An Extended TOE Framework for Cybersecurity Adoption Decisions

High-profile cybersecurity incidents, such as the 2019 Capital One data breach and the 2017 Equifax breach, have engendered doubts about firms’ trustworthiness and resulted cybersecurity becoming a critical risk factor firms must address. Breaches can precipitate extreme consequences for affected firms’ managers, shareholders, and customers. Unsurprisingly, data breaches represent IT leaders’ biggest concern. In this paper, we report on a qualitative field study in which we interviewed C-level executives and IT consultants to investigate cybersecurity concerns and factors that influence adoption decisions for cybersecurity. We found that the traditional technology-organization-environment (TOE) framework does not fully capture the range of issues in the cybersecurity context. Thus, we propose a new extended TOE framework that pertains specifically to cybersecurity-adoption decisions. This extended framework includes new dimensions, cyber catalysts, practice standards, and new factors under the traditional technology, organization, and environment dimensions.