In this study, we seek to provide insights into the conflicting findings from prior research about whether the consequences of a cybersecurity breach spillover to non-breached bystander firms in the same industry − a phenomenon known as contagion effects. When considering the implications of a breach for a bystander firm, we suggest investors will rely on the loss heuristic and thus view loss (profit) bystander firms as more (less) likely to suffer a similar breach in the future. This will lead to greater cybersecurity breach contagion effects for loss firms than for profit firms. Furthermore, we propose that internal control quality will mitigate contagion effects and to a greater extent for loss firms than for profit firms. To test our hypotheses, we use a sample of cybersecurity breaches and identify a sample of non-breached bystander firms in the same subindustry as the breached firms. Our findings support our predictions and help explain the mixed findings from research on cybersecurity breach contagion effects. Results should also be informative to boards of directors and firm management considering ways to minimize costs associated with contagion effects.

中文翻译：

---

了解网络安全漏洞传染效应：损失启发式和内部控制的作用


在这项研究中，我们试图提供对先前研究中相互矛盾的发现的见解，即网络安全漏洞的后果是否会溢出到同一行业中未被泄露的旁观者公司——这种现象被称为传染效应。在考虑数据泄露对旁观者公司的影响时，我们建议投资者将依赖损失启发式方法，从而将损失（利润）旁观者公司视为未来发生类似数据泄露的可能性更大（更小）。这将导致亏损公司的网络安全漏洞传染效应大于盈利公司。此外，我们提出内部控制质量将减轻传染效应，并且对亏损公司的影响大于对盈利公司的影响。为了检验我们的假设，我们使用了网络安全漏洞的样本，并确定了与被泄露公司位于同一子行业的未泄露旁观者公司的样本。我们的研究结果支持我们的预测，并有助于解释关于网络安全漏洞传染效应的研究结果。结果还应为董事会和公司管理层考虑如何最大限度地降低与传染效应相关的成本提供信息。