Too Good to Be True: Firm Social Performance and the Risk of Data Breach

Published Online: https://doi.org/10.1287/isre.2020.0939

References

  • Adjerid I, Acquisti A, Telang R, Padman R, Adler-Milstein J (2015) The impact of privacy regulation and technology incentives: The case of health information exchanges. Management Sci. 62(4):1042–1063.
  • Aguinis H, Glavas A (2012) What we know and don’t know about corporate social responsibility: A review and research agenda. J. Management 38(4):932–968.
  • Aguinis H, Glavas A (2013) Embedded vs. peripheral corporate social responsibility: Psychological foundations. Indust. Organ. Psych. 6(4):314–332.
  • Angrist JD, Pischke J-S (2008) Mostly Harmless Econometrics: An Empiricist’s Companion, 1st ed. (Princeton University Press, Princeton, NJ).
  • Angst CM, Block ES, D’Arcy J, Kelley K (2017) When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. Management Inform. Systems Quart. 41(3):893–916.
  • Arthur C (2015) What will happen to the Lizard Squad hackers? The Guardian Online (February 20), https://www.theguardian.com/technology/2015/feb/20/lizard-squad-hackers-lulzsec-anonymous-what-will-happen.
  • AT&T (2015) What every CEO needs to know about cybersecurity. Accessed June 4, 2020, https://www.business.att.com/content/dam/attbusiness/reports/decodingtheadversary.pdf.
  • Ayyagari R (2012) An exploratory analysis of trends of data breaches from 2005-2011: Trends and insights. J. Inform. Privacy Security 8(2):33–56.
  • Barnett ML (2007) Stakeholder influence capacity and the variability of financial returns to corporate social responsibility. Acad. Management Rev. 32(3):794–816.
  • Baron DP (2009) A positive theory of moral management, social pressure, and corporate social performance. J. Econom. Management Strategy 18(1):7–43.
  • Baron DP, Diermeier D (2007) Introduction to the special issue on nonmarket strategy and social responsibility. J. Econom. Management Strategy 16(3):539–545.
  • Bauman CW, Skitka LJ (2012) Corporate social responsibility as a source of employee satisfaction. Res. Organ. Behav. 32:63–86.
  • Benjamin V, Zhang B, Nunamaker JF Jr, Chen H (2016) Examining hacker participation length in cybercriminal internet-relay-chat communities. J. Management Inform. Systems 33(2):482–510.
  • Bergal J (2017) “Hacktivists” increasingly target local and state government computers. Accessed February 24, 2019, https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/01/10/hacktivists-increasingly-target-local-and-state-government-computers.
  • Bermiss YS, Zajac EJ, King BG (2014) Under construction: How commensuration and management fashion affect corporate reputation rankings. Organ. Sci. 25(2):591–608.
  • Bharadwaj AS, Bharadwaj SG, Konsynski BR (1999) Information technology effects on firm performance as measured by Tobin’s q. Management Sci. 45(7):1008–1024.
  • Brammer SJ, Pavelin S (2006) Corporate reputation and social performance: The importance of fit. J. Management Stud. 43(3):435–455.
  • Briscoe F, Gupta A (2016) Social activism in and around organizations. Acad. Management Ann. 10(1):671–727.
  • Brown TJ, Dacin PA (1997) The company and the product: Corporate associations and consumer product responses. J. Marketing 61(1):68–84.
  • Campbell K, Gordon LA, Loeb MP, Zhou L (2003) The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. J. Comput. Security 11(3):431–448.
  • Chatla S, Shmueli G (2016) Linear probability models (LPM) and big data: The good, the bad, and the ugly. Indian School of Business Research Paper Series, Indian School of Business, Telangana, India.
  • Chatterji AK, Toffel MW (2010) How firms respond to being rated. Strategic Management J. 31(9):917–945.
  • Chen Y-S, Lin C-L, Chang C-H (2014) The influence of greenwash on green word-of-mouth (green WOM): The mediation effects of green perceived quality and green satisfaction. Quality Quantity 48(5):2411–2425.
  • Choi BB, Lee D, Park Y (2013) Corporate social responsibility, corporate governance and earnings quality: Evidence from Korea. Corporate Governance 21(5):447–467.
  • Choi J, Wang H (2009) Stakeholder relations and the persistence of corporate financial performance. Strategic Management J. 30(8):895–907.
  • Chun HHE, Giebelhausen M (2012) Reversing the green backlash in services: Credible competitors help large companies go green. J. Service Management 23(3):400–415.
  • Collins A (2018) World Economic Forum: The Global Risks Report 2018, 13th ed. Accessed June 4, 2020, http://wef.ch/risks2018.
  • Cram W, D’Arcy AJ, Proudfoot JG (2019) Seeing the forest and the trees: A meta-analysis of the antecedents of information security policy compliance. Management Inform. Systems Quart. 43(2):525–554.
  • Cummings A, Lewellen T, McIntire D, Moore A, Trzeciak R (2012) Insider threat study: Illicit cyber activity involving fraud in the U.S. financial services sector. Accessed November 1, 2016, https://resources.sei.cmu.edu/asset_files/SpecialReport/2012_003_001_28137.pdf.
  • Dans E (2015) Volkswagen and the failure of corporate social responsibility. Forbes Online (September 27), https://www.forbes.com/sites/enriquedans/2015/09/27/volkswagen-and-the-failure-of-corporate-social-responsibility/#26b5603f4405.
  • David P, Bloom M, Hillman AJ (2007) Investor activism, managerial responsiveness, and corporate social performance. Strategic Management J. 28(1):91–100.
  • Donaldson T, Preston LE (1995) The stakeholder theory of the corporation: Concepts, evidence, and implications. Acad. Management Rev. 20(1):65–91.
  • Donia MBL, Sirsly C-AT (2016) Determinants and consequences of employee attributions of corporate social responsibility as substantive or symbolic. Eur. Management J. 34(3):232–242.
  • Donia MBL, Ronen S, Sirsly C-AT, Bonaccio S (2019) CSR by any other name? The differential impact of substantive and symbolic CSR attributions on employee outcomes. J. Bus. Ethics 157(2):503–523.
  • Edelman (2015) Edelman Trust Barometer 2015 Annual Global Study. Accessed December 27, 2016, https://www.scribd.com/doc/252750985/2015-Edelman-Trust-Barometer-Executive-Summary.
  • Edwards B, Hofmeyr S, Forrest S (2016) Hype and heavy tails: A closer look at data breaches. J. Cybersecurity 2(1):3–14.
  • Firth D (1993) Bias reduction of maximum likelihood estimates. Biometrika 80(1):27–38.
  • Flammer C (2013) Corporate social responsibility and shareholder reaction: The environmental awareness of investors. Acad. Management J. 56(3):758–781.
  • Francis J, Nanda D, Olsson P (2008) Voluntary disclosure, earnings quality, and cost of capital. J. Accounting Res. 46(1):53–99.
  • Freeman RE (1984) Strategic Management: A Stakeholder Approach (Pitman, Boston).
  • Gandhi R, Sharma A, Mahoney W, Sousan W, Zhu Q, Laplante P (2011) Dimensions of cyber-attacks: Cultural, social, economic, and political. IEEE Tech. Soc. Magazine 30(1):28–38.
  • Gemalto (2018) 2017: The year of internal threats and accidental data breaches: Findings from the 2017 breach level index. Accessed June 4, 2020, https://www6.gemalto.com/breach-level-index-2017-csoonline-in.
  • Godfrey PC, Merrill CB, Hansen JM (2009) The relationship between corporate social responsibility and shareholder value: An empirical test of the risk management hypothesis. Strategic Management J. 30(4):425–445.
  • Goel S, Shawky HA (2009) Estimating the market impact of security breach announcements on firm values. Inform. Management 46(7):404–410.
  • Goode S, Hoehle H, Venkatesh V, Brown SA (2017) User compensation as a data breach recovery action: An investigation of the Sony PlayStation network breach. Management Inform. Systems Quart. 41(3):703–727.
  • Graves SB, Waddock SA (1994) Institutional owners and corporate social performance. Acad. Management J. 37(4):1034–1046.
  • Hansen SD, Dunford BB, Boss AD, Boss RW, Angermeier I (2011) Corporate social responsibility and the benefits of employee trust: A cross-disciplinary perspective. J. Bus. Ethics 102(1):29–45.
  • Hart TA, Sharfman M (2015) Assessing the concurrent validity of the revised Kinder, Lydenberg, and Domini corporate social performance indicators. Bus. Soc. 54(5):575–598.
  • Heinze G, Schemper M (2002) A solution to the problem of separation in logistic regression. Statist. Medicine 21(16):2409–2419.
  • Hsu JS-C, Shih S-P, Hung YW, Lowry PB (2015) The role of extra-role behaviors and social controls in information security policy effectiveness. Inform. Systems Res. 26(2):282–300.
  • Hubbard TD, Christensen DM, Graffin SD (2017) Higher highs and lower lows: The role of corporate social responsibility in CEO dismissal. Strategic Management J. 38(11):2255–2265.
  • Hui K-L, Kim SH, Wang Q-H (2017) Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks. Management Inform. Systems Quart. 41(2):497–523.
  • Hull CE, Rothenberg S (2008) Firm performance: The interactions of corporate social performance with innovation and industry differentiation. Strategic Management J. 29(7):781–789.
  • Ioannou I, Serafeim G (2015) The impact of corporate social responsibility on investment recommendations: Analysts’ perceptions and shifting institutional logics. Strategic Management J. 36(7):1053–1081.
  • Kankanhalli AM, Teo HH, Tan BCY, Wei KK (2003) An integrative study of information systems security effectiveness. Internat. J. Inform. Management 23(2):139–154.
  • Kennedy P (1992) A Guide to Econometrics (Blackwell, Oxford, UK).
  • Kim HL, Han J (2019) Do employees in a “good” company comply better with information security policy? A corporate social responsibility perspective. Inform. Tech. People 32(4):858–875.
  • Kim S (2014) What’s worse in times of product-harm crisis? Negative corporate ability or negative CSR reputation? J. Bus. Ethics 123(1):157–170.
  • Kim Y, Park MS, Wier B (2012) Is earnings quality associated with corporate social responsibility? Accounting Rev. 87(3):761–796.
  • King B, McDonnell M-H (2015) Good firms, good targets: The relationship between corporate social responsibility, reputation, and activist targeting. Tsutsui K, Lim A, eds. Corporate Social Responsibility in a Globalizing World: Toward Effective Global CSR Frameworks (Cambridge University Press, Cambridge, UK), 430–454.
  • King G, Zeng L (2001) Logistic regression in rare events data. Political Anal. 9(2):137–163.
  • Kölbel JF, Busch T, Jancso LM (2017) How media coverage of corporate social irresponsibility increases financial risk. Strategic Management J. 38(11):2266–2284.
  • Kwon J, Johnson ME (2013) Health-care security strategies for data protection and regulatory compliance. J. Management Inform. Systems 30(2):41–66.
  • Kwon J, Johnson ME (2014) Proactive vs. reactive security investments in the healthcare sector. Management Inform. Systems Quart. 38(2):451–471.
  • Kwon J, Johnson ME (2018) Meaningful healthcare security: Does meaningful-use attestation improve information security performance? Management Inform. Systems Quart. 42(4):1043–1067.
  • Laplume A, Sonpar K, Litz RA (2008) Stakeholder theory: Reviewing a theory that moves us. J. Management 34(6):1152–1189.
  • Laszlo C, Zhexembayeva N (2011) Embedded Sustainability: The Next Big Competitive Advantage (Stanford University Press, Palo Alto, CA).
  • Liang N, Biros DP, Luse A (2016) An empirical validation of malicious insider characteristics. J. Management Inform. Systems 33(2):361–392.
  • Lin C-P, Chen S-C, Chiu C-K, Lee W-Y (2011) Understanding purchase intention during product-harm crises: Moderating effects of perceived corporate ability and corporate social responsibility. J. Bus. Ethics 102(3):455–471.
  • Liu C-W, Huang P, Lucas H (2017) IT centralization, security outsourcing, and cybersecurity breaches: Evidence from the U.S. higher education. Kim YJ, Agarwal R, Lee JK, eds. Proc. 38th Internat. Conf. Inform. Systems (AIS, Atlanta), 1–18.
  • Luo J, Meier S, Oberholzer-Gee F (2012) No news is good news: CSR strategy and newspaper coverage of negative firm events. Harvard Business School. Accessed March 1, 2016, https://www0.gsb.columbia.edu/mygsb/faculty/research/pubfiles/5640/Reputation%20Oil%202012-04-16.pdf.
  • Lyon TP, Maxwell JW (2011) Greenwash: Corporate environmental disclosure under threat of audit. J. Econom. Management Strategy 20(1):3–41.
  • Mahmood MA, Siponen M, Straub D, Rao HR, Raghu TS (2010) Moving toward black hat research in information systems security: An editorial introduction to the special issue. Management Inform. Systems Quart. 34(3):431–433.
  • Margolis JD, Elfenbein HA, Walsh JP (2009) Does it pay to be good … and does it matter? A meta-analysis of the relationship between corporate social and financial performance. Accessed March 1, 2016, http://ssrn.com/abstract=1866371.
  • Marquis C, Qian C (2014) Corporate social responsibility reporting in China: Symbol or substance? Organ. Sci. 25(1):127–148.
  • Marquis C, Toffel MW, Zhou Y (2016) Scrutiny, norms, and selective disclosure: A global study of greenwashing. Organ. Sci. 27(2):483–504.
  • Matten D, Moon J (2008) “Implicit” and “explicit” CSR: A conceptual framework for a comparative understanding of corporate social responsibility. Acad. Management Rev. 33(2):404–424.
  • Mattingly JE (2017) Corporate social performance: A review of empirical research examining the corporation–society relationship using Kinder, Lydenberg, Domini social ratings data. Bus. Soc. 56(6):796–839.
  • Mattingly JE, Berman SL (2006) Measurement of corporate social action: Discovering taxonomy in the Kinder Lydenburg Domini ratings data. Bus. Soc. 45(1):20–46.
  • McLeod A, Dolezel D (2018) Cyber-analytics: Modeling factors associated with healthcare data breaches. Decision Support Systems 108:57–68.
  • Miller AR, Tucker C (2017) Privacy protection, personalized medicine, and genetic testing. Management Sci. 64(10):4648–4668.
  • Minor D (2015) The value of corporate citizenship: Protection. Accessed November 11, 2016, https://ssrn.com/abstract=2651890.
  • Mitchell RK, Agle BR, Wood DJ (1997) Toward a theory of stakeholder identification and salience: Defining the principle of who and what really counts. Acad. Management Rev. 22(4):853–886.
  • Montgomery C, Wernerfelt B (1988) Diversification, Ricardian rents, and Tobin’s q. RAND J. Econom. 19(4):623–632.
  • Newman J (2014) Survey: Most hackers do it for the lulz. Accessed October 12, 2019, https://www.pcworld.com/article/2465209/survey-most-hackers-do-it-for-the-lulz.html.
  • Nyilasy G, Gangadharbatla H, Paladino A (2014) Perceived greenwashing: The interactive effects of green advertising and corporate environmental performance on consumer reactions. J. Bus. Ethics 125(4):693–707.
  • Orlitzky M, Schmidt FL, Rynes SL (2003) Corporate social and financial performance: A meta-analysis. Organ. Stud. 24(3):403–441.
  • Pang M-S, Tanriverdi H (2017) Security breaches in the U.S. federal government. Accessed May 30, 2018, https://ssrn.com/abstract=2933577.
  • Peloza J (2009) The challenge of measuring financial impacts from investments in corporate social performance. J. Management 35(6):1518–1541.
  • Peloza J, Shang J (2011) How can corporate social responsibility activities create value for stakeholders? A systematic review. J. Acad. Marketing Sci. 39(1):117–135.
  • Perrault E, Quinn MA (2018) What have firms been doing? Exploring what KLD data report about firms’ corporate social performance in the period 2000-2010. Bus. Soc. 57(5):890–928.
  • Pfarrer MD, Pollock TG, Rindova VP (2010) A tale of two assets: The effects of firm reputation and celebrity on earnings surprises and investors’ reactions. Acad. Management J. 53(5):1131–1152.
  • Png IP, Wang C-Y, Wang Q-H (2008) The deterrent and displacement effects of information security enforcement: International evidence. J. Management Inform. Systems 25(2):125–144.
  • Ramus CA, Montiel I (2005) When are corporate environmental policies a form of greenwashing? Bus. Soc. 44(4):377–414.
  • Ransbotham S, Mitra S (2009) Choice and chance: A conceptual model of paths to information security compromise. Inform. Systems Res. 20(1):121–139.
  • Riepenhoff J, Wagner M (2014) Breaches of personal data a daily occurrence. Columbus Dispatch Online (January 17), http://www.dispatch.com/content/stories/local/2014/01/17/breaches-of-personal-data-a-daily-occurrence.html.
  • Rindova VP, Pollock TG, Hayward ML (2006) Celebrity firms: The social construction of market popularity. Acad. Management Rev. 31(1):50–71.
  • Rogers MK (2001) Modern-day Robin Hood or Moral Disengagement: Understanding the Justification for Criminal Computer Activity, Psychology (University of Manitoba, Winnipeg, MB, Canada).
  • Ruf BM, Muralidhar K, Paul K (1993) The development of a systematic, aggregate measure of corporate social performance. J. Management 24(1):119–133.
  • Rupp DE, Mallory DB (2015) Corporate social responsibility: Psychological, person-centric, and progressing. Annual Rev. Organ. Psych. Organ. Behav. 2(1):211–236.
  • Sen R, Borle S (2015) Estimating the contextual risk of data breach: An empirical approach. J. Management Inform. Systems 32(2):314–341.
  • Son JY (2011) Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Inform. Management 48(7):296–302.
  • Spears JL, Barki H (2010) User participation in information systems security risk management. Management Inform. Systems Quart. 34(3):503–522.
  • Straub DW (1990) Effective IS security: An empirical study. Inform. Systems Res. 1(3):255–276.
  • Strike VM, Gao J, Bansal P (2006) Being good while being bad: Social responsibility and the international diversification of US firms. J. Internat. Bus. Stud. 37(6):850–862.
  • Tam KY (1998) The impact of information technology investments on firm performance and evaluation: Evidence from newly industrialized economies. Inform. Systems Res. 9(1):85–98.
  • Turban DB, Greening DW (1997) Corporate social performance and organizational attractiveness to prospective employees. Acad. Management J. 40(3):658–672.
  • Verizon (2012) 2012 data breach investigations report. Accessed March 12, 2019, https://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf.
  • Verizon (2018) 2018 data breach investigations report. Accessed May 1, 2018, https://www.verizonenterprise.com/verizon-insights-lab/dbir/.
  • Waddock SA, Graves SB (1997) The corporate social performance-financial performance link. Strategic Management J. 18(4):303–319.
  • Wang J, Gupta M, Rao HR (2015) Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. Management Inform. Systems Quart. 39(1):91–112.
  • Wang T, Kannan KN, Ulmer JR (2013) The association between the disclosure and the realization of information security risk factors. Inform. Systems Res. 24(2):201–218.
  • Wartick SL, Cochran PL (1985) The evolution of the corporate social performance model. Acad. Management Rev. 10(4):758–769.
  • Wood DJ (1991) Corporate social performance revisited. Acad. Management Rev. 16(4):691–718.
  • Xu Z, Hu Q, Zhang C (2013) Why computer talents become computer hackers. Comm. ACM 56(4):64–74.
  • Yoon Y, Gürhan‐Canli Z, Schwarz N (2006) The effect of corporate social responsibility (CSR) activities on companies with bad reputations. J. Consumer Psych. 16(4):377–390.
  • Young R, Zhang L, Prybutok VR (2007) Hacking into the minds of hackers. Inform. Systems Management 24(4):281–287.
  • Zetter K (2015) Hacking team show the world how not to stockpile exploits. Accessed October 1, 2019, https://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploits/.