Introduction
The ongoing growth in the collection, storage, and analysis of data brings new opportunities and challenges for both practitioners and researchers in the fields of information systems, finance, and accounting. The sensitivity of stored data and information privacy are concerns for all firms’ stakeholders (Park et al., 2018; Park & Shin, 2020). The benefits obtained from collecting data about customers, potential customers, employees, creditors, and investors, among others, are not without risks. For example, according to the California Data-Breach Report, nearly three out of five Californians were victims of a data breach in 2015 alone (Harris, 2016). The recent public health crisis has made companies rely even more on information systems for the continuity of their operations. Thus, organizations are becoming more vulnerable to perpetrators who target sensitive data and whose actions could weaken the organization’s performance and reputation.
A data breach refers to internal or external unauthorized access to or use of a firm’s data in a way that compromises the confidentiality, integrity, or availability of the data. Companies guarantee the availability of data for authorized users when needed to meet the firms’ objectives. Also, firms safeguard the integrity of data by employing and implementing preventive measures against unauthorized or accidental modifications, loss, or disclosures (Rosati et al., 2019; Yayla & Hu, 2011; Goel & Shawky, 2009). There are many types of information and cybersecurity incursions, such as data manipulation, alterations, or theft, and malware intrusions, such as viruses, logic bombs, worms, Trojan horses, backdoors, spyware, and ransomware, which may financially damage a firm’s reputation (Rosati et al., 2018; Sen & Borle, 2015; Shabtai et al., 2012). Firms adopt security procedures and policies that are related to the inherent risk of their information systems by using data encryption, firewalls, data backups, and off-site rotations, and engaging in continuing planning (Yayla & Hu, 2011; Schmidt et al., 2008).
Compliance with IS security policies by end-users and employees is an important factor in preventing breaches. Not protecting firms’ assets increases the possibility of cybersecurity incidents due to human behavior that can be responsible for losses of (portable) assets (Chen et al., 2015). A considerable number of cybersecurity incidents also originate from inside—cyberattacks that are related to unethical or behavioral issues of employees (Li et al., 2019). Employees may use neutralization techniques to rationalize IS policy violations; these violations plague firms worldwide (Teh et al., 2015) and affect firms’ reputations. The IS culture improves employees’ security awareness, and through training, firms can improve employees’ security behavior (Lyu & Zhang, 2015). Dinev et al. (2006) argue that individuals react differently based on their culture, and therefore through employee training, firms can enhance employee relations and encourage accountability and engagement in complying with IS policies (He & Zhang, 2019; Yaokumah et al., 2019).