Original Articles

Estimating the Contextual Risk of Data Breach: An Empirical Approach

 

Abstract

Data breach incidents are on the rise, and have resulted in severe financial and legal implications for the affected organizations. We apply the opportunity theory of crime, the institutional anomie theory, and institutional theory to identify factors that could increase or decrease the contextual risk of data breach. We investigate the risk of data breach in the context of an organization’s physical location, its primary industry, and the type of data breach that it may have suffered in the past. Given the location of an organization, the study finds support for application of the opportunity theory of crime and the institutional anomie theory in estimating the risk of data breach incidents within a state. In the context of the primary industry in which an organization operates, we find support for the institutional theory and the opportunity theory of crime in estimating risk of data breach incidents within an industry. Interestingly though, support for the opportunity theory of crime is partial. We find that investment in information technology (IT) security corresponds to a higher risk of data breach incidents within both a state and an industry, a result contrary to the one predicted by the opportunity theory of crime. A possible explanation for the contradiction is that investments in IT security are not being spent on the right kind of data security controls, a fact supported by evidence from the industry. The work has theoretical and practical implications. Theories from criminology are used to identify the risk factors of data breach incidents and the magnitude of their impact on the risk of data breach. Insights from the study can help IT security practitioners to assess the risk environment of their firm (in terms of data breaches) based on the firm’s location, its industry sector, and the kind of breaches that the firm may typically be prone to.

Notes

1. The 2014 Cost of Data Breach Study: United States, Ponemon Institute, May 2014.

2. The percentage of cases for the type of data compromised adds up to more than 100 percent because in some incidents two or more types of data were compromised.

3. We also ran an estimation with the current values of IT investments rather than lagged values. The direction of results was the same.

4. We also ran the estimation with current values of IT investments. The direction of results was the same.

5. These eight types are listed in the section on “Risk of Types of Data Breach Incident.”

Additional information

Notes on contributors

Ravi Sen

Ravi Sen is an associate professor in the Department of Information and Operations Management at the Mays Business School, Texas A&M University. He received his Ph.D. in business administration from the University of Illinois at Urbana–Champaign. His research interests include economics of electronic commerce, open source software, and software security. He has published in the Journal of Management Information Systems, Decision Support Systems, International Journal of Electronic Commerce, Communications of the AIS, Electronic Markets, Journal of Electronic Commerce Research, and other venues.

Sharad Borle

Sharad Borle is an associate professor at the Jones Graduate School of Business, Rice University. He received his Ph.D. from Carnegie Mellon University. His research interests include application of Bayesian econometrics and data analytics in marketing and information science. He has published in various marketing, management, and statistics journals.
