Journal of Management Information Systems

Volume 41 Number 3 2024 pp. 744-778

Cyber Failures and Information Technology Capability Reputation: Examining Ex Ante and Ex Post Interplay Effects

Benaroch, Michel

ABSTRACT:

We study the interplay between cyber failures and information technology (IT) capability reputation (ITCAPR). Cyber failures often reveal vulnerable information systems (IS) processes and IT assets at their root that point to firm IT capability weakness. For external stakeholders, firm IT capability is unobservable and therefore a matter of perception or reputation. We theorize about cyber failures’ adverse impacts on firm market value and firm ITCAPR based on how external stakeholders reconcile their ex ante perception of firm IT capability strength, or established ITCAPR, and their perception of an ex post revelation of IT capability weakness by cyber failures. Our analysis of 264 cyber failures finds empirical support for our theory-based predictions. We find that ex post revelation of IT capability weakness leads external stakeholders to adjust downward their ex ante perceptions of firm IT capability proportional to the severity of IT capability weakness. Two ex post consequences are commensurate loss of firm market value and decline in firm ITCAPR. Based on our main finding, that external stakeholders perceive IT capability weakness as an endogenous contributory factor to cyber failures that leads to erosion of firm ITCAPR, we contribute to theory in significant ways. First, we theoretically complement a predominant research focus on IT capability strength as a value-relevant intangible asset by confirming that IT capability weakness is a value-relevant intangible liability as well as adding “vulnerability” or “weakness” as a distinctive process aspect absent from prior literature linking IS processes and IT capabilities. Second, we theoretically add to an almost exclusive focus of research on cyber failures’ short-term adverse effect on firm market value by documenting for the first time a time-lagged eroding effect on firm ITCAPR. Last, we theoretically show IT controls and particularly ones embedded in IS processes as an essential aspect of IT capability strength as well as cybersecurity protection and prevention.

Key words and phrases: IT capability, IT capability reputation, cyber failures, IS process vulnerability, firm market value, IT controls