
Journal of Management Information Systems

ISSN: 0742-1222 (Print) 1557-928X (Online) Journal homepage: http://www.tandfonline.com/loi/mmis20

The Role of Corporate Reputation and Crisis
Response Strategies in Data Breach Management

Kholekile L. Gwebu, Jing Wang & Li Wang

To cite this article: Kholekile L. Gwebu, Jing Wang & Li Wang (2018) The Role of Corporate
Reputation and Crisis Response Strategies in Data Breach Management, Journal of Management
Information Systems, 35:2, 683-714, DOI: 10.1080/07421222.2018.1451962

To link to this article: https://doi.org/10.1080/07421222.2018.1451962


Published online: 15 May 2018.


Full Terms & Conditions of access and use can be found at
http://www.tandfonline.com/action/journalInformation?journalCode=mmis20

KHOLEKILE L. GWEBU (khole.gwebu@unh.edu) is an associate professor of decision
sciences at the Peter T. Paul College of Business and Economics, University of
New Hampshire. His research focuses on data security management, information
privacy, and information technology adoption and use. His publications appear in
Journal of Strategic Information Systems, Decision Support Systems, and
Information Society, among others.

JING WANG (jing.wang@unh.edu; corresponding author) is an associate professor of
decision sciences at the Peter T. Paul College of Business and Economics,
University of New Hampshire. Her research focuses on the areas of information
technology (IT) outsourcing, open source software, IT adoption and use, privacy,
and data security. Her work has been published in Decision Support Systems,
Journal of Strategic Information Systems, Journal of Business Research, and in
the proceedings of national and international information systems conferences.

LI WANG (lw37@uakron.edu) is an associate professor at the George W. Daverio
School of Accountancy, College of Business Administration, University of Akron.
Her research interests include capital markets, financial accounting and reporting,
and information technology. Her work has been published in Review of Accounting
Studies, Journal of Strategic Information Systems, Journal of Banking and Finance,
and others.

ABSTRACT: Despite the significant financial losses associated with data breaches,
little is known about the (in)effectiveness of the tools that firms have to protect their
value following a breach. Drawing on cognitive dissonance theory and the research
on cue diagnosticity and crisis management, this study examines the relative
efficacy of firm reputation and a range of post-breach response strategies. The
results indicate that firm reputation is an important asset in protecting firm value.
However, only certain response strategies are found to mitigate the negative
financial impact of a breach on lower-reputation firms, and response strategies
are found to matter less for high-reputation firms. These findings offer practitioners
evidence-based guidance for protecting firm value following data breaches and
underscore the need for developing more nuanced strategies for managing breaches.
The theoretical arguments developed here serve as a conceptual base for examining
the efficacy of various data breach response strategies.

KEY WORDS AND PHRASES: crisis response strategies, damage control strategies, data
breach, firm reputation.

Journal of Management Information Systems / 2018, Vol. 35, No. 2, pp. 683–714.
Copyright © Taylor & Francis Group, LLC
ISSN 0742–1222 (print) / ISSN 1557–928X (online)
DOI: https://doi.org/10.1080/07421222.2018.1451962

Data breaches are becoming increasingly common and afflicted firms are believed
to incur substantial financial cost, including the cost of providing a remedy and
meeting legal liabilities, loss of brand image, customer trust, and ultimately market
share and sales [53]. Researchers have sought to quantify the financial cost asso-
ciated with data breaches and have generally found an overall negative effect of
breaches on shareholder wealth [1, 12, 13, 29, 30]. These findings have spurred
information systems (IS) researchers and practitioners alike to search for fruitful
avenues to develop effective preventive controls, mainly around planning and
mitigation of security risks [35, 37]. Yet regardless of the level of apparent controls,
a key practical lesson is that complete security risk prevention is essentially
infeasible [15, 62]. Thus, the stakes in implementing effective recovery and damage
control strategies to protect firm value following a breach are at an all-time high.
Unlike other organizational crises, data breaches pose unique challenges for the
IS function of an organization. Managing the moving parts of a breach requires IS
expertise, including identifying control and security failures, conducting forensic
investigation, restoring operation and security, preventing possible repeated attack,
and determining when and what to communicate with senior executives, business
functions, legal counsel, and the public relations function [23, 46]. As a breach
exposes the weakness in the firm’s system and control, an effective forensic
investigation is often essential to identify the root cause of the breach and to
minimize the risk of a repeated incident [23, 46]. Adding to the complexity is the
possibility that the breach could still be ongoing, causing everything to remain in a
state of flux. And the goal to swiftly contain the problem and restore business
operations may compete with the goal to preserve evidence for forensic analyses
[23].
Due to these complexities, selecting an appropriate damage control and response
strategy is a nontrivial task [15, 18, 20]. In recent IS literature, scholars have begun
to identify mechanisms that may help firms effectively recover from data breaches.
Focusing on voluntary risk factor disclosure as a damage control mechanism, one
study finds that the market reacts less negatively to the breach announcements of
firms that disclosed action-oriented security risk factors prior to the breach [62].
Another study suggests that recovery endeavors targeting customers’ distributive,
procedural, and interactional justice perceptions jointly impact perceived breach
and feeling of violation, which in turn drive customers’ post-breach behaviors
including word of mouth and likelihood of switching [15]. Still another study
suggests that apology and denial are effective in post-breach trust repair, particularly
when the breach can be attributed to factors external to the firm [6]. Despite
these important pioneering efforts, currently very little is known about the arsenal
of recovery mechanisms available and their relative efficacy in mitigating the
negative impacts of a breach [15].
In response to this void in the IS literature, this study investigates the possibility
of corporate reputation and a range of response strategies as damage control
mechanisms to protect the market value of a breached firm. Following prior
research, we define a firm’s reputation as an intangible asset based on the collective
public recognition of the firm’s demonstrated ability to deliver stakeholders quality
and value relative to its peers [27, 51]. We assume that all the sample firms in this
research are perceived by their investors as having a neutral or high reputation
rather than a negative reputation because investors are holding the stocks of these
firms, an indication that they do not truly perceive these firms negatively. We
further draw on the crisis management literature to identify a taxonomy of response
strategies. Due to the dearth of research and the resultant lack of knowledge on how
firms should respond in the unique context of data breach, there is a natural appeal
for a breached firm to rely on the insights from the general crisis management
literature to manage the breach. Thus, the empirically identifiable and theoretically
plausible response strategies included in the taxonomy provide a logical starting
point to examine which strategy is (in)effective in the context of data breach and
whether it is necessary to develop more nuanced, context-specific response strategies
to better manage a breach crisis.
From a research perspective, this study expands the data security literature
beyond its current focus on prevention. It identifies a taxonomy of response
strategies and systematically examines their efficacy in the unique context of data
breach. Taking the view that firm reputation and response strategies can be used as
persuasive cues, we draw on cognitive dissonance theory (CDT) [24], which has
been the basis of much of the persuasion literature, to examine the efficacy of the
two types of cues in changing investors’ negative opinion on data breaches. CDT
assumes that incongruent cognitive elements produce mental distress that individuals
will make every effort to reduce [24]. A persuader can thus create cognitive
dissonance by injecting information that contradicts the individual’s beliefs, confronting
the individual with a need to reduce the dissonance, hopefully through
opinion and behavior changes in the direction desired by the persuader [4, 8]. In
keeping with CDT, we investigate the possibility of firm reputation and response
strategies being leveraged to induce desired market reaction by creating a state of
dissonance in the minds of investors. Because investors process the reputation cue
and the strategy cue in relation to each other, this study further builds on research
on cue diagnosticity to discuss how the ability of the two cues to induce cognitive
dissonance largely depends on the way in which investors prioritize the cues. By
integrating the CDT and cue diagnosticity literature, this research offers novel
theoretical arguments on the dynamics occurring between the response strategies
and firm reputation, as well as investors’ reaction to such dynamics. Lastly, despite
its limitations [16, 34], the elaboration likelihood model (ELM) remains the
dominant paradigm in the IS persuasion literature. If supported, the CDT and cue
diagnosticity arguments developed here may provide a basis to extend the
ELM-based IS models through the integration of the cognitive dissonance and cue
diagnosticity concepts.
From a practical perspective, different IS capabilities and priorities are required to
manage the many moving parts of a breach and they compete with one another for
resources and managerial attention. Findings of this research not only shed light on
how a firm can better protect its value amid a breach, but also help to define how IS
managers should lead and prioritize to prepare the firm with the right capabilities
that support the implementation of the effective response strategies.
The remainder of the paper is organized as follows. The next section presents the
theoretical foundation and the subsequent hypothesis development. We then
describe the methodology employed to test the hypotheses and report the findings.
Finally, we discuss the findings in the context of prior related studies and examine
the implications for theory and practice.

Conceptual Development
Response Strategies
Responding to a data breach can be challenging because of the immediate action
required and the uncertain yet possibly looming threat. Due to the dearth of research
and the resultant lack of knowledge on how to best manage a breach, firms will likely
rely on the insights from the general crisis management literature when responding to
a breach. The traditional paradigm in crisis management is a retrospective model and
centers mainly on image restoration by taking remedial actions, explaining and
framing what has happened, who is at fault, and what has been done to address the
crisis. Attribution theory advocates that people make attributions for the responsibilities
of events, particularly when the events are negative [33]. Both the attribution
of responsibilities and the perceived severity of a crisis impact people’s emotions and
behaviors [20]. If people consider the afflicted firm to be responsible and anticipate
severe damage from a crisis, negative emotions and behaviors can be evoked [20].
Based on the insights from attribution theory, firms adopting the image restoration
paradigm will typically take measures that fall along a defensive-accommodative
continuum. On one extreme, defensive strategies focus on the denial of the crisis or
the responsibilities for the crisis. On the other extreme, accommodative strategies
accept responsibility by offering an apology and taking remedial actions. Strategies
in the middle seek to minimize the perceived severity of the crisis instead of
influencing the attribution of responsibilities [19].
Recently, researchers have called for extending the image restoration paradigm to
a model of postcrisis renewal [59, 60]. By focusing on what will happen and how
the organization will move forward, the renewal paradigm is a prospective model.
The image renewal strategy is inherently optimistic and seeks to motivate the
stakeholders to remain with the organization and to move the organization to a
level that surpasses the precrisis status [59, 60]. When engaging in the image
renewal strategy, a firm will seek to rebuild stakeholder confidence by emphasizing
the firm’s commitment to its stakeholders and core values and pledging to avoid
similar incidents in the future [59, 60]. Table 1 shows the specific strategies that fall
under the different strategy categories, the definitions of the strategy, and the
sample statements that exemplify each strategy.

Table 1. Response Strategies, Their Definitions, and Sample Examples

Strategy type / Component strategies and definitions / Sample examples

Image Restoration

Accommodative strategy
  Apology: explicitly apologizing for the occurrence of the breach
    ● explicitly stating that the organization apologizes for the breach
  Remedial actions: taking steps to repair and control the damage
    ● offering free credit monitoring services
    ● offering financial compensations
    ● stating that the firm has shut down access to the breached data, or
      has taken steps such as training and strengthening policies and
      procedures to improve security

Moderate strategy
  Ingratiation: seeking to make the stakeholders like the organization
    ● stating that the firm has a strong history of data privacy
    ● stating that the firm has a strong history of valuing the relationship
      with the stakeholders and the trust the stakeholders have in the firm
  Justification: seeking to minimize the perceived damage associated with
  the breach
    ● stating that the firm does not believe that the lost data have been or
      will be misused
    ● stating that the lost data were encrypted and password protected
    ● stating that the breach is an isolated act

Defensive strategy
  Denial: seeking to frame that no breach crisis exists
    * not used by the firms
  Excuse: seeking to minimize the organization’s responsibility for the breach
    ● claiming that the breach occurred due to third-party negligence

Image Renewal

  Correction commitment: reassuring stakeholders that the organization
  will take whatever steps are necessary to avoid similar breach incidents
  in the future
    ● claiming that the firm has implemented security measures to prevent
      a recurrence of such an attack
  Stakeholder commitment: reassuring stakeholders that the firm is
  committed to providing the best services and/or products in spite of the
  breach incident
    ● claiming that the firm is committed to assisting the stakeholder
    ● claiming that the firm is committed to protecting stakeholder data
  Value commitment: reassuring stakeholders that the firm is committed to
  its core values
    ● claiming that the firm takes security of customer data extremely
      seriously
    ● claiming that the firm values the stakeholders’ privacy
    ● claiming that safeguarding the privacy of stakeholder data is a top
      priority

Cognitive Dissonance in the Presence of Multiple Cues


Cognitive dissonance theory (CDT) assumes that individuals strive to maintain
cognitive consistency and that the existence of nonfitting cognitive elements produces
mental distress that a person tries to reduce [24]. Based on CDT, the
persuasion literature suggests that a persuader can present a view contrary to
the one held by the message recipient. In this event, the persuader hopes that the
recipient will be confronted with a need to reduce the dissonance produced by the
presence of two contrary cognitions, and will hopefully change his or her cognition
and subsequent behavior in the direction advocated by the persuader [4, 8].
Following this line of reasoning, we posit that to protect firm value in the wake
of a breach, firm reputation and response strategies must (1) effectively induce
dissonance in the minds of the investors and (2) motivate the investors to reduce the
induced dissonance by changing their negative opinion about the breach. Since
investors draw on the firm reputation cue and the strategy cue in relation to each
other to assess the breach’s financial implications, we first discuss how these two
cues interact to impact investors.
Research on cue diagnosticity suggests that in the presence of multiple cues, the
diagnosticity of a cue determines the likelihood of its utilization [55]. A piece of
information is diagnostic if it discriminates between alternative categorizations
whereas information that is ambiguous and implies multiple possible categorizations
is less diagnostic [55]. When assessing the financial implication of a breach,
the investors are essentially categorizing the breached firms into those that will
swiftly recover and those that will not. A cue that is helpful with this categorization
is diagnostic and will more likely be used by the investors in their assessment of the
breach.
As a cue whose valence has been established and validated over time through a
demonstrated track record, the reputation cue is stable, credible, and difficult to
manipulate [45]. Research suggests that such cues can “stand alone” in the sense
that their diagnosticity depends more on their own valence than the existence/
valence of other cues [45]. More extreme valence in reputation (positive or negative)
has been found to be more diagnostic in judgment than less extreme valence
(neutral reputation) [32, 55]. As an indicator for the possession/lack of the underlying
capability and quality to deliver value, a positive/negative reputation is
diagnostic in helping investors discern firms that will swiftly overcome a breach
from those that will not. In contrast, a neutral/lower reputation is less diagnostic
because a firm with such a reputation lacks a consistently superior or inferior track
record for investors to make such distinctions.
Compared with the reputation cue, the strategy cues have the advantage of being
specifically geared toward the breach event. They nevertheless suffer from being
transient and less credible given the data breach context. They are transient because
the investigation of the breach could be still ongoing and the firm itself may not
have precise knowledge of the cause and severity of the incident. In some cases, the
affected firm is forced not to disclose the details of the breach to avoid jeopardizing
law enforcement’s efforts. They are less credible because in addition to giving an
account of the anticipated cause and severity of the breach, they may be used to
“spin” the issue. Research suggests that the diagnosticity of a transient and less
credible cue depends on the existence/valence of the stable and credible
“stand-alone” cues [45]. Therefore, the presence of the highly diagnostic positive
reputation cue moderates the diagnosticity of the response strategies.
Thus, when a breach occurs in a highly reputable firm, investors will draw upon
the stable, credible, and diagnostic high reputation cue to assess the implication of
the breach, regardless of the response strategies employed. Cognitive dissonance is
expected to arise in this case since the established positive belief about the reputation
of the firm contradicts the negative breach event. Although the strategy cues
are specifically geared toward the breach incident, investors may have some doubt
in these transient and less credible cues, and will thus have less incentive to use
them to assess a breach when the credible, stable, and diagnostic high reputation
cue is present. Supporting this argument, research in marketing has long found that
general cues such as country of origin or firm reputation are particularly valuable if
consumers do not have enough confidence in cues that are specifically related to
product characteristics [21, 41]. Documented as the most relevant and convincing
evidence of a firm’s underlying capabilities to deliver valued outcomes and performance
[38], the high reputation built upon historical accomplishment is perhaps one
of the most diagnostic indicators of a firm’s ability to recover from a breach. The
averaging model of information integration suggests that people assign weights to
each cue with the weights summing to unity [2, 3]. Thus, when assessing the
financial implication of a breach, investors are expected to assign immense weight
to the diagnostic high reputation cue, leaving the strategy cues with little weight
and little likelihood of being used. Without being used, the response strategies
employed by reputable firms are expected to produce little cognitive dissonance
beyond what has been evoked by the high reputation cue.
When a breach occurs at a firm with a lower reputation, its neutral reputation is
not diagnostic and the absence of an alternative diagnostic cue gives the investors
more incentive to use the response strategies to assess the breach. The strategies are
expected to induce dissonance in the minds of the investors because the persuasion
advocated through the strategies that the breached firm will be unscathed likely
contradicts the negative opinions the investors typically hold toward a breach. The
extent of dissonance produced will depend on the strategies employed.
In the two dissonance-producing situations where a breach occurs at a reputable
firm or where a lower-reputation firm employs a response strategy following a
breach, investors may choose to reduce dissonance through different avenues with
opposing implications [4, 8]. Through the desirable avenue, investors will accept
the persuasion and change their negative opinion about the breach, or through the
undesirable avenue, investors will reject the persuasion and discount or discredit the
cue. The avenue an investor chooses to reduce the dissonance evoked depends on
several factors. These include the credibility and diagnostic value of the cues, as
well as the extent of the discrepancy between the persuasion that the breached firm
is unscathed and the investors’ own assessment of the breach. In general, investors
will give credible and diagnostic cues more weight and discard or discount cues
with low diagnosticity and/or credibility [55]. In the worst-case scenario where a
cue has little credibility or diagnostic value, investors will reduce the dissonance by
discounting and discrediting the cue because it is easy to do so. In the best-case
scenario where a cue has great credibility and diagnostic value, dissonance can only
be reduced by accepting the persuasion because the cue cannot be easily derogated
or discredited. In between, when a cue is fairly credible and diagnostic, the avenue
investors choose to reduce the evoked dissonance will hinge on the extent of the
discrepancy between the persuasion and the investors’ own assessment of the
breach. If the discrepancy is reasonably small, investors will likely accept the
persuasion since the dissonance can be more easily reduced by a slight shift in
their assessment than by discrediting the fairly credible cue. But if the discrepancy
is extreme with the investors’ own assessment of the breach vastly different from
the persuasion, investors can reduce the dissonance more easily by discrediting the
cue and believing that the persuasion is unrealistic or untrustworthy [4, 8].

Hypotheses Development
Based on the preceding discussion, we develop the hypotheses regarding the (in)
effectiveness of firm reputation and response strategies in protecting firm value
amid a breach, in the context of their (in)effectiveness in inducing cognitive
dissonance and in motivating the shareholders to reduce the evoked dissonance in
the desired direction. Because multiple cues are involved, we first discuss the
overall impact of a breach disclosure on the stock market reaction without untangling
the effect of the individual cues. We then proceed sequentially with a
discussion of the (in)effectiveness of firm reputation and response strategies in
mitigating the negative financial impacts of a breach.

The Financial Impact of a Breach Disclosure


Stakeholders and firms maintain a set of norms, that is, shared expectations on
reciprocal rights, obligations, and acceptable behaviors that lie at the foundation of
the stakeholder-firm exchange relationship [39, 66]. One set of norms that governs
data security practices is the expectation concerning organizations’ ability and
responsibility to properly and safely collect, use, and protect the stakeholder data.
A firm’s failure to protect such data violates stakeholders’ expectancy. Research in
expectancy violation theory suggests that a target’s violations of the expectancy,
both positive and negative, attract attention due to their deviation from commonly
shared expectations and lead to more positive or negative outcomes than conformity
to expectations [10, 11]. Negative violations will generate undesirable emotions
including betrayal, distress, anger, and distrust, and exert adverse impacts on
behavior [39]. Thus, investors are expected to view a breach as a violation of
their expectations of appropriate firm behavior and to sell the breached firm’s
stocks. The anticipated expensive lawsuits and negative public image stemming
from the data breach may ultimately result in more negative reactions from the
investors and greater financial losses for the breached firm. When a firm discloses a
data breach, the firm is likely to employ various response strategies to actively
control the damage. Prior studies have not explicitly taken the response strategies
into account but have found that having integrated all information disclosed about a
breach on the announcement day, investors on average reacted negatively to the
disclosure of a breach [1, 12, 13, 29, 30]. Considering the above reasoning and prior
findings, we expect that investors will react negatively to a data breach disclosure,
which encompasses all the breach-related information disclosed on the announcement
day including the firm’s response strategies.
Hypothesis 1: A breach announcement will have a negative impact on a
breached firm’s market value.

A Favorable Reputation: A Shield or a Double-edged Sword?


Research suggests that individuals interpret new and uncertain information stimuli by
linking them to previously understood schemata [5]. The high reputation cue is one
such schema that provides a powerful interpretative frame within which the shareholders
make sense of a breach. As previously discussed, when a breach occurs at a
highly reputable firm, the stable, credible, and diagnostic high reputation cue will be
tapped into by the investors to assess the breach’s financial implication, regardless of
the response strategies used. And the high reputation cue is expected to evoke a
significant dissonance in the minds of the investors as the established positive belief
about the reputation of the firm contradicts the negative breach event. To relieve
themselves from the dissonance, investors must go through biased cognitive processing
by discarding or discounting the negative event, or by altering their positive beliefs
about the reputation of the firm. Research suggests that humans are subject to a
pervasive negativity bias and tend to give more weight to negative events [7, 50, 64].
Hence, one plausible speculation could be that investors will give more weight to the
negative breach event and alter their favorable beliefs about the reputation of the firm to
reduce their cognitive dissonance. Actually, due to the elevated expectations on the
highly reputable firms, investors may view a breach as a greater violation of expectancy
when the breach occurs at a high-reputation firm [47]. Consequently, it is possible that
the good name may backfire and investors could potentially respond more harshly to a
high-reputation firm amid a breach.
While this speculation seems plausible, research on information diagnosticity
suggests that negativity biases are more pervasive merely because they are generally
more diagnostic in judgment than positive cues [31, 50, 55]. But positivity
biases can also occur when positive cues are more diagnostic than negative cues
[55]. When assessing a breach, investors are essentially seeking to categorize a
breached firm into the group that will swiftly overcome or the group that will not.
Both groups of firms can experience a data breach and a breach can be attributed to
situational factors such as poor execution or oversight rather than changes in the
firm’s underlying security defense capability. Thus, the occurrence of a breach is
not a diagnostic cue because it is not exclusively indicative of the firm’s underlying
lack of capability to recover from the breach, and it also does not suggest one
categorization (the firm will recover) over the other (the firm will not).
By contrast, firms build high reputation by consistently demonstrating quality
capabilities and behaviors [28]. Once a firm has demonstrated its ability to perform
at a certain level, future evaluations take this performance as a given, and stakeholders
will believe that the firm is capable of creating a similar level of value [38].
As perhaps the most relevant and convincing evidence of a firm’s underlying
capabilities to deliver valued outcomes and performance, a favorable reputation
built upon historical achievement is a decisive indicator of a firm’s ability to
recover from a breach [38]. Thus, investors will give the high-reputation cue greater
diagnostic credence and discount the negative breach event. Supporting this argument,
other studies find that positivity biases are fairly common in judgments
related to performance and ability [38, 44, 55, 65]. This is because bad things
can happen to all and can be attributed to many causes, but ability can only be
demonstrated through diagnostic positive cues such as achievements and performance
[33, 38, 54, 55].
In addition, the diagnostic reputation cue is also a stable and credible signal that is
difficult to discredit. Thus, beliefs about a firm’s reputation are enduring and
“sticky” [27, 49]. Because of the stickiness, credibility, and great diagnostic
credence of the high-reputation cue, investors are expected to go through positively
biased cognitive processing to relieve themselves from the dissonance: they would
discount the negative breach event, give the positive-reputation cue more weight,
and react less negatively to the breach of a high-reputation firm. By contrast, when
a breach occurs at a lower-reputation firm, the firm’s neutral reputation is not
diagnostic in aiding investors to discern its ability to recover post-breach. In the
absence of an alternative diagnostic cue, investors will focus on and react nega-
tively to the breach event. Thus, we propose:
Hypothesis 2: There will be a less negative reaction from shareholders when a
breach occurs at a high-reputation firm than at a lower-reputation firm.

The effectiveness of response strategies by a high-reputation firm


We have previously argued that in the presence of the credible, stable, and diagnostic
high-reputation cue, investors have little incentive to use the less diagnostic response
strategy cue to assess the financial implication of a breach. Without being used, the
response strategies employed by reputable firms are expected to produce little
cognitive dissonance beyond what has been evoked by the high-reputation cue, and
consequently to exert little persuasive impact on investors. Further, as previously
discussed, investors are expected to discount or discard the negative breach event and
believe that the high-reputation firm will recover quickly from the breach. Thus, the
central message (our firm will overcome and succeed) conveyed through post-breach
response strategies is expected to confirm rather than contradict the shareholders’
own expectation of the breach’s financial impact on the high-reputation firm, leading
to little additional dissonance aroused in the mind of the shareholders, and subse-
quently little impact in changing shareholders’ opinions and behaviors. For these
reasons, post-breach response strategies are expected to add little additional value
beyond reputation in protecting the high-reputation firms’ market value following a
breach. Supporting this argument, prior research suggests that one cue can only
explain what is not already explained by other available cue(s) [42]. In the presence
of a highly dominant cue, a second cue adds little marginal value in predicting the
dependent variable [36, 61]. For instance, one study finds that organic labeling has
little marginal effect on consumers’ product quality evaluation in the presence of high
brand equity [36]. Another study suggests that the cue about a second brand ally does
not improve consumers’ evaluation of a previously unknown brand relative to the
single ally cue, possibly because once the perceived risk associated with the unknown
brand is reduced by the existence of an ally, additional allies may be ineffectual to
further reduce the risk [61].

Hypothesis 3: Post-breach response strategies will exert little residual impact
on the firm value of high-reputation firms.

The effectiveness of response strategies by a lower-reputation firm


As discussed in the conceptual development section, response strategies employed by
a lower-reputation firm will be used by investors because alternative diagnostic cues
are not available to help them assess the financial implications of a data breach. The
persuasion cued through the response strategies (the firm is and will be unscathed)
is expected to be significantly discrepant from the investors’ own negative assess-
ment of the breach’s impacts, invoking significant dissonance in the minds of the
investors. Based on the thrust of CDT, the (in)effectiveness of a response strategy in
mitigating the negative impacts of the breach will hinge on the likelihood that the
strategy can motivate the investors to reduce their cognitive dissonance through the
desired avenue. This in turn will first depend on the credibility of the strategy. When a
response strategy has little credibility, the advocated persuasion that is built upon the
strategy will also have little credibility. Investors will hence choose the undesirable
avenue to reduce dissonance by discounting and discrediting the noncredible strategy
and persuasion since it is extremely easy to do so. When a response strategy is fairly
credible, the avenue the investors choose to reduce their cognitive dissonance will
hinge on the extent of the discrepancy between the advocated persuasion and the
investors’ own assessment of the financial implication of the breach. Ultimately, the
degree of the discrepancy will be influenced by how the adopted strategy impacts (1)
the investors’ perception of the persuasion and (2) the investors’ assessment of the
financial implication of the breach.
Defensive strategies focus on the denial of any crisis or the responsibility for the
crisis and are thus best suited for situations where the organization has concrete
evidence to build the case that there is no crisis (e.g., a rumor) or the firm
is completely not responsible for the crisis (e.g., a natural disaster or terror attack)
[18, 20]. The news about a breach is unlikely to stem from rumors. And as
discussed earlier, the public expects an organization to properly and safely collect,
use, and protect the stakeholder data. Therefore, unless the breach is due to reasons
completely beyond the control of the firm such as natural disasters, stakeholders are
expected to perceive a defensive strategy as noncredible and inappropriate and to
hold the breached firm accountable even in situations where the data are compro-
mised under the care of a third party. Built upon a noncredible strategy, the
persuasion that the breached firm is unscathed will likely lose its credibility.
Thus, the adoption of the defensive strategy makes it much easier for the share-
holders to minimize their cognitive dissonance through discounting and discrediting
the noncredible strategy and persuasion. In this discrediting process, shareholders’
negative emotions and behaviors may be triggered, exerting an adverse effect on the
firm’s market value. Supporting this argument, research suggests that when a firm
does not have unambiguous grounds to use a defensive strategy, using it could
evoke suspicion and perceptions of dishonesty and consequently adversely impact
any response efforts [18, 20].

Hypothesis 4: Using defensive response strategies amid a data security breach
will negatively impact the market value of lower-reputation firms.

Accommodative strategies featuring apologies and remedial actions encompass
both positive and negative signals. On one hand, highly accommodative strategies
may trigger legal and financial liabilities [18, 58]. Apologies require the firm to
publicly accept responsibility for a breach, therefore attracting lawsuits and weaken-
ing the firm’s legal position in the event of a lawsuit. Remedial actions including
compensation may also incur legal and financial liabilities. These anticipated damage
restitution and litigation costs weaken the persuasion that the breached firm is or will
be unscathed by raising concerns about the lower-reputation firm’s ability to recover
from a breach as the firm is less likely than a high-reputation firm to have sufficient
resources needed to withstand the financial strain of a breach. Further, since the
common recommendation is that the more severe a crisis, the more the firm must try
to accommodate the victims [18], highly accommodative strategies may send an
unintended signal that the firm believes that the crisis is severe, leading to a more
negative assessment of the breach by the investors. In the context of a breach, the
statement regarding the technical fix of the breach may expose the deeper problem in
the firm’s systems and controls, evoking suspicion of repeated incidents with the root
cause not fully understood or addressed [23]. For instance, statements such as “We
have shut down access to the breached data” reveal that serious system and control
failures that led to the breach exist, compelling a technical solution (shutting down
access) that does not address the underlying root cause.
On the other hand, this category of strategies has the advantage of showing that the
breached firm realizes the problem, is honest about it, and is trying to fix it [18, 52].
Research suggests that accommodative strategies such as compensation are posi-
tively associated with customers’ distributive justice perceptions [6]. The honest and
apologetic cue is, unfortunately, not relevant and the cue about the technical fix of the
breach is not indicative/diagnostic of the lower-reputation firm’s ability to address the
root problem to overcome the breach. Given the pervasive negativity bias humans are
subject to and the low relevance and diagnosticity of the accommodative strategy,
investors will likely be particularly cognizant of and consequently place greater
weight on the risks and negative signals cued via the accommodative strategies
used by lower-reputation firms, thereby resulting in a more negative assessment of
the breach. As a result, the discrepancy between the advocated persuasion (the firm
will be unscathed) and the shareholders’ augmented negative assessment of the
breach may be so large that shareholders can reduce their cognitive dissonance
much more easily by discrediting and discounting the strategy and the weak persua-
sion, believing that the firm is being unrealistic or naive [4], leading to a more
negative market reaction following the breach. Supporting this argument, researchers
have found that more accommodative strategies such as early voluntary recall exert a
more negative impact on firm value than the delayed recall strategies [14].

Hypothesis 5: Using accommodative response strategies amid a data security
breach will negatively impact the market value of lower-reputation firms.

Moderate strategies feature justification and ingratiation. With justification
strategies, firms seek to minimize the perceived severity of the breach [18, 20]. With
ingratiation strategies, firms seek to positively influence stakeholders’ attitude
toward the firm [18, 20]. Relative to the defensive strategies, moderate strategies
appear more credible and acceptable because the firm is not denying any respon-
sibility. When compared with the accommodative strategies, the moderate strategies
have less inherent risks and negative consequences because they do not induce
similar suspicions that the breach is severe and there may be looming legal and
financial liabilities associated with the breach. Justification strategies also help
portray a positive image that the firm has knowledge on the nature and severity
of the breach. Through the relatively less risky and more credible signals that seek
to portray a positive image and minimize the perceived severity of the breach, the
moderate strategies could strengthen the persuasion that the breached firm is or will
be unscathed and lead to a less negative appraisal about the breach from the
investors. This improved yet still negative appraisal suggests that moderate strate-
gies have the potential to evoke dissonance in the minds of the shareholders
because the advocated persuasion that the breached firm is and will be unscathed
still contradicts the negative assessment from the shareholders. Nonetheless, the
improvement in the assessment suggests that the magnitude of the discrepancy is
not expected to be extreme. In other words, shareholders’ assessment under the
influence of the moderate strategies is expected to be different yet reasonably close
to the advocated persuasion. Thus, investors are likely to alter their negative
assessment about the breach since the not-so-extreme dissonance can be more
easily reduced by shifting the negative assessment of the breach closer to the
advocated persuasion than discrediting the fairly credible and acceptable moderate
strategies. Thus, we propose:
Hypothesis 6: Using moderate response strategies amid a data security breach
will positively impact the market value of lower-reputation firms.

Image renewal strategies emphasize the commitment to the firm’s core values,
stakeholders’ well-being, and the prevention of any similar future breaches [59]. As
a prospective response model, a firm employing image renewal strategies will
appear more proactive rather than merely being reactive. Investors may also view
the promise of no similar future breaches as a positive indication that the firm has
identified the root cause and is able to fully address the problem. With an emphasis
on commitment to core values, image renewal strategies show that the firm under-
stands social norms and will do whatever is necessary to renew its image [59].
Thus, image renewal strategies have the potential to signal that the firm has the
underlying capability to fully address the root cause and positively impact inves-
tors’ perception of the firms’ ability and commitment to overcome the breach. It
may be tempting to adopt an image renewal strategy considering its relatively low
imminent risks. However, firms need to exercise caution because knowingly mak-
ing false promises can lead to dire future consequences such as lawsuits or loss of
investor confidence. Thus, this strategy is only likely to be used when there is
reasonable certainty that such promises can be kept. Given their associated positive
signal and low imminent risk, image renewal strategies, when used by a lower-
reputation firm, will strengthen the persuasion that the breached firm will be
unscathed and improve the public’s negative assessment of the breach. This
improved assessment, albeit still negative, is expected to be reasonably close to
the persuasion. Consequently, we expect that the investors will likely shift their
negative opinion closer toward the advocated persuasion, because the existing
dissonance can be more easily reduced by a shift in opinion than discrediting the
relatively credible message. Hence, the use of the proactive image renewal strate-
gies by a lower-reputation firm is expected to have a positive impact on the stock
market reaction to the breach.

Hypothesis 7: Using image renewal response strategies amid a data security
breach will positively impact market value of lower-reputation firms.

Methodology
We use an event study methodology, which is widely used in the IS literature [22, 40],
to empirically evaluate the proposed hypotheses (see the Online Appendix for a
description of the event study methodology). The choice of the methodology is driven
by the premise that in an efficient market, when an event occurs and has economic
implications for the firm, changes in stock price over a short time period surrounding
the event will reflect the market’s evaluation of the overall economic impact of the
event. Since this evaluation is based on investors’ interpretation of various informa-
tion cues, changes in stock price should also capture the impacts of information cues
such as firm reputation and response strategies.

Data Sources, Sample Selection, and Measurement


We draw breach disclosure data from academic publications listing security breach
incidents and public databases such as the Privacy Rights Clearinghouse and
DatalossDB.org, which collect data breach information from user contributions and
through scouring the websites of states, attorneys general, or consumer protection
bureaus for data breach filings. Many states have enacted laws that mandate firms to
disclose breaches [53] and to file documentation detailing the breach incident and the
copies of the breach notification letters sent to the affected parties.
Following previous research, firm reputation is captured using two widely pub-
licized rankings of corporate reputation, the Wall Street Journal/Harris Interactive
Corporate Reputation list [28] and Fortune’s Most Admired Companies list [26, 44,
49]. We code a dummy variable equal to one if the firm appeared on either list prior
to the breach announcement (high-reputation), otherwise we code the variable equal
to zero (lower-reputation). This operationalization is chosen because investors pay
heed to such publicized reputation ranking when making investment decisions [44].
A high reputation ranking implies relative investment security [63], attracts new
investors for the firm [26], and impacts existing investors’ loyalty and confidence
[9]. Empirical work finds that changes in firms’ reputation rating cause significant
changes in share prices [57], and firms with high reputation ratings suffer a
significantly lower market valuation loss during a negative event [14, 44].
Response strategies are coded using the communicative statements issued by the
breached firm to its stakeholders, which normally contain an account of the nature
and magnitude of the breach and the remedial actions the firm is taking. Social
cognition research has long recognized that the nature of available information
affects impression and judgment [25]. Therefore, the breached firms will try to use
the communicative statements to actively influence the shareholders. Thus, these
statements serve as a valuable data source for coding the response strategies
because a successful recovery from a crisis requires actions and masterful commu-
nication [17, 18, 59], and actions are effective only to the extent that the firm is able
to effectively communicate them to the stakeholders. Two independent raters read
the communicative statements and categorized the response strategies using the
definition outlined in Table 1. The agreement between the two raters on the strategy
categorization is high (94 percent) and all categorization differences are resolved
through discussion.
The search of the breach data sources yields an initial sample of 5,008 incidents.
Since stock market price is required for the analyses, incidents involving non-
publicly traded entities are discarded from the sample. Some of the incidents are
duplicates and are also removed from the sample. Using LexisNexis, we verify that
the communicative statements from the firm and announcements about the breach
are issued on the same day. To ensure that the observed market reactions are related
to the data breach rather than other events, we check for confounding events such as
merger, acquisition, or earnings announcements during the two-week period sur-
rounding the breach announcement. After the removal of those announcements with
confounding events, 303 breach announcements remain and are used as the sample
for the univariate analysis.
Finally, the Center for Research in Security Prices (CRSP) and Standard & Poor’s
Compustat database are the two primary data sources for stock returns and financial
performance data, which also allow us to control for firm and industry character-
istics for more rigorous multivariate analyses. The elimination of the firms that are
not included in these two databases leaves us with 221 observations for the final
multiple regression analyses.
Table 2 Panels A and B present the distribution of the breach incidents over time
and across industries, respectively. The majority of breaches occur in the finance
industry and the least number of breaches occur in the energy and utilities industries.
Descriptive data shown in Table 2, Panel C suggests that the range of the firm size is
quite dispersed as reflected in the mean, median, and minimum and maximum values
of total assets, sales, and market value. To mitigate the influence of extreme values,
we winsorize the sample at the top and bottom 1 percent level for all the analyses.

Table 2. Descriptive Statistics

Panel A: Distribution of Announcements over Time

| Year | High-reputation N | High-reputation % | Low-reputation N | Low-reputation % | Full sample N | Full sample % |
|---|---|---|---|---|---|---|
| 2000 | 0 | 0.0 | 1 | 0.5 | 1 | 0.3 |
| 2001 | 1 | 1.2 | 0 | 0.0 | 1 | 0.3 |
| 2002 | 1 | 1.2 | 2 | 0.9 | 3 | 0.9 |
| 2003 | 1 | 1.2 | 1 | 0.5 | 2 | 0.7 |
| 2004 | 2 | 2.4 | 2 | 0.9 | 4 | 1.3 |
| 2005 | 12 | 14.6 | 7 | 3.2 | 19 | 6.3 |
| 2006 | 18 | 22.0 | 50 | 22.6 | 68 | 22.4 |
| 2007 | 18 | 22.0 | 58 | 26.2 | 76 | 25.1 |
| 2008 | 18 | 22.0 | 51 | 23.1 | 69 | 22.8 |
| 2009 | 5 | 6.1 | 26 | 11.8 | 31 | 10.2 |
| 2010 | 6 | 7.3 | 23 | 10.4 | 29 | 9.6 |
| Total | 82 | 100 | 221 | 100 | 303 | 100 |

Panel B: Distribution of Announcements by Industry

| Industry | High-reputation N | High-reputation % | Low-reputation N | Low-reputation % | Full sample N | Full sample % |
|---|---|---|---|---|---|---|
| Consumer nondurables | 5 | 6 | 5 | 2 | 10 | 3 |
| Consumer durables | 2 | 2 | 3 | 1 | 5 | 2 |
| Manufacturing | 7 | 9 | 17 | 8 | 24 | 8 |
| Energy | 2 | 2 | 2 | 1 | 4 | 1 |
| Chemicals | 1 | 1 | 0 | 0 | 1 | 0 |
| Business equipment | 8 | 10 | 30 | 14 | 38 | 13 |
| Telecom | 11 | 13 | 5 | 2 | 16 | 5 |
| Utilities | 0 | 0 | 4 | 2 | 4 | 1 |
| Shops | 11 | 13 | 30 | 14 | 41 | 14 |
| Health | 7 | 9 | 6 | 3 | 13 | 4 |
| Finance | 24 | 29 | 79 | 36 | 103 | 34 |
| Other | 4 | 5 | 40 | 18 | 44 | 15 |
| Total | 82 | 100 | 221 | 100 | 303 | 100 |

Panel C: Firm Characteristics

| | Mean | Median | Std. deviation | Min. | Max. |
|---|---|---|---|---|---|
| Total assets ($million) | 189,832 | 19,224 | 472,410 | 33 | 2,527,465 |
| Total sales ($million) | 29,819 | 8,140 | 51,298 | 35 | 458,361 |
| Market value ($million) | 43,955 | 10,058 | 79,963 | 3 | 723,527 |

Results
Univariate Analysis
Table 3 shows the market’s reaction to the breach disclosures, measured by average
abnormal returns (AR) and average cumulative abnormal returns (CAR) using the
Fama–French three-factor model (see the Online Appendix for the calculation of
AR and CAR). The Fama–French model incorporates market anomalies with
respect to firm size and the value premium and is considered more reliable in
estimating AR than a standard market model. We estimate the model parameters
using the daily stock return data during the period of t = –255 to t = –46 (0 is the
announcement date) and calculate average AR for 5 days before and 5 days after the
event (–5, +5). Panels A and B show the changes in firm valuation around the event
date for the full sample. Investors on average react negatively to breaches on the
announcement day (Average AR = –0.20 percent) and one day after (Average AR =
–0.21 percent). The average CAR for the 2-day window (0, +1) is –0.41 percent,
significant at the 5 percent level. The significant downward movements of stock
prices surrounding the event dates lend support to H1, which posits a negative
overall impact on a firm’s market value from the disclosure of a breach.

Table 3. Average Abnormal Return (AR) and Cumulative Abnormal Return (CAR)
Results

Panel A: Average AR, Full Sample (N = 303)

| Day | Average AR, % | t-statistics | z-statistics |
|---|---|---|---|
| –5 | –0.06 | –0.468 | –0.196 |
| –4 | 0.06 | 0.494 | 0.223 |
| –3 | 0.08 | 0.617 | 0.426 |
| –2 | –0.23 | –1.82** | –1.678** |
| –1 | 0.14 | 1.117 | 1.328* |
| 0 | –0.20 | –1.570* | –2.139** |
| +1 | –0.21 | –1.677** | –1.014 |
| +2 | 0.00 | 0.019 | 0.647 |
| +3 | –0.23 | –1.799** | –0.917 |
| +4 | 0.06 | 0.514 | 0.594 |
| +5 | 0.12 | 0.957 | 0.277 |

Panel B: Average CAR, Full Sample (N = 303)

| Days | Average CAR, % | t-statistics | z-statistics |
|---|---|---|---|
| (–2, +2) | –0.49 | –1.758** | –1.277 |
| (–1, +1) | –0.27 | –1.230 | –1.054 |
| (–1, 0) | –0.06 | –0.320 | –0.573 |
| (0, +1) | –0.41 | –2.296** | –2.230** |
| (–2, 0) | –0.29 | –1.312* | –1.437* |
| (0, +2) | –0.41 | –1.864** | –1.447* |

Notes: AR = abnormal returns, that is, risk-adjusted return in excess of the expected stock market
return (see the Online Appendix); CAR = cumulative abnormal returns during the event window
(see the Online Appendix). *, **, and *** denote significance at the 10 percent, 5 percent, and 1
percent levels, respectively; one-tailed tests.
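The AR and CAR procedure described in the univariate analysis, as an added Python example that is not the authors' code: it fits the standard Fama–French three-factor regression over the t = –255 to t = –46 estimation window and sums abnormal returns over the (0, +1) window. The factor series, firm returns and event-day shocks are constructed, and the simple cross-sectional t-test is an assumption, since the paper defines its test statistics in the Online Appendix.

```python
"""Event study: Fama-French three-factor abnormal returns (AR) and CAR.

Every factor series, firm return and event-day shock here is constructed.
"""
import math
import random

EST_WINDOW = (-255, -46)  # estimation window given in the text
EVENT_WINDOW = (0, 1)     # the (0, +1) CAR window


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (m[r][n] - tail) / m[r][r]
    return x


def ols(xs, ys):
    """OLS coefficients (intercept first) via the normal equations."""
    rows = [[1.0] + list(x) for x in xs]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    return solve(xtx, xty)


def abnormal_returns(excess, factors, days):
    """Fit on the estimation window only, then return {day: AR}.

    excess  -- {day: firm return minus the risk-free rate}
    factors -- {day: (MKT, SMB, HML)}
    """
    est = range(EST_WINDOW[0], EST_WINDOW[1] + 1)
    coef = ols([factors[t] for t in est], [excess[t] for t in est])
    ar = {}
    for t in days:
        expected = coef[0] + sum(c * f for c, f in zip(coef[1:], factors[t]))
        ar[t] = excess[t] - expected  # actual minus model-expected return
    return ar


def car(ar, window=EVENT_WINDOW):
    """Cumulative abnormal return over an inclusive day window."""
    return sum(ar[t] for t in range(window[0], window[1] + 1))


def cross_sectional_t(values):
    """Mean and simple cross-sectional t-statistic (assumed test form)."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1)
    return mean, mean / math.sqrt(var / n)


def make_sample():
    """Constructed data: four firms, noise-free factor exposure plus shocks.

    Shocks fall only on days 0 and +1, outside the estimation window, so
    the fitted model is not contaminated by the event itself. They are
    chosen so the mean CAR(0, +1) is -0.41 percent.
    """
    rng = random.Random(7)
    days = range(-255, 6)
    factors = {t: tuple(rng.gauss(0, 0.01) for _ in range(3)) for t in days}
    firms = {
        "firm_a": ((0.0002, 1.1, 0.3, -0.2), {0: -0.005, 1: -0.003}),
        "firm_b": ((0.0001, 0.9, -0.1, 0.4), {0: -0.002, 1: -0.002}),
        "firm_c": ((0.0000, 1.3, 0.5, 0.1), {0: -0.001, 1: -0.001}),
        "firm_d": ((0.0003, 0.7, 0.2, -0.3), {0: -0.0014, 1: -0.0010}),
    }
    sample = {}
    for name, (coef, shocks) in firms.items():
        sample[name] = {
            t: coef[0]
            + sum(c * f for c, f in zip(coef[1:], factors[t]))
            + shocks.get(t, 0.0)
            for t in days
        }
    return factors, sample


def run_study():
    """Per-firm CAR(0, +1), their mean, and the cross-sectional t."""
    factors, sample = make_sample()
    cars = {
        name: car(abnormal_returns(excess, factors, range(-5, 6)))
        for name, excess in sample.items()
    }
    mean, t_stat = cross_sectional_t(list(cars.values()))
    return cars, mean, t_stat


if __name__ == "__main__":
    cars, mean, t_stat = run_study()
    for name, value in cars.items():
        print(f"{name}: CAR(0,+1) = {value * 100:.2f}%")
    print(f"average CAR(0,+1) = {mean * 100:.2f}%, t = {t_stat:.3f}")
```

Because the constructed returns carry no residual noise, the fit is exact and each firm's CAR equals its injected shock; with real CRSP returns the estimation-window residual variance would also feed the test statistics.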
When only the lower-reputation firms are included in the analysis, investors on
average reacted negatively to the breaches for event windows (0, +1) and (0, +2) (see
Table 4, Panel A). In contrast, stock returns were not significantly different from zero for
the high-reputation sample for all the event windows (see Table 4, Panel B). Investors’
differential reaction toward the breaches occurring at lower-reputation versus those
occurring at high-reputation firms captures the effect of high-reputation cue on firm
value and provides support for H2, which suggests that high-reputation firms would
experience less negative market reaction to breaches than lower-reputation firms.

Table 4. CAR: Low- vs. High-reputation Firm

Panel A: Average CAR, Low-reputation Firm Sample (N = 224)

| Days | Average CAR, % | t-statistics | z-statistics |
|---|---|---|---|
| (–2, +2) | –0.65 | –1.88** | –1.272 |
| (–1, +1) | –0.43 | –1.609* | –1.419* |
| (–1, 0) | –0.12 | –0.549 | –0.347 |
| (0, +1) | –0.63 | –2.844*** | –2.785*** |
| (–2, 0) | –0.41 | –1.502* | –1.17 |
| (0, +2) | –0.56 | –2.086** | –1.611* |

Panel B: Average CAR, High-reputation Firm Sample (N = 79)

| Days | Average CAR, % | t-statistics | z-statistics |
|---|---|---|---|
| (–2, +2) | 0.13 | 0.316 | –0.193 |
| (–1, +1) | 0.18 | 0.58 | 0.243 |
| (–1, 0) | 0.15 | 0.593 | –0.551 |
| (0, +1) | 0.13 | 0.517 | 0.113 |
| (–2, 0) | 0.11 | 0.346 | –0.81 |
| (0, +2) | 0.12 | 0.389 | –0.039 |

Panel C: OLS Regression (N = 298, 220 Low-reputation and 78 High-reputation Firms)

$$CAR_i(0,1) = \alpha_i + \beta_1 HighRep_{it} + \beta_2 Prior_{it} + \beta_3 MB_{it} + \beta_4 Consumer_{it} + \beta_5 Finance_{it} + \beta_6 Health_{it} + \beta_7 Num_{it} + \beta_8 Sensitive_{it} + e_{it} \qquad (1)$$

| | Intercept | HighRep | Prior | MB | Consumer | Finance | Health | Num | Sensitive |
|---|---|---|---|---|---|---|---|---|---|
| Expected sign | – | + | ? | + | – | – | – | – | – |
| Estimate | –0.007 | 0.006 | –0.001 | 0.001 | –0.012 | 0.002 | 0.005 | 0.001 | –0.003 |
| T-value | –2.016** | 1.594* | –0.445 | 0.578 | –1.405* | 0.414 | 0.619 | –1.853** | –1.451* |

Adj. R² = 0.01

Notes: $CAR_i(0,1)$ = cumulative abnormal returns for firm i during the event window (0, 1) (see the Online Appendix); $HighRep_{it}$ = 1 if firm i is included either on the
Wall Street Journal/Harris Interactive “Corporate Reputation” list or the Fortune’s “Most Admired Companies” list in year t; else 0; $Prior_{it}$ = the number of prior
breaches that firm i had experienced in year t; $MB_{it}$ = market value of firm i’s equity (calculated as closing price times the number of shares outstanding at the end of
year t) divided by the book value of firm i’s equity at the end of year t; $Consumer_{it}$ = 1 if firm i is in the consumer industry in year t; else 0; $Finance_{it}$ = 1 if firm i is in
the finance industry in year t; else 0; $Health_{it}$ = 1 if firm i is in the health industry in year t; else 0; $Num_{it}$ = number of records compromised scaled by sales for firm i
in year t; $Sensitive_{it}$ = 1 if social security number, medical, financial information, date of birth, or credit card information is compromised during a breach for firm i in
year t; else 0. *, **, *** denote significance at the 10 percent, 5 percent, and 1 percent levels, respectively; one-tailed tests.

Multivariate Analysis
Panel C of Table 4 presents the result of a more rigorous ordinary least squares
(OLS) multiple regression test of the market reaction to the breach disclosures
made by high- versus low-reputation firms:

$$CAR_i(0,1) = \alpha_i + \beta_1 HighRep_{it} + \beta_2 Prior_{it} + \beta_3 MB_{it} + \beta_4 Consumer_{it} + \beta_5 Finance_{it} + \beta_6 Health_{it} + \beta_7 Num_{it} + \beta_8 Sensitive_{it} + e_{it}, \qquad (1)$$

where
$CAR_i(0,1)$ = cumulative abnormal returns during the event window (0, +1) for firm i; abnormal return is a risk-adjusted return in excess of the expected stock market return (see the Online Appendix).
$HighRep_{it}$ = 1 if firm i is included either on the Wall Street Journal/Harris Interactive Corporate Reputation list or Fortune’s Most Admired Companies list in year t, otherwise 0.
$Prior_{it}$ = the number of prior breaches that firm i had experienced in year t.
$MB_{it}$ = market value of firm i’s equity (calculated as closing price times the number of shares outstanding at the end of year t) divided by the book value of firm i’s equity at the end of year t.
$Consumer_{it}$ = 1 if firm i is in the consumer industry in year t, otherwise 0.
$Finance_{it}$ = 1 if firm i is in the finance industry in year t, otherwise 0.
$Health_{it}$ = 1 if firm i is in the health industry in year t, otherwise 0.
$Num_{it}$ = number of records compromised during a breach scaled by sales for firm i in year t.
$Sensitive_{it}$ = 1 if social security number, medical, financial information, date of birth, or credit card information is compromised during a breach for firm i in year t, otherwise 0.
Control variables: Since a breach may signal poor internal controls or the
vulnerability of the firm to future breaches, multiple breaches may in fact confirm
such suspicions and lead to a more negative market reaction. Thus, we use Prior to
control for the number of prior breaches. Recent breaches are more widely pub-
licized and their financial ramifications are better understood [13]. To control for
this time effect, we set the last incident year appearing in the data set as the baseline
and use Prior to compare previous incidents to this baseline. Without knowing
empirically which effect would dominate, we do not predict the sign of the
coefficient of Prior. Because the market may react more negatively to breaches
involving sensitive data [12], we use Consumer, Finance, Health, and Sensitive to
control for the market reaction to breaches involving or in industries that administer
sensitive data, and we expect their coefficients to be negative. MB is the market
value of equity divided by the book value of equity for firm i at year t and captures the
risks that the market assigned to the firm. We expect the coefficient of MB to be
positive. Num, the number of records compromised, captures the severity of the
breaches and is expected to be negatively associated with stock returns.
Panel C of Table 4 shows the OLS estimation of Model 1. As predicted, the
coefficients for Consumer, Num, and Sensitive are negative and significant at the 10
percent level or better. Based on H2, we expect the intercept term α, which captures
the market reaction to breaches at lower-reputation firms, to be negative. We expect
the coefficient of HighRep (β1), which captures the differential market reaction
between the high- and lower-reputation firms, to be positive but smaller than α in
magnitude, indicating that the market reacted less negatively to the breaches of the
high-reputation firms. Table 4, Panel C shows that the intercept term is negative and
significant at the 5 percent level (–0.007, t = –2.016) and the coefficient of HighRep
is positive and significant at the 10 percent level (0.005, t = 1.594). These results
suggest that before considering the effects of response strategies, shareholders
responded less negatively when a breach occurred at a high-reputation firm than
at a lower-reputation firm, providing further support for H2.
To test H2–H7, we separate our sample into high- versus lower-reputation firms
and employ the following regression model. A split-sample approach was indicated
due to high multicollinearity encountered when simultaneously including the direct
effects of strategy and firm reputation as well as their interaction effect in the model.

$$CAR_{it} = \alpha_i + \beta_1 Strategy_{it} + \beta_2 Prior_{it} + \beta_3 MB_{it} + \beta_4 Consumer_{it} + \beta_5 Finance_{it} + \beta_6 Health_{it} + \beta_7 Num_{it} + \beta_8 Sensitive_{it} + e_{it}, \qquad (2)$$

where $Strategy_{it}$ = S1 = 1 if the response strategy is accommodative; Strategy = S2 =
1 if the response strategy is moderate; Strategy = S3 = 1 if the response strategy is
defensive; Strategy = S4 = 1 if the response strategy is image renewal; otherwise
Strategy = 0. All other variables are defined as before.
Tables 5 and 6 report the OLS estimation of Model 2 for the high- versus lower-
reputation firm samples, respectively. The results show that none of the intercepts for
the high-reputation sample were significantly different from zero (Table 5) whereas
the intercepts of the lower-reputation firm sample are all negative and two of them are
significant at the 10 percent level (Table 6). These results collectively indicate that
after considering the effects of response strategies, investors on average reacted
negatively to breaches at lower reputation firms but did not react negatively to
breaches at high reputation firms, providing further support for H2, which suggests
that investors reacted less negatively when a breach occurs at a high-reputation firm
than at a lower-reputation firm. Lending support to H3, which predicts that response
strategies would exert little residual effect on the market reaction to breaches for
high-reputation firms, none of the coefficients of strategies is significant.
Table 5. OLS Regression—High Reputation Firm Response Strategies

Model: $\mathrm{CAR}_{it} = \alpha_i + \beta_1 \mathrm{Strategy}_{it} + \beta_2 \mathrm{Prior}_{it} + \beta_3 \mathrm{MB}_{it} + \beta_4 \mathrm{Consumer}_{it} + \beta_5 \mathrm{Finance}_{it} + \beta_6 \mathrm{Health}_{it} + \beta_7 \mathrm{Num}_{it} + \beta_8 \mathrm{Sensitive}_{it} + e_{it}$ (2)

| | Intercept | S1 | S2 | S3 | S4 | Prior | MB | Consumer | Finance | Health | Num | Sensitive | Adj. R2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Estimate | 0.003 | 0.001 | | | | –0.001 | 0.000 | –0.010 | –0.004 | –0.001 | –0.029 | 0.000 | 0.01 |
| T-value | 0.418 | 0.233 | | | | –0.790 | –0.620 | –1.297* | –0.642 | –0.114 | –0.001 | –0.045 | |
| Estimate | 0.001 | | 0.002 | | | –0.001 | –0.001 | –0.011 | –0.004 | –0.002 | 0.144 | –0.001 | 0.01 |
| T-value | 0.146 | | 0.795 | | | –0.672 | –0.786 | –1.288* | –0.612 | –0.219 | 0.005 | –0.140 | |
| Estimate | 0.003 | | | 0.004 | | –0.001 | 0.000 | –0.011 | –0.004 | –0.002 | –0.062 | 0.000 | 0.02 |
| T-value | 0.464 | | | 0.664 | | –0.622 | –0.634 | –1.371* | –0.655 | –0.169 | –0.002 | –0.072 | |
| Estimate | 0.005 | | | | –0.002 | –0.001 | 0.000 | –0.010 | –0.005 | –0.001 | –2.242 | 0.000 | 0.01 |
| T-value | 0.680 | | | | –0.416 | –0.792 | –0.570 | –1.156* | –0.726 | –0.134 | –0.074 | –0.029 | |

Notes: $\mathrm{CAR}_i(0,1)$ = cumulative abnormal returns for firm $i$ during the event window (0, 1) (see the Online Appendix); Strategy = S1 = 1 if the response strategy is
Accommodative, Strategy = S2 = 1 if the response strategy is Moderate, Strategy = S3 = 1 if the response strategy is Defensive, Strategy = S4 = 1 if the response
strategy is Image Renewal; else Strategy = 0; $\mathrm{Prior}_{it}$ = the number of prior breaches that firm $i$ had experienced in year $t$; $\mathrm{MB}_{it}$ = market value of firm $i$’s equity
(calculated as closing price times the number of shares outstanding at the end of year $t$) divided by the book value of firm $i$’s equity at the end of year $t$; $\mathrm{Consumer}_{it}$ =
1 if firm $i$ is in the consumer industry in year $t$; else 0; $\mathrm{Finance}_{it}$ = 1 if firm $i$ is in the finance industry in year $t$; else 0; $\mathrm{Health}_{it}$ = 1 if firm $i$ is in the health industry in
year $t$; else 0; $\mathrm{Num}_{it}$ = number of records compromised scaled by sales for firm $i$ in year $t$; $\mathrm{Sensitive}_{it}$ = 1 if social security number, medical, financial information,
date of birth, or credit card information is compromised during a breach for firm $i$ in year $t$; else 0. *, **, *** denote significance at the 10 percent, 5 percent, and 1
percent levels, respectively; one-tailed tests.

Table 6. OLS Regression—Low-reputation Firm Response Strategies

Model: $\mathrm{CAR}_{it} = \alpha_i + \beta_1 \mathrm{Strategy}_{it} + \beta_2 \mathrm{Prior}_{it} + \beta_3 \mathrm{MB}_{it} + \beta_4 \mathrm{Consumer}_{it} + \beta_5 \mathrm{Finance}_{it} + \beta_6 \mathrm{Health}_{it} + \beta_7 \mathrm{Num}_{it} + \beta_8 \mathrm{Sensitive}_{it} + e_{it}$ (2)

| | Intercept | S1 | S2 | S3 | S4 | Prior | MB | Consumer | Finance | Health | Num | Sensitive | Adj. R2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Estimate | –0.002 | –0.001 | | | | 0.001 | 0.001 | –0.014 | 0.004 | 0.014 | –0.612 | –0.004 | 0.02 |
| T-value | –0.385 | –0.446 | | | | 0.273 | 0.925 | –1.083 | 0.834 | 0.965 | –1.533* | –1.289* | |
| Estimate | –0.010 | | 0.004 | | | 0.001 | 0.001 | –0.013 | 0.004 | 0.013 | –0.637 | –0.004 | 0.02 |
| T-value | –1.541* | | 1.796** | | | 0.454 | 0.942 | –1.066 | 0.722 | 0.952 | –1.606* | –1.422* | |
| Estimate | –0.004 | | | –0.001 | | 0.001 | 0.001 | –0.014 | 0.004 | 0.013 | –0.607 | –0.004 | 0.02 |
| T-value | –0.605 | | | –0.238 | | 0.260 | 0.899 | –1.112 | 0.804 | 0.918 | –1.521* | –1.363* | |
| Estimate | –0.008 | | | | 0.011 | 0.001 | 0.001 | –0.015 | 0.003 | 0.011 | –0.692 | –0.004 | 0.03 |
| T-value | –1.378* | | | | 2.406*** | 0.322 | 1.141 | –1.204 | 0.614 | 0.773 | –1.751** | –1.340* | |

Notes: $\mathrm{CAR}_i(0,1)$ = cumulative abnormal returns for firm $i$ during the event window (0, 1) (see the Online Appendix); Strategy = S1 = 1 if the response strategy is
Accommodative, Strategy = S2 = 1 if the response strategy is Moderate, Strategy = S3 = 1 if the response strategy is Defensive, Strategy = S4 = 1 if the response
strategy is Image Renewal; else Strategy = 0; $\mathrm{Prior}_{it}$ = the number of prior breaches that firm $i$ had experienced in year $t$; $\mathrm{MB}_{it}$ = market value of firm $i$’s equity
(calculated as closing price times the number of shares outstanding at the end of year $t$) divided by the book value of firm $i$’s equity at the end of year $t$; $\mathrm{Consumer}_{it}$ =
1 if firm $i$ is in the consumer industry in year $t$; else 0; $\mathrm{Finance}_{it}$ = 1 if firm $i$ is in the finance industry in year $t$; else 0; $\mathrm{Health}_{it}$ = 1 if firm $i$ is in the health industry in
year $t$; else 0; $\mathrm{Num}_{it}$ = number of records compromised scaled by sales for firm $i$ in year $t$; $\mathrm{Sensitive}_{it}$ = 1 if social security number, medical, financial information,
date of birth, or credit card information is compromised during a breach for firm $i$ in year $t$; else 0. *, **, *** denote significance at the 10 percent, 5 percent, and 1
percent levels, respectively; one-tailed tests.

H4 and H5, respectively, posit that investors would react more negatively to a
lower-reputation firm using defensive strategies or accommodative strategies. As
shown in Table 6, the coefficients for S3 (defensive strategies) and S1 (accommodative
strategies) are negative but not significant at the 10 percent level. Thus,
neither H4 nor H5 is supported. H4 is grounded on the argument that the investors
will reduce their cognitive dissonance by discounting and discrediting the noncredible
defensive strategies, which in turn may trigger further negative emotions and
behaviors and adversely impact the lower-reputation firm’s market value. One
explanation for the lack of the anticipated relationship could be that defensive
strategies were simply discounted by the investors without triggering further negative
emotions and behaviors. H5 is based on the logic that accommodative strategies
used by lower-reputation firms may produce extreme cognitive dissonance,
making it much easier for the investors to reduce the dissonance by discrediting the
strategies than by changing their negative opinion of the breach. The accommodative
strategies may also induce augmented negative assessment that the financial
implication of the breach may be more severe than originally thought, leading to a
sell-off of the breached firm’s stocks. One possible explanation for the lack of
relationship could be that the large cognitive dissonance evoked by the accommodative
strategies may not be extreme enough to induce vigorous effort in discrediting
the firm. And the augmented negative assessment of the breach due to the use
of the accommodative strategies may not be large enough to induce further negative
impact on firm valuation. In contrast, the coefficients for S2 (moderate strategies:
0.004, p < 0.04) and S4 (image renewal strategies: 0.011, p < 0.01) shown in
Table 6 are positive and significant at 5 percent or better, lending support to H6 and
H7, which respectively postulate that the stock market’s downward valuation would
be less severe for low-reputation firms using moderate or image renewal strategies.
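
The split-sample estimation of Model 2 described above, as an added example (not the authors' code or data): it fits the model once per strategy dummy, as in the rows of Tables 5 and 6, on a constructed sample and marks t-values with one-tailed tests. The data, the effect sizes, all function names and the large-sample normal approximation for the p-values are assumptions made for illustration.

```python
import math
import random

# Column order of Model 2: intercept, one strategy dummy, then the controls.
CONTROLS = ["prior", "mb", "consumer", "finance", "health", "num", "sensitive"]
STRATEGIES = ["S1", "S2", "S3", "S4"]


def solve(a, b):
    """Solve the linear system a x = b (Gauss-Jordan, partial pivoting)."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            # e.g. a strategy dummy that is all zeros in this sub-sample
            raise ValueError("design matrix is rank deficient")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(X, y):
    """Return (coefficients, t-values) for y = X b + e via the normal equations."""
    n, k = len(X), len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    beta = solve(xtx, xty)
    resid = [yi - sum(b * x for b, x in zip(beta, r)) for r, yi in zip(X, y)]
    s2 = sum(e * e for e in resid) / (n - k)      # residual variance
    tvals = []
    for i in range(k):
        unit = [float(j == i) for j in range(k)]
        var_i = s2 * solve(xtx, unit)[i]          # i-th diagonal of s2 (X'X)^-1
        tvals.append(beta[i] / math.sqrt(var_i))
    return beta, tvals


def one_tailed_p(t):
    """One-tailed p-value of a t-statistic (assumption: normal approximation)."""
    return 0.5 * math.erfc(abs(t) / math.sqrt(2))


def stars(t):
    """Significance marks in the tables' convention: * 10%, ** 5%, *** 1%."""
    p = one_tailed_p(t)
    return "***" if p < 0.01 else "**" if p < 0.05 else "*" if p < 0.10 else ""


def fit_model2(sample, strategy):
    """Estimate Model 2 with a single strategy dummy; returns name -> (coef, t)."""
    X = [[1.0, float(f["strategy"] == strategy)] + [f[c] for c in CONTROLS]
         for f in sample]
    beta, tvals = ols(X, [f["car"] for f in sample])
    return dict(zip(["intercept", strategy] + CONTROLS, zip(beta, tvals)))


def split_sample_fits(sample):
    """One regression per strategy dummy. The comparison group in each fit is
    every other event in the sub-sample, including other strategies."""
    return {s: fit_model2(sample, s)[s] for s in STRATEGIES}


def constructed_sample(n, intercept, s4_effect, seed):
    """Constructed breach events (not the paper's data): CAR is the intercept,
    plus s4_effect when the response is S4, plus Gaussian noise."""
    rng = random.Random(seed)
    sample = []
    for _ in range(n):
        industry = rng.choice(["consumer", "finance", "health", "other"])
        f = {"strategy": rng.choice(STRATEGIES + [None]),
             "prior": float(rng.randint(0, 3)),
             "mb": rng.uniform(0.5, 6.0),
             "consumer": float(industry == "consumer"),
             "finance": float(industry == "finance"),
             "health": float(industry == "health"),
             "num": rng.uniform(0.0, 1.0),
             "sensitive": float(rng.random() < 0.5)}
        f["car"] = (intercept + s4_effect * (f["strategy"] == "S4")
                    + rng.gauss(0, 0.004))
        sample.append(f)
    return sample


if __name__ == "__main__":
    samples = [("high reputation", constructed_sample(400, 0.0, 0.0, 1)),
               ("lower reputation", constructed_sample(400, -0.008, 0.011, 2))]
    for label, sample in samples:
        print(label)
        for s, (coef, t) in split_sample_fits(sample).items():
            print(f"  {s}: estimate {coef:+.4f}  t {t:+.3f}{stars(t)}")
```

On the constructed lower-reputation sample the S1 to S3 estimates come out negative because their comparison group contains the S4 events; that is a property of the one-dummy specification and of the constructed effect, not a finding.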

Robustness Tests
The results in Tables 3 and 4 suggest that our sample firms experienced negative
returns on other days beyond the (0, 1) window period. Hence we estimated Model 2
using windows (0, 2) and (–2, 2) for both the high- and lower-reputation firms. The
results continue to support H3, suggesting that response strategies have little residual
effect on the market reaction to breaches at high-reputation firms. For the
lower-reputation firms, none of the strategy coefficients is significant, which indicates that
the less negative market reaction to lower-reputation firms using moderate or renewal
strategies was only observed in the short window (0, 1), but not in the extended
windows (0, 2) and (–2, 2). The evidence is consistent with the market efficiency
theory, which suggests that the market can impound new value-relevant information
very quickly. We also used Verizon’s and Acquisti’s classification of breach size as
alternative controls for severity. Although neither variable is significant, the main
results stay robust when either variable is included in the models.

Discussion, Implications, and Conclusion


This research integrates the CDT and the research on cue diagnosticity and crisis
management to examine the efficacy of reputation and a wide range of response
strategies in post-breach recovery. The results provide considerable support for our
theoretical arguments and point to the importance of this research. Specifically, this
study confirms prior findings that the stock market response to the breach disclosures
is negative and significant [1, 12, 13, 29, 30]. The results also reveal that firm
reputation is an important asset in protecting firm value amid a breach.
Lower-reputation firms suffer significant and negative returns after they disclose a
breach whereas firms with superior reputation do not. Not all response strategies
used by lower-reputation firms are effective in protecting firm value. Although the
market responds positively to the moderate or image renewal strategies, no effect is
observed for the defensive or accommodative strategies. Response strategies are
found to matter less for high-reputation firms. The positive effects of the moderate
and image renewal strategies are only detected for the lower-reputation sample, but
not for the high-reputation sample.
Nevertheless, these encouraging results should be viewed with the limitations of
the study in mind. First, although the results are largely consistent with our theory-
based predictions, the data did not allow us to directly assess the theorized cue
diagnosticity and cognitive dissonance arguments. While this “black box” approach
is commonly used in research using archival data [44], it would be fruitful for future
research to explicitly measure and test these arguments. Further, this research focuses
on one type of reputational asset and one specific group of stakeholders (investors).
In the literature, researchers have shown that the specific effects from reputation on
performance outcomes vary depending on the conceptualization and operationalization
of the reputation construct [48]. Different stakeholder groups may also interpret
and react to a security breach disclosure, firm reputation, and response strategies
differently. For instance, accommodative strategies such as compensation and apologies
are found to be ineffective in this study. Yet other studies have suggested that
they positively impact consumers’ justice perceptions and trust repair [6, 15]. Thus,
one logical extension is for scholars to develop theory and comparative research
designs that precisely specify and compare the differential effects of various reputation
constructs and response strategies in post-breach recovery when different stakeholder
groups are considered. Such comparative studies may be critical in reconciling
the contradictory findings and contributing to the development of a more generalizable
theory regarding the buffering [44] versus exacerbating [47] effects of firm
reputation and response strategies in reducing the consequences of a negative event.
Finally, this research suggests that investors have less incentive to use the response
strategy cues that are specifically geared toward the breach incident than the general
high-reputation cue because the former suffers from being transient and less credible.
Future research may consider investigating how firms can overcome the challenges
associated with the response strategies to increase their marginal benefits in post-breach
recovery. Additionally, given that this research focuses on the effect of distinct
response strategy categories, future studies may also systematically categorize different
strategy combinations and explore their potential impacts.
Despite these limitations, this research makes important contributions to the data-
breach literature. First, as complete security risk prevention becomes effectively
infeasible [15, 62], there is an urgent need for IS scholars to expand the current
research focus beyond security mitigation and prevention to investigating issues
spanning the life cycle of a breach (from prevention to recovery) [15]. Currently,
very little has been done to provide guidelines on the mechanisms available to help
firms effectively weather the adverse effects of data breaches [15]. In the absence of
guidelines, firms’ ad hoc and often reactive damage control and recovery efforts
may be in vain. This research adds to the emerging IS research on data breach
recovery [6, 15, 62] by offering theoretically sound and evidence-based guidance
on how to best protect value amid a data breach. Extending prior work that focuses
on one or two recovery mechanisms [6, 62], the study synthesizes the literature on
crisis management and identifies a taxonomy of response strategies so that the
efficacy of these strategies can be systematically investigated. The differences
theorized and the different effects observed in the empirical results regarding the
relative efficacy of the various response strategies point to the theoretical and
practical importance of this systematic approach.
Second, this research highlights the importance of cross-pollination between the
IS security and crisis management literatures. The results show that the various
response strategies identified in the crisis management literature are indeed used by
the firms in our sample, although only moderate and image renewal strategies are
found to be beneficial for the lower-reputation firms. Thus, one immediate possibility
for cross-pollination is for the IS researchers to translate the general moderate
and image renewal strategy guidelines into concrete plans for IS capability building
and priority setting both before and during the breach. This is important because the
implementation of these two strategies requires that a breached firm have the right
IS capabilities prior to the breach, and prioritize the right activities during the
breach to expeditiously assess the severity of the breach and identify the root cause
to prevent repeated breach incidents. The limited benefits of the identified response
strategies also underscore the significance for IS researchers to incorporate the data
breach contextual insights to develop more nuanced and context-specific strategies.
For instance, the finding that the market reacts less negatively to the breach
announcements of firms that disclosed action-oriented security risk factors in
their annual report before the breach [62] may be an indication of shareholders’
interest in information regarding the technical specifics of a breach. Other researchers
highlight the importance of distributive, procedural, and interactional justice
perceptions on post-breach recovery [15]. These results imply that investigating
how firms can effectively manage the breach crisis by incorporating certain technical
specifics into the breached firms’ communicative statements, or by framing
such statements to positively impact investors’ justice perceptions, may be a
worthwhile endeavor for IS and crisis management scholars.

By framing the effectiveness of firm reputation and response strategies in protecting
the breached firms’ value in the context of persuasion, the CDT and cue
diagnosticity arguments developed here have the potential to extend the IS persuasion
literature. Due to its strength in integrating contextual, message, and individual
variables under one umbrella framework, the elaboration likelihood model (ELM)
has remained the dominant reference framework in the IS persuasion literature,
even though other fields have sought to address the theoretical limitations of ELM
through alternative perspectives [16, 34]. ELM posits that there are central and
peripheral routes to message persuasion. When elaboration likelihood is high, that
is, the motivation and capability to process the message is high, individuals will
rely on the central cues, and persuasion will occur via the central route. When
elaboration likelihood is low, individuals will rely on peripheral cues, and persuasion
will occur through the peripheral route [43]. Some critiques of the ELM stem
from the ambiguous distinction between the central and peripheral cues and the
assumption that central processing is more predictive of behaviors [16, 34].
Echoing these critiques, empirical evidence suggests that peripheral processing is
more predictive of behavior in the web personalization context [56]. Similarly, this
research observes that the high-reputation cue, a peripheral cue within the ELM
framework, is more persuasive than the response strategies that the ELM definition
would consider as central cues. This result, which appears to contradict certain
ELM assumptions, underscores the importance of extending the IS persuasion
literature through the exploration and integration of the CDT and cue diagnosticity
arguments developed here.
This research also contributes to the crisis management and reputation literature.
Despite the improved knowledge on postcrisis response strategies and their effects
on stakeholders [18, 19, 20], the circumstances under which the efficacy of the
strategies may vary are not fully understood [66]. By exploring the dynamics
occurring between response strategies and firm reputation, this research suggests
that reputation presents a boundary condition that affects the effectiveness of
certain response strategies in protecting firm value amid a breach. Further, employing
a relatively large sample, this research has yielded important findings, extending
prior crisis management empirical literature that has been largely qualitative
and case-based [17, 59, 60]. Contrary to the conjecture that reputable organizations
should be more successful at employing response strategies [59, 60], this study
finds that response strategies matter less for high-reputation firms. This difference
in findings calls for more research to examine the dynamics occurring between
response strategies and firm reputation. Lastly, this research draws insights from the
information diagnosticity literature and suggests that a clear distinction between
ability-related judgments and other types of judgments may be an important
boundary condition for the buffering or exacerbating role of firm reputation in a
crisis, and could thus be critical in reconciling the inconsistent results in the
literature [44].

The results also suggest several important practical implications. First, the overall
negative market reaction to security breach disclosures underscores that safeguarding
information assets and regaining control after a breach are critical capabilities that
organizations should develop. These capabilities are even more important for lower-
reputation firms because the negative market reaction is more apparent for this group of
firms. Second, it is essential for lower-reputation firms to employ information cues that
are diagnostic, dissonance arousing, and capable of motivating the stakeholders to reduce
the induced dissonance in the direction desired. Specifically, lower-reputation firms
should engage in moderate and image renewal strategies as they are found to be beneficial
for them. Strategically, IS managers should lead and prioritize to ensure that the firm has
the right IS capability prior to the breach so that the moderate and image renewal strategies
can indeed be implemented. Finally, reputation building is critical because a well-
managed and carefully nurtured reputation can be stored over time to shield the afflicted
firm from a negative stock market reaction stemming from a data breach.

Supplemental File
Supplemental data for this article can be accessed on the publisher’s website at
10.1080/07421222.2018.1451962

REFERENCES
1. Acquisti, A.; Friedman, A.; and Telang, R. Is there a cost to privacy breaches? An
event study. Twenty Seventh International Conference on Information Systems Proceedings.
Paper 94. Milwaukee, WI, Dec 10 2006–Dec 13 2006.
2. Anderson, N.H. Methods of Information Integration Theory. San Diego, CA:
Academic Press, 1982.
3. Anderson, N.H. Integration theory and attitude change. Psychological Review, 78, 3
(1971), 171–206.
4. Aronson, E.; Turner, J.A.; and Carlsmith, J.M. Communicator credibility and communication
discrepancy as determinants of opinion change. Journal of Abnormal and Social
Psychology, 67, 1 (1963), 31–36.
5. Axelrod, R. Schema theory: An information processing model of perception and
cognition. American Political Science Review, 67, 4 (1973), 1248–1266.
6. Bansal, G., and Zahedi, F.M. Trust violation and repair: The information privacy
perspective. Decision Support Systems, 71 (2015), 62–77.
7. Baumeister, R.F.; Bratslavsky, E.; Finkenauer, C.; and Vohs, K.D. Bad is stronger than
good. Review of General Psychology, 5, 4 (2001), 323–370.
8. Bergin, A.E. The effect of dissonant persuasive communications upon changes in a
self-referring attitude. Journal of Personality, 30, 3 (1962), 423–438.
9. Bravo, F. Forward-looking disclosure and corporate reputation as mechanisms to
reduce stock return volatility. Revista de Contabilidad, 19, 1 (2016), 122–131.
10. Burgoon, J.K. Interpersonal expectations, expectancy violations, and emotional communication.
Journal of Language and Social Psychology, 12, 1–2 (1993), 30–48.
11. Burgoon, J.K., and Hale, J.L. Nonverbal expectancy violations: Model elaboration and
application to immediacy behaviors. Communication Monographs, 55, 1 (1988), 58–79.
12. Campbell, K.; Gordon, L.A.; Loeb, M.P.; and Zhou, L. The economic cost of publicly
announced information security breaches: Empirical evidence from the stock market. Journal
of Computer Security, 11, 3 (2003), 431–448.
13. Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The effect of Internet security breach
announcements on market value: Capital market reactions for breached firms and Internet
security developers. International Journal of Electronic Commerce, 9, 1 (Fall 2004), 69–104.
14. Chen, Y.; Ganesan, S.; and Liu, Y. Does a firm’s product-recall strategy affect its
financial value? An examination of strategic alternatives during product-harm crises. Journal
of Marketing, 73, 6 (2009), 214–226.
15. Choi, B.C.; Kim, S.S.; and Jiang, Z. Influence of firm’s recovery endeavors upon
privacy breach on online customer behavior. Journal of Management Information Systems,
33, 3 (2016), 904–933.
16. Choi, S.M., and Salmon, C.T. The elaboration likelihood model of persuasion after two
decades: A review of criticisms and contributions. Kentucky Journal of Communication, 22,
1 (2003), 47–77.
17. Coombs, W.T. Protecting organization reputations during a crisis: The development
and application of situational crisis communication theory. Corporate Reputation Review, 10,
3 (2007), 163–176.
18. Coombs, T.W., and Holladay, S.J. Helping crisis managers protect reputational assets.
Management Communication Quarterly, 16, 2 (2002), 165–186.
19. Coombs, T.W. An analytic framework for crisis situations: Better responses from a
better understanding of the situation. Journal of Public Relations Research, 10, 3 (1998),
177–191.
20. Coombs, T.W., and Holladay, S.J. Communication and attributions in a crisis: An
experiment study in crisis communication. Journal of Public Relations Research, 8, 4 (1996),
279–295.
21. Cox, D.F. The measurement of information value: A study in consumer decision-
making. In W. S. Decker (Ed.), Emerging concept in marketing. Chicago: American
Marketing Association, (1962), 413–421.
22. Dehning, B.; Richardson, V.J.; Urbaczewski, A.; and Wells, J.D. Reexamining the
value relevance of e-commerce initiatives. Journal of Management Information Systems, 21,
1 (2004), 55–82.
23. Deloitte, D. Cyber crisis management: Readiness, response, and recovery.
https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-cyber-pov.pdf.
24. Festinger, L. A Theory of Cognitive Dissonance. Stanford, CA: Stanford University
Press, 1962.
25. Fiske, S.T., and Taylor, S.E. Social Cognition. New York: McGraw-Hill, 1991.
26. Fombrun, C., and Shanley, M. What’s in a name? Reputation building and corporate
strategy. Academy of Management Journal, 33, 2 (1990), 233–258.
27. Fombrun, C.J., and Riel, C.B.M.v. Fame & Fortune: How Successful Companies Build
Winning Reputations. Upper Saddle River, NJ: Pearson Education, 2004.
28. Gardberg, N.A., and Fombrun, C.J. The global reputation quotient project: First steps
towards a cross-nationally valid measure of corporate reputation. Corporate Reputation
Review, 4, 4 (2002), 303–307.
29. Gatzlaff, K.M., and McCullough, K.A. The effect of data breaches on shareholder
wealth. Risk Management and Insurance Review, 13, 1 (2010), 61–83.
30. Goel, S., and Shawky, H.A. Estimating the market impact of security breach announcements
on firm values. Information and Management, 46, 7 (2009), 404–410.
31. Herr, P.M.; Kardes, F.R.; and Kim, J. Effects of word-of-mouth and product-attribute
information on persuasion: An accessibility-diagnosticity perspective. Journal of Consumer
Research, 17, 4 (1991), 454–462.
32. Jo, M.; Nakamoto, K.; and Nelson, J.E. The shielding effects of brand image against
lower quality countries-of-origin in global manufacturing. Journal of Business Research, 56,
8 (2003), 637–646.
33. Kelley, H.H. The processes of causal attribution. American Psychologist, 28, 2 (1973),
107–128.
34. Kitchen, P.J.; Kerr, G.E.; Schultz, D.; McColl, R.; and Pals, H. The elaboration
likelihood model: Review, critique and research agenda. European Journal of Marketing,
48, 11/12 (2014), 2033–2050.
35. Kwon, J., and Johnson, M.E. Health-care security strategies for data protection and
regulatory compliance. Journal of Management Information Systems, 30, 2 (2013), 41–66.
36. Larceneux, F.; Benoit-Moreau, F.; and Renaudin, V. Why might organic labels fail to
influence consumer choices? Marginal labelling and brand equity effects. Journal of
Consumer Policy, 35, 1 (2012), 85–104.
37. Liang, N.; Biros, D.P.; and Luse, A. An empirical validation of malicious insider
characteristics. Journal of Management Information Systems, 33, 2 (2016), 361–392.
38. Mishina, Y.; Block, E.S.; and Mannor, M.J. The path dependence of organizational
reputation: How social judgment influences assessments of capability and character.
Strategic Management Journal, 33, 5 (2012), 459–477.
39. Morrison, E.W., and Robinson, S.L. When employees feel betrayed: A model of how
psychological contract violation develops. Academy of Management Review, 22, 1 (1997),
226–256.
40. Oh, W.; Gallivan, M.J.; and Kim, J.W. The market’s perception of the transactional
risks of information technology outsourcing announcements. Journal of Management
Information Systems, 22, 4 (Spring 2006), 271–303.
41. Olson, J.C., and Jacoby, J. Cue utilization in the quality perception process.
Proceedings of the Third Annual Conference of the Association for Consumer Research.
Iowa City, IA: Association for Consumer Research, (1972), 167–179.
42. Park, C.W.; Jun, S.Y.; and Shocker, A.D. Composite branding alliances: An investigation
of extension and feedback effects. Journal of Marketing Research, 33, 4 (1996), 453–466.
43. Petty, R.E., and Cacioppo, J.T. The elaboration likelihood model of persuasion.
Advances in Experimental Social Psychology, 19 (1986), 123–205.
44. Pfarrer, M.D.; Pollock, T.G.; and Rindova, V.P. A tale of two assets: The effects of firm
reputation and celebrity on earnings surprises and investors’ reactions. Academy of
Management Journal, 53, 5 (2010), 1131–1152.
45. Purohit, D., and Srivastava, J. Effect of manufacturer reputation, retailer reputation,
and product warranty on consumer judgments of product quality: A cue diagnosticity framework.
Journal of Consumer Psychology, 10, 3 (2001), 123–134.
46. PWC, P. Cyber crisis management: A bold approach to a bold and shadowy nemesis.
(2011). https://www.pwc.com/ca/en/technologyconsulting/security/publications/pwccyber-
security-crisismanagement-2013-05-en.pdf
47. Rhee, M., and Haunschild, P.R. The liability of good reputation: A study of product
recalls in the US automobile industry. Organization Science, 17, 1 (2006), 101–117.
48. Rindova, V.P.; Williamson, I.O.; Petkova, A.P.; and Sever, J.M. Being good or being
known: An empirical examination of the dimensions, antecedents, and consequences of
organizational reputation. Academy of Management Journal, 48, 6 (2005), 1033–1049.
49. Roberts, P.W., and Dowling, G.R. Corporate reputation and sustained superior financial
performance. Strategic Management Journal, 23, 12 (2002), 1077–1093.
50. Rozin, P., and Royzman, E.B. Negativity bias, negativity dominance, and contagion.
Personality and Social Psychology Review, 5, 4 (2001), 296–320.
51. Schultz, M.; Mouritsen, J.; and Gabrielsen, G. Sticky reputation: Analyzing a ranking
system. Corporate Reputation Review, 4, 1 (Spring 2001), 24–41.
52. Sellnow, T.L.; Ulmer, R.R.; and Snider, M. The compatibility of corrective action in
organizational crisis communication. Communication Quarterly, 46, 1 (Winter 1998), 60–74.
53. Sen, R., and Borle, S. Estimating the contextual risk of data breach: An empirical
approach. Journal of Management Information Systems, 32, 2 (2015), 314–341.
54. Skowronski, J.J. Honesty and intelligence judgments of individuals and groups: The
effects of entity-related behavior diagnosticity and implicit theories. Social Cognition, 20, 2
(2002), 136–169.
55. Skowronski, J.J., and Carlston, D.E. Social judgment and social memory: The role of
cue diagnosticity in negativity, positivity, and extremity biases. Journal of Personality and
Social Psychology, 52, 4 (1987), 689–699.
56. Tam, K.Y., and Ho, S.Y. Web personalization as a persuasion strategy: An elaboration
likelihood model perspective. Information Systems Research, 16, 3 (2005), 271–291.
57. Tischer, S., and Hildebrandt, L. Linking corporate reputation and shareholder value
using the publication of reputation rankings. Journal of Business Research, 67, 5 (2014),
1007–1017.
58. Tyler, L. Liability means never being able to say you’re sorry: Corporate guilt, legal
constraints, and defensiveness in corporate communication. Management Communication
Quarterly, 11, 1 (1997), 51–73.
59. Ulmer, R.; Seeger, M.W.; and Sellnow, T.L. Post-crisis communication and renewal:
Expanding the parameters of post-crisis discourse. Public Relations Review, 33, 2 (2007),
130–134.
60. Ulmer, R.R., and Sellnow, T.L. Crisis management and the discourse of renewal:
Understanding the potential for positive outcomes of crisis. Public Relations Review, 28, 4
(2002), 361–365.
61. Voss, K.E., and Gammoh, B.S. Building brands through brand alliances: Does a second
ally help? Marketing Letters, 15, 2–3 (2004), 147–159.
62. Wang, T.; Kannan, K.N.; and Ulmer, J.R. The association between the disclosure and
the realization of information security risk factors. Information Systems Research, 24, 2
(2013), 201–218.
63. Williams, R.J., and Barrett, J.D. Corporate philanthropy, criminal activity, and firm
reputation: Is there a link? Journal of Business Ethics, 26, 4 (2000), 341–350.
64. Wojciszke, B. Affective concomitants of information on morality and competence.
European Psychologist, 10, 1 (2005), 60–70.
65. Wojciszke, B.; Brycz, H.; and Borkenau, P. Effects of information content and evaluative
extremity on positivity and negativity biases. Journal of Personality and Social
Psychology, 64, 3 (1993), 327–335.
66. Zavyalova, A.; Pfarrer, M.D.; Reger, R.K.; and Shapiro, D.L. Managing the message:
The effects of firm actions and industry spillovers on media coverage following wrongdoing.
Academy of Management Journal, 55, 5 (2012), 1079–1101.
