Abstract
Firms have increasingly invested in information technology (IT) security to protect their information resources. Nevertheless, deciding when to invest in IT security is rather difficult for executives because of the irreversibility of spending and the uncertainty of IT security investment performance. A review of the literature on IT security investments reveals that previous studies largely neglected the strategy and timing of investments. Based on real options theory, this research examines IT security investments for the commercial exploitation strategy versus the IT security improvement strategy in terms of proactive and reactive investments. An event methodology is used to estimate the effect of IT security investment timing on the stock performance of the investments. Our results show that reactive investments for IT security improvement and proactive investments for commercial exploitation earn positive abnormal returns. Moreover, the market reacts more positively to aligned than to misaligned IT security investments. The implications of the research findings are presented and discussed.
References
Adner, R., & Levinthal, D. A. (2004). What is not a real option: Considering boundaries for the application of real options to business strategy. Academy of Management Review, 29(1), 74–85.
Agrawal, M., Kishore, R., & Rao, H. R. (2006). Market reactions to e-business outsourcing announcements: An event study. Information Management, 43(7), 861–873.
Anderson, E. E. (2010). Firm objectives, IT alignment, and information security. IBM Journal of Research and Development, 54(3).
Armitage, S. (1995). Event study methods and evidence on their performance. Journal of Economic Surveys, 9(1), 25–52.
Avison, D., Jones, J., Powell, P., & Wilson, D. (2004). Using and validating the strategic alignment model. The Journal of Strategic Information Systems, 13(3), 223–246.
Benaroch, M. (2001). Option-based management of technology investment risk. IEEE Transactions on Engineering Management, 48(4), 428–444.
Bergeron, F., Raymond, L., & Rivard, S. (2004). Ideal patterns of strategic alignment and business performance. Information Management, 41(8), 1003–1020.
Black, F., & Scholes, M. (1973). The pricing of options and corporate liabilities. The Journal of Political Economy, 637–654.
Bohme, R., & Moore, T. (2010). The iterated weakest link. Security & Privacy, IEEE, 8(1), 53–55.
Bowman, E. H., & Hurry, D. (1993). Strategy through the option lens: An integrated view of resource investments and the incremental-choice process. Academy of Management Review, 18(4), 760–782.
Busby, J., & Pitts, C. (1997). Real Options in Practice: An Exploratory Survey of How Finance Officers Deal with Flexibility in Capital Appraisal. Management Accounting Research, 8(2), 169–187.
Byrd, T. A., Lewis, B. R., & Bryan, R. W. (2006). The leveraging influence of strategic alignment on IT investment: an empirical examination. Information Management, 43(3), 308–321.
Campa, J. M. (1994). Multinational investment under uncertainty in the chemical processing industries. Journal of International Business Studies, 25, 557–578.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004a). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004b). A model for evaluating IT security investments. Communications of the ACM, 47(7), 87–92.
Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25(2), 281–304.
Chai, S., Kim, M., & Rao, H. R. (2011). Firms' information security investment decisions: Stock market evidence of investors' behavior. Decision Support Systems, 50(4), 651–661.
Chatterjee, D., Pacini, C., & Sambamurthy, V. (2002). The shareholder-wealth and trading-volume effects of information-technology infrastructure investments. Journal of Management Information Systems, 19(2), 7–42.
Chatterjee, D., Richardson, V. J., & Zmud, R. W. (2001). Examining the shareholder wealth effects of announcements of newly created CIO positions. MIS Quarterly, 25(1), 43–70.
Chintakananda, A., & McIntyre, D. P. (2014). Market Entry in the Presence of Network Effects A Real Options Perspective. Journal of Management, 40(6), 1535–1557.
Corrado, C. J., & Zivney, T. L. (1992). The specification and power of the sign test in event study hypothesis tests using daily stock returns. Journal of Financial and Quantitative Analysis, 27(03), 465–478.
Cowan, A. R. (1992). Nonparametric event study tests. Review of Quantitative Finance and Accounting, 2(4), 343–358.
Dehning, B., Richardson, V. J., & Zmud, R. W. (2003). The value relevance of announcements of transformational information technology investments. MIS Quarterly, 27(4), 637–656.
Dierickx, I., & Cool, K. (1989). Asset stock accumulation and sustainability of competitive advantage. Management Science, 35(12), 1504–1511.
DiRomauldo, A., & Gurbaxani, V. (1998). Strategic intent for IT outsourcing. Center for Research on Information Technology and Organizations.
Dixit, A. K., & Pindyck, R. S. (1994). Investment under uncertainty: Princeton University Press.
Dixon, W. J., & Mood, A. M. (1946). The statistical sign test. Journal of the American Statistical Association, 41(236), 557–566.
Doherty, N. F., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55–63.
Dos Santos, B. L., Peffers, K., & Mauer, D. C. (1993). The impact of information technology investment announcements on the market value of the firm. Information Systems Research, 4(1), 1–23.
Dulipovici, A., & Robey, D. (2013). Strategic alignment and misalignment of knowledge management systems: A social representation perspective. Journal of Management Information Systems, 29(4), 103–126.
Elango, B. (2006). When does cross-border acquisition of insurance firms lead to value creation? Journal of Risk Finance, 7(4), 402–414.
Fama, E. F., Fisher, L., Jensen, M. C., & Roll, R. (1969). The adjustment of stock prices to new information. International Economic Review, 10(1), 1–21.
Fichman, R. G. (2004). Real options and IT platform adoption: Implications for theory and practice. Information Systems Research, 15(2), 132–154.
Fichman, R. G., Keil, M., & Tiwana, A. (2005). Beyond valuation: "Options thinking" in IT project management. California Management Review, 47(2), 74.
Fisch, J. H. (2008). Investment in new foreign subsidiaries under receding perception of uncertainty. Journal of International Business Studies, 39(3), 370–386.
Folta, T. B., Johnson, D. R., & O'Brien, J. (2006). Uncertainty, irreversibility, and the likelihood of entry: An empirical assessment of the option to defer. Journal of Economic Behavior & Organization, 61, 432–452.
Folta, T. B., & Miller, K. D. (2002). Real options in equity partnerships. Strategic Management Journal, 23, 77–88.
Folta, T. B., & O'Brien, J. P. (2004). Entry in the presence of dueling options. Strategic Management Journal, 25(2), 121–138.
Gao, X., Zhong, W., & Mei, S. (2015). Security investment and information sharing under an alternative security breach probability function. Information Systems Frontiers, 17(2), 423–438.
Gartner (2014). Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. (available at http://www.gartner.com/newsroom/id/2828722).
Gebauer, J., & Schober, F. (2006). Information system flexibility and the cost efficiency of business processes. Journal of the Association for Information Systems, 7(3), 122–146.
Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information Management, 46(7), 404–410.
Goldstein, J., Chernobai, A., & Benaroch, M. (2011). An event study analysis of the economic impact of IT operational risk and its subcategories. Journal of the Association for Information Systems, 12(9), 606–631.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), 438–457.
Gordon, L. A., & Loeb, M. P. (2006). Budgeting process for information security expenditures. Communications of the ACM, 49(1), 121–125.
Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Information security expenditures and real options: A wait-and-see approach. Computer Security Journal, 19(2).
Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015). The impact of information sharing on cybersecurity underinvestment: A real options perspective. Journal of Accounting and Public Policy, 34(5), 509–519.
Guiso, L., & Parigi, G. (1999). Investment and demand uncertainty. Quarterly Journal of Economics, 114, 185–227.
Gunther McGrath, R., & Nerkar, A. (2004). Real options reasoning and a new look at the R&D investment strategies of pharmaceutical firms. Strategic Management Journal, 25(1), 1–21.
Hausken, K. (2006). Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers, 8(5), 338–349.
Hausken, K. (2014). Returns to information security investment: Endogenizing the expected loss. Information Systems Frontiers, 16(2), 329–336.
Henderson, J. C., & Venkatraman, N. (1993). Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal, 32(1), 4–16.
Herath, H. S. B., & Herath, T. C. (2008). Investments in information security: a real options perspective with bayesian postaudit. Journal of Management Information Systems, 25(3), 337–375.
Iheagwara, C. B., Andrew, & Singhal, M. (2004). Cost effective management frameworks for intrusion detection systems. Journal of Computer Security, 12(5), 777–798.
Im, K. S., Dow, K. E., & Grover, V. (2001). Research report: a reexamination of IT investment and the market value of the firm—An event study methodology. Information Systems Research, 12(1), 103–117.
Johnston, A. C., & Hale, R. (2009). Improved Security through Information Security Governance. Communications of the ACM, 52(1), 126–129.
Kauffman, R. J., & Li, X. (2005). Technology competition and optimal investment timing: a real options perspective. IEEE Transactions on Engineering Management, 52(1), 15–29.
Keown, A. J., Martin, J. D., Petty, J. W., & Scott, D. F. (2002). Financial management: principles and applications.
Kester, W. C. (1984). Today's options for tomorrow's growth. Harvard Business Review, 62, 153–160.
Kim, S., & Lee, H. J. (2005). Cost-benefit analysis of security investments: methodology and case study. In (pp. 1239-1248): ICCSA 2005.
Kim, Y. J., & Sanders, G. L. (2002). Strategic actions in information technology investment based on real option theory. Decision Support Systems, 33(1), 1–11.
Kogut, B. (1991). Joint ventures and the option to expand and acquire. Management Science, 37(1), 19–33.
Kogut, B., & Kulatilaka, N. (1994). Options thinking and platform investments - investing in opportunity. California Management Review, 36(2), 52–71.
Kong, H. K., Kim, T. S., & Kim, J. (2012). An analysis on effects of information security investments: a BSC perspective. Journal of Intelligent Manufacturing, 23(4), 941–953.
Kulatilaka, N., & Perotti, E. C. (1998). Strategic growth options. Management Science, 44, 1021–1031.
Kwon, J., & Johnson, M. E. (2014). Proactive versus reactive security investments in the healthcare sector. MIS Quarterly, 38(2), 451–471.
Lee, M., & Lee, J. (2012). The impact of information security failure on customer behaviors: A study on a large-scale hacking incident on the internet. Information Systems Frontiers, 14(2), 375–393. https://doi.org/10.1007/s10796-010-9253-1.
Leiblein, M. J., & Ziedonis, A. A. (2007). Deferral and growth options under sequential innovation. Advances in Strategic Management, 24, 225–245.
Lin, L., & Kulatilaka, N. (2007). Strategic growth options in network industries. Advances in Strategic Management, 24(3), 177–198.
Loderer, C. F., & Mauer, D. C. (1992). Corporate dividends and seasoned equity issues: An empirical investigation. The Journal of Finance, 47(1), 201–225.
MacKinlay, A. C. (1997). Event studies in economics and finance. Journal of Economic Literature, 13–39.
Majd, S., & Pindyck, R. S. (1987). Time to build, option value, and investment decisions. Journal of Financial Economics, 18(1), 7–27.
McDonald, R., & Siegel, D. (1986). The value of waiting to invest. Quarterly Journal of Economics, 101, 707–728.
Miaoui, Y., & Boudriga, N. (2017). Enterprise security investment through time when facing different types of vulnerabilities. Information Systems Frontiers, 1–40.
Miller, K. D., & Folta, T. B. (2002). Option value and entry timing. Strategic Management Journal, 23(7), 655–665.
Miller, M. H., & Modigliani, F. (1961). Dividend policy, growth, and the valuation of shares. The Journal of Business, 34(4), 411–433.
Myers, S. C. (1977). Determinants of corporate borrowing. Journal of Financial Economics, 5(2), 147–175.
Pindyck, R. S. (1986). Irreversible investment, capacity choice, and the value of the firm. National Bureau of Economic Research.
Ranganathan, C., & Brown, C. V. (2006). ERP investments and the market value of firms: Toward an understanding of influential ERP project variables. Information Systems Research, 17(2), 145–161.
Reuer, J. J., & Tong, T. W. (2005). Real options in international joint ventures. Journal of Management, 31(3), 403–423.
Roztocki, N., & Weistroffer, H. R. (2015). Investments in enterprise integration technology: An event study. Information Systems Frontiers, 17(3), 659–672.
Tiwana, A., Keil, M., & Fichman, R. G. (2006). Information systems project continuation in escalation situations: A real options model. Decision Sciences, 37(3), 357–391.
Tong, T. W., Reuer, J. J., & Peng, M. W. (2008). International joint ventures and the value of growth options. Academy of Management Journal, 51(5), 1014–1029.
Trigeorgis, L. (1991). Anticipated competitive entry and early preemptive investment in deferrable projects. Journal of Economics and Business, 43, 143–156.
Wang, J., Chaudhury, A., & Rao, H. R. (2008). Research Note—A Value-at-Risk Approach to Information Security Investment. Information Systems Research, 19(1), 106–120.
Wu, S. P.-J., Straub, D. W., & Liang, T.-P. (2015). How information technology governance mechanisms and strategic alignment influence organizational performance: Insights from a matched survey of business and IT managers. MIS Quarterly, 39(2), 497–518.
Yao, T., Jiang, B., Young, S. T., & Talluri, S. (2010). Outsourcing timing, contract selection, and negotiation. International Journal of Production Research, 48(2), 305–326.
Ziedonis, A. A. (2007). Real options in technology licensing. Management Science, 53(10), 1618–1633.
Zingales, L. (2000). In search of new foundations. National Bureau of Economic Research.
Appendix
1.1 Z-statistics
To test the significance of abnormal returns caused by security investment announcements, we calculate the standardized abnormal return (SAR) for firm i on event day t as
\( {SAR}_{it}=\frac{AR_{it}}{SD_{it}}, \)
with \( {SD}_{it}=\left\{{S}_i^2\left[1+\frac{1}{T}+\frac{1}{T}\right]\right\}^{0.5}. \)
We calculate \( {S}_i^2 \) (the residual variance) and \( R_m \) (the mean return) in the market model during the estimation period.
The cumulative standardized abnormal return (CSAR) for each firm i is calculated as
\( {CSAR}_i=\sum \limits_{t={t}_1}^{t_2}{SAR}_{it}/\sqrt{t_2-{t}_1+1}. \)
Finally, to evaluate whether the average cumulative abnormal returns are significantly different from zero, we define the Z-statistic as
\( Z=\sqrt{N}\times \sum \limits_{i=1}^N{CSAR}_i/N. \)
A significant Z-statistic for abnormal returns indicates that the market reacts significantly to security investment announcements (Loderer and Mauer 1992).
1.2 T-statistics
\( Var\left({AR}_{it}\right)=\left\{{S}_i^2\left[1+\frac{1}{T}+\frac{1}{T}\right]\right\}. \)
We calculate \( {S}_i^2 \) (the residual variance) and \( R_m \) (the mean return) in the market model during the estimation period:
\( {\displaystyle \begin{array}{c} Var\left({CAR}_i\right)=\sum \limits_{t={t}_1}^{t_2} Var\left({AR}_{it}\right),\\ {}\overline{CAR}=\frac{1}{N}\sum \limits_{i=1}^N{CAR}_i,\end{array}} \)
along with
\( Var\left(\overline{CAR}\right)=\frac{1}{N^2}\sum \limits_{i=1}^N Var\left({CAR}_i\right). \)
We use a t-test to estimate the significance of the security investment's effect on stock performance over the event period:
\( t=\frac{\overline{CAR}}{\sqrt{Var\left(\overline{CAR}\right)}}\sim {t}_{\left(a, df=N-1\right)}. \)
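The Z-statistic of 1.1 and the t-statistic of 1.2 computed end to end, as an added example that is not code from the paper. The OLS market-model fit, the T − 2 divisor for the residual variance, the record field names and every return in the sample are assumptions constructed for illustration; the variance bracket is used exactly as printed above.

```python
import math

def market_model(stock, market):
    """OLS fit stock = a + b*market over the estimation window (assumed
    estimator). Returns (a, b, S_i^2), S_i^2 being the residual variance."""
    T = len(stock)
    ms, mm = sum(stock) / T, sum(market) / T
    b = (sum((m - mm) * (s - ms) for s, m in zip(stock, market))
         / sum((m - mm) ** 2 for m in market))
    a = ms - b * mm
    s2 = sum((s - a - b * m) ** 2 for s, m in zip(stock, market)) / (T - 2)
    return a, b, s2

def event_stats(firms):
    """Return (Z, t) over the event window for a list of firm records."""
    if not firms:
        raise ValueError("need at least one firm")
    csars, cars, var_cars = [], [], []
    for f in firms:
        a, b, s2 = market_model(f["est_stock"], f["est_market"])
        T = len(f["est_stock"])
        var_ar = s2 * (1 + 1 / T + 1 / T)   # Var(AR_it), bracket as printed
        ars = [s - (a + b * m) for s, m in zip(f["evt_stock"], f["evt_market"])]
        days = len(ars)                      # t2 - t1 + 1
        sars = [ar / math.sqrt(var_ar) for ar in ars]   # SAR_it = AR_it / SD_it
        csars.append(sum(sars) / math.sqrt(days))       # CSAR_i
        cars.append(sum(ars))                           # CAR_i
        var_cars.append(days * var_ar)       # Var(CAR_i) = sum of Var(AR_it)
    n = len(firms)
    z = math.sqrt(n) * sum(csars) / n
    t = (sum(cars) / n) / math.sqrt(sum(var_cars) / n ** 2)
    return z, t

def make_firm(alpha, beta, d, shock, T=100):
    """Constructed sample firm: residuals of size d that are orthogonal to the
    market series, and a constant abnormal return `shock` on 3 event days."""
    est_m = [0.01 if k % 2 == 0 else -0.01 for k in range(T)]
    resid = [d if k % 4 < 2 else -d for k in range(T)]
    evt_m = [0.01, -0.02, 0.005]
    return {
        "est_market": est_m,
        "est_stock": [alpha + beta * m + e for m, e in zip(est_m, resid)],
        "evt_market": evt_m,
        "evt_stock": [alpha + beta * m + shock for m in evt_m],
    }

# Constructed sample: four hypothetical announcing firms.
FIRMS = [make_firm(0.000, 1.0, 0.01, 0.010), make_firm(0.001, 0.8, 0.02, 0.010),
         make_firm(0.000, 1.2, 0.01, -0.005), make_firm(0.002, 0.9, 0.02, 0.020)]

if __name__ == "__main__":
    z, t = event_stats(FIRMS)
    print(f"Z = {z:.4f}, t = {t:.4f} (df = {len(FIRMS) - 1})")
```

Z scales each firm's abnormal return by that firm's own standard deviation, while t pools the variances across firms, so the two statistics differ whenever residual variances are unequal and coincide for a single firm.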
Cite this article
Xu, F., Luo, X.(., Zhang, H. et al. Do Strategy and Timing in IT Security Investments Matter? An Empirical Investigation of the Alignment Effect. Inf Syst Front 21, 1069–1083 (2019). https://doi.org/10.1007/s10796-017-9807-6
DOI: https://doi.org/10.1007/s10796-017-9807-6