Abstract

In the United States, between 2005 and 2017, 23 states enacted anti-phishing laws to prosecute those suspected of phishing. As the primary targets of phishing attacks, firms' interpretations and reactions toward these laws are worth investigating. Utilizing a unique dataset in a natural experimental setting, this study employed the difference-in-differences method to contrast firms' investment decisions related to IT and cybersecurity in states in which such laws had been enacted and those in states without such laws, both before and after their enactment. We found that firms with different operational experiences react to the enactment of the anti-phishing laws in different ways. We further demonstrate the moderating roles of the industry risk landscape and IT capability. Specifically, firms with high IT capability increased investments in both IT and cybersecurity, while the risk landscape stimulated investments in cybersecurity only. This suggests that the risk landscape facilitates sensitivity to the immediate risk signaled by enactment of the laws, and IT capability further enables the alignment between IT investments and security objectives. This study also discusses the policy implications of our findings.
