The impact of anti-phishing laws on it and security investment

Many companies have been attacked by phishing leading to serious financial loss. In the United States, 23 states have enacted anti-phishing laws to ensure information security. However, the punishment rules of each state are different and the effects of the laws vary. Therefore, it is meaningful to study what kind of laws are the most effective to motivate firms to make appropriate IT and security investment decisions against phishing. Moreover, we posit that multi-site companies that operate in both with-law state and without-law state may have different IT and security investment decisions. We have collected 530 thousand corporates' investment data from 2010 and 2017. We plan to apply propensity score matching method and difference-in-difference model to answer our research questions. We hope that we can get some insights on developing effective anti-phishing laws and provide governments and regulatory agencies with some suggestions to motivate firms to adopt better anti-phishing solutions.