Deakin University
File(s) under embargo

To alert or alleviate? A natural experiment on the effect of anti-phishing laws on corporate IT and security investments

journal contribution
posted on 2024-03-14, 04:32 authored by X Wang, Wilson Li, ACM Leung, WT Yue
In the United States, between 2005 and 2017, 23 states enacted anti-phishing laws to prosecute those suspected of phishing. As the primary targets of phishing attacks, firms' interpretations and reactions toward these laws are worth investigating. Utilizing a unique dataset in a natural experimental setting, this study employed the difference-in-differences method to contrast firms' investment decisions related to IT and cybersecurity in states in which such laws had been enacted and those in states without such laws, both before and after their enactment. We found that firms with different operational experiences react to the enactment of the anti-phishing laws in different ways. We further demonstrate the moderating roles of the industry risk landscape and IT capability. Specifically, firms with high IT capability increased investments in both IT and cybersecurity while the risk landscape stimulated investments in cybersecurity only. This suggests that the risk landscape facilitates sensitivity to the immediate risk signaled by enactment of the laws, and IT capability further enables the alignment between IT investments and security objectives. This study also discusses the policy implications of our findings.

Journal

Decision Support Systems

Volume

179

Article number

114173

Pagination

114173-114173

ISSN

0167-9236

Language

en

Publisher

Elsevier BV
