Data breaches can severely damage a firm’s reputation and its customers’ confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches moderated by threat and countermeasure security awareness using an eight-year panel of 311 U.S.-listed firms to provide empirical evidence that threat awareness broadens firms’ scope for addressing data-breach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone. Our results suggest that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that are the cause of data breaches.

中文翻译：

---

信息安全中的 IT 在哪里？IT 投资、安全意识和数据泄露之间的相互关系

数据泄露会严重损害公司的声誉及其客户的信心。因此，公司必须不断投资于安全措施以防止此类违规行为。然而，证券投资的有效性一直受到从业者和学术界的质疑。我们使用一个由 311 家美国上市公司组成的为期八年的小组来说明信息技术 (IT) 投资与受威胁和对策安全意识调节的数据泄露之间的双向动态关系，以提供经验证据表明威胁意识扩大了公司处理数据的范围-通过在 IT 上的投资多于在安全上的投资来解决违规问题。对策意识使企业具备足够的知识和经验来确保IT的有效实施，这比单纯的安全投资提供了更全面的保护。