The Role of Corporate Reputation and Cri
To cite this article: Kholekile L. Gwebu, Jing Wang & Li Wang (2018) The Role of Corporate
Reputation and Crisis Response Strategies in Data Breach Management, Journal of Management
Information Systems, 35:2, 683-714, DOI: 10.1080/07421222.2018.1451962
ABSTRACT: Despite the significant financial losses associated with data breaches,
little is known about the (in)effectiveness of the tools that firms have to protect their
value following a breach. Drawing on cognitive dissonance theory and the research
on cue diagnosticity and crisis management, this study examines the relative
efficacy of firm reputation and a range of post-breach response strategies. The
results indicate that firm reputation is an important asset in protecting firm value.
However, only certain response strategies are found to mitigate the negative
financial impact of a breach on lower-reputation firms, and response strategies
are found to matter less for high-reputation firms. These findings offer practitioners
evidence-based guidance for protecting firm value following data breaches and
underscore the need for developing more nuanced strategies for managing breaches.
The theoretical arguments developed here serve as a conceptual base for examining
the efficacy of various data breach response strategies.
KEY WORDS AND PHRASES: crisis response strategies, damage control strategies, data
breach, firm reputation.
Journal of Management Information Systems / 2018, Vol. 35, No. 2, pp. 683–714.
Copyright © Taylor & Francis Group, LLC
ISSN 0742–1222 (print) / ISSN 1557–928X (online)
DOI: https://doi.org/10.1080/07421222.2018.1451962
684 GWEBU, WANG, AND WANG
Data breaches are becoming increasingly common and afflicted firms are believed
to incur substantial financial cost, including the cost of providing a remedy and
meeting legal liabilities, loss of brand image, customer trust, and ultimately market
share and sales [53]. Researchers have sought to quantify the financial cost
associated with data breaches and have generally found an overall negative effect of
breaches on shareholder wealth [1, 12, 13, 29, 30]. These findings have spurred
information systems (IS) researchers and practitioners alike to search for fruitful
avenues to develop effective preventive controls, mainly around planning and
mitigation of security risks [35, 37]. Yet regardless of the level of apparent controls,
a key practical lesson is that complete security risk prevention is essentially
infeasible [15, 62]. Thus, the stakes in implementing effective recovery and damage
control strategies to protect firm value following a breach are at an all-time high.
Unlike other organizational crises, data breaches pose unique challenges for the
IS function of an organization. Managing the moving parts of a breach requires IS
expertise, including identifying control and security failures, conducting forensic
investigation, restoring operation and security, preventing possible repeated attack,
and determining when and what to communicate with senior executives, business
functions, legal counsel, and the public relations function [23, 46]. As a breach
exposes the weakness in the firm’s system and control, an effective forensic
investigation is often essential to identify the root cause of the breach and to
minimize the risk of a repeated incident [23, 46]. Adding to the complexity is the
possibility that the breach could still be ongoing, causing everything to remain in a
state of flux. And the goal to swiftly contain the problem and restore business
operations may compete with the goal to preserve evidence for forensic analyses
[23].
Due to these complexities, selecting an appropriate damage control and response
strategy is a nontrivial task [15, 18, 20]. In recent IS literature, scholars have begun
to identify mechanisms that may help firms effectively recover from data breaches.
Focusing on voluntary risk factor disclosure as a damage control mechanism, one
study finds that the market reacts less negatively to the breach announcements of
firms that disclosed action-oriented security risk factors prior to the breach [62].
Another study suggests that recovery endeavors targeting customers’ distributive,
procedural, and interactional justice perceptions jointly impact perceived breach
and feeling of violation, which in turn drive customers’ post-breach behaviors
including word of mouth and likelihood of switching [15]. Still another study
suggests that apology and denial are effective in post-breach trust repair,
particularly when the breach can be attributed to factors external to the firm [6]. Despite
these important pioneering efforts, currently very little is known about the arsenal
of recovery mechanisms available and their relative efficacy in mitigating the
negative impacts of a breach [15].
In response to this void in the IS literature, this study investigates the possibility
of corporate reputation and a range of response strategies as damage control
mechanisms to protect the market value of a breached firm. Following prior
CORPORATE REPUTATION AND CRISIS REPONSE STRATEGIES 685
resources and managerial attention. Findings of this research not only shed light on
how a firm can better protect its value amid a breach, but also help to define how IS
managers should lead and prioritize to prepare the firm with the right capabilities
that support the implementation of the effective response strategies.
The remainder of the paper is organized as follows. The next section presents the
theoretical foundation and the subsequent hypothesis development. We then
describe the methodology employed to test the hypotheses and report the findings.
Finally, we discuss the findings in the context of prior related studies and examine
the implications for theory and practice.
Conceptual Development
Response Strategies
Responding to a data breach can be challenging because of the immediate action
required and the uncertain yet possibly looming threat. Due to the dearth of research
and the resultant lack of knowledge on how to best manage a breach, firms will likely
rely on the insights from the general crisis management literature when responding to
a breach. The traditional paradigm in crisis management is a retrospective model and
centers mainly on image restoration by taking remedial actions, explaining and
framing what has happened, who is at fault, and what has been done to address the
crisis. Attribution theory advocates that people make attributions for the
responsibilities of events, particularly when the events are negative [33]. Both the attribution
of responsibilities and the perceived severity of a crisis impact people’s emotions and
behaviors [20]. If people consider the afflicted firm to be responsible and anticipate
severe damage from a crisis, negative emotions and behaviors can be evoked [20].
Based on the insights from attribution theory, firms adopting the image restoration
paradigm will typically take measures that fall along a defensive-accommodative
continuum. On one extreme, defensive strategies focus on the denial of the crisis or
the responsibilities for the crisis. On the other extreme, accommodative strategies
accept responsibility by offering an apology and taking remedial actions. Strategies
in the middle seek to minimize the perceived severity of the crisis instead of
influencing the attribution of responsibilities [19].
Recently, researchers have called for extending the image restoration paradigm to
a model of postcrisis renewal [59, 60]. By focusing on what will happen and how
the organization will move forward, the renewal paradigm is a prospective model.
The image renewal strategy is inherently optimistic and seeks to motivate the
stakeholders to remain with the organization and to move the organization to a
level that surpasses the precrisis status [59, 60]. When engaging in the image
renewal strategy, a firm will seek to rebuild stakeholder confidence by emphasizing
the firm’s commitment to its stakeholders and core values and pledging to avoid
similar incidents in the future [59, 60].
Table 1. Response Strategies, Their Definitions, and Sample Examples
Image Restoration
Accommodative strategy
Apology: explicitly apologizing for the occurrence of the breach
● explicitly stating that the organization apologizes for the breach
Remedial actions: taking steps to repair and control the damage
● offering free credit monitoring services
● offering financial compensations
● stating that the firm has shut down access to the breached data, or
has taken steps such as training and strengthening policies and
Table 1 shows the specific strategies that fall
under the different strategy categories, the definitions of the strategy, and the
sample statements that exemplify each strategy.
transient and less credible given the data breach context. They are transient because
the investigation of the breach could be still ongoing and the firm itself may not
have precise knowledge of the cause and severity of the incident. In some cases, the
affected firm is forced not to disclose the details of the breach to avoid jeopardizing
law enforcement’s efforts. They are less credible because in addition to giving an
account of the anticipated cause and severity of the breach, they may be used to
“spin” the issue. Research suggests that the diagnosticity of a transient and less
credible cue depends on the existence/valence of the stable and credible
“stand-alone” cues [45]. Therefore, the presence of the highly diagnostic positive
reputation cue moderates the diagnosticity of the response strategies.
Thus, when a breach occurs in a highly reputable firm, investors will draw upon
the stable, credible, and diagnostic high reputation cue to assess the implication of
the breach, regardless of the response strategies employed. Cognitive dissonance is
expected to arise in this case since the established positive belief about the
reputation of the firm contradicts the negative breach event. Although the strategy cues
are specifically geared toward the breach incident, investors may have some doubt
in these transient and less credible cues, and will thus have less incentive to use
them to assess a breach when the credible, stable, and diagnostic high reputation
cue is present. Supporting this argument, research in marketing has long found that
general cues such as country of origin or firm reputation are particularly valuable if
consumers do not have enough confidence in cues that are specifically related to
product characteristics [21, 41]. Documented as the most relevant and convincing
evidence of a firm’s underlying capabilities to deliver valued outcomes and
performance [38], the high reputation built upon historical accomplishment is perhaps one
of the most diagnostic indicators of a firm’s ability to recover from a breach. The
averaging model of information integration suggests that people assign weights to
each cue with the weights summing to unity [2, 3]. Thus, when assessing the
financial implication of a breach, investors are expected to assign immense weight
to the diagnostic high reputation cue, leaving the strategy cues with little weight
and little likelihood of being used. Without being used, the response strategies
employed by reputable firms are expected to produce little cognitive dissonance
beyond what has been evoked by the high reputation cue.
When a breach occurs at firms with a lower reputation, its neutral reputation is
not diagnostic and the absence of an alternative diagnostic cue gives the investors
more incentive to use the response strategies to assess the breach. The strategies are
expected to induce dissonance in the minds of the investors because the persuasion
advocated through the strategies that the breached firm will be unscathed likely
contradicts the negative opinions the investors typically hold toward a breach. The
extent of dissonance produced will depend on the strategies employed.
In the two dissonance-producing situations where a breach occurs at a reputable
firm or where a lower-reputation firm employs a response strategy following a
breach, investors may choose to reduce dissonance through different avenues with
opposing implications [4, 8]. Through the desirable avenue, investors will accept
the persuasion and change their negative opinion about the breach, or through the
undesirable avenue, investors will reject the persuasion and discount or discredit the
cue. The avenue an investor chooses to reduce the dissonance evoked depends on
several factors. These include the credibility and diagnostic value of the cues, as
well as the extent of the discrepancy between the persuasion that the breached firm
is unscathed and the investors’ own assessment of the breach. In general, investors
will give credible and diagnostic cues more weight and discard or discount cues
with low diagnosticity and/or credibility [55]. In the worst-case scenario where a
cue has little credibility or diagnostic value, investors will reduce the dissonance by
discounting and discrediting the cue because it is easy to do so. In the best-case
scenario where a cue has great credibility and diagnostic value, dissonance can only
be reduced by accepting the persuasion because the cue cannot be easily derogated
or discredited. In between, when a cue is fairly credible and diagnostic, the avenue
investors choose to reduce the evoked dissonance will hinge on the extent of the
discrepancy between the persuasion and the investors’ own assessment of the
breach. If the discrepancy is reasonably small, investors will likely accept the
persuasion since the dissonance can be more easily reduced by a slight shift in
their assessment than by discrediting the fairly credible cue. But if the discrepancy
is extreme with the investors’ own assessment of the breach vastly different from
the persuasion, investors can reduce the dissonance more easily by discrediting the
cue and believing that the persuasion is unrealistic or untrustworthy [4, 8].
Hypotheses Development
Based on the preceding discussion, we develop the hypotheses regarding the (in)
effectiveness of firm reputation and response strategies in protecting firm value
amid a breach, in the context of their (in)effectiveness in inducing cognitive
dissonance and in motivating the shareholders to reduce the evoked dissonance in
the desired direction. Because multiple cues are involved, we first discuss the
overall impact of a breach disclosure on the stock market reaction without
untangling the effect of the individual cues. We then proceed sequentially with a
discussion of the (in)effectiveness of firm reputation and response strategies in
mitigating the negative financial impacts of a breach.
both positive and negative, attract attention due to their deviation from commonly
shared expectations and lead to more positive or negative outcomes than conformity
to expectations [10, 11]. Negative violations will generate undesirable emotions
including betrayal, distress, anger, and distrust, and exert adverse impacts on
behavior [39]. Thus, investors are expected to view a breach as a violation of
their expectations of appropriate firm behavior and to sell the breached firm’s
stocks. The anticipated expensive lawsuits and negative public image stemming
from the data breach may ultimately result in more negative reactions from the
investors and greater financial losses for the breached firm. When a firm discloses a
data breach, the firm is likely to employ various response strategies to actively
control the damage. Prior studies have not explicitly taken the response strategies
into account but have found that having integrated all information disclosed about a
breach on the announcement day, investors on average reacted negatively to the
disclosure of a breach [1, 12, 13, 29, 30]. Considering the above reasoning and prior
findings, we expect that investors will react negatively to a data breach disclosure,
which encompasses all the breach-related information disclosed on the
announcement day including the firm’s response strategies.
Hypothesis 1: A breach announcement will have a negative impact on a
breached firm’s market value.
strategy will also have little credibility. Investors will hence choose the undesirable
avenue to reduce dissonance by discounting and discrediting the noncredible strategy
and persuasion since it is extremely easy to do so. When a response strategy is fairly
credible, the avenue the investors choose to reduce their cognitive dissonance will
hinge on the extent of the discrepancy between the advocated persuasion and the
investors’ own assessment of the financial implication of the breach. Ultimately, the
degree of the discrepancy will be influenced by how the adopted strategy impacts (1)
the investors’ perception of the persuasion and (2) the investors’ assessment of the
financial implication of the breach.
Defensive strategies focus on the denial of any crisis or the responsibility for the
crisis and are thus best suited for situations where the organization has concrete
evidence to build the case that there is no crisis (e.g., a rumor) or the firm
is completely not responsible for the crisis (e.g., a natural disaster or terror attack)
[18, 20]. The news about a breach is unlikely to stem from rumors. And as
discussed earlier, the public expects an organization to properly and safely collect,
use, and protect the stakeholder data. Therefore, unless the breach is due to reasons
completely beyond the control of the firm such as natural disasters, stakeholders are
expected to perceive a defensive strategy as noncredible and inappropriate and to
hold the breached firm accountable even in situations where the data are
compromised under the care of a third party. Built upon a noncredible strategy, the
persuasion that the breached firm is unscathed will likely lose its credibility.
Thus, the adoption of the defensive strategy makes it much easier for the
shareholders to minimize their cognitive dissonance through discounting and discrediting
the noncredible strategy and persuasion. In this discrediting process, shareholders’
negative emotions and behaviors may be triggered, exerting an adverse effect on the
firm’s market value. Supporting this argument, research suggests that when a firm
does not have unambiguous grounds to use a defensive strategy, using it could
evoke suspicion and perceptions of dishonesty and consequently adversely impact
any response efforts [18, 20].
moderate strategies could strengthen the persuasion that the breached firm is or will
be unscathed and lead to a less negative appraisal about the breach from the
investors. This improved yet still negative appraisal suggests that moderate
strategies have the potential to evoke dissonance in the minds of the shareholders
because the advocated persuasion that the breached firm is and will be unscathed
still contradicts the negative assessment from the shareholders. Nonetheless, the
improvement in the assessment suggests that the magnitude of the discrepancy is
not expected to be extreme. In other words, shareholders’ assessment under the
influence of the moderate strategies is expected to be different yet reasonably close
to the advocated persuasion. Thus, investors are likely to alter their negative
assessment about the breach since the not-so-extreme dissonance can be more
easily reduced by shifting the negative assessment of the breach closer to the
advocated persuasion than discrediting the fairly credible and acceptable moderate
strategies. Thus, we propose:
Hypothesis 6: Using moderate response strategies amid a data security breach
will positively impact the market value of lower-reputation firms.
Image renewal strategies emphasize the commitment to the firm’s core values,
stakeholders’ well-being, and the prevention of any similar future breaches [59]. As
a prospective response model, a firm employing image renewal strategies will
appear more proactive rather than merely being reactive. Investors may also view
the promise of no similar future breaches as a positive indication that the firm has
identified the root cause and is able to fully address the problem. With an emphasis
on commitment to core values, image renewal strategies show that the firm
understands social norms and will do whatever is necessary to renew its image [59].
Thus, image renewal strategies have the potential to signal that the firm has the
underlying capability to fully address the root cause and positively impact
investors’ perception of the firms’ ability and commitment to overcome the breach. It
may be tempting to adopt an image renewal strategy considering its relatively low
imminent risks. However, firms need to exercise caution because knowingly
making false promises can lead to dire future consequences such as lawsuits or loss of
investor confidence. Thus, this strategy is only likely to be used when there is
reasonable certainty that such promises can be kept. Given their associated positive
signal and low imminent risk, image renewal strategies, when used by a lower-
reputation firm, will strengthen the persuasion that the breached firm will be
unscathed and improve the public’s negative assessment of the breach. This
improved assessment, albeit still negative, is expected to be reasonably close to
the persuasion. Consequently, we expect that the investors will likely shift their
negative opinion closer toward the advocated persuasion, because the existing
dissonance can be more easily reduced by a shift in opinion than discrediting the
relatively credible message. Hence, the use of the proactive image renewal
strategies by a lower-reputation firm is expected to have a positive impact on the stock
market reaction to the breach.
Methodology
We use an event study methodology, which is widely used in the IS literature [22, 40],
to empirically evaluate the proposed hypotheses (see the Online Appendix for a
description of the event study methodology). The choice of the methodology is driven
by the premise that in an efficient market, when an event occurs and has economic
implications for the firm, changes in stock price over a short time period surrounding
the event will reflect the market’s evaluation of the overall economic impact of the
event. Since this evaluation is based on investors’ interpretation of various
information cues, changes in stock price should also capture the impacts of information cues
such as firm reputation and response strategies.
because a successful recovery from a crisis requires actions and masterful
communication [17, 18, 59], and actions are effective only to the extent that the firm is able
to effectively communicate them to the stakeholders. Two independent raters read
the communicative statements and categorized the response strategies using the
definition outlined in Table 1. The agreement between the two raters on the strategy
categorization is high (94 percent) and all categorization differences are resolved
through discussion.
The search of the breach data sources yields an initial sample of 5,008 incidents.
Since stock market price is required for the analyses, incidents involving non-
publicly traded entities are discarded from the sample. Some of the incidents are
duplicates and are also removed from the sample. Using LexisNexis, we verify that
the communicative statements from the firm and announcements about the breach
are issued on the same day. To ensure that the observed market reactions are related
to the data breach rather than other events, we check for confounding events such as
merger, acquisition, or earnings announcements during the two-week period
surrounding the breach announcement. After the removal of those announcements with
confounding events, 303 breach announcements remain and are used as the sample
for the univariate analysis.
Finally, the Center for Research in Security Prices (CRSP) and Standard & Poor’s
Compustat database are the two primary data sources for stock returns and financial
performance data, which also allow us to control for firm and industry
characteristics for more rigorous multivariate analyses. The elimination of the firms that are
not included in these two databases leaves us with 221 observations for the final
multiple regression analyses.
Table 2 Panels A and B present the distribution of the breach incidents over time
and across industries, respectively. The majority of breaches occur in the finance
industry and the least number of breaches occur in the energy and utilities industries.
Descriptive data shown in Table 2, Panel C suggests that the range of the firm size is
quite dispersed as reflected in the mean, median, and minimum and maximum values
of total assets, sales, and market value. To mitigate the influence of extreme values,
we winsorize the sample at the top and bottom 1 percent level for all the analyses.
Results
Univariate Analysis
Table 3 shows the market’s reaction to the breach disclosures, measured by average
abnormal returns (AR) and average cumulative abnormal returns (CAR) using the
Fama–French three-factor model (see the Online Appendix for the calculation of
AR and CAR). The Fama–French model incorporates market anomalies with
respect to firm size and the value premium and is considered more reliable in
estimating AR than a standard market model. We estimate the model parameters
using the daily stock return data during the period of t = –255 to t = –46 (0 is the
announcement date) and calculate average AR for 5 days before and 5 days after the
event (–5, +5). Panels A and B show the changes in firm valuation around the event
date for the full sample. Investors on average react negatively to breaches on the
announcement day (Average AR = –0.20 percent) and one day after (Average AR =
–0.21 percent). The average CAR for the 2-day window (0, +1) is –0.41 percent,
significant at the 5 percent level. The significant downward movements of stock
prices surrounding the event dates lend support to H1, which posits a negative
overall impact on a firm’s market value from the disclosure of a breach.
Table 3. Average Abnormal Return (AR) and Cumulative Abnormal Return (CAR) Results
Notes: AR = abnormal returns, that is, risk-adjusted return in excess of the expected stock market
return (see the Online Appendix); CAR = cumulative abnormal returns during the event window
(see the Online Appendix). *, **, and *** denote significance at the 10 percent, 5 percent, and 1
percent levels, respectively; one-tailed tests.
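The event-study calculation described above, as an added example that is not the authors' code: it fits the standard Fama–French three-factor regression over the page's estimation window (t = –255 to –46), then computes AR for (–5, +5) and CAR for (0, +1). The returns, factor loadings, injected announcement-day shocks, and all function names are constructed assumptions; the paper's own AR/CAR formulas are in its Online Appendix, which is not reproduced on this page.

```python
import random

EST_WINDOW = (-255, -46)   # estimation window stated on the page
EVENT_WINDOW = (-5, 5)     # days around the announcement (t = 0)


def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (m[r][n] - tail) / m[r][r]
    return x


def ols(rows, y):
    """OLS coefficients from the normal equations (X'X) b = X'y."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(k)]
    return solve(xtx, xty)


def abnormal_returns(data, est=EST_WINDOW, event=EVENT_WINDOW):
    """data maps event-time day t -> (excess_return, mkt_rf, smb, hml).

    Fits excess_return = a + b*mkt_rf + s*smb + h*hml on the estimation
    window only, then AR_t = actual - predicted for each event-window day.
    """
    est_days = [t for t in sorted(data) if est[0] <= t <= est[1]]
    rows = [[1.0, *data[t][1:]] for t in est_days]
    coef = ols(rows, [data[t][0] for t in est_days])
    ar = {}
    for t in range(event[0], event[1] + 1):
        expected = coef[0] + sum(c * f for c, f in zip(coef[1:], data[t][1:]))
        ar[t] = data[t][0] - expected
    return coef, ar


def car(ar, start, end):
    """Cumulative abnormal return over the window (start, end), inclusive."""
    return sum(ar[t] for t in range(start, end + 1))


def average_car(firms, start, end):
    """Cross-sectional mean CAR over a list of per-firm data sets."""
    cars = [car(abnormal_returns(d)[1], start, end) for d in firms]
    return sum(cars) / len(cars)


def make_firm(seed, shock):
    """Constructed sample data: a firm that follows the three factors with
    small noise, plus `shock[t]` added to its return on the listed days."""
    rng = random.Random(seed)
    b, s, h = 1.1, 0.4, -0.2          # constructed factor loadings
    data = {}
    for t in range(EST_WINDOW[0], EVENT_WINDOW[1] + 1):
        mkt = rng.gauss(0.0004, 0.01)
        smb = rng.gauss(0.0, 0.005)
        hml = rng.gauss(0.0, 0.005)
        ret = 0.0001 + b * mkt + s * smb + h * hml + rng.gauss(0.0, 0.0001)
        data[t] = (ret + shock.get(t, 0.0), mkt, smb, hml)
    return data


if __name__ == "__main__":
    # Constructed shocks, sized like the averages the page reports.
    shock = {0: -0.0020, 1: -0.0021}
    firms = [make_firm(seed, shock) for seed in (1, 2, 3)]
    coef, ar = abnormal_returns(firms[0])
    print("loadings (a, b, s, h):", [round(c, 4) for c in coef])
    print("CAR(0,+1), firm 1:", round(car(ar, 0, 1), 5))
    print("average CAR(0,+1):", round(average_car(firms, 0, 1), 5))
```

Because the loadings are estimated only on days before t = –46, the announcement-day shock does not contaminate the expected-return model.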
When only the lower-reputation firms are included in the analysis, investors on
average reacted negatively to the breaches for event windows (0, +1) and (0, +2) (see
Table 4, Panel A). In contrast, stock returns were not significantly different from zero for
the high-reputation sample for all the event windows (see Table 4, Panel B). Investors’
differential reaction toward the breaches occurring at lower-reputation versus those
occurring at high-reputation firms captures the effect of high-reputation cue on firm
value and provides support for H2, which suggests that high-reputation firms would
experience less negative market reaction to breaches than lower-reputation firms.
Table 4. CAR: Low- vs. High-reputation Firm
Panel C: OLS Regression (N = 298, 220 Low-reputation and 78 High-reputation Firms)
$$CAR_{i}(0,1) = \alpha_i + \beta_1 \mathit{HighRep}_{it} + \beta_2 \mathit{Prior}_{it} + \beta_3 \mathit{MB}_{it} + \beta_4 \mathit{Consumer}_{it} + \beta_5 \mathit{Finance}_{it} + \beta_6 \mathit{Health}_{it} + \beta_7 \mathit{Num}_{it} + \beta_8 \mathit{Sensitive}_{it} + e_{it} \quad (1)$$
Notes: CAR_i(0,1) = cumulative abnormal returns for firm i during the event window (0, 1) (see the Online Appendix); HighRep_{it} = 1 if firm i is included either on the
Wall Street Journal/Harris Interactive “Corporate Reputation” list or the Fortune’s “Most Admired Companies” list in year t; else 0; Prior_{it} = the number of prior
breaches that firm i had experienced in year t; MB_{it} = market value of firm i’s equity (calculated as closing price times the number of shares outstanding at the end of
year t) divided by the book value of firm i’s equity at the end of year t; Consumer_{it} = 1 if firm i is in the consumer industry in year t; else 0; Finance_{it} = 1 if firm i is in
the finance industry in year t; else 0; Health_{it} = 1 if firm i is in the health industry in year t; else 0; Num_{it} = number of records compromised scaled by sales for firm i
in year t; Sensitive_{it} = 1 if social security number, medical, financial information, date of birth, or credit card information is compromised during a breach for firm i in
year t; else 0. *, **, *** denote significance at the 10 percent, 5 percent, and 1 percent levels, respectively; one-tailed tests.
Multivariate Analysis
Panel C of Table 4 presents the result of a more rigorous ordinary least squares
(OLS) multiple regression test of the market reaction to the breach disclosures
made by high- versus low-reputation firms:
where
CAR_i(0,1) = cumulative abnormal returns during the event window (0, +1) for firm i; abnormal return is a risk-adjusted return in excess of the expected stock market return (the Online Appendix).
HighRep_{it} = 1 if firm i is included either on the Wall Street Journal/Harris Interactive Corporate Reputation list or Fortune’s Most Admired Companies list in year t, otherwise 0.
Prior_{it} = the number of prior breaches that firm i had experienced in year t.
MB_{it} = market value of firm i’s equity (calculated as closing price times the number of shares outstanding at the end of year t) divided by the book value of firm i’s equity at the end of year t.
Consumer_{it} = 1 if firm i is in the consumer industry in year t, otherwise 0.
Finance_{it} = 1 if firm i is in the finance industry in year t, otherwise 0.
Health_{it} = 1 if firm i is in the health industry in year t, otherwise 0.
Num_{it} = number of records compromised during a breach scaled by sales for firm i in year t.
Sensitive_{it} = 1 if social security number, medical, financial information, date of birth, or credit card information is compromised during a breach for firm i in year t, otherwise 0.
Control variables: Since a breach may signal poor internal controls or the
vulnerability of the firm to future breaches, multiple breaches may in fact confirm
such suspicions and lead to a more negative market reaction. Thus, we use Prior to
control for the number of prior breaches. Recent breaches are more widely
publicized and their financial ramifications are better understood [13]. To control for
this time effect, we set the last incident year appearing in the data set as the baseline
and use Prior to compare previous incidents to this baseline. Without knowing
empirically which effect would dominate, we do not predict the sign of the
coefficient of Prior. Because the market may react more negatively to breaches
involving sensitive data [12], we use Consumer, Finance, Health, and Sensitive to
control for the market reaction to breaches involving or in industries that administer
sensitive data, and we expect their coefficients to be negative. MB is the market
value equity divided by the book value of equity for firm i at year t and captures the
risks that the market assigned to the firm. We expect the coefficient of MB to be
positive. Num, the number of records compromised, captures the severity of the
breaches and is expected to be negatively associated with stock returns.
Panel C of Table 4 shows the OLS estimation of Model 1. As predicted, the
coefficients for Consumer, Num, and Sensitive are negative and significant at the 10
percent level or better. Based on H2, we expect the intercept term α, which captures
the market reaction to breaches at lower-reputation firms, to be negative. We expect
the coefficient of HighRep (β1), which captures the differential market reaction
between the high- and lower-reputation firms, to be positive but smaller than α in
magnitude, indicating that the market reacted less negatively to the breaches of the
high-reputation firms. Table 4, Panel C shows that the intercept term is negative and
significant at the 5 percent level (–0.007, t = –2.016) and the coefficient of HighRep
is positive and significant at the 10 percent level (0.005, t = 1.594). These results
suggest that before considering the effects of response strategies, shareholders
responded less negatively when a breach occurred at a high-reputation firm than
at a lower-reputation firm, providing further support for H2.
To test H2–H7, we separate our sample into high- versus lower-reputation firms
and employ the following regression model. A split-sample approach was indicated
due to high multicollinearity encountered when simultaneously including the direct
effects of strategy and firm reputation as well as their interaction effect in the model.
$$CAR_{it} = \alpha_i + \beta_1 Strategy_{it} + \beta_2 Prior_{it} + \beta_3 MB_{it} + \beta_4 Consumer_{it} + \beta_5 Finance_{it} + \beta_6 Health_{it} + \beta_7 Num_{it} + \beta_8 Sensitive_{it} + e_{it} \qquad (2)$$
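The split-sample estimation of Model 2 described above, as an added example on constructed data (not the authors' code or data). It assumes the collinearity arises because high-reputation firms almost always use the strategy, so the HighRep × Strategy interaction nearly duplicates HighRep; the function names and the data-generating coefficients are hypothetical.

```python
import random

REGRESSORS = ["Strategy", "Prior", "MB", "Consumer", "Finance", "Health", "Num", "Sensitive"]

def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def ols(X, y):
    """OLS via the normal equations; returns [intercept, slope_1, ...]."""
    Z = [[1.0] + row for row in X]
    k = len(Z[0])
    xtx = [[sum(z[i] * z[j] for z in Z) for j in range(k)] for i in range(k)]
    xty = [sum(z[i] * yi for z, yi in zip(Z, y)) for i in range(k)]
    return solve(xtx, xty)

def vif(X, j):
    """Variance inflation factor of column j: 1 / (1 - R^2) = SS_tot / SS_res."""
    target = [row[j] for row in X]
    others = [row[:j] + row[j + 1:] for row in X]
    b = ols(others, target)
    fitted = [b[0] + sum(bi * xi for bi, xi in zip(b[1:], row)) for row in others]
    mean = sum(target) / len(target)
    ss_res = sum((t - f) ** 2 for t, f in zip(target, fitted))
    return sum((t - mean) ** 2 for t in target) / ss_res

def make_events(n, seed=7):
    """Constructed breach events: (HighRep, Strategy, controls, CAR)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        high = 1.0 if rng.random() < 0.5 else 0.0
        # Assumption: high-reputation firms use the strategy 95% of the time.
        strat = 1.0 if rng.random() < (0.95 if high else 0.40) else 0.0
        ind = rng.choice(["consumer", "finance", "health", "other"])
        ctrl = [float(rng.randint(0, 3)), rng.uniform(0.5, 4.0),          # Prior, MB
                float(ind == "consumer"), float(ind == "finance"), float(ind == "health"),
                rng.uniform(0.0, 1.0), float(rng.random() < 0.5)]         # Num, Sensitive
        # Constructed effect: the strategy helps lower-reputation firms only.
        car = (-0.007 + 0.005 * high + (0.0 if high else 0.004) * strat
               - 0.002 * ctrl[5] - 0.003 * ctrl[6] + rng.gauss(0, 0.002))
        rows.append((high, strat, ctrl, car))
    return rows

def fit_model2(rows, high):
    """Model 2 on one reputation group: CAR on Strategy plus the controls."""
    sub = [r for r in rows if r[0] == high]
    coefs = ols([[s] + ctrl for _, s, ctrl, _ in sub], [r[3] for r in sub])
    return dict(zip(["alpha"] + REGRESSORS, coefs))

def interaction_vif(rows):
    """VIF of HighRep x Strategy in the pooled design that the split sample avoids."""
    return vif([[h, s, h * s] + ctrl for h, s, ctrl, _ in rows], 2)

def strategy_vif(rows, high):
    """VIF of Strategy inside one reputation group (the split-sample design)."""
    return vif([[s] + ctrl for h, s, ctrl, _ in rows if h == high], 0)

if __name__ == "__main__":
    rows = make_events(600)
    print(interaction_vif(rows), strategy_vif(rows, 0.0), fit_model2(rows, 0.0))
```

In the pooled design the interaction term's VIF is large, while within each reputation group the Strategy column is close to uncorrelated with the controls, which is the property the split sample buys.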
Table 6. OLS Regression—Low-reputation Firm Response Strategies
$$CAR_{it} = \alpha_i + \beta_1 Strategy_{it} + \beta_2 Prior_{it} + \beta_3 MB_{it} + \beta_4 Consumer_{it} + \beta_5 Finance_{it} + \beta_6 Health_{it} + \beta_7 Num_{it} + \beta_8 Sensitive_{it} + e_{it} \qquad (2)$$
H4 and H5, respectively, posit that investors would react more negatively to a
lower-reputation firm using defensive strategies or accommodative strategies. As
shown in Table 6, the coefficients for S3 (defensive strategies) and S1
(accommodative strategies) are negative but not significant at the 10 percent level. Thus,
neither H4 nor H5 is supported. H4 is grounded on the argument that the investors
will reduce their cognitive dissonance by discounting and discrediting the
noncredible defensive strategies, which in turn may trigger further negative emotions and
behaviors and adversely impact the lower-reputation firm’s market value. One
explanation for the lack of the anticipated relationship could be that defensive
strategies were simply discounted by the investors without triggering further
negative emotions and behaviors. H5 is based on the logic that accommodative
strategies used by lower-reputation firms may produce extreme cognitive dissonance,
making it much easier for the investors to reduce the dissonance by discrediting the
strategies than by changing their negative opinion of the breach. The
accommodative strategies may also induce augmented negative assessment that the financial
implication of the breach may be more severe than originally thought, leading to a
sell-off of the breached firm’s stocks. One possible explanation for the lack of
relationship could be that the large cognitive dissonance evoked by the
accommodative strategies may not be extreme enough to induce vigorous effort in
discrediting the firm. And the augmented negative assessment of the breach due to the use
of the accommodative strategies may not be large enough to induce further negative
impact on firm valuation. In contrast, the coefficients for S2 (moderate strategies:
0.004, p < 0.04) and S4 (image renewal strategies: 0.011, p < 0.01) shown in
Table 6 are positive and significant at 5 percent or better, lending support to H6 and
H7, which respectively postulate that the stock market’s downward valuation would
be less severe for low-reputation firms using moderate or image renewal strategies.
Robustness Tests
The results in Tables 3 and 4 suggest that our sample firms experienced negative
returns on other days beyond the (0, 1) window period. Hence we estimated Model 2
using windows (0, 2) and (–2, 2) for both the high- and lower-reputation firms. The
results continue to support H3, suggesting that response strategies have little residual
effect on the market reaction to breaches at high-reputation firms. For the
lower-reputation firms, none of the strategy coefficients is significant, which indicates that
the less negative market reaction to lower-reputation firms using moderate or renewal
strategies was only observed in the short window (0, 1), but not in the extended
windows (0, 2) and (–2, 2). The evidence is consistent with the market efficiency
theory, which suggests that the market can impound new value-relevant information
very quickly. We also used Verizon’s and Acquisti’s classification of breach size as
alternative controls for severity. Although neither variable is significant, the main
results stay robust when either variable is included in the models.
response strategy categories, future studies may also systematically categorize
different strategy combinations and explore their potential impacts.
Despite these limitations, this research makes important contributions to the data-breach
literature. First, as complete security risk prevention becomes effectively
infeasible [15, 62], there is an urgent need for IS scholars to expand the current
research focus beyond security mitigation and prevention to investigating issues
spanning the life cycle of a breach (from prevention to recovery) [15]. Currently,
very little has been done to provide guidelines on the mechanisms available to help
firms effectively weather the adverse effects of data breaches [15]. In the absence of
guidelines, firms’ ad hoc and often reactive damage control and recovery efforts
may be in vain. This research adds to the emerging IS research on data breach
recovery [6, 15, 62] by offering theoretically sound and evidence-based guidance
on how to best protect value amid a data breach. Extending prior work that focuses
on one or two recovery mechanisms [6, 62], the study synthesizes the literature on
crisis management and identifies a taxonomy of response strategies so that the
efficacy of these strategies can be systematically investigated. The differences
theorized and the different effects observed in the empirical results regarding the
relative efficacy of the various response strategies point to the theoretical and
practical importance of this systematic approach.
Second, this research highlights the importance of cross-pollination between the
IS security and crisis management literatures. The results show that the various
response strategies identified in the crisis management literature are indeed used by
the firms in our sample, although only moderate and image renewal strategies are
found to be beneficial for the lower-reputation firms. Thus, one immediate
possibility for cross-pollination is for the IS researchers to translate the general moderate
and image renewal strategy guidelines into concrete plans for IS capability building
and priority setting both before and during the breach. This is important because the
implementation of these two strategies requires that a breached firm have the right
IS capabilities prior to the breach, and prioritize the right activities during the
breach to expeditiously assess the severity of the breach and identify the root cause
to prevent repeated breach incidents. The limited benefits of the identified response
strategies also underscore the significance for IS researchers to incorporate the data
breach contextual insights to develop more nuanced and context-specific strategies.
For instance, the finding that the market reacts less negatively to the breach
announcements of firms that disclosed action-oriented security risk factors in
their annual report before the breach [62] may be an indication of shareholders’
interest in information regarding the technical specifics of a breach. Other
researchers highlight the importance of distributive, procedural, and interactional justice
perceptions on post-breach recovery [15]. These results imply that investigating
how firms can effectively manage the breach crisis by incorporating certain
technical specifics into the breached firms’ communicative statements, or by framing
such statements to positively impact investors’ justice perceptions, may be a
worthwhile endeavor for IS and crisis management scholars.
The results also suggest several important practical implications. First, the overall
negative market reaction to security breach disclosures underscores that safeguarding
information assets and regaining control after a breach are critical capabilities that
organizations should develop. These capabilities are even more important for lower-reputation
firms because the negative market reaction is more apparent for this group of
firms. Second, it is essential for lower-reputation firms to employ information cues that
are diagnostic, dissonance arousing, and capable of motivating the stakeholders to reduce
the induced dissonance in the direction desired. Specifically, lower-reputation firms
should engage in moderate and image renewal strategies as they are found to be beneficial
for them. Strategically, IS managers should lead and prioritize to ensure that the firm has
the right IS capability prior to the breach so that the moderate and image renewal strategies
can indeed be implemented. Finally, reputation building is critical because a well-managed
and carefully nurtured reputation can be stored over time to shield the afflicted
firm from a negative stock market reaction stemming from a data breach.
Supplemental File
Supplemental data for this article can be accessed on the publisher’s website at
10.1080/07421222.2018.1451962
REFERENCES
1. Acquisti, A.; Friedman, A.; and Telang, R. Is there a cost to privacy breaches? An
event study. Twenty Seventh International Conference on Information Systems Proceedings.
Paper 94. Milwaukee, WI, Dec 10 2006–Dec 13 2006.
2. Anderson, N.H. Methods of Information Integration Theory. San Diego, CA:
Academic Press, 1982.
3. Anderson, N.H. Integration theory and attitude change. Psychological Review, 78, 3
(1971), 171–206.
4. Aronson, E.; Turner, J.A.; and Carlsmith, J.M. Communicator credibility and
communication discrepancy as determinants of opinion change. Journal of Abnormal and Social
Psychology, 67, 1 (1963), 31–36.
5. Axelrod, R. Schema theory: An information processing model of perception and
cognition. American Political Science Review, 67, 4 (1973), 1248–1266.
6. Bansal, G., and Zahedi, F.M. Trust violation and repair: The information privacy
perspective. Decision Support Systems, 71 (2015), 62–77.
7. Baumeister, R.F.; Bratslavsky, E.; Finkenauer, C.; and Vohs, K.D. Bad is stronger than
good. Review of General Psychology, 5, 4 (2001), 323–370.
8. Bergin, A.E. The effect of dissonant persuasive communications upon changes in a
self-referring attitude. Journal of Personality, 30, 3 (1962), 423–438.
9. Bravo, F. Forward-looking disclosure and corporate reputation as mechanisms to
reduce stock return volatility. Revista de Contabilidad, 19, 1 (2016), 122–131.
10. Burgoon, J.K. Interpersonal expectations, expectancy violations, and emotional
communication. Journal of Language and Social Psychology, 12, 1–2 (1993), 30–48.
11. Burgoon, J.K., and Hale, J.L. Nonverbal expectancy violations: Model elaboration and
application to immediacy behaviors. Communication Monographs, 55, 1 (1988), 58–79.
12. Campbell, K.; Gordon, L.A.; Loeb, M.P.; and Zhou, L. The economic cost of publicly
announced information security breaches: Empirical evidence from the stock market. Journal
of Computer Security, 11, 3 (2003), 431–448.
13. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The effect of Internet security breach
announcements on market value: Capital market reactions for breached firms and Internet
security developers. International Journal of Electronic Commerce, 9, 1 (Fall 2004), 69–104.
14. Chen, Y.; Ganesan, S.; and Liu, Y. Does a firm’s product-recall strategy affect its
financial value? An examination of strategic alternatives during product-harm crises. Journal
of Marketing, 73, 6 (2009), 214–226.
15. Choi, B.C.; Kim, S.S.; and Jiang, Z. Influence of firm’s recovery endeavors upon
privacy breach on online customer behavior. Journal of Management Information Systems,
33, 3 (2016), 904–933.
16. Choi, S.M., and Salmon, C.T. The elaboration likelihood model of persuasion after two
decades: A review of criticisms and contributions. Kentucky Journal of Communication, 22,
1 (2003), 47–77.
17. Coombs, W.T. Protecting organization reputations during a crisis: The development
and application of situational crisis communication theory. Corporate Reputation Review, 10,
3 (2007), 163–176.
18. Coombs, T.W., and Holladay, S.J. Helping crisis managers protect reputational assets.
Management Communication Quarterly, 16, 2 (2002), 165–186.
19. Coombs, T.W. An analytic framework for crisis situations: Better responses from a
better understanding of the situation. Journal of Public Relations Research, 10, 3 (1998),
177–191.
20. Coombs, T.W., and Holladay, S.J. Communication and attributions in a crisis: An
experiment study in crisis communication. Journal of Public Relations Research, 8, 4 (1996),
279–295.
21. Cox, D.F. The measurement of information value: A study in consumer
decision-making. In W. S. Decker (Ed.), Emerging concept in marketing. Chicago: American
Marketing Association, (1962), 413–421.
22. Dehning, B.; Richardson, V.J.; Urbaczewski, A.; and Wells, J.D. Reexamining the
value relevance of e-commerce initiatives. Journal of Management Information Systems, 21,
1 (2004), 55–82.
23. Deloitte, D. Cyber crisis management: Readiness, response, and recovery.
https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-cyber-pov.pdf.
24. Festinger, L. A Theory of Cognitive Dissonance. Stanford, CA: Stanford University
Press, 1962.
25. Fiske, S.T., and Taylor, S.E. Social Cognition. New York: McGraw-Hill, 1991.
26. Fombrun, C., and Shanley, M. What’s in a name? Reputation building and corporate
strategy. Academy of Management Journal, 33, 2 (1990), 233–258.
27. Fombrun, C.J., and Riel, C.B.M.v. Fame & Fortune: How Successful Companies Build
Winning Reputations. Upper Saddle River, NJ: Pearson Education, 2004.
28. Gardberg, N.A., and Fombrun, C.J. The global reputation quotient project: First steps
towards a cross-nationally valid measure of corporate reputation. Corporate Reputation
Review, 4, 4 (2002), 303–307.
29. Gatzlaff, K.M., and McCullough, K.A. The effect of data breaches on shareholder
wealth. Risk Management and Insurance Review, 13, 1 (2010), 61–83.
30. Goel, S., and Shawky, H.A. Estimating the market impact of security breach
announcements on firm values. Information and Management, 46, 7 (2009), 404–410.
31. Herr, P.M.; Kardes, F.R.; and Kim, J. Effects of word-of-mouth and product-attribute
information on persuasion: An accessibility-diagnosticity perspective. Journal of Consumer
Research, 17, 4 (1991), 454–462.
32. Jo, M.; Nakamoto, K.; and Nelson, J.E. The shielding effects of brand image against
lower quality countries-of-origin in global manufacturing. Journal of Business Research, 56,
8 (2003), 637–646.
33. Kelley, H.H. The processes of causal attribution. American Psychologist, 28, 2 (1973),
107–128.
34. Kitchen, P.J.; Kerr, G.E.; Schultz, D.; McColl, R.; and Pals, H. The elaboration
likelihood model: Review, critique and research agenda. European Journal of Marketing,
48, 11/12 (2014), 2033–2050.
35. Kwon, J., and Johnson, M.E. Health-care security strategies for data protection and
regulatory compliance. Journal of Management Information Systems, 30, 2 (2013), 41–66.
36. Larceneux, F.; Benoit-Moreau, F.; and Renaudin, V. Why might organic labels fail to
influence consumer choices? Marginal labelling and brand equity effects. Journal of
Consumer Policy, 35, 1 (2012), 85–104.
37. Liang, N.; Biros, D.P.; and Luse, A. An empirical validation of malicious insider
characteristics. Journal of Management Information Systems, 33, 2 (2016), 361–392.
38. Mishina, Y.; Block, E.S.; and Mannor, M.J. The path dependence of organizational
reputation: How social judgment influences assessments of capability and character.
Strategic Management Journal, 33, 5 (2012), 459–477.
39. Morrison, E.W., and Robinson, S.L. When employees feel betrayed: A model of how
psychological contract violation develops. Academy of Management Review, 22, 1 (1997),
226–256.
40. Oh, W.; Gallivan, M.J.; and Kim, J.W. The market’s perception of the transactional
risks of information technology outsourcing announcements. Journal of Management
Information Systems, 22, 4 (Spring 2006), 271–303.
41. Olson, J.C., and Jacoby, J. Cue utilization in the quality perception process.
Proceedings of the Third Annual Conference of the Association for Consumer Research.
Iowa City, IA: Association for Consumer Research, (1972), pp. 167–179.
42. Park, C.W.; Jun, S.Y.; and Shocker, A.D. Composite branding alliances: An investigation
of extension and feedback effects. Journal of Marketing Research, 33, 4 (1996), 453–466.
43. Petty, R.E., and Cacioppo, J.T. The elaboration likelihood model of persuasion.
Advances in Experimental Social Psychology, 19 (1986), 123–205.
44. Pfarrer, M.D.; Pollock, T.G.; and Rindova, V.P. A tale of two assets: The effects of firm
reputation and celebrity on earnings surprises and investors’ reactions. Academy of
Management Journal, 53, 5 (2010), 1131–1152.
45. Purohit, D., and Srivastava, J. Effect of manufacturer reputation, retailer reputation,
and product warranty on consumer judgments of product quality: A cue diagnosticity
framework. Journal of Consumer Psychology, 10, 3 (2001), 123–134.
46. PWC, P. Cyber crisis management: A bold approach to a bold and shadowy nemesis.
(2011). https://www.pwc.com/ca/en/technologyconsulting/security/publications/pwccyber-security-crisismanagement-2013-05-en.pdf
47. Rhee, M., and Haunschild, P.R. The liability of good reputation: A study of product
recalls in the US automobile industry. Organization Science, 17, 1 (2006), 101–117.
48. Rindova, V.P.; Williamson, I.O.; Petkova, A.P.; and Sever, J.M. Being good or being
known: An empirical examination of the dimensions, antecedents, and consequences of
organizational reputation. Academy of Management Journal, 48, 6 (2005), 1033–1049.
49. Roberts, P.W., and Dowling, G.R. Corporate reputation and sustained superior financial
performance. Strategic Management Journal, 23, 12 (2002), 1077–1093.
50. Rozin, P., and Royzman, E.B. Negativity bias, negativity dominance, and contagion.
Personality and Social Psychology Review, 5, 4 (2001), 296–320.
51. Schultz, M.; Mouritsen, J.; and Gabrielsen, G. Sticky reputation: Analyzing a ranking
system. Corporate Reputation Review, 4, 1 (Spring 2001), 24–41.
52. Sellnow, T.L.; Ulmer, R.R.; and Snider, M. The compatibility of corrective action in
organizational crisis communication. Communication Quarterly, 46, 1 (Winter 1998), 60–74.
53. Sen, R., and Borle, S. Estimating the contextual risk of data breach: An empirical
approach. Journal of Management Information Systems, 32, 2 (2015), 314–341.
54. Skowronski, J.J. Honesty and intelligence judgments of individuals and groups: The
effects of entity-related behavior diagnosticity and implicit theories. Social Cognition, 20, 2
(2002), 136–169.
55. Skowronski, J.J., and Carlston, D.E. Social judgment and social memory: The role of
cue diagnosticity in negativity, positivity, and extremity biases. Journal of Personality and
Social Psychology, 52, 4 (1987), 689–699.
56. Tam, K.Y., and Ho, S.Y. Web personalization as a persuasion strategy: An elaboration
likelihood model perspective. Information Systems Research, 16, 3 (2005), 271–291.
57. Tischer, S., and Hildebrandt, L. Linking corporate reputation and shareholder value
using the publication of reputation rankings. Journal of Business Research, 67, 5 (2014),
1007–1017.
58. Tyler, L. Liability means never being able to say you’re sorry: Corporate guilt, legal
constraints, and defensiveness in corporate communication. Management Communication
Quarterly, 11, 1 (1997), 51–73.
59. Ulmer, R.; Seeger, M.W.; and Sellnow, T.L. Post-crisis communication and renewal:
Expanding the parameters of post-crisis discourse. Public Relations Review, 33, 2 (2007),
130–134.
60. Ulmer, R.R., and Sellnow, T.L. Crisis management and the discourse of renewal:
Understanding the potential for positive outcomes of crisis. Public Relations Review, 28, 4
(2002), 361–365.
61. Voss, K.E., and Gammoh, B.S. Building brands through brand alliances: Does a second
ally help? Marketing Letters, 15, 2–3 (2004), 147–159.
62. Wang, T.; Kannan, K.N.; and Ulmer, J.R. The association between the disclosure and
the realization of information security risk factors. Information Systems Research, 24, 2
(2013), 201–218.
63. Williams, R.J., and Barrett, J.D. Corporate philanthropy, criminal activity, and firm
reputation: Is there a link? Journal of Business Ethics, 26, 4 (2000), 341–350.
64. Wojciszke, B. Affective concomitants of information on morality and competence.
European Psychologist, 10, 1 (2005), 60–70.
65. Wojciszke, B.; Brycz, H.; and Borkenau, P. Effects of information content and
evaluative extremity on positivity and negativity biases. Journal of Personality and Social
Psychology, 64, 3 (1993), 327–335.
66. Zavyalova, A.; Pfarrer, M.D.; Reger, R.K.; and Shapiro, D.L. Managing the message:
The effects of firm actions and industry spillovers on media coverage following wrongdoing.
Academy of Management Journal, 55, 5 (2012), 1079–1101.