![Sample our Information Science journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5940/TOC-Subject-Sample-2021-Communication-Studies.jpg"})
ABSTRACT
The adoption of new Information Technology (IT) innovations has led to increased uncertainty among employees, a greater demand for security measures, and more entry points for cyber-attacks, which all increase the risk of data breaches for firms. Despite the prevalence of discussions around this issue, there has been a lack of empirical research examining the data breach risk associated with IT innovations. To address this gap, we have developed arguments based on an organizational learning theoretical framework that explains how IT innovativeness can exacerbate data breach risk. Through our analysis of a sample of data breaches that occurred between 2013 and 2021, we have discovered that there is a positive association between firm IT innovativeness and the risk of data breaches. We also find that the effects of IT innovativeness can vary under certain conditions. For example, we find that the positive relationship between IT innovativeness and data breach risk is mitigated when managers possess IT expertise or when firms have established extensive board connections with cybersecurity managers. Moreover, we find that the relationship between IT innovativeness and data breach risk is amplified in complex environments but not in dynamic or munificent ones. This study takes the lead in advancing the theoretical understanding and empirical validation of security-related risks associated with IT innovations. Moreover, our findings serve as a timely reminder for research and practice to carefully consider the implications of introducing novel technologies into firms and the potential dark side consequences that may arise. Additionally, this study underscores the importance of understanding organizational learning in risk assessment and change management, as well as the critical role of contextual factors in moderating the unintended security-related consequences linked to IT innovations.
Acknowledgments
The authors are immensely grateful for the constructive comments of the Editor-in-Chief and three anonymous referees on earlier versions of this paper.
Disclosure Statement
No potential conflict of interest was reported by the authors.
Supplementary Information
Supplemental data for this article can be accessed online at https://doi.org/10.1080/07421222.2023.2267319
Notes
1. Source: https://www.ibm.com/downloads/cas/OJDVQGRY
3. Our study’s sample period spans from 2013 to 2021. This is because the CI database provided stable IT implementation data from 2011 onwards and ceased to provide this data in 2021. We also need two years of IT implementation data to identify new adoption of innovative IT (i.e., IT innovation). In addition, we used one-year lagging explanatory variables to account for any potential reverse causality. Therefore, our sample period is from 2013 to 2021.
4. ITRC (http://www.idtheftcenter.org/) is a nonprofit organization that has publicly provided data breach reports since 2005.
5. Based on the academic degree information revealed in BoardEx, we recognize an academic degree is IT-related if it contains at least one of the keywords listed in Online Supplemental Appendix 4, Panel A of . The keywords are case-insensitive. In addition, we have manually checked the correctness of each identified IT-related academic degrees.
6. Based on the position information revealed in BoardEx, we recognize a position is IT-related if it contains at least one of the keywords lists in Online Supplemental Appendix 4, Panel B of . The keywords are case-insensitive. In addition, we have manually checked the correctness of each identified IT-related positions.
7. Following Kim et al. [Citation53], we define IT firms as the ones in IT industries, and we define IT industries based on the following four-digit SIC codes: 3570, 3571, 3572, 3576, 3577, 3578, 3579, 3661, 3663, 3674, 3812, 3822, 3825, 3826, 3827, 3842, 3845, 3861, 4812, 4813, 4822, 4832, 4833, 4841, 4899, 7370, 7371, 7372, 7373, or 7374.
8. Based on the position information revealed in BoardEx, we recognize a position is cyber-related if it contains at least one of the keyword list in the Online Supplemental Appendix 4, Panel C of . The keywords are case-insensitive. In addition, we have manually checked the correctness of each identified IT-related positions.
Additional information
Notes on contributors
Qian Wang
Qian Wang ([email protected]) is an Assistant Professor in the Department of Business Intelligence and Analytics at the Faculty of Business Administration of the University of Macau. Her research interests revolve around information security, the impact of data breaches, and IT governance. Dr. Wang has published papers in Journal of Management Information Systems, Journal of Strategic Information Systems, International Journal of Production Economics, and Information Systems Frontiers.
Eric W. T. Ngai
Eric W. T. Ngai ([email protected]) is a Distinguished Research Professor in Information and Operations Management at the Department of Management and Marketing, Faculty of Business, The Hong Kong Polytechnic University. His research interests focus on E-commerce, supply chain management, decision support systems, and use of AI in business intelligence applications. Dr. Ngai has published in a number of prestigious journals including the Journal of Management Information Systems, MIS Quarterly, Journal of Operations Management, Production & Operations Management, INFORMS Journal on Computing, Information & Management, Decision Support Systems, European Journal of Information Systems, and other journals.
Daniel Pienta
Daniel Pienta ([email protected]) is an Assistant Professor in the Department of Accounting and Information Management in the Haslam College of Business at the University of Tennessee, Knoxville. His primary research interests include information security and user privacy. Prior to his career in academics, he consulted some of the largest financial institutions in the United States on due diligence and cybersecurity. Dr. Pienta has published in the Journal of Management Information Systems, Journal of the Association for Information Systems, Journal of Information Technology, and Communications of the Association of Information Systems.
Jason Bennett Thatcher
Jason Bennett Thatcher ([email protected]) holds the Milton F. Stauffer Professorship in the Department of Management Information Systems at the Fox School of Business, Temple University. His research examines the influence of individual beliefs and characteristics on adaptive and maladaptive post-adoption IT use. He also studies strategic, human resource management, and cybersecurity issues related to the effective application of information technologies in organizations. His work appears in a number of prestigious journals, such as Journal of Management Information Systems, MIS Quarterly, Information Systems Research, Journal of Applied Psychology, Journal of the Association for Information Systems, and in others outlets.