Should your firm invest in cyber risk insurance?

Firms have increasingly been turning to cyber risk insurance in order to better manage cyber threats and any resulting legal liability from data breaches. But how useful is this tactic? Herein, I analyze the impact of cyber attacks on firms, some of the applicable U.S. law shaping private sector responses to data breaches, and the extent to which cyber risk insurance helps mitigate the cyber threat. Ultimately, I argue that firms must take a proactive stance toward managing cyber attacks—not only for their wellbeing, but also to enhance overall cybersecurity and help secure critical national infrastructure.     

Exploring SME cybersecurity practices in developing countries

The continued use of information technology systems by small and medium enterprises (SMEs) in developing countries has the potential to bring significant benefits but, at the same time, expose them to online cybersecurity threats. Addressing these threats is, therefore, of paramount importance for developing countries, not only because SMEs are seen as the vehicle for employment and job creation, but because research on SMEs and cybersecurity in this context is limited. This study is a contribution toward addressing this gap.

The purpose of this study is, therefore, to explore SME cybersecurity practices and the challenges they face in developing countries. The goal is to sensitize practitioners and government institutions about the challenges and practices faced by SMEs, so that the various parties can work collaboratively in providing context-specific solutions to address these challenges and improve current cybersecurity practices. The study follows a qualitative enquiry approach to solicit information from three South African SMEs that had implemented cybersecurity practices. The findings show that an SME’s perception of cybersecurity is constrained by internal factors of budget, management support, and attitudes. Further findings show that SMEs’ cybersecurity practices are affected by the landscape of cybersecurity, as well as institutional pressures.     

Diagnosing a healthcare cybersecurity crisis: The impact of IoMT advancements and 5G

Internet of Medical Things (IoMT) technology remains in early stages of adoption, but advancements and breakthroughs are quickly moving this process forward. There is a critical need for cybersecurity to be a priority in the development of these new tools, alongside design and utility. Given the rapid pace and potential magnitude of the coming advancements in IoMT, if privacy and security risks are neglected, a significant crisis could emerge in the form of more frequent cybersecurity breaches. This article examines the market opportunities and risks associated with IoMT and outlines a plan for proactively mitigating concerns and providing a platform to foster growth, to modify attitudes and behaviors, and to continue to build consumer confidence in the overall health system without sacrificing security.     

Where is the Security Blanket? Developing Social Media Marketing Capability as a Shield from Perceived Cybersecurity Risk

Although cybersecurity is important for any organization, firms have little understanding of the ramifications of perceived cybersecurity risk and how marketers can avert its negative marketing outcomes. The inability of firms to prevent massive data breaches in the recent past has heightened cybersecurity risk perceptions of customers and cybersecurity-related marketing challenges and opportunities. This study links cybersecurity risk with firm risk through firm reputation by developing a conceptual framework grounded in perceived risk theory in conjunction with dynamic capabilities and social network theoretical perspectives. Our findings show that social media marketing capabilities enable firms in mitigating the adverse impact of cybersecurity risk in declining firm reputation and value. Thus, this study provides significant implications for marketing theory and practice.     

A $10 million question and other cybersecurity-related ethical dilemmas amid the COVID-19 pandemic

Cybercrime and cybersecurity are like two sides of the same coin: They are opposites but cannot exist without each other. Their mutual relation generates a myriad of ethical issues, ranging from minor to vital. The rapid development of technology will surely involve even more ethical concerns, like the infamous example of a fitness tracking company allegedly paying $10 million worth of ransom. Every cybersecurity solution, tool, or practice has to be ethical by design if it is to protect people and their rights. To identify the ethical issues that cybersecurity/cybercrime might bring about in the future, we conducted the first broad and comprehensive horizon-scanning study since the COVID-19 pandemic arose. As we began this project, nobody had the slightest idea that the coming months would bring the COVID-19 pandemic, and that the reality we had known was about to change dramatically. As it soon became apparent, the deadly coronavirus brought completely new cybersecurity/cybercrime ethical dilemmas to light, and some of the ones known before were transformed or shifted. This article presents the results of our horizon-scanning study concerning the ethical dilemmas that emerged amid the COVID-19 pandemic.     

Cybersecurity: Risk management framework and investment cost analysis

As organizations accelerate digital transformation with mobile devices, cloud services, social media, and Internet of Things services, cybersecurity has become a key priority in enterprise risk management. While improving cybersecurity leads to higher levels of customer trust and increased revenue opportunities, rapidly evolving data protection and privacy regulations have complicated cybersecurity management. Against the backdrop of rapidly rising cyberbreaches and the emergence of novel cybersecurity technologies such as machine learning and artificial intelligence, this article introduces a cyber risk management framework, discusses a cyber risk assessment process, and illustrates a continuous improvement of cybersecurity performance and cyberinvestment cost analysis with a real-world cybersecurity example.     

Should executives go to jail over cybersecurity breaches?

The Consumer Data Protection Act, a new bill introduced by Senator Ron Wyden, is proposing “jail time of up to 20 years for executives who knowingly sign off on incorrect or inaccurate annual certifications of their companies’ data-security practices.” The bill also recommends that companies be fined “up to 4 percent of their annual revenue.” While the critics consider the penalties too harsh and severe, the proposed legislation reflects two key realities – a) active involvement and commitment of senior management is essential to achieving a high level of cybersecurity preparedness; and b) legislation and fear of severe penalties (such as Sarbanes-Oxley Act of 2002 and European Union’s General Data Protection Regulation) is often necessary to motivate desired organizational behavior. In an increasingly digital ecosystem characterized by high levels of electronic connectivity, vulnerability to cyberattacks is growing. Organizations are in a perpetual state of breach with rapidly expanding attack surfaces and evolving threat vectors. Protecting confidential data and related digital assets is becoming critical to survival and success. Senior management must come to terms with this new business reality and give strategic priority to cybersecurity preparedness and investments. Research finds active involvement of top management in cyber risk mitigation initiatives to be a critical success factor and best practice. The onus is also on senior management to create a high-performance security culture founded on three key cornerstones – commitment, preparedness, and discipline. They also must lead the charge in establishing a cybersecurity governance structure characterized by joint ownership, responsibility, and accountability.     

Muddling through cybersecurity: Insights from the U.S. healthcare industry

The U.S. healthcare sector is inadequately prepared to deal with the reality of cyber threats. The increasing use of smart medical equipment and mobile devices is making healthcare organizations more susceptible to ransomware and other types of malware. The size and complexity of operations, coupled with the presence of numerous legacy and incompatible systems, make it difficult to implement effective cybersecurity measures. The daunting nature of the problem often results in an if-it-ain’t-broke-don’t-fix-it stance among senior healthcare leaders. The preponderance of healthcare-related laws, compliance regulations, and security guidance frameworks serve to complicate the cybersecurity challenge further and too often results in senior leadership assuming a state of blissful ignorance. This study sheds light on the key factors contributing to the chaotic state of affairs and presents a roadmap to a more deliberate and proactive approach to cybersecurity risk management.     

Effects of Entrepreneurial and Environmental Sustainability Orientations on Firm Performance: A Study of Small Businesses in the Philippines

Why do small businesses in developing countries embrace sustainable business practices and what are the effects on their performance? We address these questions by drawing on the natural‐resource based view of the firm to argue that the environmental sustainability orientation of small businesses can be explained by their entrepreneurial orientation. Our study of 197 small businesses in the Philippines shows that an entrepreneurial strategic orientation enables them to develop a more proactive stance toward environmental sustainability practices which lead to superior firm performance. The implications of the findings for future research and for public policy for small businesses are also discussed.     

Segmentation of both reviewers and businesses on social media

Employing online consumer reviews, this research develops a market segmentation procedure that is feasible to businesses present on social media. Because online reviews typically encompass large numbers of both reviewers and businesses, this data structure allows for both reviewer segmentation and business segmentation. This two-side segmentation approach segments not only reviewers in the preferences expressed in their reviews, but also businesses in their business practices specified in the reviews. Whereas common existing segmentation approaches predominantly use survey and transaction data, the proposed procedure uses publicly available and detailed consumption information in such reviews. A large number of product features elicited from such reviews lead to rich and detailed profiling of both reviewer segments and business segments. Using restaurant reviews on Yelp, this research demonstrates how the proposed procedure can help businesses develop segmentation strategies on social media.     

Systems theoretic process analysis of information security: the case of aadhaar

ABSTRACT

A new way of thinking about cybersecurity is much needed to deal with the complex and dynamic cyber-ecosystem. In this paper, we introduce a systems thinking based approach for solving problems related to cybersecurity. We adapt the powerful safety-hazard analysis method, Systems Theoretic Process Analysis (STPA) based on systems theory to analyze the cybersecurity related features of India’s massive digital identity program, Aadhaar. Our findings produce important insights. On one hand, it helps identify the security gaps of the Aadhaar system, and on the other hand, it provides controls using systems thinking to overcome these gaps. We contribute to understanding the world of cybersecurity practices and develop risk mitigation strategies that can benefit the Aadhaar.     

The law and ethics of big data analytics: A new role for international human rights in the search for global standards

The Economist recently declared that digital information has overtaken oil as the world’s most valuable commodity. Big data technology is inherently global and borderless, yet little international consensus exists over what standards should govern its use. One source of global standards benefitting from considerable international consensus might be used to fill the gap: international human rights law. This article considers the extent to which international human rights law operates as a legal or ethical constraint on global commercial use of big data technologies. By providing clear baseline standards that apply worldwide, human rights can help shape cultural norms—implemented as ethical practices and global policies and procedures—about what businesses should do with their information technologies. In this way, human rights could play a broad and important role in shaping business thinking about the proper handling of this increasingly valuable commodity in the modern global society.     

Strategic Goals and Practices of Innovative Family Businesses

A profile of 231 Washington state family businesses is presented. This article focuses on the business strategies of these firms, analyzing the relationship between strategy, performance, and business practices. Firms categorized as Prospector firms reported more gains in their current market position than all other strategic types. These firms were more likely to value an effective management and employee team and to develop new quality products and services and career development plans for non-family employees. Implications for family businesses are discussed.     

Customer Relationship Management: A Comparative Analysis of Family and Nonfamily Business Practices*

It has been reported that family businesses perceive excellent customer service as critical to the future of their businesses. However, little research into the customer relationship management (CRM) practices of family businesses has been performed. In this study, we examine CRM implementation among 82 family and 370 nonfamily firms. Family and nonfamily businesses report similar attitudes toward the importance of CRM, their knowledge of CRM, and their success when they do implement it. However, using a logit regression model, we find that the actual implementation strategies of family businesses are significantly different from those of nonfamily businesses. These results remain constant when controlling for size and industry sector.     

Adequacy versus equivalency: Financial data protection and the U.S.–EU divide

In 1995, the European Union passed Directive 95/46/EC, which set the legal framework for European Union citizens to own the rights to their personal data. However, American law bestows ownership to the holder of the data, not the individual, and officials feared the European Union initiative might disrupt data sharing among United States and European Union affiliates. Thus, they negotiated the 2000 Safe Harbor Agreement to allow companies to voluntarily submit to yearly certifications that fulfilled European Union demands, but kept U.S. businesses in control of their data; nevertheless, the Agreement does not include financial and banking services. Instead, the United States argued that the privacy protections within the Gramm-Leach-Bliley Act adequately fulfilled European Union guidelines. The European Union disagreed and financial data sharing has operated under a moratorium for the past decade. However, the 2008 financial crisis has governments and clients clamouring for more data transparency to determine risk in the financial system. These global efforts, the European Union's recent push to strengthen the Directive, and the Dodd-Frank Act have pushed data sharing to the policy forefront. This article asserts that transatlantic data sharing will ultimately have to accommodate the privacy cultures in both the United States and the European Union, but firms must be prepared to cope with demands on their data by establishing government relations offices, standardizing information systems, enhancing education for compliance officers, and improving business school curricula.     

‘Where everybody knows your name’: Lessons from small business about preventing workplace violence

Recently, we have seen a number of high profile examples of workplace violence. Large organizations are armed with many of the programs that have been developed to minimize the occurrence of workplace violence. In contrast, smaller organizations—which constitute the majority of businesses in the United States—possess neither the resources nor the manpower to implement the aforementioned programs. Additionally, due to a number of individual, social, and situational factors, small businesses appear to be more vulnerable to workplace violence than large businesses. Despite these disadvantages, however, it seems that small businesses do not experience higher levels of workplace violence than their more sizeable counterparts. In this article, we uncover a number of small business practices that may counteract the threat of workplace violence, and proffer these as lessons for all managers who wish to work toward that goal.     

Failures in Regulator-Led Deinstitutionalization of Questionable Business Practices

Prior works in institutional theory are characterized by an assumption that the legal basis for authority of regulatory agencies is sufficient to ensure compliance by business organizations. From a business ethics standpoint, this would imply that regulatory oversight can hinder organizations’ pursuit of questionable business practices. However, the evidence for regulatory efficacy is far from clear as questionable business practices tend to persist despite regulatory monitoring. Drawing on the case of the regulatory failure to trigger a shift away from aggressive banking practices in Ireland, which had serious social and economic costs, we highlight three barriers to deinstitutionalization: (1) insufficient advocacy for change coupled with an inability to problematize the risks of extant business practices, (2) unwillingness to impose change through the use of threats, power, or sanctions, and (3) contradictions in the institutional environment that can obfuscate the regulators’ message. Thus, our study proposes that regulator-led change might not be as straightforward as previously theorized. In doing so, it advances prior theory through an explicit focus on the importance of three types of institutional work that are necessary for regulator-led deinstitutionalization.     

End Matter

This paper presents findings from a qualitative research investigation into tourism firms and the environment. It focuses on the factors preventing a sample of small environmentally accredited businesses from undertaking further action. Attitudinal, financial and operational factors are identified. It argues that in order to encourage businesses to undertake environmentally responsible practices the conditions in which they operate must be favourable; these include adequate support and infrastructure. Crucial, however, is addressing widespread scepticism towards environmental alternatives in both the public and operators, so as to make ‘going green’ commercially viable.     

Building a risk model for data incidents: A guide to assist businesses in making ethical data decisions

Data protection is important to businesses, and increasingly so as the paper-based world fades into memory. Information safeguards that were sufficient in the past no longer are in the current digitized environment. It is incumbent upon companies to keep their data secure, but what constitutes reasonable protection? In this installment of Business Law & Ethics Corner, we tackle this question and proffer Draper’s Catastrophe Value Curve as an assessment tool toward that end.