Date of Award

8-2025

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Management

Committee Chair/Advisor

William Kettinger

Committee Member

He Li

Committee Member

Jiahui Mo

Committee Member

John Tripp

Abstract

This dissertation investigates strategic implications of information security and privacy for organizations and society in the contexts of ransomware and mobile apps. The first study examines how organizations’ disclosures of responses to ransomware attacks affect ransomware strain survival. Ransomware attacks force organizations to make consequential decisions regarding disclosure—whether to reveal ransom payments, negotiation attempts, or coordination with external stakeholders. This study investigates how these disclosure choices influence the survival of ransomware strains. Drawing on disclosure theory and institutional theory, we theorize that disclosure behavior is shaped by dual logics and audiences: strategic signaling towards attackers and institutional conformity aimed at regulators and professionals. Public ransom payment disclosures unintentionally signal profitability to attackers, reinforcing strain persistence. In contrast, disclosures of coordination with law enforcement reflect institutional compliance and bolster collective cybersecurity defenses. Disclosures of negotiation efforts serve as legitimacy signals that may attenuate the signaling impact of ransom payments. We test these mechanisms using a longitudinal dataset of 388 publicly disclosed ransomware attacks between 2018 and 2023 and estimate strain survival via Cox proportional hazards modeling. Results show that ransom payment disclosures increase strain survival, while coordination disclosures reduce it. Negotiation disclosures weaken the signaling effect of payments. Our study contributes to information systems and cybersecurity research by demonstrating how strategically and institutionally motivated disclosures influence adversarial dynamics and threat persistence. We offer implications for organizational disclosure strategy and cybersecurity governance.

The second study leverages Apple’s introduction of app tracking transparency to the iOS platform as an exogenous shock to estimate the impacts of mobile app platform transparency policy on apps’ in-app advertising and performance. Mobile apps use in-app advertising to attract new users in the hypercompetitive app platform marketplace. In-app advertising is highly targeted and relies on detailed user data, raising privacy concerns. In response, app platforms implement transparency policies requiring apps to disclose their data collection practices and seek user consent for tracking. This study examines how advertiser apps alter their ad platform scope, which is the extent to which an advertiser’s app uses different ad platforms for in-app advertising, in response to a platform transparency policy. We find that implementing iOS app tracking transparency significantly reduces advertiser apps’ ad platform scope, which reduces advertiser apps’ new downloads. We find that treatment effects on ad platform scope are heterogeneous, i.e., significant for (1) ad platforms that use alternative user tracking identifiers but not for those that update their advertising approaches, (2) higher cost ad platforms, and (3) apps with higher complexity. We rule out alternative explanations at the app level (i.e., an app’s targeted advertising capability and innovation capability) and ad platform level (i.e., ad platform reach).

Collectively, these studies provide an understanding of the challenges organizations face when responding to information security and privacy events. This dissertation clarifies the strategic landscape for organizations and provides a roadmap for responses that bolster cybersecurity and competitiveness.

Download

Available for download on Monday, August 31, 2026

Share

COinS