A Preemptive and Curative Solution to Mitigate Data Breaches: Corporate Social Responsibility as a Double Layer of Protection
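The study proposes that corporate social responsibility (CSR) can protect firms in two ways: internal CSR lowers the probability of a data breach, and external CSR mitigates financial losses in the short term after a breach, though its long-term effect is limited.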
Data breaches have the potential to weaken employee morale, corporate reputations, and customer and supplier relationships, while also disrupting marketing investments and financial performance. Research on reducing their frequency and harm focuses on tactical solutions, though breaches represent serious, even existential threats to firms. To date, research has not attempted to simultaneously address the closely connected phenomena of preventing and recovering from data breaches. The authors propose that corporate social responsibility (CSR) is a strategic variable offering dual protection: reducing the likelihood of data breaches and attenuating harm when breaches occur. Drawing on stakeholder theory, the authors distinguish between internal (addressing primary stakeholders) and external (addressing secondary stakeholders) CSR. Study 1 shows that external CSR has no prophylactic effect, while moderate and high levels of internal CSR are equally effective at preventing data breaches, compared with low levels of internal CSR. Study 2 assesses mitigation following a data breach by examining (1) short-term effects (in the form of an event study on cumulative abnormal returns) and (2) long-term effects (with time-series analysis of Tobin's q). The results suggest that internal CSR props up financial performance only at high levels while the positive effect of external CSR is short-lived.