Stephanie Walton
Louisiana State University
ABSTRACT: This study examines whether a firm’s business strategy is an underlying determinant of cybersecurity
breach likelihood. Based on organizational theory, firm strategy can focus on innovation or efficiency, with innovative
strategy firms being more likely to have weaker, decentralized control systems, multiple technologies, and greater risk
than firms with an efficiency-focused strategy. Following the Miles and Snow (1978) strategy typology, we predict and
find that the prospector business strategy is associated with greater breach likelihood. We further explore IT
awareness within the firm. Ex ante, it is unclear whether strategic IT policy formation is impounded into a firm’s
strategy or can be impacted by individual executives and nonstrategy firm characteristics. We find that IT
understanding at the executive or firm level can affect the relationship between strategy and breach likelihood.
Collectively, our results indicate that business strategy is a useful indicator in evaluating firms’ cybersecurity activities.
Keywords: business strategy; information technology; cybersecurity breaches; IT awareness.
I. INTRODUCTION
A firm’s business strategy guides a firm’s operations and approach to technological changes (Hambrick 1981,
1983). Cybersecurity is essential to a firm’s strategy (Melika 2021). As part of a firm’s strategy, cybersecurity
activities can assist in not only reducing operational risks, but also enabling growth through agile decisions that
promote innovation and customer trust (Martin 2021). However, it is unclear whether strategy, as a firm-level characteristic
reflecting an accumulation of firm decisions that typically persist beyond individual actions (Miles and Snow 1978,
2003; Bentley-Goode, Omer, and Twedt 2019), impacts cybersecurity risks. Cybersecurity breaches reflect a nonfinancial
reporting outcome with significant economic consequences, with U.S. breaches having the highest global per event cost
of $9.05 million, taking an average of 287 days to identify and contain (Ponemon Institute and IBM Security 2021). To
a threat actor, a firm could appear as a better breach target than other firms due to its strategy, which provides idiosyncratic
information about a firm. As such, we examine the following research question: Does a firm’s strategy affect
cybersecurity breach risk?
A move toward greater remote work and increasing customer and client concern surrounding digital security underscores
the importance of cybersecurity processes in keeping a firm’s operations running smoothly (Melika 2021).
Further, breaches can impact all firms. For instance, Robinhood, a stock trading and investing application, recently disclosed
a third-party breach affecting 7 million user records, including personal information, such as email address,
name, date of birth, and zip code (Robinhood 2021). Although Robinhood is an innovative, technology-focused firm, it
still faced a breach. Strategy affords an opportunity to investigate differences between firms incremental to financial
reporting risk, firm size, complexity, or other risk-based measures (Bentley, Omer, and Sharp 2013). In turn, strategy
enables us to examine a potential breach determinant distinct from component risk, executive characteristics, and firm
characteristics used to broadly classify firms previously investigated in cybersecurity research (Ettredge, Guo, and Li
2018; Walton, Wheeler, Zhang, and Zhao 2021; Ashraf 2022).
We are grateful for the helpful comments from Marc Eulerich (editor), two anonymous reviewers, Jochen Theis (discussant), Vern Richardson, Theo
Stratopoulos, Joseph Schroeder, and participants at the 2022 2nd Journal of Information Systems International Conference.
Tianpei (Constance) Li, University of Nebraska at Kearney, College of Business and Technology, Department of Accounting, Finance, and
Economics, Kearney, NE, USA; Stephanie Walton, Louisiana State University, E. J. Ourso College of Business, Department of Accounting, Baton
Rouge, LA, USA.
Editor’s note: Accepted by Marc Eulerich, under the Senior Editorship of J. Efrim Boritz.
Of the three viable business strategies described by Miles and Snow (1978, 2003)—prospector, analyzer, and
defender—firms with a prospector strategy seek to identify and exploit new products and market opportunities, whereas
firms with a defender strategy have an efficiency focus.1 Analyzer firms share characteristics with both prospectors and
defenders. Although research based in organizational theory broadly characterizes prospectors as having greater organizational
risk than other firms, such studies focus on financial reporting and related disclosures (Bentley et al. 2013;
Bentley-Goode, Newton, and Thompson 2017; Hsieh, Ma, and Novoselov 2018; Lim, Chalmers, and Hanlon 2018).
Within a cybersecurity setting, prospectors’ focus on technological flexibility could result in these firms being more
likely to invest in cybersecurity-promoting technologies than other firms, reducing breach risk. Likewise, defenders could
be more attractive breach targets than other firms, as there is a history of organizational stability and profitability,
increasing breach risk. However, such factors may not be influential enough to mitigate the duality between strategy
and organizational risk. Prospector firms’ lack of lengthy technological commitments and decentralized control systems
can promote organizational instability, as through internal control material weaknesses (Miles and Snow 1978, 2003;
Bentley et al. 2013; Bentley-Goode et al. 2017), potentially increasing breach risk. Similarly, defender firms could have
greater capabilities of defending against breach attempts, reducing the likelihood of a successful breach. As such,
although all firms need to manage breach risk, we argue that prospector strategy firms face greater breach likelihood
than other firms.
As a firm’s business strategy typically reflects persistent firm decisions, it is also unclear the extent to which information
technology (IT) awareness at the executive or firm level could impact the relationship between strategy and breach
likelihood. Based on organizational theory, distinct differences in the approach to products and markets, control systems,
technology use, and organizational structure could result in IT savviness providing an additional benefit for prospector
strategy firms compared to defender firms (Miles and Snow 1978, 2003). At the executive level, CEOs and Chief
Financial Officers (CFOs) with greater IT expertise could be more apt at navigating the changing cybersecurity landscape,
resulting in reduced breach risk (Haislip, Lim, and Pinsker 2021), regardless of the firm’s strategy. We further
examine the extent to which other firm characteristics focusing on IT understanding, including the presence of a Chief
Information Officer (CIO), having a technology committee on the board of directors, and operating in an IT-focused
industry, affect the relationship between strategy and breach likelihood. Affecting IT governance, such characteristics
could assist a firm in navigating cybersecurity risk originating due to both operational decisions and threat actors. In
turn, there could be a lower breach likelihood for prospector firms. However, the typically persistent nature of strategy
could overwhelm any individual executive or firm characteristic that could mitigate breach risk, resulting in little change
to breach likelihood.
We use a comprehensive measure of organizational business strategy that is generalizable across industries from
Bentley et al. (2013) to capture firm business strategy. To investigate the relationship between strategy and breaches, we
use a sample of 34,308 firm-year observations from 2005 to 2019, including 3,622 prospector firm-year observations and
1,283 defender firm-year observations. Based on organizational theory and prior business strategy empirical research,
we expect and find that prospector firms have higher breach likelihood than defender firms. We find evidence that prospectors
are associated with greater breach likelihood using both discrete and dichotomous strategy measures. Results
are robust to entropy balancing at the first and second moments. Our results suggest that strategy can uniquely impact
breach risk, with prospector firms more likely to face a breach than other analyzer and defender firms.
We also find that the positive association between strategy and breach likelihood is impacted by IT awareness at the
executive and firm levels. Our results suggest that executive IT experience can assist in mitigating an increase in breach
risk due to having a prospector strategy. Further, we find that at the firm level, greater IT savviness, either through having
a technology committee on the board or operating in an IT-intensive industry, can assist in alleviating an increase in
breach likelihood for firms with a prospector business strategy. Additional investigation suggests that the relationship
between strategy and breach likelihood is exacerbated by external pressures attributable to diversification. At the executive
level, CEO turnover also provides insight into the future breach likelihood, as there could be new policies put into
place with a new executive. In the year of CEO change, strategy does not appear to impact breach risk; however, breach
risk is greater for prospector firms if there is no turnover.
1 We discuss different strategy typologies in Appendix A. Following Miles and Snow’s (1978, 2003) typology, we view strategy classifications as occurring
along a continuum, with the prospector strategy being mutually exclusive from the defender strategy. Analyzer strategy firms share characteristics
with both endpoints, and, as such, we focus the majority of our discussion on prospector and defender firms.
We make several contributions to the literature. First, we extend organizational theory within the accounting literature
by examining the relationship between the business strategy and an outcome, breaches, that goes beyond clear
financial reporting outcomes. Although breaches can have negative economic costs that affect operations, financial
reporting decisions, disclosures, and external stakeholder perceptions (Walton et al. 2021), it is ultimately a nonfinancial
outcome. Second, we add to the breach literature by identifying strategy as a distinct breach determinant. The breach
determinants literature has focused on disclosure issues, such as industry (Ashraf 2022) and proprietary information
(Ettredge et al. 2018). Although these studies provide important insights, they broadly categorize firms and do not capture
potentially useful firm-level information pertaining to breach risk. Third, we find that executive and firm IT understanding
can disrupt the relationship between strategy and breach likelihood, answering a call for research from Walton
et al. (2021). Since strategy largely persists across time and executives, our results indicate that firms can at least partially
address cybersecurity risk beyond a firm’s overall strategic focus on innovation or efficiency.
Practically, our study provides useful information to stakeholders, including investors, boards of directors, auditors,
and regulators. We provide information to investors interested in understanding a firm’s cybersecurity risk exposure by
investigating the role of firm business strategy. A firm may appear to a threat actor as a better breach target than other
firms due to their strategy, increasing investor exposure to cybersecurity risk. Although we do not recommend altering a
firm’s strategy, boards can benefit from understanding their firms’ overall cybersecurity risk and what actions can be
taken at the firm or executive level, such as increasing IT awareness, to reduce breach likelihood. Auditors, who price
breach risk into audit fees (Smith, Higgs, and Pinsker 2019) and who levy higher fees to prospector strategy firms
(Bentley et al. 2013), could also adjust their audit fee premium after considering the joint relationship between their clients’
strategy and breach risk. Firms with a prospector strategy could further benefit from additional regulator guidance
on cybersecurity risk disclosures, possibly including risk-management strategies (e.g., American Institute of Certified
Public Accountants (AICPA) 2017a, 2017b). Increasing interest in cybersecurity activities, including the establishment
of a cybersecurity bureau in the U.S. State Department to deal with evolving challenges (Volz 2021), underscores the rising
importance of cybersecurity risk to national security.
The remainder of the study is as follows. Section II reviews the related literature and develops our hypotheses.
Section III describes our research design, while Section IV describes the results. Section V concludes.
Cybersecurity Breaches
Cybersecurity breach events are increasing in frequency and severity (Ponemon Institute and IBM Security 2021).
Firms can have a variety of negative economic consequences following a breach (Walton et al. 2021). Breaches are associated
with lower short-term market returns (e.g., Richardson, Smith, and Watson 2019), greater CIO and CEO turnover
(Banker and Feng 2019), higher audit fees (Smith et al. 2019; Lawrence, Minutti-Meza, and Vyas 2018; Yen, Lim,
Wang, and Hsu 2018; Li, No, and Boritz 2020), greater real earnings management (Xu, Guo, Haislip, and Pinsker
2019), higher loan spreads, loans requiring collateral and greater covenants (Huang and Wang 2021), and fewer patents
and investment efficiency (He, Frost, and Pinsker 2020). Breaches can also affect nonbreached peer firms. Ashraf (2022)
notes that peer firms are associated with a reduction in internal control material weaknesses and an increase in the likelihood
of having a cybersecurity expert in the top management team. Further, there is increasing regulatory interest in
breach events, including increased disclosures and the establishment of a cybersecurity bureau with the U.S. State
Department to monitor cybersecurity risk (Volz 2021).
There is a need to understand breach determinants and whether firm actions can mitigate cybersecurity risk, including
breach likelihood. Firm business strategy could affect the extent of IT investments, IT governance, and the actions
undertaken by managers and the firm. IT investments are associated with increased market value, especially among
smaller firms (Im, Dow, and Grover 2001), higher abnormal returns (Chai, Kim, and Rao 2011), and an overall higher
rate of being breached (Sen and Borle 2015). Angst, Block, D’Arcy, and Kelley (2017) note that only substantial, rather
than symbolic, adoptions increase the effectiveness of IT investments, reducing breach likelihood. Relatedly, the inclusion
of an IT executive (Kwon, Ulmer, and Wang 2013) or other executives with IT expertise (Haislip et al. 2021), a
board-level technology committee (Higgs, Pinsker, Smith, and Young 2016), and internal auditors with security expertise
(Islam, Farah, and Stafford 2018) are positively associated with cybersecurity strength. It is unclear how senior management
support could affect the strength of cybersecurity activities (Walton et al. 2021). Decisions made by
management could also affect the preparedness of a firm against possible breach attempts. Following a breach, Tan and
Yu (2018) note that higher management responsibility acceptance is a more effective strategy following an external
breach, but not an internal breach, suggesting that management decisions can affect how stakeholders perceive a firm.
As such, we posit that business strategy can serve as a breach determinant distinct from those denoted in the extant
literature, including internal control material weaknesses (Bentley-Goode et al. 2017; Walton et al. 2021).
Similarly, defender firms report more litigious tone language in their 10-K reports than other firms (Lim et al. 2018),
reflecting greater external risk.
Nevertheless, such actions may not be enough to counter the overarching relationship between strategy and organizational
risk. For instance, prospector reliance on novel, multiple technologies is associated with a greater likelihood of
reporting an internal control material weakness (Bentley-Goode et al. 2017). Such use of multiple technologies could
also result in superficial investments compared to analyzer and defender firms, increasing breach likelihood, as Angst
et al. (2017) find that only substantial IT investments are associated with a reduction in breach risk. Comparatively, the
centralized control systems, routinization, deep technology investments, and cautious growth actions undertaken by
defender firms could reduce cybersecurity risk exposure, despite the firms being perceived as lucrative breach targets.
Compared to defender and analyzer firms, greater use of uncertainty reporting language by prospector firms could
reflect rapid changes, a less-detailed cybersecurity strategy, and fewer substantive cybersecurity investments. In turn,
organizational instability could negatively affect a firm’s overall IT governance focus.
As such, prospector strategy firms could have greater cybersecurity risk than both analyzer and defender firms.
Organizational risk differences can manifest in prospector firms facing greater breach risk than other firms, even though
individual actions could affect cybersecurity activities. Therefore, our first hypothesis predicts a positive relationship
between prospector business strategy and cybersecurity breach likelihood.
H1: Prospector business strategy firms are more likely to face a cybersecurity breach than defender business
strategy firms.
IT Awareness
Although a firm’s business strategy usually reflects persistent objectives, subject to strategic flexibility, it remains
unknown whether individual executive or other firm characteristics relating to IT assist in mitigating the effect of strategy
on breach likelihood. Miles and Snow (1978, 2003) discuss how the administrative functions between strategies can
differ. Based on organizational theory, we focus on two levels of IT awareness that could affect the relationship between
strategy and breach risk: executive and firm. At the executive level, it remains unknown whether the actions of a CEO
or a CFO could temper a rise in cybersecurity risk, given a prospector strategy. Whereas the CEO has the primary role
of establishing and overseeing firm policies (Masli, Richardson, Watson, and Zmud 2016), the CFO has control over
financial reporting processes and shares in the management of cybersecurity risk (Haislip et al. 2021). At the firm level,
having greater IT understanding within the firm could assist in mitigating cybersecurity risk for firms, even if strategy
objectives result in higher risk.
We first investigate whether CEOs and CFOs with IT expertise can impact the cybersecurity risk faced by a firm pursuing
a prospector strategy. Haislip et al. (2021) note that CEOs with IT expertise are associated with lower breach risk.2
Not only does the CEO communicate current and future IT issues within the firm to other executives, including the CIO
and employees, but the CEO also assists in developing IT risk-management practices (Vincent, Higgs, and Pinsker 2017;
Haislip et al. 2021). The CEO and CFO can make meaningful IT decisions that could align IT policies with overall business
risk and strategy objectives, even if there is a penchant for innovation, rather than efficiency. Specifically, an executive
could enhance IT governance actions, strengthening controls and reducing cybersecurity exposure, despite a decentralized
control system. Compared to the incremental progress made by defender firms, which could still benefit from executive IT
expertise, we posit that prospector strategy firms have a greater possible cybersecurity advantage.
We next investigate firm-level characteristics that could also have a balancing effect on increases in breach risk due
to having a prospector strategy. First, the presence of a CIO could assist in communicating IT policies. Kwon et al.
(2013) find that there is a negative relationship between having a CIO in the top management team and breach risk. The
additional IT expertise provided by a CIO appears to reduce cybersecurity concerns (Banker and Feng 2019).3 A CIO
could assist in mitigating breach risk for prospector strategy firms by promoting best practices and providing support to
top executives. Similarly, a prospector strategy firm with a technology committee on the board of directors could mitigate
breach risk increases (Higgs et al. 2016). Since prospector firms have an innovation focus and invest in multiple
technologies, there could, conversely, be a greater need for board oversight. At a broad level, operating in an IT-intensive
industry could also facilitate decisions that maintain a rapid pace of change, consistent with prospector firm
objectives (Bentley-Goode et al. 2017), and thus are more likely to have a beneficial impact on cybersecurity activities.
2 Jarvenpaa and Ives (1991) find that CEO IT expertise is marked by stronger IT policies than in the absence of IT expertise. For instance, having a
CEO with IT expertise is associated with more accurate earnings forecasts (Haislip and Richardson 2018) and the timely disclosure of key findings to
external stakeholders (Haislip, Karim, Lin, and Pinsker 2020).
3 There is also greater interest in board of director level IT governance following a breach event (Higgs et al. 2016; Benaroch and Chernobai 2017).
Further, there is greater CEO and CIO turnover following a breach event (Banker and Feng 2019).
However, it is important to note that prospector strategy firms could face increased cybersecurity risk with or without
executive- or firm-level IT awareness, and the actions of any one individual or group might not be enough to mitigate
such risk. Similarly, Bentley et al. (2013) underscore that the increase in audit effort via higher fees for prospector
firms is not enough to counter the effect of strategy on financial reporting quality. As prospector strategy firms are also
predisposed to weaker internal controls (Bentley-Goode et al. 2017), greater business risk could result in higher breach
risk, regardless of the specialization of executives, the IT support received from within the firm, or external IT pressures.
Although greater IT understanding could mitigate an increase in breach risk for prospectors by leveraging current IT
investments and establishing formalized control policies, status quo breach likelihood may not be fundamentally reduced.
We take the position that prospector firms have greater cybersecurity risk than other firms, stemming partially from cursory
technology investments, a decentralized control system, and a low degree of mechanization. We believe that these
firms also have greater opportunities for IT awareness and understanding to contribute to firm operations. Nevertheless,
the possibility exists that instability underscoring prospector firms does not foster IT understanding. Further, it is unclear
whether defender strategy firms would likewise see a reduction in breach risk. Since the relationship between strategy, IT
awareness, and breach likelihood remains uncertain, we propose the following nondirectional hypothesis:
H2: The positive association between prospector business strategy firms and cybersecurity breach likelihood is
impacted by IT awareness.
Sample Selection
To examine the relationship between business strategy and breach likelihood, we utilize reported breach data from
Privacy Rights Clearinghouse and Audit Analytics, and firm financial and auditing information from Compustat, Audit
Analytics, and BoardEx.4 We begin our sample selection process with 145,681 Compustat firm-year observations
between 2005 and 2019 after removing firm-year observations with zero or negative sales and assets and missing historical
SIC industry classifications. We then remove financial and utility firms due to the regulated nature of the industries.
As our STRATEGY measure requires five-year rolling averages (e.g., Ittner et al. 1997; Bentley et al. 2013), we further
remove 76,447 observations with insufficient data for all six strategy components. As such, we have 51,819 firm-year
business strategy scores from 2005 to 2019. After merging with Compustat financial information, audit information
from Audit Analytics, and executive information from BoardEx, our sample consists of 34,308 firm-year observations.
Table 1, Panel A provides additional details on our sample selection process.
Our sample consists of 3,622 prospector firm-years and 1,283 defender firm-years, consistent with prior strategy
research. In Panel B, we note that the breaches in our sample are evenly distributed across years. Breaches are spread
across industries, with Computers, Software, and Electronic (29.16 percent) and Wholesale and Retail Services (24.68
percent) industry firms reporting the most breach events in Panel C. We also find that each strategy is largely evenly distributed
across the sample period and industries. Further, in Panel D, we show the composition of strategy by industry.
Research Design
Our primary model examines the association between firm business strategy (STRATEGY) and reported breach
likelihood in t+1 (Prob(Breach_{it+1} = 1)).5 We use the phrasing “reported breaches” to be consistent with the sources of
our data and with the extant research (e.g., Haislip et al. 2021). Reported breaches are used to proxy for all breaches.
SIC two-digit industry (IND) and year (YEAR) fixed effects are included, but not reported. The standard error is
clustered at the firm level. All continuous variables are Winsorized at the 1 and 99 percent levels. The definitions of all
variables used in our analyses are reported in Appendix B.
4 We begin the sample period in 2005, as breach data are not available from Privacy Rights Clearinghouse in prior years. We recognize that the financial
crisis could affect the extent to which firms invest in cybersecurity activities, including controls. As such, we exclude firm-year observations from
2008 and 2009 and find that our results are robust to the exclusion of these years.
5 Firms in the United States are required by the Securities and Exchange Commission (SEC) to report material events publicly. Breaches are one such
material event, and the SEC has made several recommendations (Securities and Exchange Commission (SEC) 2011; Securities and Exchange
Commission (SEC) 2018) on the disclosure of breach risks and events. The SEC’s (2011) guidance indicates that public firms must disclose significant
cybersecurity risks and breach events promptly in Part I, Item 1A, of the Form 10-K filing. The SEC’s (2018) guidance provides further clarification
on such disclosures. Further, firms are bound by U.S. state breach notification laws, which exist in all states, to notify individuals of breaches of personally
identifiable information (Huang and Wang 2021). As strategy does not vastly change from year to year, in an untabulated analysis, we also
examine the relationship between strategy and current breach likelihood. We find consistent evidence that higher strategy scores, those with a prospector
strategy, are associated with greater breach likelihood.
TABLE 1: Sample Selection
TABLE 1 (continued), Panel C: Breach Distribution by Fama-French 12-Industries (columns: Breach Firms, Nonbreach Firms, Total)
Research demonstrates that the composite business strategy measure is more than a sum of its parts (Bentley et al.
2013; Bentley-Goode et al. 2017; Hsieh et al. 2018). Following Bentley et al. (2013) and Hsieh et al. (2018), we measure
business strategy as the composite of six variables captured over a rolling prior five-year period.6 The measures are: the
ratio of the number of employees to sales (EMPS5); the standard deviation of the total number of employees (EMP5);
the ratio of research and development expenditures to sales (RDS5); one-year percent change in total sales (REV5); the
ratio of selling, general, and administrative expenses to sales (SGA5); and the ratio of property, plant, and equipment to
total assets (CAP5). Each measure is calculated per firm-year. Quintile rankings for each year and two-digit SIC industry
are used to score each measure, where observations in the highest (lowest) quintile receive a score of 5 (1). Firm strategy
is thus the sum of the six measures ranging from a minimum score of 6 to a maximum of 30. Higher (lower) scores
reflect a prospector-(defender-)oriented strategy. We use both a discrete strategy score (STRATEGY) and a
dichotomous strategy measure to identify prospector strategy firms (PRO).7 Defenders have a score between 6 and 12;
analyzers have a score between 13 and 23 and share characteristics with the other two strategies; and prospectors have a
score between 24 and 30.8
6 By following prior U.S.-based empirical strategy research (e.g., Bentley et al. 2013), we use equal weighting of our strategy component measures.
A. Eulerich, M. Eulerich, and Fligge (2023) note that given rapid globalization it might be reasonable to use other weights or measure
components. For instance, in a German setting, it appears that firm focus on differentiation and efficiency are not mutually exclusive, in contrast
with extant strategy measures following Miles and Snow’s (1978, 2003) typology (Eulerich et al. 2023). We further test an alternative
strategy specification, strategic emphasis. Strategic emphasis is captured through advertising expense minus research and development expenses
scaled by total assets (Mizik and Jacobson 2003). Firms can be classified as either value appropriating or value creating, which roughly
approximate the goals of defenders and prospectors, respectively. Higher values reflect value appropriation, in line with the defender strategy.
We find a negative relationship between strategic emphasis and breach likelihood, suggesting that value-creating firms, acting like prospectors,
are more likely to be breached. The alternative specification indicates the robust relationship between strategy and breach likelihood, reducing
concerns surrounding our strategy measure calculation.
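The scoring procedure described above, sketched in Python as an added example (not the authors' code). It assumes the six five-year components are already computed per firm-year, uses a rank-based quintile rule in which ties share a score, scores all six components in the same direction as the text states, and runs on constructed sample values; the helper names are hypothetical.

```python
from collections import defaultdict

# The six components named in the text; each value is assumed to be already
# computed over the prior rolling five-year window for that firm-year.
COMPONENTS = ("EMPS5", "EMP5", "RDS5", "REV5", "SGA5", "CAP5")


def quintile_score(value, peers):
    """Return 1..5 from the share of peer values strictly below `value`.

    Assumption: rank-based quintiles in which tied values share a score; the
    text only states that the highest (lowest) quintile receives 5 (1).
    """
    below = sum(1 for p in peers if p < value)
    return (5 * below) // len(peers) + 1


def strategy_scores(rows):
    """Return {(firm, year): STRATEGY} for firm-years with all six components."""
    # Firm-years missing any component are dropped, mirroring the sample
    # selection step that removes observations with insufficient data.
    complete = [r for r in rows if all(r.get(c) is not None for c in COMPONENTS)]

    # Quintiles are formed within each year and two-digit SIC industry.
    groups = defaultdict(list)
    for r in complete:
        groups[(r["year"], r["sic2"])].append(r)

    scores = {}
    for members in groups.values():
        for c in COMPONENTS:
            peers = [m[c] for m in members]
            for m in members:
                key = (m["firm"], m["year"])
                scores[key] = scores.get(key, 0) + quintile_score(m[c], peers)
    return scores


def classify(score):
    """Map a STRATEGY score to the cutoffs given in the text."""
    if not 6 <= score <= 30:
        raise ValueError("STRATEGY must lie between 6 and 30")
    if score <= 12:
        return "defender"
    if score <= 23:
        return "analyzer"
    return "prospector"


def pro_indicator(score):
    """Dichotomous PRO measure: 1 for prospector firm-years, else 0."""
    return 1 if classify(score) == "prospector" else 0


def _row(firm, values, year=2019, sic2="73"):
    return {"firm": firm, "year": year, "sic2": sic2,
            **dict(zip(COMPONENTS, values))}


# Constructed sample: six hypothetical firms in one industry-year.
# Firm G lacks RDS5 and is therefore excluded from scoring.
SAMPLE_ROWS = [
    _row("A", (0.010, 50, 0.20, 0.25, 0.30, 0.50)),
    _row("B", (0.004, 20, 0.02, 0.03, 0.10, 0.30)),
    _row("C", (0.006, 30, 0.05, 0.05, 0.15, 0.20)),
    _row("D", (0.008, 40, 0.10, 0.10, 0.20, 0.40)),
    _row("E", (0.002, 10, 0.00, 0.01, 0.05, 0.10)),
    _row("G", (0.005, 25, None, 0.04, 0.12, 0.25)),
]

if __name__ == "__main__":
    for (firm, year), s in sorted(strategy_scores(SAMPLE_ROWS).items()):
        print(firm, year, s, classify(s), pro_indicator(s))
```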
We include a variety of control variables to control for the likelihood of a firm facing a breach. First, we control for
firm size (LNASSET), age (LNFIRMAGE), leverage (LEVERAGE), and annual growth (ROA, GROWTH, MB) as
larger, growing firms could face greater cybersecurity risk and greater disclosure incentives (e.g., Brown, Tian, and
Tucker 2018). Although long-term change in growth relative to other firms in the same industry-year is a component of
STRATEGY, controlling for annual growth enables us to distinguish breach risk established by recent firm growth.
Further, profitable firms (LOSS) and those with more complex operations (FOREIGN, MERGER, RESTRUCTURE)
could be more likely to incur and report a breach than other firms (Wang, Kannan, and Ulmer 2013; Kwon et al. 2013;
Gao, Zhong, and Mei 2015). We also account for the presence of an internal control material weakness (ICW) (Bentley-Goode
et al. 2017). We include several variables to control for executive, board of directors, and auditor characteristics
(Higgs et al. 2016; Feng and Wang 2018). Specifically, we control for the presence of a CIO, whether there is a technology
(TECH) or risk (RISK) committee on the board, whether the CEO is chairman of the board (CEOCHAIR), and
whether a Big 4 auditor is utilized (BIG4). Finally, we account for a firm’s IT strategic role (IT_ROLE) (Dehning,
Richardson, and Zmud 2003). IT strategic role captures firm IT intensity, specifically, the strategic role of IT investments
by SIC four-digit code and year using investment announcement data.
Next, we examine the relationship between business strategy, IT awareness (IT_AWARENESS), and breach likelihood.
We capture IT awareness at both the executive and firm levels. At the executive level, the CEO approves security policies,
is informed of security reports, refines and communicates firm-wide security policies, and understands the firm information
risk profile; and the CFO has an increasing role in cybersecurity and control processes throughout the firms (Masli et al.
2016; Haislip et al. 2021). Firm-level risk-management practices that could enhance IT governance, including cybersecurity
practices, can be shaped by executive background and experiences (Vincent et al. 2017). As such, we first examine IT
expertise (CEOIT, CFOIT), captured through BoardEx education and work experience. Executives without IT expertise
could be guided by their firm strategy more than an executive who has greater IT experience. At the firm level, we examine
three characteristics: the presence of a CIO (CIO), the presence of a technology committee on the board (TECH) (Higgs
et al. 2016), and whether the firm operates in an IT industry (IT_INDUSTRY). Collectively, these factors capture a firm’s
technological savviness. Firms with greater technology understanding could have policies to address cybersecurity risk distinct
from an overarching firm strategy focused on innovation and the adoption of multiple technologies.
IV. RESULTS
Descriptive Statistics
Table 2 presents descriptive statistics. Panel A provides details on the construction of STRATEGY. We note that
the mean strategy score in our sample is 18.979, consistent with prior organizational theory research. We further note
that prospectors have higher strategy scores than defenders. Panel B presents summary statistics for the full sample. We
7 We use the discrete measure STRATEGY as our primary strategy identifier in our analyses, as it captures nuances in analyzer firms that can have
strategy scores closer to prospectors or defenders that would otherwise be disregarded in our setting. We use PRO as a supplementary measure
providing additional evidence on the robustness of our results. As analyzer firms share characteristics with both prospector and defender strategies, we
also tabulate an additional dichotomous variable (PRO_ALT) to facilitate their inclusion in our discussion. Our results are robust.
8 Following Balsam, Fernando, and Tripathy (2011), we also use the alternative strategy measures of differentiation and cost leadership described by
Porter (1980). Relative to the Miles and Snow (1978) framework, differentiation is similar to a prospector strategy, and cost leadership is similar to a
defender strategy. Our results are robust to this alternative specification. Specifically, we find a positive association between a differentiation strategy
and breach likelihood (t = 2.32). We further note a negative association between a cost leadership strategy and breach likelihood (t = 1.82),
suggesting that an efficiency-focused strategy can assist in strengthening cybersecurity activities. Results are consistent if both differentiation and
cost leadership variables are included in the same model.
TABLE 2
Descriptive Statistics
note that firms in our sample are, on average, large and profitable firms that are not likely to receive an internal control
material weakness. In Panel C, we compare mean differences between breached and nonbreached firm-year observations.
We find that breached firms are larger, have higher ROA, and are more likely to use a Big 4 auditor and have a
CIO than nonbreached firms. In Panel D, we compare mean differences between prospector and defender strategy firm-year
observations. We find that prospectors are more leveraged, are more likely to have a Big 4 auditor, and are more
TABLE 2 (continued)
Panel C: Comparison of the Mean Value of Variables of Breach Firms and Nonbreach Firms
Breach Firms (n = 1,783) Nonbreach Firms (n = 32,525)
Variables Mean Std. Dev. Median Mean Std. Dev. Median Wilcoxon Rank-Sum Test
STRATEGY 19.577 2.894 19.000 18.946 3.605 19.000 (0.00)
PRO 0.088 0.283 0.000 0.107 0.309 0.000 (0.01)
PRO_ALT 0.658 0.475 1.000 0.548 0.498 1.000 (0.00)
LNASSET 8.479 1.926 8.761 5.699 2.448 6.000 (0.00)
ROA 0.039 0.173 0.053 0.124 0.971 0.029 (0.00)
LEVERAGE 0.253 0.229 0.209 0.190 0.239 0.122 (0.00)
MB 3.371 10.997 2.715 2.767 8.403 1.979 (0.00)
LOSS 0.169 0.375 0.000 0.362 0.480 0.000 (0.00)
FOREIGN 0.331 0.471 0.000 0.332 0.471 0.000 (0.92)
BIG4 0.701 0.458 1.000 0.539 0.498 1.000 (0.00)
RISK 0.043 0.203 0.000 0.020 0.141 0.000 (0.00)
TECH 0.057 0.231 0.000 0.034 0.182 0.000 (0.00)
CIO 0.796 0.403 1.000 0.402 0.490 0.000 (0.00)
IT_ROLE 1.836 1.148 2.000 1.510 1.179 2.000 (0.00)
ICW 0.040 0.196 0.000 0.075 0.263 0.000 (0.00)
MERGER 0.568 0.495 1.000 0.378 0.485 0.000 (0.00)
RESTRUCTURE 0.504 0.500 1.000 0.328 0.470 0.000 (0.00)
GROWTH 0.081 0.266 0.053 0.143 0.681 0.059 (0.00)
LNFIRMAGE 3.405 0.607 3.401 3.073 0.548 3.045 (0.00)
CEOCHAIR 0.694 0.461 1.000 0.407 0.491 0.000 (0.00)
DT 0.726 0.565 0.546 0.606 0.517 0.448 (0.00)
CEOTURNOVER 0.118 0.322 0.000 0.526 0.223 0.000 (0.00)
CEOIT 0.036 0.187 0.000 0.035 0.183 0.000 (0.72)
CFOIT 0.129 0.113 0.000 0.012 0.110 0.000 (0.81)
FLUIDITY 6.404 3.193 5.856 6.458 3.461 5.698 (0.41)
Variables Mean Std. Dev. Median Mean Std. Dev. Median Wilcoxon Rank-Sum Test
BREACH 0.007 0.086 0.000 0.007 0.082 0.000 (0.17)
STRATEGY 25.107 1.226 25.000 19.283 3.280 19.000 (0.00)
LNASSET 5.255 2.863 5.793 5.858 2.518 6.129 (0.00)
ROA 0.311 1.441 0.001 0.118 0.947 0.031 (0.00)
LEVERAGE 0.217 0.273 0.141 0.192 0.239 0.127 (0.03)
MB 3.306 10.760 2.314 2.838 8.633 2.031 (0.00)
LOSS 0.502 0.500 1.000 0.354 0.478 0.000 (0.00)
FOREIGN 0.315 0.465 0.000 0.333 0.471 0.000 (0.43)
BIG4 0.561 0.496 1.000 0.553 0.497 1.000 (0.00)
RISK 0.008 0.089 0.000 0.021 0.144 0.000 (0.00)
TECH 0.027 0.161 0.000 0.036 0.187 0.000 (0.08)
CIO 0.402 0.490 0.000 0.429 0.495 0.000 (0.00)
IT_ROLE 1.315 1.215 2.000 1.522 1.183 2.000 (0.00)
ICW 0.098 0.297 0.000 0.073 0.261 0.000 (0.00)
MERGER 0.400 0.490 0.000 0.393 0.488 0.000 (0.00)
RESTRUCTURE 0.308 0.462 0.000 0.341 0.474 0.000 (0.00)
GROWTH 0.301 1.045 0.095 0.142 0.675 0.060 (0.00)
LNFIRMAGE 2.914 0.549 2.833 3.087 0.556 3.045 (0.00)
CEOCHAIR 0.361 0.480 0.000 0.425 0.494 0.000 (0.19)
DT 0.613 0.518 0.448 0.614 0.521 0.448 (0.07)
CEOTURNOVER 0.115 0.319 0.000 0.114 0.317 0.000 (0.89)
CEOIT 0.036 0.187 0.000 0.036 0.186 0.000 (0.00)
CFOIT 0.009 0.094 0.000 0.013 0.111 0.000 (0.37)
FLUIDITY 7.360 3.743 6.615 6.505 3.474 5.760 (0.00)
likely to have a loss than defender firms. However, we do not note a significant difference in breach likelihood. Panel E
presents Pearson correlation coefficients.
Main Analyses
We first examine the relationship between business strategy and the likelihood of reporting a breach event
(BREACH) in Table 3. We expect that firms with a prospector business strategy have higher breach risk than defender
strategy firms, thus increasing breach likelihood. We find a positive association between our discrete strategy score measure
(STRATEGY) and breach likelihood (p < 0.01, z = 2.69), consistent with our first hypothesis. A 1-point increase in
STRATEGY is associated with a 3.2 percent increase in breach likelihood. Our results suggest that firms with a prospector
business strategy uniquely face a greater likelihood of reporting a breach than analyzer and defender firms. We similarly
find a positive and significant relationship between our dichotomous prospector strategy measures and the
TABLE 2 (continued)
(12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22)
RISK (12) 1.0000
TECH (13) 0.0065 1.0000
CIO (14) 0.0496 0.1061 1.0000
IT_ROLE (15) 0.0195 0.0231 0.1342 1.0000
ICW (16) 0.0143 0.0247 0.0427 0.0158 1.0000
MERGER (17) 0.0253 0.0562 0.1696 0.0723 0.0352 1.0000
RESTRUCTURE (18) 0.0257 0.0854 0.2147 0.0643 0.0204 0.1685 1.0000
GROWTH (19) 0.0159 0.0037 0.0525 0.0097 0.0243 0.0197 0.0808 1.0000
LNFIRMAGE (20) 0.0294 0.0669 0.0836 0.0895 0.0381 0.0682 0.1190 0.0815 1.0000
CEOCHAIR (21) 0.0222 0.0909 0.1954 0.0304 0.0804 0.1717 0.1502 0.0577 0.2577 1.0000
DT (22) 0.0033 0.0387 0.0088 0.0170 0.0038 0.0402 0.0833 0.0206 0.0689 0.0311 1.0000
Indicates that coefficients are significant at the 10 percent level.
This table reports descriptive statistics of the full sample. Panel A presents summary statistics for the full sample. Panel B compares mean and median
statistics for breach and nonbreach firm-year observations, while Panel C compares mean and median statistics for prospector and defender firm-year
observations. Panel D presents Pearson correlation coefficients. All continuous variables are Winsorized at the 1 percent and 99 percent level.
Please refer to Appendix B for variable definitions.
TABLE 3
Business Strategy and Breaches
likelihood of reporting a breach in t+1 (PRO, p < 0.05, z = 1.97; PRO_ALT, p < 0.05, z = 2.06). Having a prospector
strategy is associated with a 14 to 21.1 percent increase in breach likelihood compared to other firms, depending on the
specification of prospector firms. Our findings are not contingent on how we capture a firm’s business strategy.9 Our
results suggest that organizational instability stemming from decentralized controls implemented to facilitate diverse,
innovative operations places prospector firms at significantly greater risk of cybersecurity breaches. Although prospectors
9 The highest variance inflation factor in our model is 2.71 (SIZE). As such, multicollinearity is not a concern in our setting. We additionally restrict
our sample to only firms meeting the strict strategy score requirements described by Bentley et al. (2013) as being identified as having a defender or
prospector strategy. We continue to find a positive relationship between prospector business strategy and breach likelihood.
TABLE 4
Business Strategy, IT Awareness, and Breaches
have greater flexibility in changing their operations, the low degree of mechanization or routinization compared to
defenders can be disadvantageous.
We next examine the relationship between business strategy, IT awareness, and breach likelihood in Table 4. In
Panel A, we examine CEO and CFO IT expertise. We find that having a CEO or CFO with IT expertise mitigates the
TABLE 5
IT Strategic Role
positive association between strategy and breach likelihood. Specifically, the interaction terms CEOIT × STRATEGY (p <
0.10, z = 1.67) and CFOIT × STRATEGY (p < 0.01, z = 4.59) are negatively associated with breach likelihood.
Although strategy remains positively associated with breach risk, our results suggest that executive-level IT awareness can
assist in mitigating IT risk and managing IT governance, extending prior research findings (Vincent et al. 2017; Haislip
et al. 2021). In Panel B, we examine firm-level IT awareness. We do not find a significant association between
STRATEGY × CIO and breach likelihood (z = 0.65).10 However, strategy remains positively associated with the likelihood
of reporting a breach (z = 1.85). One possible explanation is that a CIO may not have enough latitude over IT
activities to mitigate an increase in breach risk, particularly if the firm is involved in the acquisition of multiple technologies.
Moreover, we find that having a technology committee on the board of directors can assist in mitigating the relationship
between strategy and breach likelihood (STRATEGY × TECH, p < 0.10, z = 1.77). A technology committee could
help oversee policies and the establishment of internal controls, allaying some cybersecurity concerns. We similarly
find that operating in an IT-intensive industry can assist in mitigating breach risk (STRATEGY × IT_INDUSTRY,
10 We note that firms with and without CIOs can have differences that necessitate the examination of such firm-years separately. For instance,
Chatterjee, Richardson, and Zmud (2001) find that the creation of a CIO role is viewed as value adding by market participants. In turn, these firms
can be viewed as having a different inherent approach to IT governance than firms lacking a CIO. We alternatively examine the relationship
between strategy, the presence of a CIO, and breach likelihood by partitioning the sample into firm-years with and without a CIO. We find a positive
association between strategy and breach likelihood only for firm-years lacking a CIO (p < 0.01, z = 2.60). The difference between the STRATEGY
coefficient for firm-years with and without a CIO is significant (p = 0.03). We also examine our other firm-level measures using a similar approach
and find that our results are robust to such alternative specification. Caution remains needed in interpreting the interaction terms. A negative
interaction term can reflect either a mitigation in increased breach risk or a direct reduction in breach risk.
TABLE 5 (continued)
Panel B: IT Role and Breach Likelihood. Columns: (1) Informate, (2) Automate, (3) Transform
p < 0.10, z = 1.71).11 Although operating in an IT industry can increase the likelihood of facing a breach
(IT_INDUSTRY, p < 0.10, z = 1.93), it appears to affect a firm’s response to cybersecurity activities and controls.
Collectively, our results suggest that executive- and firm-level IT awareness can impact breach likelihood, given the
existing business strategy, providing support for our second hypothesis.
We recognize that a firm’s strategic IT role could affect not only the strategy undertaken by a firm, but also overall
exposure to cybersecurity risk. As such, in Table 5, we specifically examine the impact of strategic IT role. Following
Dehning et al. (2003), there are three IT roles: informate, automate, and transform. An informate IT role provides data
11 We define IT industry as operating in one of the following SIC three-digit industries: 357, 367, or 737. Alternatively, we also examine two breach
intensive industries: Computers, Software, and Electronic and Wholesale and Retail Services. Our results are not contingent on Computers,
Software, and Electronic industry or retail industry breach events. We continue to note a relationship between strategy and breach likelihood.
TABLE 6
Firm Diversification
Panel A: DT. Columns: (1) STRATEGY, (2) PRO, (3) PRO_ALT
or information to empower employees, whereas an automate role automates business processes. Comparatively, a transform
IT role fundamentally alters how business is conducted through changes to business processes and relationships. In
Panel A, we first examine whether there is an association between strategic IT role (IT_ROLE) and strategy score
(STRATEGY). We find a significant negative association between IT role and strategy, suggesting that firms with IT
roles focused on automation or the provision of additional information to employees are less likely to have a prospector
strategy. That is, automate and informate IT roles focus on empowering decision making rather than the
rapid change of a prospector strategy.
In Panel B, we further investigate the impact of the three strategic IT roles (IT_ROLE_INFORMATE,
IT_ROLE_AUTOMATE, and IT_ROLE_TRANSFORM) on the relationship between strategy and breach likelihood.
We find that an informate IT role can moderate the positive relationship between strategy and breach risk, reducing
future breach likelihood (IT_ROLE_INFORMATE × STRATEGY, p < 0.10, z = 1.74). One possible explanation is
that the provision of additional data and information through an informate IT role can assist in empowering managers
to make informed decisions, even if there is a prospector strategy, reducing risk. Relatedly, we do not find any evidence
that either an automate or a transform role affects the relationship between strategy and breach likelihood. The mere
automation of existing business processes might not have enough weight to affect cybersecurity activities. Further,
transforming processes and relationships through IT might not leave enough resources to consider the impact of strategy on
organizational risk.
TABLE 6 (continued)
Panel B: FLUIDITY. Columns: (1) STRATEGY, (2) PRO, (3) PRO_ALT
Additional Analyses
We alternatively explore whether firm diversification can have a similar effect to IT awareness in possibly mitigating
some prospector firm breach risk. Firm diversification is a firm decision strategy akin to an overall business
strategy. In Table 6, Panel A, we examine the relationship between business strategy, diversification (DT), and
breach likelihood. Specifically, following Palepu (1985) we utilize the Jacquemin-Berry entropy measure to capture
the diversity of operations through the number of product segments, the distribution of total sales across product
segments, and the degree of relatedness among product segments. We find evidence that firms with higher business
strategy scores continue to have higher breach risk after concurrently considering the extent of firm diversification
(STRATEGY × DT, p < 0.10, z = 1.91). In Panel B, we alternatively examine whether product market competition
(FLUIDITY), a firm-level effect, alters the relationship between strategy and breach likelihood. Based on
Hoberg, Phillips, and Prabhala (2014), we capture product market competition through product market fluidity
from rival firms. Higher fluidity values reflect more competitive products. We find that prospector strategy firms
with greater competition have an increased likelihood of facing a breach (STRATEGY × FLUIDITY, p < 0.05,
TABLE 7
CEO Turnover
Columns: (1) CEOTURNOVER = 1, (2) CEOTURNOVER = 0
z = 2.28). Firm diversification and product market competition are external pressures that assist in explaining why
prospector firms are incentivized to innovate, increasing breach risk.
We observe that the CEO can impact the relationship between firm business strategy and breach likelihood.
We argue that the association between strategy and breach risk has a long-term effect due to strategy’s incremental
changes. As such, we examine instances of CEO turnover in Table 7 to discern whether strategic IT policy formation
is impounded into a firm’s strategy. Banker and Feng (2019) document that there is a greater likelihood of
CEO turnover following a security breach, particularly breaches with both system deficiency and human error,
given the broad responsibilities of the CEO. Additionally, organizational theory finds that executives of prospector
firms face greater turnover relative to other firms (e.g., Miles and Snow 1978, 2003). We extend these findings by
positing that CEO turnover can renew attention to cybersecurity strategies, especially for prospector strategy firms.
We find that the positive association between strategy and future breach likelihood exists only if there is no CEO
turnover (CEOTURNOVER = 0, p < 0.01, z = 2.60). Our results suggest that IT policy can change over the
course of a CEO’s tenure. In the year of turnover, there is no association between strategy and breach likelihood.
The association develops for CEOs with short tenure. Once longer tenure is achieved, the association no longer
appears. IT policy does not appear to be stable, but, rather, something that the firm can shape, possibly
mitigating additional risks stemming from a prospector strategy.
TABLE 8
Internal and External Breaches
Columns: (1) INTERNAL BREACH, (2) EXTERNAL BREACH
Further, we examine whether prospector firms’ greater breach likelihood is attributable to breaches related to
insiders or external sources.12 Following Higgs et al. (2016), internal breaches are attributable to unintended disclosure
(DISC), physical loss (PHYS), insiders (INSD), payment card fraud (CARD), and unknown (UNKN). External breaches
are attributable to hacks (HACK), portable device theft (PORT), or stationary theft (STAT). In Table 8, we find that
the prospector business strategy is associated with a greater likelihood of internal breaches (STRATEGY, p < 0.01, z = 3.28).
That is, firms with a prospector business strategy are more likely to have breaches due to insiders rather than
external parties. One possible explanation is that the prospector strategy involves rapid change and development compared
to the defender strategy, reducing the likelihood of routines and processes that insiders can rely on when carrying
out their duties, and increasing breach likelihood as a result.
In an untabulated analysis, we also conduct entropy balancing. Entropy balancing weights model covariates based
on balance conditions and a specified tolerance level (McMullin and Schonberger 2020) and is an “equal percent bias
reducing” matching method (Hainmueller 2012). Studies have shown that entropy balancing outperforms other matching
methods, such as propensity score matching, under a wide range of conditions (Parish, Keyes, Beadles, and
Kandilov 2018; Zhao and Percival 2017; Zubizarreta 2015). Using first and second moment (mean and standard deviation)
entropy balancing, we find that our results are consistent with previously stated results. Specifically, a positive
12 Breach classification is limited to breaches gathered from Privacy Rights Clearinghouse. We are able to classify 230 breaches in our sample.
association remains between strategy and breach likelihood. Our analysis provides additional confidence that results are
not attributable to inherent covariate differences between prospector and defender strategy firms.
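The first- and second-moment entropy balancing described above can be illustrated as follows. This is an added example, not code or data from the paper: the firm-year values are constructed, the function names are hypothetical, and solving the dual problem with Newton's method is an assumed choice of solver. Defender firm-years are reweighted until their weighted mean and standard deviation of each covariate equal those of the prospector firm-years.

```python
import math

# Constructed firm-years (not the paper's data): (LNASSET, LEVERAGE).
PROSPECTORS = [(3.5, 0.10), (4.0, 0.20), (4.5, 0.25), (5.0, 0.30),
               (5.5, 0.35), (6.5, 0.40), (7.5, 0.45), (8.5, 0.45)]
DEFENDERS = [(3.0 + i, 0.1 * j) for i in range(7) for j in range(6)]


def moments(unit):
    """Balance constraints for one firm-year: x and x^2 for every covariate."""
    return [m for x in unit for m in (x, x * x)]


def solve(a, b):
    """Solve a small dense linear system by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def entropy_balance(controls, treated, tol=1e-8, max_iter=100):
    """Weights on control units that match the treated first and second moments.

    Minimises sum(w * log(w / q)) for uniform base weights q, subject to the
    balance conditions, by Newton's method on the convex dual problem.
    """
    k = 2 * len(treated[0])
    target = [sum(moments(u)[r] for u in treated) / len(treated) for r in range(k)]
    z = [[c - t for c, t in zip(moments(u), target)] for u in controls]

    def tilt(lam):
        # Exponentially tilted weights and the dual loss (log-sum-exp form).
        s = [-sum(l * v for l, v in zip(lam, zi)) for zi in z]
        top = max(s)
        e = [math.exp(v - top) for v in s]
        total = sum(e)
        return [v / total for v in e], top + math.log(total)

    lam = [0.0] * k
    for _ in range(max_iter):
        w, loss = tilt(lam)
        gap = [sum(wi * zi[r] for wi, zi in zip(w, z)) for r in range(k)]
        if max(abs(g) for g in gap) < tol:      # balance conditions met
            return w
        hess = [[sum(wi * zi[r] * zi[c] for wi, zi in zip(w, z)) - gap[r] * gap[c]
                 for c in range(k)] for r in range(k)]
        step = solve(hess, gap)                 # Newton direction
        t = 1.0
        while t > 1e-8 and tilt([l + t * s for l, s in zip(lam, step)])[1] > loss:
            t /= 2                              # backtrack until the loss falls
        lam = [l + t * s for l, s in zip(lam, step)]
    raise RuntimeError("balance conditions not met within tolerance")


def mean_sd(values, weights):
    """Weighted mean and (population) standard deviation."""
    mean = sum(w * v for w, v in zip(weights, values))
    var = sum(w * (v - mean) ** 2 for w, v in zip(weights, values))
    return mean, math.sqrt(var)


def balance_table(controls, treated, weights):
    """Per covariate: (treated, unweighted control, reweighted control) mean/sd."""
    rows = []
    for j in range(len(treated[0])):
        t = [u[j] for u in treated]
        c = [u[j] for u in controls]
        rows.append((mean_sd(t, [1 / len(t)] * len(t)),
                     mean_sd(c, [1 / len(c)] * len(c)),
                     mean_sd(c, weights)))
    return rows


if __name__ == "__main__":
    w = entropy_balance(DEFENDERS, PROSPECTORS)
    for name, row in zip(("LNASSET", "LEVERAGE"), balance_table(DEFENDERS, PROSPECTORS, w)):
        print(name, [tuple(round(v, 4) for v in cell) for cell in row])
```

The resulting weights would then be used as observation weights when re-estimating the breach model on the reweighted sample.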
V. CONCLUSION
Our study examines the impact of business strategy on a firm’s breach risk, a nonfinancial reporting outcome. To a
threat actor, whether a firm exhibits a prospector or defender strategy could manifest in underlying differences in cybersecurity
breach incentives. That is, prospector firms with an innovation focus likely have different cybersecurity risks
than efficiency-focused defender-strategy firms, despite technological investments. We find that prospectors have a
higher breach likelihood than defenders. Further, we find that IT awareness at the executive and firm levels can affect
the relationship between prospectors and breach likelihood by mitigating some breach risk. Executives with IT expertise
appear to counter the impact of firm business strategy objectives, yielding lower breach likelihood. Similarly, firm-level
technology familiarity impacts the relationship between strategy and breach likelihood, with less savvy firms facing
greater risk. Our findings have important implications for external stakeholders evaluating a firm’s cybersecurity risk,
auditors assessing firm risk and planning cybersecurity-related testing, and regulators evaluating the need for additional
cybersecurity requirements and disclosures.
Our study has limitations that provide opportunities for future research. First, we rely on Miles and Snow’s (1978,
2003) business strategy typology and prior study methodologies (e.g., Bentley et al. 2013) to identify prospector and
defender firms. Strategy likely reflects fundamental differences in the structure and objectives of a firm that are established
early in a firm’s life cycle and remain relatively stable over time, with some firm adjustments. As such, econometrically
correcting for self-selection bias in our sample through propensity score matching is inconsistent with
organizational theory expectations, since firm characteristics other than strategy are also likely to be different. However,
we attempt to classify analyzer strategy firms using our dichotomous strategy variable, retaining them in our sample and
providing greater detail on strategy implications. Second, we are only able to examine reported cybersecurity breaches.
There could be additional breaches during our sample period that have yet to be reported. Future research can examine
whether cybersecurity controls and processes within a firm have adapted to the business strategy over time.
Additionally, future research can examine the extent to which cybersecurity requirements and disclosures are shaped by
executives and strategy.
REFERENCES
American Institute of Certified Public Accountants (AICPA). 2017a. AICPA Unveils Cybersecurity Risk Management Reporting
Framework. Durham, NC: AICPA.
https://www.aicpa.org/press/pressreleases/2017/aicpa-unveils-cybersecurity-risk-management-reporting-framework.html
American Institute of Certified Public Accountants (AICPA). 2017b. Description Criteria for Management’s Description of an
Entity’s Cybersecurity Risk Management Program. New York, NY: AICPA.
Angst, C. M., E. S. Block, J. D’Arcy, and K. Kelley. 2017. When do IT security investments matter? Accounting for the influence
of institutional factors in the context of healthcare data breaches. MIS Quarterly 41 (3): 893–916.
https://doi.org/10.25300/MISQ/2017/41.3.10
Ashraf, M. 2022. The role of peer events in corporate governance: Evidence from data breaches. The Accounting Review 97 (2):
1–24. https://doi.org/10.2308/TAR-2019-1033
Balsam, S., G. D. Fernando, and A. Tripathy. 2011. The impact of firm strategy on performance measures used in executive
compensation. Journal of Business Research 64 (2): 187–193. https://doi.org/10.1016/j.jbusres.2010.01.006
Banker, R. D., and C. Q. Feng. 2019. The impact of information security breach incidents on CIO turnover. Journal of
Information Systems 33 (3): 309–329. https://doi.org/10.2308/isys-52532
Benaroch, M., and A. Chernobai. 2017. Operational IT failures, IT value-destruction, and board-level IT governance changes.
MIS Quarterly 41 (3): 729–762. https://doi.org/10.25300/MISQ/2017/41.3.04
Bentley, K. A., T. C. Omer, and N. Y. Sharp. 2013. Business strategy, financial reporting irregularities, and audit effort.
Contemporary Accounting Research 30 (2): 780–817. https://doi.org/10.1111/j.1911-3846.2012.01174.x
Bentley-Goode, K. A., N. J. Newton, and A. M. Thompson. 2017. Business strategy, internal control over financial reporting,
and audit reporting quality. Auditing: A Journal of Practice & Theory 36 (4): 49–69. https://doi.org/10.2308/ajpt-51693
Bentley-Goode, K. A., T. C. Omer, and B. J. Twedt. 2019. Does business strategy impact a firm’s information environment?
Journal of Accounting, Auditing & Finance 34 (4): 563–587. https://doi.org/10.1177/0148558X17726893
Brown, S. V., X. S. Tian, and J. W. Tucker. 2018. The spillover effect of SEC comment letters on qualitative corporate disclosure:
Evidence from the risk factor disclosure. Contemporary Accounting Research 35 (2): 622–656.
https://doi.org/10.1111/1911-3846.12414
Chai, S., M. Kim, and H. R. Rao. 2011. Firms’ information security investment decisions: Stock market evidence of investors’
behavior. Decision Support Systems 50 (4): 651–661. https://doi.org/10.1016/j.dss.2010.08.017
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth effects of announcements of newly
created CIO positions. MIS Quarterly 25 (1): 43–70. https://doi.org/10.2307/3250958
Collins, F., O. Holzmann, and R. Mendoza. 1997. Strategy, budgeting, and crisis in Latin America. Accounting, Organizations
and Society 22 (7): 669–689. https://doi.org/10.1016/S0361-3682(96)00050-5
Dehning, B., V. J. Richardson, and R. W. Zmud. 2003. The value relevance of announcements of transformational information
technology investments. MIS Quarterly 27 (4): 637–656. https://doi.org/10.2307/30036551
Eulerich, A. K., M. Eulerich, and B. Fligge. 2023. Analyzing the strategy-performance relationship in Germany–Can we still use the
common strategic frameworks? Journal of Strategy and Management (forthcoming). https://doi.org/10.1108/JSMA-09-2022-0157
Ettredge, M., F. Guo, and Y. Li. 2018. Trade secrets and cyber security breaches. Journal of Accounting and Public Policy 37 (6):
564–585. https://doi.org/10.1016/j.jaccpubpol.2018.10.006
Feng, C. Q., and T. Wang. 2018. Does CIO risk appetite matter? Evidence from information security breach incidents.
International Journal of Accounting Information Systems 32: 59–75. https://doi.org/10.1016/j.accinf.2018.11.001
Gao, X., W. Zhong, and S. Mei. 2015. Security investment and information sharing under an alternative security breach
probability function. Information Systems Frontiers 17 (2): 423–438. https://doi.org/10.1007/s10796-013-9411-3
Hainmueller, J. 2012. Entropy balancing for causal effects: A multivariate reweighting method to produce balanced samples in
observational studies. Political Analysis 20 (1): 25–46. https://doi.org/10.1093/pan/mpr025
Haislip, J., J.-H. Lim, and R. Pinsker. 2021. The impact of executives’ IT expertise on reported data security breaches.
Information Systems Research 32 (2): 318–334. https://doi.org/10.1287/isre.2020.0986
Haislip, J. Z., and V. J. Richardson. 2018. The effect of CEO IT expertise on the information environment: Evidence from
earnings forecasts and announcements. Journal of Information Systems 32 (2): 71–94. https://doi.org/10.2308/isys-51796
Haislip, J. Z., K. E. Karim, K. J. Lin, and R. E. Pinsker. 2020. The influence of CEO IT expertise and board-level technology
committees on disclosure timeliness. Journal of Information Systems 34 (2): 167–185. https://doi.org/10.2308/isys-52530
Hambrick, D. C. 1981. Environment, strategy, and power within top management teams. Administrative Science Quarterly 26 (2):
253–275. https://doi.org/10.2307/2392472
Hambrick, D. C. 1983. Some tests of the effectiveness and functional attributes of Miles and Snow’s strategic types. The Academy
of Management Journal 26 (1): 5–26. https://doi.org/10.2307/256132
He, C. Z., T. Frost, and R. E. Pinsker. 2020. The impact of reported cybersecurity breaches on firm innovation. Journal of
Information Systems 34 (2): 187–209. https://doi.org/10.2308/isys-18-053
Higgins, D., T. C. Omer, and J. D. Phillips. 2015. The influence of a firm’s business strategy on its tax aggressiveness.
Contemporary Accounting Research 32 (2): 674–702. https://doi.org/10.1111/1911-3846.12087
Higgs, J. L., R. E. Pinsker, T. J. Smith, and G. R. Young. 2016. The relationship between board-level technology committees and
reported security breaches. Journal of Information Systems 30 (3): 79–98. https://doi.org/10.2308/isys-51402
Hoberg, G., G. Phillips, and N. Prabhala. 2014. Product market threats, payouts, and financial flexibility. The Journal of Finance
69 (1): 293–324. https://doi.org/10.1111/jofi.12050
Hsieh, C.-C., Z. Ma, and K. E. Novoselov. 2018. Accounting conservatism, business strategy, and ambiguity. Accounting,
Organizations and Society 74: 41–55. https://doi.org/10.1016/j.aos.2018.08.001
Huang, H. H., and C. Wang. 2021. Do banks price firms’ data breaches? The Accounting Review 96 (3): 261–286.
https://doi.org/10.2308/TAR-2018-0643
Im, K. S., K. E. Dow, and V. Grover. 2001. Research report: A reexamination of IT investment and the market value of
the firm—an event study methodology. Information Systems Research 12 (1): 103–117.
https://doi.org/10.1287/isre.12.1.103.9718
Islam, M. S., N. Farah, and T. F. Stafford. 2018. Factors associated with security/cybersecurity audit by internal audit function:
An international study. Managerial Auditing Journal 33 (4): 377–409. https://doi.org/10.1108/MAJ-07-2017-1595
Ittner, C. D., D. F. Larcker, and M. V. Rajan. 1997. The choice of performance measures in annual bonus contracts.
The Accounting Review 72 (2): 231–255. https://www.jstor.org/stable/248554
Jarvenpaa, S. L., and B. Ives. 1991. Executive involvement and participation in the management of information technology. MIS
Quarterly 15 (2): 205–227. https://doi.org/10.2307/249382
Kwon, J., J. R. Ulmer, and T. Wang. 2013. The association between top management involvement and compensation and
information security breaches. Journal of Information Systems 27 (1): 219–236. https://doi.org/10.2308/isys-50339
Lawrence, A., M. Minutti-Meza, and D. Vyas. 2018. Is operational control risk informative of financial reporting deficiencies?
Auditing: A Journal of Practice & Theory 37 (1): 139–165. https://doi.org/10.2308/ajpt-51784
Li, H., W. G. No, and J. E. Boritz. 2020. Are external auditors concerned about cyber incidents? Evidence from audit fees.
Auditing: A Journal of Practice & Theory 39 (1): 151–171. https://doi.org/10.2308/ajpt-52593
Lim, E. K., K. Chalmers, and D. Hanlon. 2018. The influence of business strategy on annual report readability. Journal of
Accounting and Public Policy 37 (1): 65–81. https://doi.org/10.1016/j.jaccpubpol.2018.01.003
March, J. G. 1991. Exploration and exploitation in organizational learning. Organization Science 2 (1): 71–87.
https://doi.org/10.1287/orsc.2.1.71
Martin, D. X. 2021. Cybersecurity as a business strategy. Corporate Board Member.
https://boardmember.com/cybersecurity-as-a-business-strategy/
Masli, A., V. Richardson, M. W. Watson, and R. W. Zmud. 2016. Senior executives’ IT management responsibilities: Serious IT-
related deficiencies and CEO/CFO turnover. MIS Quarterly 40 (3): 687–708. https://doi.org/10.25300/MISQ/2016/40.3.08
McMullin, J. L., and B. Schonberger. 2020. Entropy-balanced accruals. Review of Accounting Studies 25: 84–119.
https://doi.org/10.1007/s11142-019-09525-9
Melika, J. 2021. Cybersecurity is now essential to corporate strategy. Here’s how to bring the two together. Entrepreneur
(May 22). https://www.entrepreneur.com/article/369618
Miles, R. E., and C. C. Snow. 1978. Organizational Strategy, Structure and Process. New York, NY: McGraw-Hill.
Miles, R. E., and C. C. Snow. 2003. Organizational Strategy, Structure, and Process. Stanford, CA: Stanford University Press.
Mizik, N., and R. Jacobson. 2003. Trading off between value creation and value appropriation: The financial implications of shifts
in strategic emphasis. Journal of Marketing 67 (1): 63–76. https://doi.org/10.1509/jmkg.67.1.63.18595
Palepu, K. 1985. Diversification strategy, profit performance and the entropy measure. Strategic Management Journal 6 (3):
239–255. https://doi.org/10.1002/smj.4250060305
Parish, W. J., V. Keyes, C. Beadles, and A. Kandilov. 2018. Using entropy balancing to strengthen an observational cohort study
design: Lessons learned from an evaluation of a complex multi-state federal demonstration. Health Services and Outcomes
Research Methodology 18: 17–46. https://doi.org/10.1007/s10742-017-0174-z
Ponemon Institute and IBM Security. 2021. Cost of a data breach report 2021. https://www.ibm.com/downloads/cas/OJDVQGRY
Porter, M. E. 1980. Competitive Advantage. New York, NY: Free Press.
Richardson, V. J., R. E. Smith, and M. W. Watson. 2019. Much ado about nothing: The (lack of) economic impact of data
privacy breaches. Journal of Information Systems 33 (3): 227–265. https://doi.org/10.2308/isys-52379
Robinhood. 2021. Robinhood announces data security incident (update).
https://blog.robinhood.com/news/2021/11/8/data-security-incident
Securities and Exchange Commission (SEC). 2011. CF Disclosure Guidance: Topic No. 2: Cybersecurity. Washington, DC: SEC.
https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Securities and Exchange Commission (SEC). 2018. Commission Statement and Guidance on Public Company Cybersecurity
Disclosures. Release Nos. 33-10459, 34-82746. Washington, DC: SEC. https://www.sec.gov/rules/interp/2018/33-10459.pdf
Sen, R., and S. Borle. 2015. Estimating the contextual risk of data breach: An empirical approach. Journal of Management
Information Systems 32 (2): 314–341. https://doi.org/10.1080/07421222.2015.1063315
Simons, R. 1987. Accounting control systems and business strategy: An empirical analysis. Accounting, Organizations and Society
12 (4): 357–374. https://doi.org/10.1016/0361-3682(87)90024-9
Smith, T. J., J. L. Higgs, and R. E. Pinsker. 2019. Do auditors price breach risk in their audit fees? Journal of Information Systems
33 (2): 177–204. https://doi.org/10.2308/isys-52241
Tan, H.-T., and Y. Yu. 2018. Management’s responsibility acceptance, locus of breach, and investors’ reactions to internal control
reports. The Accounting Review 93 (6): 331–355. https://doi.org/10.2308/accr-52077
Treacy, M., and F. Wiersema. 1995. The Discipline of Market Leaders: Choose Your Customers, Narrow Your Focus, Dominate
Your Market. Reading, MA: Addison-Wesley.
Vincent, N. E., J. L. Higgs, and R. E. Pinsker. 2017. IT governance and the maturity of IT risk management practices. Journal of
Information Systems 31 (1): 59–77. https://doi.org/10.2308/isys-51365
Volz, D. 2021. State department to form new cyber office to face proliferating global challenges. The Wall Street Journal (October 25).
https://www.wsj.com/articles/state-department-to-form-new-cyber-office-to-face-proliferating-global-challenges-11635176700
Walton, S., P. R. Wheeler, Y. I. Zhang, and X. R. Zhao. 2021. An integrative review and analysis of cybersecurity research:
Current state and future directions. Journal of Information Systems 35 (1): 155–186. https://doi.org/10.2308/ISYS-19-033
Wang, T., K. N. Kannan, and J. R. Ulmer. 2013. The association between the disclosure and the realization of information
security risk factors. Information Systems Research 24 (2): 201–218. https://doi.org/10.1287/isre.1120.0437
Xu, H., S. Y. Guo, J. Z. Haislip, and R. E. Pinsker. 2019. Earnings management in firms with data security breaches. Journal of
Information Systems 33 (3): 267–284. https://doi.org/10.2308/isys-52480
Yen, J.-C., J.-H. Lim, T. Wang, and C. Hsu. 2018. The impact of audit firms’ characteristics on audit fees following information
security breaches. Journal of Accounting and Public Policy 37 (6): 489–507. https://doi.org/10.1016/j.jaccpubpol.2018.10.002
Zhao, Q., and D. Percival. 2017. Entropy balancing is doubly robust. Journal of Causal Inference 5 (1): 20160010.
https://doi.org/10.1515/jci-2016-0010
Zubizarreta, J. R. 2015. Stable weights that balance covariates for estimation with incomplete outcome data. American Statistical
Association 110 (511): 910–922. https://doi.org/10.1080/01621459.2015.1023805
APPENDIX A
Strategy Typologies
| Miles and Snow (1978, 2003) | Porter (1980) | March (1991) | Treacy and Wiersema (1995) | Eulerich et al. (2023) |
|---|---|---|---|---|
| Prospectors | Differentiation | Exploration | Product leadership and customer intimacy | Differentiation |
| Defenders | Cost Leaders | Exploitation | Operational excellence | Efficiency |
| Reactors | | | | |
APPENDIX B
Variable Definitions