Founder's Note
Every company today is essentially a digital company — which means every company is one bad breach away from a crisis that no PR team can fully fix. What this research reveals is that the danger isn't just out there; it's hiding inside how you're managed, who's on your board, and what your IT culture looks like every single day.
— Sanjay Verma, Founder · NavsoraTimes
In This Article
- The Study That Finally Connected the Dots
- Why Research on Cyber Risk Was So Fragmented
- Why Does Who Runs Your Company Determine If You Get Hacked?
- The Hidden Long-Term Cost of a Breach
- What Companies and Regulators Should Do Next
Every few months, another household name joins the breach hall of shame. Equifax. T-Mobile. Yahoo. Each time, the story follows the same script: hackers got in, data walked out, the share price dropped, and lawyers got busy. But what if the real story of corporate cybersecurity isn't about the moment the hackers arrived — it's about everything that happened before? A landmark new review of 203 empirical studies, published in the Australian Journal of Management, suggests that's exactly the case. The research, led by Chelsea Liu and Muhammad Ali Babar at the University of Adelaide, offers the most comprehensive map yet of what actually makes businesses vulnerable to cyberattacks — and the findings go far beyond firewalls.
The Study That Finally Connected the Dots
Cybersecurity research has a fragmentation problem. Computer scientists, accountants, lawyers, and management scholars have all studied data breaches — but mostly in isolation, talking past each other in different journals. That siloed approach has left a critical gap: no unified picture of what drives corporate cyber risk or what the real-world fallout looks like. Liu and Babar set out to fix that, pulling together 203 peer-reviewed studies across 12 disciplines — from finance and accounting to law, management, and information systems — into one coherent framework. The result is a taxonomy of risk factors and breach consequences that speaks to executives, investors, and policymakers alike.
Why Research on Cyber Risk Was So Fragmented
Before this review, you'd need to read dozens of journals across finance, law, and computer science just to piece together a basic picture of corporate cyber risk. Scholars working in information systems rarely cited work from accounting journals, and vice versa. This created blind spots — especially around the human and organisational factors that determine whether a company gets breached. The researchers used a three-pronged search strategy spanning major publishers (Cambridge, Elsevier, SAGE, Wiley, and more) plus discipline-specific journal searches and Google Scholar, casting the widest net to date. After reviewing thousands of papers, 203 met the bar: empirical, data-backed, and focused specifically on corporations.
Why Does Who Runs Your Company Determine If You Get Hacked?
This is where the review gets genuinely surprising. The largest discipline represented in the sample was information systems, but the most striking findings came from governance and management research. Board composition matters enormously. Companies with more independent directors, greater gender diversity on the board, and dedicated cybersecurity subcommittees show better cybersecurity disclosure practices and lower breach risk. When it comes to executives, the picture gets complicated: IT leaders like Chief Information Officers can reduce breach frequency if they're well-compensated and empowered — but some evidence also suggests that firms with higher inherent cyber risk are simply more likely to appoint CIOs in the first place. Leadership succession after a breach also divides researchers: some studies find that replacing the CIO reduces future risk, while others find no significant change. One thing most research agrees on? Profitable and high-growth firms face more cyberattacks, not fewer — because they're simply more attractive targets.
"Our study provides valuable insights to executives, investors, and regulators by enhancing risk awareness and enabling industry practitioners and policymakers to harness the power of academic research to strengthen corporate cybersecurity resilience."
— Liu & Babar, University of Adelaide · Australian Journal of Management, 2024
The Hidden Long-Term Cost of a Breach
When a data breach hits the news, the immediate damage is obvious: share price falls, regulatory fines land, legal costs pile up. What gets less attention is the slow, invisible damage that follows. According to the studies reviewed, breached companies pull back on R&D spending and experience fewer patent filings — effectively choking their innovation pipeline at exactly the moment they need to rebuild trust. They also become more risk-averse in M&A, missing growth opportunities because excessive cyber risk makes them unattractive partners or overly cautious dealmakers. IBM's annual Cost of a Data Breach Report puts the average global breach cost at $4.88 million — but the research here suggests the compounding effects on strategy and competitiveness may be even more expensive in the long run.
What Companies and Regulators Should Do Next
The review is candid about its limits: the majority of studies draw on US data, and international generalisability remains an open question. The researchers also note that many findings rely on breach occurrences as a proxy for cyber risk — a blunt instrument that misses near-misses and unreported incidents. What the study calls for, convincingly, is more cross-disciplinary collaboration: lawyers thinking alongside computer scientists, accountants talking to management scholars. For policymakers, the message is clear — governance frameworks like the NIST Cybersecurity Framework need to go beyond technical compliance and address the boardroom behaviours that set a company's risk trajectory long before any attack begins.
- Board diversity reduces cyber risk — Companies with more independent, gender-diverse boards and dedicated cybersecurity subcommittees demonstrate measurably better security practices and lower breach exposure.
- Breaches kill innovation quietly — Beyond the immediate financial hit, breached companies cut R&D, file fewer patents, and grow more cautious in M&A — compounding damage that can last years.
- Interdisciplinary research is overdue — Cybersecurity can't be solved by IT teams alone; finance, law, management, and governance all shape whether a company gets attacked and how well it recovers.
"By consolidating multidisciplinary research, we develop a novel framework mapping the inter-relationships between the drivers of cybersecurity risk, impacts of cyberattacks, and potential feedback mechanisms enabling firms to learn from breaches to improve cybersecurity outcomes." — Liu & Babar, Australian Journal of Management, 2024.
📄 Source & Citation
Primary Source: Liu C, Babar MA. (2024). Corporate cybersecurity risk and data breaches: A systematic review of empirical research. Australian Journal of Management, 51(1). https://doi.org/10.1177/03128962241293658
Authors & Affiliations: Chelsea Liu (Adelaide Business School, University of Adelaide) and Muhammad Ali Babar (University of Adelaide)
Data & Code: Available via the journal's online portal at SAGE Journals. Open access article.
Key Themes: Corporate Cybersecurity · Data Breach Consequences · Cyber Risk Determinants · Board Governance · Innovation & M&A Impact
Supporting References:
[1] Kamiya S et al. (2021). Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3):719–749.
[2] IBM Security. (2024). Cost of a Data Breach Report 2024. ibm.com/reports/data-breach
[3] NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity (v1.1). nist.gov/cyberframework