EXPRESS: Impact of Data Breach on IT Investment: Embracing Both Failure Learning and Threat Rigidity

The extant literature has provided valuable insights into post-failure behavior of organizations, highlighting two distinct tendencies: failure learning and threat rigidity. While failure learning involves organizations embracing change and seeking improvements after experiencing failures, threat rigidity leads to a more conservative and resistant approach to change during such times. In our study, we take a pioneering approach by integrating these seemingly competing perspectives within the context of data breaches. Employing a propensity score matching (PSM)-combined-difference-in-differences (DiD) approach, we have uncovered a dual impact of data breaches on firms’ information technology (IT) investment—after data breaches, firms tend to increase their IT investment intensity (a promoting effect) while simultaneously reducing their new IT investments (an inhibiting effect). Furthermore, we find that a firm with a strong quality culture exhibits a stronger tendency to increase its IT investment intensity following a data breach, while a firm highly valuing innovation demonstrates a weaker trend in reducing new IT investments after a breach. In post hoc analyses, we find that the impact of data breaches on IT investments is contingent on a series of factors related to the nature of the breach and the specific type of IT investments considered. Overall, our study provides valuable insights into the complex and diverse relationship between data breaches and IT investments in firms.