Information security risk assessments following cybersecurity breaches: The mediating role of top management attention to cybersecurity

Information Systems (IS) research on managerial response to cybersecurity breaches has largely focused externally oriented actions such as customer redressal and crisis response. Within the firm itself, a breach may be symptom of systematic problems, narrow, siloed focus only fixing immediate issues through technical fixes controls might preclude other ensure future cybersecurity. Towards this end, Security Risk Assessments (ISRA) can help surface vulnerabilities following breach. While role governance in exercises is emphasized standards, it undertheorized IS lacks empirical evidence. We draw attention-based view theorize that principles attention, structural distribution situated attention lead top management team (TMT) according greater relatively high costs. Using level data, we find costs result TMT cybersecurity, while also making more likely firms will carry out an ISRA. Moreover, partially mediates relation between decision because best positioned oversee resource allocation, consider business implications, centrally orchestrate Our findings stress need for function work with managing