Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity
References
Ahmad, 2015, A case analysis of information systems and security incident responses, Int. J. Inf. Manag., 35, 717, 10.1016/j.ijinfomgt.2015.08.001
AlGhamdi, 2020, Information security governance challenges and critical success factors: systematic review, Comput. Secur., 99, 39, 10.1016/j.cose.2020.102030
Andrus, 2019, Go your own way: exploring the causes of top executive turnover, Strat. Manag. J., 40, 1151, 10.1002/smj.3020
Angwin, 2009, Connecting up strategy: are senior strategy directors a missing link?, Calif. Manag. Rev., 51, 74, 10.2307/41166494
Banker, 2011, CIO reporting structure, strategic positioning, and firm performance, MIS Q., 35, 487, 10.2307/23044053
Baron, 1986, The moderator-mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations, J. Pers. Soc. Psychol., 51, 1173, 10.1037/0022-3514.51.6.1173
Benaroch, 2017, Operational IT failures, IT value destruction, and board-level IT governance changes, MIS Q., 41, 729, 10.25300/MISQ/2017/41.3.04
Bojanc, 2008, An economic modelling approach to information security risk management, Int. J. Inf. Manag., 28, 413, 10.1016/j.ijinfomgt.2008.02.002
Borrett, 2014, How is cyber threat evolving and what do organisations need to consider?, J. Bus. Contin. Emer. Plan., 7, 163
Cavusoglu, 2005, The value of intrusion detection systems in information technology security architecture, Inf. Syst. Res., 16, 28, 10.1287/isre.1050.0041
Cavusoglu, 2008, Decision-theoretic and game-theoretic approaches to IT security investment, J. Manag. Inf. Syst., 25, 281, 10.2753/MIS0742-1222250211
Cerullo, 2004, Business continuity planning: a comprehensive approach, Inf. Syst. Manag., 21, 70, 10.1201/1078/44432.21.3.20040601/82480.11
Chang, 2017, The risk implications of mergers and acquisitions with information technology firms, J. Manag. Inf. Syst., 34, 232, 10.1080/07421222.2017.1297641
Chopra, 2020
DCMS. (2021). Cyber Security Breaches Survey 2021. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021
Deloitte. (2004). Sarbanes-Oxley Section 404: 10 Threats to Compliance. Retrieved November 10 from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/audit/us-aers-assur-ten-threats-sep2004.pdf
Douglas, 2014
Dutta, 2002, Management's role in information security in a cyber economy, Calif. Manag. Rev., 45, 67, 10.2307/41166154
Enns, 2003, CIO lateral influence behaviors: gaining peers' commitment to strategic information systems, MIS Q., 27, 155, 10.2307/30036522
Feng, 2019, Does CIO risk appetite matter? Evidence from information security breach incidents, Int. J. Account. Inf. Syst., 32, 59, 10.1016/j.accinf.2018.11.001
Fiske, 2013
GDPR. (2018). General Data Protection Regulation - Right to Compensation and Liability. https://gdprinfo.eu/en-article-82
Geiger, 2006, Does hiring a new CFO change things? An investigation of changes in discretionary accruals, Account. Rev., 81, 781, 10.2308/accr.2006.81.4.781
Goel, 2009, Estimating the market impact of security breach announcements on firm value, Inf. Manag., 46, 404, 10.1016/j.im.2009.06.005
Goode, 2017, User compensation as a data breach recovery action: an investigation of the Sony Playstation network breach, MIS Q., 41, 703, 10.25300/MISQ/2017/41.3.03
Gwebu, 2018, The role of corporate reputation and crisis response strategies in data breach management, J. Manag. Inf. Syst., 35, 683, 10.1080/07421222.2018.1451962
Hambrick, 1984, Upper echelons - the organization as a reflection of its top managers, Acad. Manag. Rev., 9, 193, 10.2307/258434
Haunschild, 2002, Learning from complexity: effects of prior accidents and incidents on airlines' learning, Adm. Sci. Q., 47, 609, 10.2307/3094911
Hillman, 2003, Boards of directors and firm performance: integrating agency and resource dependence perspectives, Acad. Manag. Rev., 28, 383, 10.2307/30040728
HISCOX. (2020). Hiscox Cyber Readiness Report. https://www.hiscox.co.uk/sites/uk/files/documents/2020-06/Hiscox_Cyber_Readiness_Report_2020_UK.PDF
Homeland Security. (2021). Cybersecurity Glossary. Retrieved 10 October 2021 from https://niccs.cisa.gov/about-niccs/cybersecurity-glossary
Iacobucci, 2007, A meditation on mediation: evidence that structural equations models perform better than regressions, J. Consum. Psychol., 17, 139, 10.1016/S1057-7408(07)70020-7
2018
2006
Johnston, 2009, Improved security through information security governance, Commun. ACM, 52, 126, 10.1145/1435417.1435446
Khan, 2021, Data breach management: an integrated risk model, Inf. Manag., 58, 10.1016/j.im.2020.103392
Knight, 2020, A framework for effective corporate communication after cyber security incidents, Comput. Secur., 99, 18, 10.1016/j.cose.2020.102036
Kwon, 2013, Health-care security strategies for data protection and regulatory compliance, J. Manag. Inf. Syst., 30, 41, 10.2753/MIS0742-1222300202
Kwon, 2014, Proactive versus reactive security investments in the healthcare sector, MIS Q., 38, 451, 10.25300/MISQ/2014/38.2.06
Landoll, 2016
Li, 2010, Financial executive qualifications, financial executive turnover, and adverse SOX 404 opinions, J. Account. Econ., 50, 93, 10.1016/j.jacceco.2010.01.003
Li, 2020, Are external auditors concerned about cyber incidents? Evidence from audit fees, Audit.: J. Pract. Theory, 39, 151
Liu, 2020, Centralized IT decision making and cybersecurity breaches: evidence from U.S. Higher education institutions, J. Manag. Inf. Syst., 37, 758, 10.1080/07421222.2020.1790190
Marcellus, 1991, Interactive process quality improvement, Manag. Sci., 37, 1365, 10.1287/mnsc.37.11.1365
March, J.G., and Simon, H.A. (1958). Organizations.
Mehmetoglu, 2018, Medsem: a stata package for statistical mediation analysis, Int. J. Comput. Econ. Econometr., 8, 63, 10.1504/IJCEE.2018.088321
Menz, 2012, Functional top management team members: a review, synthesis, and research agenda, J. Manag., 38, 45
Miller, G.P. (2014). The compliance function: an overview. NYU Law and Economics Research Paper No. 14-36.
Mishra, 2015, Organizational objectives for information security governance: a value focused assessment, Inf. Comput. Secur., 23, 122, 10.1108/ICS-02-2014-0016
Moulton, 2003, Applying information security governance, Comput. Secur., 22, 580, 10.1016/S0167-4048(03)00705-3
Ng, 2013
Nicho, 2018, A process model for implementing information systems security governance, Inf. Comput. Secur., 26, 10, 10.1108/ICS-07-2016-0061
2021
Nolan, 2019, Cybersecurity: today's most pressing governance issue, J. Cyber Policy, 4, 425, 10.1080/23738871.2019.1673458
Nolan, 2005, Information technology and the board of directors, Harv. Bus. Rev., 83, 96
Ocasio, 1997, Towards an attention-based view of the firm, Strat. Manag. J., 18, 187, 10.1002/(SICI)1097-0266(199707)18:1+<187::AID-SMJ936>3.0.CO;2-K
Ocasio, W., Rhee, L., and Milner, D. (2020). Attention, knowledge, and organizational learning. https://doi.org/10.1093/oxfordhb/9780190263362.013.33
Peterson, 1999, Cause or effect?
Rasoulian, 2017, Service crisis recovery and firm performance: insights from information breach announcements, J. Acad. Mark. Sci., 45, 789, 10.1007/s11747-017-0543-8
Raza, 2018, Paradoxical tensions between digital innovation and information security compliance in a large financial services organization
Rebollo, 2014, ISGcloud: a security governance framework for cloud computing, Comput. J., 58, 2233, 10.1093/comjnl/bxu141
Rerup, 2009, Attentional triangulation: learning from unexpected rare crises, Org. Sci., 20, 876, 10.1287/orsc.1090.0467
Rothrock, 2018, The board's role in managing cybersecurity risks, MIT Sloan Manag. Rev., 59, 12
Sambamurthy, 1999, Arrangements for information technology governance: a theory of multiple contingencies, MIS Q., 23, 261, 10.2307/249754
Santos, 2018
Say, 2020, Learning from digital failures? The effectiveness of firms’ divestiture and management turnover responses to data breaches, Strategy Sci., 5, 117, 10.1287/stsc.2020.0106
Sen, 2015, Estimating the contextual risk of data breach: an empirical approach, J. Manag. Inf. Syst., 32, 314, 10.1080/07421222.2015.1063315
Seshadri, 2001, Managerial allocation of time and effort: the effects of interruptions, Manag. Sci., 47, 647, 10.1287/mnsc.47.5.647.10481
Shedden, 2010, Information security risk assessment: towards a business practice perspective
Shedden, 2009, Towards a knowledge perspective in information security risk assessments – an illustrative case study
Simon, 1991, Bounded rationality and organizational learning, Org. Sci., 2, 125, 10.1287/orsc.2.1.125
Siponen, 2009, Information security management standards: problems and solutions, Inf. Manag., 46, 267, 10.1016/j.im.2008.12.007
Smith, 2018, Do auditors price breach risk in their audit fees?, J. Inf. Syst., 33, 177
Sobel, 1987, Direct and indirect effects in linear structural equation models, Sociol. Methods Res., 16, 155, 10.1177/0049124187016001006
Spanos, 2016, The impact of information security events to the stock market: a systematic literature review, Comput. Secur., 58, 216, 10.1016/j.cose.2015.12.006
Spears, 2010, User participation in information systems security risk management, MIS Q., 34, 503, 10.2307/25750689
Straub, 1998, Coping with systems risk: security planning models for management decision making, MIS Q., 22, 441, 10.2307/249551
Sullivan, 2010, Competition and beyond: problems and attention allocation in the organizational rulemaking process, Org. Sci., 21, 432, 10.1287/orsc.1090.0436
Sun, 2006, An information systems security risk assessment model under the Dempster-Shafer theory of belief functions, J. Manag. Inf. Syst., 22, 109, 10.2753/MIS0742-1222220405
Sutton, 2008, Risk analysis in extended enterprise environments: identification of critical risk factors in B2B e-commerce relationships, J. Assoc. Inf. Syst., 9, 151
Tallon, 2013, The information artifact in IT governance: toward a theory of information governance, J. Manag. Inf. Syst., 30, 141, 10.2753/MIS0742-1222300306
Tuggle, 2010, Commanding Board of Director attention: investigating how organizational performance and CEO duality affect board members' attention to monitoring, Strat. Manag. J., 31, 946, 10.1002/smj.847
Veiga, 2007, An information security governance framework, Inf. Syst. Manag., 24, 361, 10.1080/10580530701586136
Vincent, 2015, IT governance and the maturity of IT risk management practices, J. Inf. Syst., 31, 59
Volchkov, 2019
Wang, 2015, Insider threats in a financial institution: analysis of attack-proneness of information systems applications, MIS Q., 39, 91, 10.25300/MISQ/2015/39.1.05
Wangen, 2016, An initial insight into information security risk assessment practices
Wangen, 2017, Information security risk assessment: a method comparison, Computer (Long Beach Calif), 50, 52
Wangen, 2018, A framework for estimating information security risk assessment method completeness: core unified risk framework, CURF, Int. J. Inf. Secur., 17, 681, 10.1007/s10207-017-0382-0
Webb, 2014, A situation awareness model for information security risk management, Comput. Secur., 44, 1, 10.1016/j.cose.2014.04.005
Weill, 2005, A matrixed approach to designing IT governance, MIT Sloan Manag. Rev., 46, 26
Weishaupl, 2018, Information security investments: an exploratory multiple case study on decision-making, evaluation and learning, Comput. Secur., 77, 807, 10.1016/j.cose.2018.02.001
Wilshusen, G.C., and Powner, D.A. (2009). Cybersecurity: Continued efforts are Needed to Protect Information Systems from Evolving Threats. https://apps.dtic.mil/sti/citations/ADA516401
Yu, 2005, The integration journey: an attention-based view of the merger and acquisition integration process, Org. Stud., 26, 1501, 10.1177/0170840605057071
Yue, 2007, Intrusion prevention in information systems: reactive and proactive responses, J. Manag. Inf. Syst., 24, 329, 10.2753/MIS0742-1222240110
Zhao, 2013, Managing interdependent information security risks: cyberinsurance, managed security services, and risk pooling arrangements, J. Manag. Inf. Syst., 30, 123, 10.2753/MIS0742-1222300104