To Prevent or Promote? CEO Regulatory Focus and Corporate Information Security Awareness: The Moderating Role of Relative Performance
Prof. Daniel Q. Chen
Randall W. and Sandra Ferguson Endowed Professor
Hankamer School of Business
Baylor University
A fundamental question in cybersecurity research pertains to the factors that contribute to firms developing a higher level of information security awareness (ISA). However, this line of inquiry has yet to thoroughly explore why firms with certain types of CEOs exhibit greater awareness of security issues and/or are more proactive in preventing potential cyber threats. Drawing upon regulatory focus theory, we investigate how CEO regulatory focus, which captures the extent to which CEOs pursue their goals through promotion or prevention focus, shapes a firm’s level of ISA. Moreover, leveraging the behavioral theory of firms, we contend that the relationship between CEO regulatory focus and ISA is nuanced and contingent upon the firm’s performance relative to its aspiration level. Using panel data comprising 3,803 firm-year observations across S&P 500 firms, we demonstrate that CEO prevention focus is positively associated with ISA, while CEO promotion focus is negatively correlated with ISA. Furthermore, when firm performance exceeds its aspiration level, the positive impact of CEO prevention focus on firm ISA becomes more pronounced, while the negative impact of CEO promotion focus diminishes. Conversely, when firm performance falls below the aspiration level, the negative impact of CEO promotion focus on ISA intensifies, while the positive impact of CEO prevention focus weakens.