Indicates that coefficients are significant at the 10 percent level.
This table reports descriptive statistics of the full sample. Panel A presents summary statistics for the full sample. Panel B compares mean and median statistics
for breach and nonbreach firm-year observations, while Panel C compares mean and median statistics for prospector and defender firm-year observations.
Panel D presents Pearson correlation coefficients. All continuous variables are Winsorized at the 1 percent and 99 percent level.
Please refer to Appendix B for variable definitions.

TABLE 3
Business Strategy and Breaches

Dependent Variable: Prob(BREACH = 1)

            (1)               (2)               (3)
Variables   Coef.   z-value   Coef.   z-value   Coef.   z-value

Constant    6.313   (12.83)   5.692   (14.24)   5.750   (14.25)
STRATEGY    0.032   (2.69)
PRO                           0.211   (1.97)
PRO_ALT                                         0.140   (2.06)
LNASSET     0.269   (8.63)    0.272   (8.71)    0.268   (8.69)
ROA         0.074   (0.24)    0.055   (0.18)    0.060   (0.19)
LEVERAGE    0.014   (0.08)    0.042   (0.23)    0.020   (0.11)
MB          0.004   (0.98)    0.004   (1.04)    0.004   (1.00)
LOSS        0.068   (0.80)    0.073   (0.86)    0.075   (0.88)
FOREIGN     0.078   (1.13)    0.075   (1.07)    0.073   (1.06)
BIG4        0.087   (1.18)    0.082   (1.12)    0.083   (1.13)
RISK        0.054   (0.28)    0.041   (0.22)    0.031   (0.16)
TECH        0.169   (1.26)    0.178   (1.34)    0.156   (1.16)
CIO         0.158   (2.25)    0.167   (2.38)    0.158   (2.26)
IT_ROLE     0.019   (0.50)    0.018   (0.47)    0.017   (0.45)


likelihood of reporting a breach in t+1 (PRO, p < 0.05, z = 1.97; PRO_ALT, p < 0.05, z = 2.06). Having a prospector
strategy is associated with a 14 to 21.1 percent increase in breach likelihood compared to other firms, depending on the
specification of prospector firms. Our findings are not contingent on how we capture a firm’s business strategy.9 Our
results suggest that organizational instability stemming from decentralized controls implemented to facilitate diverse,
innovative operations place prospector firms at significantly greater risk of cybersecurity breaches. Although prospectors

9
The highest variance inflation factor in our model is 2.71 (SIZE). As such, multicollinearity is not a concern in our setting. We additionally restrict
our sample to only firms meeting the strict strategy score requirements described by Bentley et al. (2013) as being identified as having a defender or
prospector strategy. We continue to find a positive relationship between prospector business strategy and breach likelihood.


TABLE 3 (continued)

Dependent Variable: Prob(BREACH = 1)

(1) (2) (3)

Variables Coef. z-value Coef. z-value Coef. z-value


ICW 0.077 (0.59) 0.080 (0.61) 0.080 (0.62)
MERGER 0.004 (0.05) 0.006 (0.08) 0.008 (0.10)
RESTRUCTURE 0.040 (0.58) 0.044 (0.64) 0.042 (0.62)
GROWTH 0.060 (0.60) 0.040 (0.43) 0.036 (0.39)
LNFIRMAGE 0.089 (1.29) 0.073 (1.07) 0.081 (1.17)
CEOCHAIR 0.085 (1.18) 0.089 (1.24) 0.087 (1.21)
Year FE Yes Yes Yes
Industry FE Yes Yes Yes
Pseudo R2 0.2406 0.2387 0.2387
Area under ROC 0.8873 0.8857 0.8861
Observations 34,308 34,308 34,308
***, **, * Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between business strategy (STRATEGY, PRO, PRO_ALT) and breaches (BREACH_{it+1}). All continuous variables
are Winsorized at the 1 percent and 99 percent level. The standard error is clustered at the firm level.
Please refer to Appendix B for variable definitions.

TABLE 4
Business Strategy, IT Awareness, and Breaches

Panel A: CEO and CFO IT Expertise


                    (1)               (2)
Variables           Coef.   z-value   Coef.   z-value

Constant            6.421   (12.44)   6.314   (12.86)
STRATEGY            0.029   (2.40)    0.032   (2.70)
CEOIT               1.597   (1.80)
CFOIT                                 2.013   (3.32)
STRATEGY × CEOIT    0.079   (1.67)
STRATEGY × CFOIT                      0.142   (4.59)
LNASSET             0.271   (8.74)    0.271   (8.65)
ROA                 0.064   (0.55)    0.083   (0.26)
LEVERAGE            0.195   (1.12)    0.016   (0.09)
MB                  0.005   (1.13)    0.004   (0.98)
LOSS                0.068   (0.87)    0.070   (0.82)
FOREIGN             0.089   (1.26)    0.079   (1.13)
BIG4                0.085   (1.15)    0.089   (1.21)
RISK                0.063   (0.33)    0.063   (0.33)
TECH                0.091   (0.74)    0.163   (1.23)
CIO                 0.151   (2.16)    0.160   (2.27)


have greater flexibility in changing their operations, the low degree of mechanization or routinization compared to
defenders can be disadvantageous.
We next examine the relationship between business strategy, IT awareness, and breach likelihood in Table 4. In
Panel A, we examine CEO and CFO IT expertise. We find that having a CEO or CFO with IT expertise mitigates the


TABLE 4 (continued)

(1) (2)

Variables Coef. z-value Coef. z-value


IT_ROLE 0.063 (2.10) 0.022 (0.57)
ICW 0.090 (0.71) 0.077 (0.59)
MERGER 0.010 (0.14) 0.002 (0.03)
RESTRUCTURE 0.031 (0.45) 0.040 (0.58)
GROWTH 0.057 (0.60) 0.061 (0.60)
LNFIRMAGE 0.060 (0.88) 0.087 (1.27)
CEOCHAIR 0.077 (1.08) 0.083 (1.15)
Year FE Yes Yes
Industry FE Yes Yes
Pseudo R2 0.2239 0.2418
Area under ROC 0.8829 0.8881
Observations 34,308 34,308

Panel B: Firm IT Awareness


                          (1)               (2)               (3)
Variables                 Coef.   z-value   Coef.   z-value   Coef.   z-value

Constant                  5.799   (13.10)   9.634   (12.24)   6.288   (12.52)
STRATEGY                  0.026   (1.85)    0.022   (1.78)    0.027   (2.07)
CIO                       0.271   (0.70)    0.139   (0.86)    0.150   (1.11)
TECH                                        1.213   (1.54)
IT_INDUSTRY                                                   0.889   (1.93)
STRATEGY × CIO            0.013   (0.65)
STRATEGY × TECH                             0.069   (1.77)
STRATEGY × IT_INDUSTRY                                        0.041   (1.71)
LNASSET                   0.248   (8.28)    0.238   (7.49)    0.227   (7.94)
ROA                       0.240   (0.67)    0.057   (0.46)    0.076   (0.53)
LEVERAGE                  0.098   (0.52)    0.073   (0.42)    0.165   (0.98)
MB                        0.006   (1.33)    0.002   (0.49)    0.002   (0.60)
LOSS                      0.069   (0.79)    0.146   (1.75)    0.142   (1.72)
FOREIGN                   0.083   (1.22)    0.087   (1.24)    0.087   (1.27)
BIG4                      0.102   (1.33)    0.080   (1.02)    0.081   (1.06)
RISK                      0.095   (0.51)    0.155   (0.86)    0.088   (0.49)
IT_ROLE                   0.190   (1.43)    0.102   (0.97)    0.009   (0.22)
ICW                       0.172   (2.00)    0.115   (0.89)    0.115   (0.90)
MERGER                    0.035   (1.12)    0.021   (0.28)    0.036   (0.51)
RESTRUCTURE               0.098   (0.76)    0.098   (1.44)    0.093   (1.36)
GROWTH                    0.009   (0.13)    0.156   (1.62)    0.131   (1.53)
LNFIRMAGE                 0.002   (0.02)    0.195   (2.60)    0.198   (2.77)
CEOCHAIR                  0.101   (0.94)    0.111   (1.51)    0.109   (1.49)
Year FE                   Yes               Yes               Yes
Industry FE               Yes               Yes               Yes
Pseudo R2                 0.2124            0.2486            0.2259
Area under ROC            0.8783            0.8843            0.8788
Observations              34,308            34,308            34,308
***, **, * Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between business strategy (STRATEGY), IT awareness, and breaches (BREACH_{it+1}). Panel A examines IT expertise
at the executive level (CEOIT, CFOIT). Panel B examines IT awareness at the firm level (CIO, TECH, and IT_INDUSTRY). All continuous
variables are Winsorized at the 1 percent and 99 percent level. The standard error is clustered at the firm level.
Please refer to Appendix B for variable definitions.


TABLE 5
IT Strategic Role

Panel A: IT Role and Strategy


(1)

Variables Coef. t-statistic


Constant 21.559 (29.12)
IT_ROLE 1.328 (3.58)
SIZE 0.004 (0.14)
ROA 0.331 (6.21)
LEVERAGE 0.836 (4.22)
MB 0.021 (6.95)
LOSS 1.184 (15.54)
FOREIGN 0.267 (2.71)
BIG4 0.390 (3.76)
RISK 0.817 (3.07)
TECH 0.408 (1.90)
CIO 0.496 (5.37)
ICW 0.284 (2.76)
MERGER 0.579 (8.13)
RESTRUCTURE 0.117 (1.52)
GROWTH 0.585 (17.88)
LNFIRMAGE 1.052 (11.52)
CEOCHAIR 0.186 (1.99)
Year FE Yes
Industry FE Yes
Adjusted R2 0.1603
Observations 34,308

positive association between strategy and breach likelihood. Specifically, the interaction terms CEOIT × STRATEGY (p <
0.10, z = 1.67) and CFOIT × STRATEGY (p < 0.01, z = 4.59) are negatively associated with breach likelihood.
Although strategy remains positively associated with breach risk, our results suggest that executive-level IT awareness can
assist in mitigating IT risk and managing IT governance, extending prior research findings (Vincent et al. 2017; Haislip
et al. 2021). In Panel B, we examine firm-level IT awareness. We do not find a significant association between
STRATEGY × CIO and breach likelihood (z = 0.65).10 However, strategy remains positively associated with the likelihood
of reporting a breach (z = 1.85). One possible explanation is that a CIO may not have enough latitude over IT
activities to mitigate an increase in breach risk, particularly if the firm is involved in the acquisition of multiple technologies.
Moreover, we find that having a technology committee on the board of directors can assist in mitigating the relationship
between strategy and breach likelihood (STRATEGY × TECH, p < 0.10, z = 1.77). A technology committee could
help oversee policies and the establishment of internal controls, allaying some cybersecurity concerns. We similarly
find that operating in an IT-intensive industry can assist in mitigating breach risk (STRATEGY × IT_INDUSTRY,

¹⁰ We note that firms with and without CIOs can have differences that necessitate the examination of such firm-years separately. For instance,
Chatterjee, Richardson, and Zmud (2001) find that the creation of a CIO role is viewed as value adding by market participants. In turn, these firms
can be viewed as having a different inherent approach to IT governance than firms lacking a CIO. We alternatively examine the relationship
between strategy, the presence of a CIO, and breach likelihood by partitioning the sample into firm-years with and without a CIO. We find a positive
association between strategy and breach likelihood only for firm-years lacking a CIO (p < 0.01, z = 2.60). The difference between the STRATEGY
coefficient for firm-years with and without a CIO is significant (p = 0.03). We also examine our other firm-level measures using a similar approach
and find that our results are robust to such alternative specification. Caution remains needed in interpreting the interaction terms. A negative
interaction term can reflect either a mitigation in increased breach risk or a direct reduction in breach risk.


TABLE 5 (continued)
Panel B: IT Role and Breach Likelihood
(1) (2) (3)
Informate Automate Transform

Variables Coef. z-value Coef. z-value Coef. z-value


Constant 21.559 (29.12) 5.898 (13.34) 5.922 (13.02)
STRATEGY 0.062 (2.80) 0.033 (2.67) 0.032 (2.32)
IT_ROLE_INFORMATE 1.225 (2.17)
STRATEGY × IT_ROLE_INFORMATE 0.049 (1.74)
IT_ROLE_AUTOMATE 0.405 (0.73)
STRATEGY × IT_ROLE_AUTOMATE 0.022 (0.79)
IT_ROLE_TRANSFORM 0.228 (0.48)
STRATEGY × IT_ROLE_TRANSFORM 0.003 (0.11)
SIZE 0.266 (8.46) 0.248 (8.11) 0.248 (8.31)
ROA 0.084 (0.28) 0.250 (0.69) 0.249 (0.69)
LEVERAGE 0.090 (0.48) 0.089 (0.47) 0.102 (0.55)
MB 0.003 (0.74) 0.006 (1.32) 0.006 (1.32)
LOSS 0.065 (0.71) 0.071 (0.80) 0.070 (0.80)
FOREIGN 0.052 (0.72) 0.085 (1.25) 0.090 (1.30)
BIG4 0.083 (1.09) 0.104 (1.36) 0.097 (1.27)
RISK 0.149 (0.69) 0.103 (0.55) 0.079 (0.44)
TECH 0.214 (1.56) 0.186 (1.37) 0.188 (1.41)
CIO 0.134 (1.76) 0.168 (2.41) 0.154 (2.21)
ICW 0.048 (0.35) 0.097 (0.75) 0.093 (0.73)
MERGER 0.009 (0.12) 0.006 (0.08) 0.022 (0.31)
RESTRUCTURE 0.063 (0.89) 0.003 (0.04) 0.002 (0.03)
GROWTH 0.109 (0.91) 0.102 (0.96) 0.106 (0.97)
LNFIRMAGE 0.073 (0.96) 0.089 (1.24) 0.100 (1.40)
CEOCHAIR 0.089 (1.18) 0.076 (1.05) 0.079 (1.10)
Year FE Yes Yes Yes
Industry FE Yes Yes Yes
Pseudo R2 0.3138 0.2117 0.2136
Area under ROC 0.8877 0.8873 0.8875
Observations 34,308 34,308 34,308
, ,  Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between IT strategic role, strategy, and breach likelihood. Panel A examines the relationship between IT strategic
role (IT_ROLE) and strategy score (STRATEGY). Panel B examines the relationship between IT Strategic roles (IT_ROLE_INFORMATE,
IT_ROLE_AUTOMATE, and IT_ROLE_TRANSFORM), strategy, and breach likelihood (BREACH). All continuous variables are Winsorized
at the 1 percent and 99 percent level. The standard error is clustered at the firm level.
Please refer to Appendix B for variable definitions.

p < 0.10, z = 1.71).¹¹ Although operating in an IT industry can increase the likelihood of facing a breach
(IT_INDUSTRY, p < 0.10, z = 1.93), it appears to affect a firm’s response to cybersecurity activities and controls.
Collectively, our results suggest that executive- and firm-level IT awareness can impact breach likelihood, given the
existing business strategy, providing support for our second hypothesis.
We recognize that a firm’s strategic IT role could affect not only the strategy undertaken by a firm, but also overall
exposure to cybersecurity risk. As such, in Table 5, we specifically examine the impact of strategic IT role. Following
Dehning et al. (2003), there are three IT roles: informate, automate, and transform. An informate IT role provides data

¹¹ We define IT industry as operating in one of the following SIC three-digit industries: 357, 367, or 737. Alternatively, we also examine two
breach-intensive industries: Computers, Software, and Electronic and Wholesale and Retail Services. Our results are not contingent on Computers,
Software, and Electronic industry or retail industry breach events. We continue to note a relationship between strategy and breach likelihood.


TABLE 6
Firm Diversification

Panel A: DT
(1) (2) (3)
STRATEGY PRO PRO_ALT

Variables Coef. z-value Coef. z-value Coef. z-value


Constant 9.590 (10.68) 9.089 (24.92) 9.080 (73.97)
STRATEGY 0.016 (1.04) 0.001 (0.01) 0.010 (0.06)
DT 0.472 (1.73) 0.004 (0.08) 0.007 (0.13)
STRATEGY × DT 0.026 (1.91) 0.300 (2.20) 0.290 (2.10)
LNASSET 0.273 (8.43) 0.275 (8.57) 0.275 (8.58)
ROA 0.044 (0.15) 0.017 (0.06) 0.015 (0.06)
LEVERAGE 0.058 (0.31) 0.113 (0.62) 0.114 (0.62)
MB 0.005 (1.05) 0.005 (1.09) 0.005 (1.09)
LOSS 0.053 (0.63) 0.063 (0.75) 0.063 (0.76)
FOREIGN 0.082 (1.18) 0.079 (1.12) 0.078 (1.11)
BIG4 0.077 (1.04) 0.066 (0.89) 0.066 (0.88)
RISK 0.096 (0.49) 0.080 (0.42) 0.079 (0.41)
TECH 0.200 (1.44) 0.194 (1.40) 0.193 (1.39)
CIO 0.151 (2.13) 0.163 (2.30) 0.161 (2.27)
IT_ROLE 0.169 (1.58) 0.135 (1.28) 0.133 (1.27)
ICW 0.066 (0.51) 0.065 (0.50) 0.066 (0.51)
MERGER 0.006 (0.08) 0.007 (0.10) 0.008 (0.11)
RESTRUCTURE 0.038 (0.55) 0.042 (0.61) 0.040 (0.59)
GROWTH 0.076 (0.70) 0.049 (0.49) 0.047 (0.47)
LNFIRMAGE 0.084 (1.18) 0.064 (0.90) 0.064 (0.90)
CEOCHAIR 0.096 (1.33) 0.102 (1.41) 0.100 (1.39)
Year FE Yes Yes Yes
Industry FE Yes Yes Yes
Pseudo R2 0.2627 0.2611 0.2606
Area under ROC 0.8907 0.8889 0.8889
Observations 34,308 34,308 34,308

or information to empower employees, whereas an automate role automates business processes. Comparatively, a transform
IT role fundamentally alters how business is conducted through changes to business processes and relationships. In
Panel A, we first examine whether there is an association between strategic IT role (IT_ROLE) and strategy score
(STRATEGY). We find a significant negative association between IT role and strategy, suggesting that firms with IT
roles focused on automation or the provision of additional information to employees are less likely to have a prospector
strategy. That is, automate and informate IT roles focus on empowering decision making rather than on the
rapid change of a prospector strategy.
In Panel B, we further investigate the impact of the three strategic IT roles (IT_ROLE_INFORMATE,
IT_ROLE_AUTOMATE, and IT_ROLE_TRANSFORM) on the relationship between strategy and breach likelihood.
We find that an informate IT role can moderate the positive relationship between strategy and breach risk, reducing
future breach likelihood (IT_ROLE_INFORMATE × STRATEGY, p < 0.10, z = 1.74). One possible explanation is
that the provision of additional data and information through an informate IT role can assist in empowering managers
to make informed decisions, even if there is a prospector strategy, reducing risk. Relatedly, we do not find any evidence
that either an automate or a transform role affects the relationship between strategy and breach likelihood. The mere
automation of existing business processes might not have enough weight to affect cybersecurity activities. Further, transforming
processes and relationships through IT might not leave enough resources to consider the impact of strategy on
organizational risk.


TABLE 6 (continued)
Panel B: FLUIDITY
(1) (2) (3)
STRATEGY PRO PRO_ALT

Variables Coef. z-value Coef. z-value Coef. z-value


Constant 5.124 (9.47) 5.344 (15.70) 5.355 (15.61)
STRATEGY 0.013 (0.60) 0.250 (1.53) 0.293 (1.81)
FLUIDITY 0.134 (2.07) 0.002 (0.15) 0.006 (0.47)
STRATEGY × FLUIDITY 0.007 (2.28) 0.071 (3.30) 0.072 (3.36)
LNASSET 0.248 (8.25) 0.251 (8.23) 0.249 (8.19)
ROA 0.299 (0.80) 0.272 (0.74) 0.274 (0.74)
LEVERAGE 0.112 (0.61) 0.075 (0.41) 0.076 (0.42)
MB 0.006 (1.33) 0.006 (1.35) 0.006 (1.35)
LOSS 0.066 (0.74) 0.070 (0.80) 0.071 (0.80)
FOREIGN 0.081 (1.18) 0.080 (1.15) 0.078 (1.13)
BIG4 0.110 (1.45) 0.107 (1.39) 0.106 (1.39)
RISK 0.088 (0.47) 0.080 (0.43) 0.076 (0.41)
TECH 0.177 (1.32) 0.187 (1.40) 0.186 (1.38)
CIO 0.164 (2.36) 0.172 (2.48) 0.173 (2.49)
IT_ROLE 0.032 (1.02) 0.033 (1.05) 0.032 (1.03)
ICW 0.093 (0.73) 0.097 (0.76) 0.096 (0.75)
MERGER 0.009 (0.13) 0.001 (0.01) 0.001 (0.01)
RESTRUCTURE 0.006 (0.09) 0.006 (0.08) 0.006 (0.08)
GROWTH 0.120 (1.10) 0.103 (1.00) 0.105 (1.03)
LNFIRMAGE 0.096 (1.30) 0.082 (1.12) 0.083 (1.13)
CEOCHAIR 0.078 (1.07) 0.084 (1.15) 0.086 (1.17)
Year FE Yes Yes Yes
Industry FE Yes Yes Yes
Pseudo R2 0.2144 0.2131 0.2129
Area under ROC 0.8793 0.8771 0.8771
Observations 34,308 34,308 34,308
, ,  Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between firm diversification (DT, FLUIDITY), business strategy (STRATEGY) and breach likelihood
(BREACH). The standard error is clustered at the firm level. All continuous variables are winsorized at the 1 percent and 99 percent level.
Please refer to Appendix B for variable definitions.

Additional Analyses
We alternatively explore whether firm diversification can have a similar effect to IT awareness in possibly mitigating
some prospector firm breach risk. Firm diversification is a firm decision strategy akin to an overall business
strategy. In Table 6, Panel A, we examine the relationship between business strategy, diversification (DT), and
breach likelihood. Specifically, following Palepu (1985) we utilize the Jacquemin-Berry entropy measure to capture
the diversity of operations through the number of product segments, the distribution of total sales across product
segments, and the degree of relatedness among product segments. We find evidence that firms with higher business
strategy scores continue to have higher breach risk after concurrently considering the extent of firm diversification
(STRATEGY × DT, p < 0.10, z = 1.91). In Panel B, we alternatively examine whether product market competition
(FLUIDITY), a firm-level effect, alters the relationship between strategy and breach likelihood. Based on
Hoberg, Phillips, and Prabhala (2014), we capture product market competition through product market fluidity
from rival firms. Higher fluidity values reflect more competitive products. We find that prospector strategy firms
with greater competition have an increased likelihood of facing a breach (STRATEGY × FLUIDITY, p < 0.05,


TABLE 7
CEO Turnover

(1) (2)
CEOTURNOVER = 1 CEOTURNOVER = 0

Variables Coef. z-value Coef. z-value


Constant 10.677 (12.99) 5.820 (12.80)
STRATEGY 0.021 (0.82) 0.032 (2.60)
LNASSET 0.316 (4.34) 0.244 (8.00)
ROA 1.668 (1.08) 0.132 (0.42)
LEVERAGE 0.761 (1.43) 0.030 (0.16)
MB 0.003 (0.46) 0.007 (1.34)
LOSS 0.456 (1.60) 0.044 (0.48)
FOREIGN 0.109 (0.63) 0.087 (1.21)
BIG4 0.272 (1.34) 0.084 (1.05)
RISK 0.196 (0.42) 0.108 (0.62)
TECH 0.182 (0.40) 0.183 (1.30)
CIO 0.235 (1.10) 0.157 (2.22)
IT_ROLE 0.141 (1.73) 0.027 (0.83)
ICW 0.150 (0.39) 0.109 (0.80)
MERGER 0.209 (1.29) 0.030 (0.40)
RESTRUCTURE 0.487 (2.49) 0.053 (0.74)
GROWTH 0.433 (1.30) 0.082 (0.79)
LNFIRMAGE 0.131 (0.77) 0.083 (1.09)
CEOCHAIR 0.084 (0.46) 0.082 (1.08)
Year FE Yes Yes
Industry FE Yes Yes
Pseudo R2 0.2821 0.2160
Area under ROC 0.8652 0.8791
Observations 1,922 32,386
, ,  Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between business strategy (STRATEGY), CEO turnover (CEOTURNOVER), and breach likelihood (BREACH).
All continuous variables are Winsorized at the 1 percent and 99 percent level. The standard error is clustered at the firm level.
Please refer to Appendix B for variable definitions.

z = 2.28). Firm diversification and product market competition are external pressures that assist in explaining why
prospector firms are incentivized to innovate, increasing breach risk.
We observe that the CEO can impact the relationship between firm business strategy and breach likelihood.
We argue that the association between strategy and breach risk has a long-term effect due to strategy’s incremental
changes. As such, we examine instances of CEO turnover in Table 7 to discern whether strategic IT policy formation
is impounded into a firm’s strategy. Banker and Feng (2019) document that there is a greater likelihood of
CEO turnover following a security breach, particularly breaches with both system deficiency and human error,
given the broad responsibilities of the CEO. Additionally, organizational theory finds that executives of prospector
firms face greater turnover relative to other firms (e.g., Miles and Snow 1978, 2003). We extend these findings by
positing that CEO turnover can renew attention to cybersecurity strategies, especially for prospector strategy firms.
We find that the positive association between strategy and future breach likelihood exists only if there is no CEO
turnover (CEOTURNOVER = 0, p < 0.01, z = 2.60). Our results suggest that IT policy can change over the
course of a CEO’s tenure. In the year of turnover, there is no association between strategy and breach likelihood.
The association develops for CEOs with short tenure. Once longer tenure is achieved, the association no longer
appears. IT policy does not appear to be stable, but, rather, something that the firm can shape, possibly
mitigating additional risks stemming from a prospector strategy.


TABLE 8
Internal and External Breaches

(1) (2)
INTERNAL BREACH EXTERNAL BREACH

Variables Coef. z-value Coef. z-value


Constant 11.137 (20.83) 4.800 (11.43)
STRATEGY 0.051 (3.28) 0.015 (1.18)
LNASSET 0.249 (5.32) 0.229 (7.97)
ROA 0.534 (0.76) 0.084 (0.26)
LEVERAGE 0.068 (0.27) 0.076 (0.34)
MB 0.013 (3.78) 0.001 (0.19)
LOSS 0.205 (1.47) 0.040 (0.38)
FOREIGN 0.015 (0.16) 0.105 (1.44)
BIG4 0.033 (0.31) 0.134 (1.69)
RISK 0.092 (0.41) 0.084 (0.42)
TECH 0.330 (1.42) 0.104 (0.72)
CIO 0.023 (0.24) 0.235 (2.73)
IT_ROLE 0.012 (0.26) 0.037 (1.09)
ICW 0.101 (0.53) 0.083 (0.55)
MERGER 0.017 (0.16) 0.010 (0.13)
RESTRUCTURE 0.073 (0.77) 0.033 (0.43)
GROWTH 0.015 (0.14) 0.168 (1.31)
LNFIRMAGE 0.282 (2.50) 0.057 (0.81)
CEOCHAIR 0.091 (0.86) 0.047 (0.60)
Year FE Yes Yes
Industry FE Yes Yes
Pseudo R2 0.2582 0.1821
Area under ROC 0.9126 0.8572
Observations 34,308 34,308
, ,  Indicate significance at the 1 percent, 5 percent, and 10 percent levels (two-tailed), respectively.
This table tests the relationship between business strategy (STRATEGY) and internal and external breaches. All continuous variables are
Winsorized at the 1 percent and 99 percent level. The standard error is clustered at the firm level.
Please refer to Appendix B for variable definitions.

Further, we examine whether prospector firms’ greater breach likelihood is attributable to breaches related to
insiders or external sources.¹² Following Higgs et al. (2016), internal breaches are attributable to unintended disclosure
(DISC), physical loss (PHYS), insiders (INSD), payment card fraud (CARD), and unknown (UNKN). External breaches
are attributable to hacks (HACK), portable device theft (PORT), or stationary theft (STAT). In Table 8, we find that
the prospector business strategy is associated with a greater likelihood of internal breaches (STRATEGY, p < 0.01, z = 3.28).
That is, firms with a prospector business strategy are more likely to have breaches due to insiders rather than
external parties. One possible explanation is that the prospector strategy involves rapid change and development compared
to the defender strategy, reducing the likelihood of routines and processes that insiders can rely on when carrying
out their duties, and increasing breach likelihood as a result.
In an untabulated analysis, we also conduct entropy balancing. Entropy balancing weights model covariates based
on balance conditions and a specified tolerance level (McMullin and Schonberger 2020) and is an “equal percent bias
reducing” matching method (Hainmueller 2012). Studies have shown that entropy balancing outperforms other matching
methods, such as propensity score matching, under a wide range of conditions (Parish, Keyes, Beadles, and
Kandilov 2018; Zhao and Percival 2017; Zubizarreta 2015). Using first and second moment (mean and standard deviation)
entropy balancing, we find that our results are consistent with previously stated results. Specifically, a positive

¹² Breach classification is limited to breaches gathered from Privacy Rights Clearinghouse. We are able to classify 230 breaches in our sample.


association remains between strategy and breach likelihood. Our analysis provides additional confidence that results are
not attributable to inherent covariate differences between prospector and defender strategy firms.
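
The first- and second-moment entropy balancing described above can be illustrated with the following added example, which is not the authors' code or data: control firm-years are reweighted so that the weighted mean and standard deviation of each covariate equal those of the prospector (treated) firm-years. The firm-year values, the use of SIZE and ROA as the balanced covariates, and all function names are assumptions constructed for illustration.

```python
import math

# Constructed firm-years (not the paper's data): (SIZE, ROA) per observation.
TREATED = [(6.8, 0.02), (7.4, 0.08), (7.9, -0.03), (8.3, 0.06), (7.1, 0.11), (8.6, 0.01)]
CONTROL = [(s, r) for s in (4.0, 5.0, 6.0, 7.0, 8.0, 9.0, 10.0)
           for r in (-0.10, -0.05, 0.0, 0.05, 0.10, 0.15)]


def moments(rows, w=None):
    """Weighted mean and standard deviation of every covariate (uniform if w is None)."""
    w = w or [1.0 / len(rows)] * len(rows)
    k = len(rows[0])
    mean = [sum(wi * r[j] for wi, r in zip(w, rows)) for j in range(k)]
    sd = [math.sqrt(sum(wi * (r[j] - mean[j]) ** 2 for wi, r in zip(w, rows)))
          for j in range(k)]
    return mean, sd


def solve(a, b):
    """Solve the linear system a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def entropy_balance(treated, control, tol=1e-8, max_iter=100):
    """Return control weights (summing to 1) that match treated means and SDs.

    Weights have the form w_i ~ exp(lam . g_i), where g_i holds the balance
    conditions for unit i. lam minimises the convex dual log(sum_i exp(lam . g_i))
    by damped Newton steps; its gradient is the remaining imbalance sum_i w_i g_i.
    """
    t_mean, t_sd = moments(treated)
    k = len(t_mean)
    g = []
    for row in control:
        # Standardise on the treated moments: balance <=> E_w[z] = 0 and E_w[z^2] = 1.
        z = [(row[j] - t_mean[j]) / t_sd[j] for j in range(k)]
        g.append(z + [v * v - 1.0 for v in z])
    dim = 2 * k

    def evaluate(lam):
        s = [sum(l * gi for l, gi in zip(lam, row)) for row in g]
        top = max(s)                          # log-sum-exp shift avoids overflow
        e = [math.exp(v - top) for v in s]
        tot = sum(e)
        return top + math.log(tot), [v / tot for v in e]

    lam = [0.0] * dim
    loss, w = evaluate(lam)                   # lam = 0 gives uniform weights
    for _ in range(max_iter):
        grad = [sum(wi * row[a] for wi, row in zip(w, g)) for a in range(dim)]
        if max(abs(v) for v in grad) < tol:   # balance met within the tolerance
            break
        hess = [[sum(wi * row[a] * row[b] for wi, row in zip(w, g)) - grad[a] * grad[b]
                 for b in range(dim)] for a in range(dim)]
        step = solve(hess, [-v for v in grad])
        slope = sum(v * d for v, d in zip(grad, step))
        t = 1.0
        while True:                           # backtracking (Armijo) line search
            trial = [l + t * d for l, d in zip(lam, step)]
            new_loss, new_w = evaluate(trial)
            if new_loss <= loss + 1e-4 * t * slope or t < 1e-8:
                break
            t /= 2
        lam, loss, w = trial, new_loss, new_w
    return w


if __name__ == "__main__":
    weights = entropy_balance(TREATED, CONTROL)
    print("treated (mean, sd)          ", moments(TREATED))
    print("control, unweighted         ", moments(CONTROL))
    print("control, entropy balanced   ", moments(CONTROL, weights))
```

The resulting weights would then be applied to the control observations when re-estimating the breach model, so that differences in the balanced covariates cannot drive the STRATEGY coefficient.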

V. CONCLUSION
Our study examines the impact of business strategy on a firm’s breach risk, a nonfinancial reporting outcome. To a
threat actor, whether a firm exhibits a prospector or defender strategy could manifest in underlying differences in cybersecurity
breach incentives. That is, prospector firms with an innovation focus likely have different cybersecurity risks
than efficiency-focused defender-strategy firms, despite technological investments. We find that prospectors have a
higher breach likelihood than defenders. Further, we find that IT awareness at the executive and firm levels can affect
the relationship between prospectors and breach likelihood by mitigating some breach risk. Executives with IT expertise
appear to counter the impact of firm business strategy objectives, yielding lower breach likelihood. Similarly, firm-level
technology familiarity impacts the relationship between strategy and breach likelihood, with less savvy firms facing
greater risk. Our findings have important implications for external stakeholders evaluating a firm’s cybersecurity risk,
auditors assessing firm risk and planning cybersecurity-related testing, and regulators evaluating the need for additional
cybersecurity requirements and disclosures.
Our study has limitations that provide opportunities for future research. First, we rely on Miles and Snow’s (1978,
2003) business strategy typology and prior study methodologies (e.g., Bentley et al. 2013) to identify prospector and
defender firms. Strategy likely reflects fundamental differences in the structure and objectives of a firm that are established
early in a firm’s life cycle and remain relatively stable over time, with some firm adjustments. As such, econometrically
correcting for self-selection bias in our sample through propensity score matching is inconsistent with
organizational theory expectations, since firm characteristics other than strategy are also likely to be different. However,
we attempt to classify analyzer strategy firms using our dichotomous strategy variable, retaining them in our sample and
providing greater detail on strategy implications. Second, we are only able to examine reported cybersecurity breaches.
There could be additional breaches during our sample period that have yet to be reported. Future research can examine
whether cybersecurity controls and processes within a firm have adapted to the business strategy over time.
Additionally, future research can examine the extent to which cybersecurity requirements and disclosures are shaped by
executives and strategy.

REFERENCES
American Institute of Certified Public Accountants (AICPA). 2017a. AICPA Unveils Cybersecurity Risk Management Reporting
Framework. Durham, NC: AICPA. https://www.aicpa.org/press/pressreleases/2017/aicpa-unveils-cybersecurity-risk-management-reporting-framework.html
American Institute of Certified Public Accountants (AICPA). 2017b. Description Criteria for Management’s Description of an
Entity’s Cybersecurity Risk Management Program. New York, NY: AICPA.
Angst, C. M., E. S. Block, J. D’Arcy, and K. Kelley. 2017. When do IT security investments matter? Accounting for the influence
of institutional factors in the context of healthcare data breaches. MIS Quarterly 41 (3): 893–916. https://doi.org/10.25300/MISQ/2017/41.3.10
Ashraf, M. 2022. The role of peer events in corporate governance: Evidence from data breaches. The Accounting Review 97 (2):
1–24. https://doi.org/10.2308/TAR-2019-1033
Balsam, S., G. D. Fernando, and A. Tripathy. 2011. The impact of firm strategy on performance measures used in executive
compensation. Journal of Business Research 64 (2): 187–193. https://doi.org/10.1016/j.jbusres.2010.01.006
Banker, R. D., and C. Q. Feng. 2019. The impact of information security breach incidents on CIO turnover. Journal of
Information Systems 33 (3): 309–329. https://doi.org/10.2308/isys-52532
Benaroch, M., and A. Chernobai. 2017. Operational IT failures, IT value-destruction, and board-level IT governance changes.
MIS Quarterly 41 (3): 729–762. https://doi.org/10.25300/MISQ/2017/41.3.04
Bentley, K. A., T. C. Omer, and N. Y. Sharp. 2013. Business strategy, financial reporting irregularities, and audit effort.
Contemporary Accounting Research 30 (2): 780–817. https://doi.org/10.1111/j.1911-3846.2012.01174.x
Bentley-Goode, K. A., N. J. Newton, and A. M. Thompson. 2017. Business strategy, internal control over financial reporting,
and audit reporting quality. Auditing: A Journal of Practice & Theory 36 (4): 49–69. https://doi.org/10.2308/ajpt-51693
Bentley-Goode, K. A., T. C. Omer, and B. J. Twedt. 2019. Does business strategy impact a firm’s information environment?
Journal of Accounting, Auditing & Finance 34 (4): 563–587. https://doi.org/10.1177/0148558X17726893
Brown, S. V., X. S. Tian, and J. W. Tucker. 2018. The spillover effect of SEC comment letters on qualitative corporate disclosure:
Evidence from the risk factor disclosure. Contemporary Accounting Research 35 (2): 622–656. https://doi.org/10.1111/1911-3846.12414


Chai, S., M. Kim, and H. R. Rao. 2011. Firms’ information security investment decisions: Stock market evidence of investors’
behavior. Decision Support Systems 50 (4): 651–661. https://doi.org/10.1016/j.dss.2010.08.017
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects of announcements of newly
created CIO positions. MIS Quarterly 25 (1): 43–70. https://doi.org/10.2307/3250958
Collins, F., O. Holzmann, and R. Mendoza. 1997. Strategy, budgeting, and crisis in Latin America. Accounting, Organizations
and Society 22 (7): 669–689. https://doi.org/10.1016/S0361-3682(96)00050-5
Dehning, B., V. J. Richardson, and R. W. Zmud. 2003. The value relevance of announcements of transformational information
technology investments. MIS Quarterly 27 (4): 637–656. https://doi.org/10.2307/30036551
Eulerich, A. K., M. Eulerich, and B. Fligge. 2023. Analyzing the strategy-performance relationship in Germany–Can we still use the
common strategic frameworks? Journal of Strategy and Management (forthcoming). https://doi.org/10.1108/JSMA-09-2022-0157
Ettredge, M., F. Guo, and Y. Li. 2018. Trade secrets and cyber security breaches. Journal of Accounting and Public Policy 37 (6):
564–585. https://doi.org/10.1016/j.jaccpubpol.2018.10.006
Feng, C. Q., and T. Wang. 2018. Does CIO risk appetite matter? Evidence from information security breach incidents.
International Journal of Accounting Information Systems 32: 59–75. https://doi.org/10.1016/j.accinf.2018.11.001
Gao, X., W. Zhong, and S. Mei. 2015. Security investment and information sharing under an alternative security breach
probability function. Information Systems Frontiers 17 (2): 423–438. https://doi.org/10.1007/s10796-013-9411-3
Hainmueller, J. 2012. Entropy balancing for causal effects: A multivariate reweighting method to produce balanced samples in
observational studies. Political Analysis 20 (1): 25–46. https://doi.org/10.1093/pan/mpr025
Haislip, J., J.-H. Lim, and R. Pinsker. 2021. The impact of executives’ IT expertise on reported data security breaches.
Information Systems Research 32 (2): 318–334. https://doi.org/10.1287/isre.2020.0986
Haislip, J. Z., and V. J. Richardson. 2018. The effect of CEO IT expertise on the information environment: Evidence from
earnings forecasts and announcements. Journal of Information Systems 32 (2): 71–94. https://doi.org/10.2308/isys-51796
Haislip, J. Z., K. E. Karim, K. J. Lin, and R. E. Pinsker. 2020. The influence of CEO IT expertise and board-level technology
committees on disclosure timeliness. Journal of Information Systems 34 (2): 167–185. https://doi.org/10.2308/isys-52530
Hambrick, D. C. 1981. Environment, strategy, and power within top management teams. Administrative Science Quarterly 26 (2):
253–275. https://doi.org/10.2307/2392472
Hambrick, D. C. 1983. Some tests of the effectiveness and functional attributes of Miles and Snow’s strategic types. The Academy
of Management Journal 26 (1): 5–26. https://doi.org/10.2307/256132
He, C. Z., T. Frost, and R. E. Pinsker. 2020. The impact of reported cybersecurity breaches on firm innovation. Journal of
Information Systems 34 (2): 187–209. https://doi.org/10.2308/isys-18-053
Higgins, D., T. C. Omer, and J. D. Phillips. 2015. The influence of a firm’s business strategy on its tax aggressiveness.
Contemporary Accounting Research 32 (2): 674–702. https://doi.org/10.1111/1911-3846.12087
Higgs, J. L., R. E. Pinsker, T. J. Smith, and G. R. Young. 2016. The relationship between board-level technology committees and
reported security breaches. Journal of Information Systems 30 (3): 79–98. https://doi.org/10.2308/isys-51402
Hoberg, G., G. Phillips, and N. Prabhala. 2014. Product market threats, payouts, and financial flexibility. The Journal of Finance
69 (1): 293–324. https://doi.org/10.1111/jofi.12050
Hsieh, C.-C., Z. Ma, and K. E. Novoselov. 2018. Accounting conservatism, business strategy, and ambiguity. Accounting,
Organizations and Society 74: 41–55. https://doi.org/10.1016/j.aos.2018.08.001
Huang, H. H., and C. Wang. 2021. Do banks price firms’ data breaches? The Accounting Review 96 (3): 261–286.
https://doi.org/10.2308/TAR-2018-0643
Im, K. S., K. E. Dow, and V. Grover. 2001. Research report: A reexamination of IT investment and the market value of
the firm—an event study methodology. Information Systems Research 12 (1): 103–117. https://doi.org/10.1287/isre.12.1.103.9718
Islam, M. S., N. Farah, and T. F. Stafford. 2018. Factors associated with security/cybersecurity audit by internal audit function:
An international study. Managerial Auditing Journal 33 (4): 377–409. https://doi.org/10.1108/MAJ-07-2017-1595
Ittner, C. D., D. F. Larcker, and M. V. Rajan. 1997. The choice of performance measures in annual bonus contracts.
The Accounting Review 72 (2): 231–255. https://www.jstor.org/stable/248554
Jarvenpaa, S. L., and B. Ives. 1991. Executive involvement and participation in the management of information technology. MIS
Quarterly 15 (2): 205–227. https://doi.org/10.2307/249382
Kwon, J., J. R. Ulmer, and T. Wang. 2013. The association between top management involvement and compensation and
information security breaches. Journal of Information Systems 27 (1): 219–236. https://doi.org/10.2308/isys-50339
Lawrence, A., M. Minutti-Meza, and D. Vyas. 2018. Is operational control risk informative of financial reporting deficiencies?
Auditing: A Journal of Practice & Theory 37 (1): 139–165. https://doi.org/10.2308/ajpt-51784
Li, H., W. G. No, and J. E. Boritz. 2020. Are external auditors concerned about cyber incidents? Evidence from audit fees.
Auditing: A Journal of Practice & Theory 39 (1): 151–171. https://doi.org/10.2308/ajpt-52593
Lim, E. K., K. Chalmers, and D. Hanlon. 2018. The influence of business strategy on annual report readability. Journal of
Accounting and Public Policy 37 (1): 65–81. https://doi.org/10.1016/j.jaccpubpol.2018.01.003


March, J. G. 1991. Exploration and exploitation in organizational learning. Organization Science 2 (1): 71–87.
https://doi.org/10.1287/orsc.2.1.71
Martin, D. X. 2021. Cybersecurity as a business strategy. Corporate Board Member.
https://boardmember.com/cybersecurity-as-a-business-strategy/
Masli, A., V. Richardson, M. W. Watson, and R. W. Zmud. 2016. Senior executives’ IT management responsibilities: Serious
IT-related deficiencies and CEO/CFO turnover. MIS Quarterly 40 (3): 687–708. https://doi.org/10.25300/MISQ/2016/40.3.08
McMullin, J. L., and B. Schonberger. 2020. Entropy-balanced accruals. Review of Accounting Studies 25: 84–119.
https://doi.org/10.1007/s11142-019-09525-9
Melika, J. 2021. Cybersecurity is now essential to corporate strategy. Here’s how to bring the two together. Entrepreneur
(May 22). https://www.entrepreneur.com/article/369618
Miles, R. E., and C. C. Snow. 1978. Organizational Strategy, Structure and Process. New York, NY: McGraw-Hill.
Miles, R. E., and C. C. Snow. 2003. Organizational Strategy, Structure, and Process. Stanford, CA: Stanford University Press.
Mizik, N., and R. Jacobson. 2003. Trading off between value creation and value appropriation: The financial implications of shifts
in strategic emphasis. Journal of Marketing 67 (1): 63–76. https://doi.org/10.1509/jmkg.67.1.63.18595
Palepu, K. 1985. Diversification strategy, profit performance and the entropy measure. Strategic Management Journal 6 (3):
239–255. https://doi.org/10.1002/smj.4250060305
Parish, W. J., V. Keyes, C. Beadles, and A. Kandilov. 2018. Using entropy balancing to strengthen an observational cohort study
design: Lessons learned from an evaluation of a complex multi-state federal demonstration. Health Services and Outcomes
Research Methodology 18: 17–46. https://doi.org/10.1007/s10742-017-0174-z
Ponemon Institute and IBM Security. 2021. Cost of a data breach report 2021. https://www.ibm.com/downloads/cas/OJDVQGRY
Porter, M. E. 1980. Competitive Advantage. New York, NY: Free Press.
Richardson, V. J., R. E. Smith, and M. W. Watson. 2019. Much ado about nothing: The (lack of) economic impact of data
privacy breaches. Journal of Information Systems 33 (3): 227–265. https://doi.org/10.2308/isys-52379
Robinhood. 2021. Robinhood announces data security incident (update).
https://blog.robinhood.com/news/2021/11/8/data-security-incident
Securities and Exchange Commission (SEC). 2011. CF Disclosure Guidance: Topic No. 2: Cybersecurity. Washington, DC: SEC.
https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Securities and Exchange Commission (SEC). 2018. Commission Statement and Guidance on Public Company Cybersecurity
Disclosures. Release Nos. 33-10459, 34-82746. Washington, DC: SEC. https://www.sec.gov/rules/interp/2018/33-10459.pdf
Sen, R., and S. Borle. 2015. Estimating the contextual risk of data breach: An empirical approach. Journal of Management
Information Systems 32 (2): 314–341. https://doi.org/10.1080/07421222.2015.1063315
Simons, R. 1987. Accounting control systems and business strategy: An empirical analysis. Accounting, Organizations and Society
12 (4): 357–374. https://doi.org/10.1016/0361-3682(87)90024-9
Smith, T. J., J. L. Higgs, and R. E. Pinsker. 2019. Do auditors price breach risk in their audit fees? Journal of Information Systems
33 (2): 177–204. https://doi.org/10.2308/isys-52241
Tan, H.-T., and Y. Yu. 2018. Management’s responsibility acceptance, locus of breach, and investors’ reactions to internal control
reports. The Accounting Review 93 (6): 331–355. https://doi.org/10.2308/accr-52077
Treacy, M., and F. Wiersema. 1995. The Discipline of Market Leaders: Choose Your Customers, Narrow Your Focus, Dominate
Your Market. Reading, MA: Addison-Wesley.
Vincent, N. E., J. L. Higgs, and R. E. Pinsker. 2017. IT governance and the maturity of IT risk management practices. Journal of
Information Systems 31 (1): 59–77. https://doi.org/10.2308/isys-51365
Volz, D. 2021. State department to form new cyber office to face proliferating global challenges. The Wall Street Journal (October 25).
https://www.wsj.com/articles/state-department-to-form-new-cyber-office-to-face-proliferating-global-challenges-11635176700
Walton, S., P. R. Wheeler, Y. I. Zhang, and X. R. Zhao. 2021. An integrative review and analysis of cybersecurity research:
Current state and future directions. Journal of Information Systems 35 (1): 155–186. https://doi.org/10.2308/ISYS-19-033
Wang, T., K. N. Kannan, and J. R. Ulmer. 2013. The association between the disclosure and the realization of information security
risk factors. Information Systems Research 24 (2): 201–218. https://doi.org/10.1287/isre.1120.0437
Xu, H., S. Y. Guo, J. Z. Haislip, and R. E. Pinsker. 2019. Earnings management in firms with data security breaches. Journal of
Information Systems 33 (3): 267–284. https://doi.org/10.2308/isys-52480
Yen, J.-C., J.-H. Lim, T. Wang, and C. Hsu. 2018. The impact of audit firms’ characteristics on audit fees following information
security breaches. Journal of Accounting and Public Policy 37 (6): 489–507. https://doi.org/10.1016/j.jaccpubpol.2018.10.002
Zhao, Q., and D. Percival. 2017. Entropy balancing is doubly robust. Journal of Causal Inference 5 (1): 20160010.
https://doi.org/10.1515/jci-2016-0010
Zubizarreta, J. R. 2015. Stable weights that balance covariates for estimation with incomplete outcome data. American Statistical
Association 110 (511): 910–922. https://doi.org/10.1080/01621459.2015.1023805


APPENDIX A
Strategy Typologies

Miles and Snow (1978, 2003)  Porter (1980)        March (1991)              Treacy and Wiersema (1995)                Eulerich et al. (2023)
Prospectors                  Differentiation      Exploration               Product leadership and customer intimacy  Differentiation
Analyzers                    Stuck in the middle  Adaptive systems/balance  -                                         Balance/hybrid
Defenders                    Cost Leaders         Exploitation              Operational excellence                    Efficiency
Reactors                     -                    -                         -                                         -

(The full-color version is available online.)

Strategy Typology Similarities and Differences


Overall, there are broad similarities between typologies. For instance, all typologies include efficiency (cost) as a
strategy. These firms are referred to as defenders (Miles and Snow 1978), cost leaders (Porter 1980), exploitation (March
1991), operational excellence (Treacy and Wiersema 1995), and efficiency (Eulerich et al. 2023). Such a strategy reflects a
narrower focus on refinement and efficiency of existing operations. Although there is less definitive clarity about the
other endpoint along the strategy continuum, a viable strategy that is not focused on efficiency, there remain certain
key elements shared by the different typologies. These firms are referred to as prospectors (Miles and Snow 1978),
differentiation (Porter 1980; Eulerich et al. 2023), exploration (March 1991), and product leadership and customer intimacy
(Treacy and Wiersema 1995). Firms with such a strategy are, moreover, focused on innovation, growth, and flexibility.
There are firms that do not follow either an efficiency or innovative strategy. Such hybrid or balanced strategy firms are
complex and could suffer from a lack of direction (March 1991) or share the strengths of both of the other strategies
(Miles and Snow 1978). Some similarities exist between typologies. For instance, Porter’s (1980) “stuck in the middle”
firms are similar to the analyzer firms described by Miles and Snow (1978). Miles and Snow also report that firms could
follow a reactor strategy. Notably, such a strategy is not viable, as it reflects the inability to effectively respond to
perceived changes and uncertainty in a firm’s environment. There are tradeoffs to each viable strategy, which can result in
mutual exclusivity (Miles and Snow 1978; Porter 1980; Treacy and Wiersema 1995). However, there is emerging
evidence that strategy exclusivity may not hold in certain jurisdictions, given rapid globalization (Eulerich et al. 2023).
Firms can possibly have differentiation and efficiency strategies within the organization. We utilize the Miles and
Snow (1978) typology, following extant accounting research (e.g., Bentley et al. 2013). However, we note that the
strategies we measure can broadly reflect the strategy endpoints discussed by other typologies.


APPENDIX B
Variable Definitions

Variable Name      Measurement

Cybersecurity Breaches
BREACH             1 (0 otherwise) if the firm has a breach in t+1.
INTERNAL BREACH    1 (0 otherwise) if the firm has an internal breach including an unintended disclosure (DISC), physical loss (PHYS), insiders (INSD), payment card fraud (CARD), or unknown (UNKN) in t+1 (Higgs et al. 2016).
EXTERNAL BREACH    1 (0 otherwise) if the firm has an external breach including a hack (HACK), portable device theft (PORT), or stationary theft (STAT) in t+1 (Higgs et al. 2016).

Business Strategy
STRATEGY           Discrete score with values ranging from 6 to 30 where high (middle) [low] values indicate prospector (analyzer) [defender] firms, respectively.
PRO                1 if a firm’s strategy score is between 24 and 30 (prospector), and 0 otherwise.
PRO_ALT            1 if a firm’s strategy score is between 19 and 30 (prospector), and 0 if a firm’s strategy score is between 6 and 18 (defender).

IT Awareness
CEOIT              1 (0 otherwise) if the firm has CEO IT expertise, captured through prior educational or work experience.
CFOIT              1 (0 otherwise) if the firm has CFO IT expertise, captured through prior educational or work experience.
CIO                1 (0 otherwise) if the firm has any person in charge of IT, including a VP of IT, CIO, or CTO.
TECH               1 (0 otherwise) if the firm has a technology committee on the board of directors.
IT_INDUSTRY        1 (0 otherwise) if the firm is in one of the following SIC three-digit industries: 357, 367, or 737.

IT Strategic Role
IT_ROLE            1 if the firm is in a transform industry IT role, 2 if the firm is in an informate industry IT role, 3 if the firm is in an automate industry IT role, and 0 otherwise.
IT_ROLE_INFORMATE  1 (0 otherwise) if the firm is in an informate industry IT role.
IT_ROLE_AUTOMATE   1 (0 otherwise) if the firm is in an automate industry IT role.
IT_ROLE_TRANSFORM  1 (0 otherwise) if the firm is in a transform industry IT role.

Diversification and CEO Turnover
DT                 Palepu’s (1985) entropy-based measures of a firm’s total diversification.
FLUIDITY           A measure of product market competition from rival firms following Hoberg et al. (2014).
CEOTURNOVER        1 (0 otherwise) if the firm has a change in CEO in the current year.

Control Variables
LNASSET            Natural logarithm of total assets.
ROA                Ratio of income before extraordinary items to total assets.
LEVERAGE           Ratio of total liabilities to total assets.
MB                 Market value of equity divided by book value of common equity.
LOSS               1 (0 otherwise) if operating income after depreciation is negative.
FOREIGN            1 (0 otherwise) if the firm has a nonzero foreign currency transaction.
BIG4               1 (0 otherwise) if the firm’s audit firm is one of the Big 4 accounting firms.
RISK               1 (0 otherwise) if the firm has a risk committee.
ICW                1 (0 otherwise) if the firm has an internal control material weakness.
MERGER             1 (0 otherwise) if the firm is involved in a merger and acquisition.
RESTRUCTURE        1 (0 otherwise) if the firm has a restructuring charge.
GROWTH             Sales in year t minus sales in year t−1 scaled by sales in year t−1.
LNFIRMAGE          Natural logarithm of the number of years since the firm first appeared in Compustat.
CEOCHAIR           1 (0 otherwise) if the CEO is also the chair of the board.

Copyright of Journal of Information Systems is the property of American Accounting
Association and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.
