The Influence of Ethical Beliefs and Attitudes, Norms, and Prior Outcomes on Cybersecurity Investment Decisions

Abstract

Recent data breaches underscore the importance of organizational cybersecurity. However, the high costs of such security can force chief financial officers (CFOs) to make difficult financial and ethical trade-offs that have both business and societal implications. We employ a 2 × 2 randomized experiment that varies both an observed scenario CFO’s investment decision (invest/not invest in security) and organizational outcomes (positive/negative) to investigate these trade-offs. Participant managers assess the observed CFO’s investment behavior and indicate their own intentions to invest. Results indicate that when the observed scenario CFO invests in security, managers primarily follow their peers when making investment decisions. However, when the observed CFO does not invest in security, managers make their own decisions by engaging in more in-depth reasoning that includes assessment of the seriousness of consequences, as well as the ethical and societal considerations. Moderated mediation findings further deconstruct and corroborate these relationships.