Cybersecurity breaches pose a significant risk to firms. To combat these risks, many firms engage in strategic cybersecurity risk management initiatives. While these efforts may reduce the likelihood of a cybersecurity breach, they do not eliminate the risk of a breach. In the event of a cybersecurity breach, firms may issue an apology to investors. This study uses an experiment to examine whether a firm indicates cybersecurity risk management is a strategic initiative and whether a post-cybersecurity breach apology by the CEO impacts nonprofessional investors’ investment interest in the firm. Results show that, in response to a cybersecurity breach, the presence of a CEO apology positively impacts investors’ investment impression and their perceptions of CEO affective and CEO cognitive trust. We find that investors’ investment interest is lowest for a firm that previously indicates cybersecurity risk management is a strategic initiative and where the CEO does not issue an apology. The CEO apology, however, does not significantly impact investment amount, a secondary measure of investor interest. Results from this study have implications for managers, investors, and regulators.

网络安全漏洞对公司构成重大风险。为了应对这些风险，许多公司都参与了战略性网络安全风险管理计划。虽然这些努力可能会降低网络安全漏洞的可能性，但它们并不能消除漏洞的风险。如果发生网络安全漏洞，公司可能会向投资者道歉。本研究使用实验来检验一家公司是否表明网络安全风险管理是一项战略举措，以及首席执行官在网络安全漏洞后的道歉是否会影响非专业投资者对公司的投资兴趣。结果表明，在应对网络安全漏洞时，CEO 的道歉会对投资者的投资印象以及他们对 CEO 情感和 CEO 认知信任的看法产生积极影响。我们发现，投资者的投资兴趣对于之前表明网络安全风险管理是一项战略举措并且首席执行官没有道歉的公司来说是最低的。然而，首席执行官的道歉并没有显着影响投资金额，这是衡量投资者兴趣的次要指标。这项研究的结果对管理者、投资者和监管者都有​​影响。