3.1. Baseline results
[Table 2 about here]
In Table 2, the coefficient of THREATS remains positive and statistically significant at 1% significance level in all regression specifications, suggesting a positive association between US-Russia geopolitical risk and US firms’ cybersecurity risk. Specifically, the coefficient of THREATS in the baseline model regression (Column 3) is 0.4211, implying that one standard deviation change in US-Russia geopolitical risk is associated with a 0.432 standard deviation change in the cybersecurity risk measure of US firms. We see that the adjusted R-squared of the bivariate regression in Column 1 is 0.2967, meaning that the variations in US-related US-Russia geopolitical risk explain 29.67% of variations in US firms’ cybersecurity risk, which is substantial. The adjusted R-squared of the full model regression (Column 3) is 0.6777, indicating that our model explains about two-thirds of the variations in firm-level cybersecurity risk in the sample. The empirical results support our conjecture on a significant association between US-Russia geopolitical risk and firm-level cybersecurity risk in the US.
The regression results of the control variables are also worth mentioning. From the results of the baseline regression (Column 3, Table 2), we see that larger firms and firms with more employees are generally exposed to more cybersecurity risk. The findings from our firm-level analysis corroborate previous studies' findings that cyber costs are higher for larger firms (Aldasoro et al., 2022) and human errors are a crucial part of cybersecurity risk (Gozon et al., 2021).
Cybersecurity risk may differ across sectors as they have different levels of engagement in cyber operations and cyberinfrastructure. For example, financial firms (e.g., commercial banks, investment funds, and other financial services) rely more on online transactions and online services, thus they invest more in cyberinfrastructure than general manufacturing firms. On the other hand, firms from heavy industrial sectors typically invest less in cyberinfrastructure, therefore, their exposure to cybersecurity risk is likely higher than some other firms. Following this argument, we expect the newfound effect to vary across sectors.
Table 3 presents the test results of the baseline model on different sector subsamples.[5] From Table 3, we find the evidence of the effect of US-Russia geopolitical risk on all sectors of US firms. Sector classification follows the Global Industry Classification Standards (GICS). Specifically, the coefficient of THREATS ranges from 0.2975 to 0.4904, remains positive and significant mostly at 1% significance level across all sector regressions in Table 3. This is further evidence of the persistence of the effect of US-Russia geopolitical risk on cybersecurity risk of US firms. Our finding corroborates and provides supporting empirical evidence for the arguments from the foreign affairs and international economics on Russian cyber operations surrounding geopolitical conflicts (Shuya, 2018; Jasper, 2020) and US election (Fidler, 2016), and involving cybersecurity norms as the US and Russia have incompatibility of goals regarding cyberspace (Olga, 2022).
[Table 3 about here]
To conclude, our empirical analysis suggests that when the geopolitical risk between US and Russia increases, US firms’ cybersecurity risk increases significantly. This is the evidence of Russia’s cyberwarfare affecting US firms. Whilst the size of the effect is substantial, we also indicate that the variations in the US-Russia geopolitical risk explain more than a quarter of the variations in US firms’ cybersecurity risk. We find that the effect is quite consistent and contagious to all sectors of the US economy. As such, the political tensions between the two supernations are no longer confined to the physical world.
3.2. The time variation of the effect
Table 4 shows the further investigation of how the effect of US-Russia geopolitical risk on US firms’ cybersecurity risk varies in the time dimension. We alternatively replace THREATS in the model with its lags by one to five years to see how the effect evolves in the long run. Then we reperform the regression of the baseline model with the each of lags. Interestingly, we find that the effect seems to persist in a four-years period before turning statistically insignificant starting from the fourth year from the observation year. Specifically, the size of the effect gradually decreases from 0.4594 at the first lag to 0.3631 at the third lag. The coefficient is statistically not different from zero at the fourth- and fifth-lag model specifications, suggesting that the effect diminishes after four years.
[Table 4 about here]
Figure 1 illustrates the persistence of the effect over time. This implies that US-Russia geopolitical risk results in more cyber vulnarabilities in the four-year period.
[Figure 1 about here]
Collectively, the effect is consistent and persists for four years following the geopolitical tensions surrounding Russia.
3.3. Endogeneity treatments
We use two methods to curb the potential endogeneity issues of the relationship between US-Russia geopolitical risk and US firms’ cybersecurity risk. First, we employ the IV/2SLS regression to establish causal inference of the newfound relationship. The instrumental variable is a discrete variable that indicates the number of the North Atlantic Treaty Organization (i.e., NATO) summit events (NATO_SUMMIT) during a year. As NATO was formed to provide collective security against the threat posed by the Union of Soviet Socialist Republics (USSR), its presence alone is a symbol of foreign threats to Russia and the tensions between the West and Russia. Hence, the assembly of NATO members during a NATO summit led by the US would be highly correlates with THREATS, but is exogenous to US firm cybersecurity risk. We suggest that NATO_SUMMIT can serve well as the instrumental variables for THREATS. We report the IV/2SLS estimation results in Panel A, Table 5.
[Table 5 about here]
The coefficient of instrumented THREATS in the second stage regression (Panel A, Table 5) is 0.0819 (p-value < 0.0001), suggesting that US-Russia geopolitical risk stimulates cybersecurity risk of US firms. The diagnostic test results are satisfactory. The first-stage F-stat of excluded instruments’ p-value is smaller than 0.0001; the Anderson-Rubin wald test’s p-value is smaller than 0.0001; the Kleibergen-Paap weak identification test statistic is 3,188.878; the Anderson-Rubin confidence interval is (0.0603, 0.1047). Furthermore, NATO_SUMMIT is arguably exogenous to firm-level operations because general corporate operations in US may not significantly influence the occurrence of NATO’s summits. So, the instrumental variable is likely well identified in the model, thus bolstering our confidence in the causal inference of our baseline finding.
Another method to deal with endogeneity in the newfound relationship is Entropy Balancing (EB) (Hainmueller, 2012; Tübbicke, 2022). The method relies on a maximum entropy reweighting process that adjusts the inequalities in the moments of the covariate distributions, thus ensuring that balance improves on all reweighted covariate moments. There are several advantages of EB over the propensity score matching (PSM), including EB being doubly robust regarding linear outcome regression and logistic propensity score regression, EB is consistent for the Population Average Treatment Effect for the treated, and EB is able to reach the asymptotic semiparametric variance bound (Zhao & Percival, 2017). EB, however, only applies to binary treatments. Tübbicke (2022) enhance the method by enabling the entropy balancing method to be applied to continuous treatments (EBCT). EBCT eradicates the Pearson correlations between covariates (and their transformations) and the continuous treatment, thus serving as an appealing alternative to PSM.
As the geopolitical risk index (Caldara & Iacoviello, 2022) is a news-based index, it might have some inherent measurement errors that generate correlation (linear and non-linear correlations) between the treatment variable and covariates (and their moments) in the model despite them being economically uncorrelated. Indeed, the pairwise correlation matrix in Appendix A1 shows that THREATS is statistically correlated with most of the covariates in our model at 1% significant level. Pairwise correlations between control variables and THREATS, the variable-of-interest, might alter the true effect of THREATS on CYBER_RISK. EBCT helps eliminate those correlations and allows us to estimate the model without the impact of correlation. Moreover, EB and EBCT can suggest causal inferences for studies that cannot be randomized efficiently (Hainmueller, 2012; Zhao & Percival, 2017). Because Florackis et al. (2022) can only measure firm-level cybersecurity risk for listed firms that discuss their risk factors in 10-K reports, our sample falls into this category. Based on this understanding, we apply EBCT to estimate the effect of THREATS on US firms’ cybersecurity risk. Panel B, Table 5, presents the estimation results.The estimation results in Panel B, Table 5, are consistent with the baseline results. Specifically, the coefficient of THREATS is 0.4509 (p-value < 0.0001). The result well aligns with the coefficient of THREATS from the baseline regression in Column 3, Table 2 (0.4211, p-value < 0.0001). From the IV/2SLS and EBCT approach, we suggest the impact of US-Russia geopolitical risk on US firms’ cybersecurity risk.
A common driver of endogeneity is measurement error. As mentioned above, the geopolitical risk index might exhibit a certain degree of measurement errors. First, the annualised geopolitical risk variable (THREATS) represents the mean value of the monthly geopolitical risk index during a year, so it might not well capture the developments of geopolitics surrounding Russia across months in the year. Political events and conflicts may occur at different times during a year, thus causing the monthly distribution of the geopolitical risk index to be skewed and the effect of TREATS on CYBER_RISK might be time-variant within a year. To account for this problem, we assign weights from one to twelve to the monthly geopolitical risk index from January to December to calculate the increasing-weighted geopolitical risk index (IW_THREATS). In a similar way, we assign weights from twelve to one to the monthly geopolitical risk index from January to December to calculate the decreasing-weighted geopolitical risk index (DW_THREATS). Using IW_THREATS and DW_THREATS as the alternative measures of foreign threats to Russia, we can see how the effect varies if we change weights between the year-beginning and year-ending months. From there, we can tell whether the timing of the geopolitical events surrounding Russia within a year matter to the effect of THREATS on CYBER_RISK. We report the regression results of CYBER_RISK on IW_THREATS and DW_THREATS in columns 1–2, Panel C of Table 5. Interestingly, the coefficients of both measures are positive and significant at the 0.01 significance level while their magnitudes are not too different from each other (0.4881 compared to 4321, respectively), suggesting that the timings of geopolitical events do not alter our empirical findings.
For further robustness check, we use US-China geopolitical risk measure as the alternative foreign threats to US firms’ cybersecurity risk. Intuitively, the increasing number of China-originated cyber breaches on US firms (Kolton, 2017) leads to concern of another cyberwarfare between the US and China for various reasons, including the Taiwan issues, and the US-China trade war. We construct the US-China geopolitical risk measure (CHN_THREATS) similar to that of the THREATS variable (see section 2.1 for more details), then use it as the explanatory variable to re-estimate Model (1). The regression results are reported in Column 3 of Panel C, Table 5. Interestingly, we find that the coefficient of CHN_THREATS in the regression is statistically insignificant, suggesting that the US-China geopolitical risk is not a significant driver of US firms’ cyber risk. Therefore, the impact of US-Russia geopolitical risk on US firms’ cybersecurity risk is likely not contaminated by a potential trend of cyber threats originated from another country. This further validates our baseline findings.
To summarise, the endogeneity treatment tests suggest a causal effect of THREATS on CYBER_RISK and alleviate the concern about the measurement error of THREATS as the main explanatory variable in our model. Figure 2 summarises the effect size of THREATS on CYBER_RISK using different measurements and estimation specifications.
[Figure 2 about here]
3.4. The effect of foreign sanctions
Sanctions are another form of foreign threat to a country. There are different types of sanctions, including military, arms, financial, trade, and travel sanctions. This raises the question that do sanctions play a role as significant foreign threats that stimulate hostile cyberattacks from Russia on US businesses? Although this question is compelling, we do not find any empirical study in the literature attempting to answer it. To address this question, we use a comprehensive dataset of global sanctions (Felbermayr et al., 2020) and construct two measures of foreign sanctions on Russia. The first measure is the log-transformed number of total foreign sanctions imposed by foreign states on Russia during a year (SANCTIONS). The second measure is a dummy variable that equals one if the US imposes sanctions on Russia during the year, and zero otherwise (US_SANCTIONS). An important note is that all the military sanctions placed on Russia by the US are after the Crimea annexation in 2014, as indicated in Felbermayr et al. (2020)’s data. While most of the sanctions on Russia are economic and travel sanctions imposed after the Crimea annexation event in 2014 (Felbermayr et al., 2020), SANCTIONS represents the foreign threats on the economic battlefronts, while US_SANCTIONS represents the attempts of the US to restrain Russia. We re-estimate the baseline model alternatively using SANCTIONS and US_SANCTIONS as the variable of interest. Table 6 presents the estimation results.
[Table 6 about here]
The coefficient of SANCTIONS in Column 1, Table 6, is 0.0586 (p-value < 0.001), while the coefficient of US_SANCTIONS in Column 2, Table 6, is 0.2175 and significant at 1% level. The results are in line with our baseline finding and suggest that US firms’ cybersecurity risk increases with more sanctions against Russia. While recent studies show that sanctions are not likely to work very well against Russia (Bělín & Hanousek, 2022; Park & Choi, 2022); our finding shows that sanctions also trigger hostile retaliation in cyberspace.
In summary, the empirical results suggest that foreign sanctions imposed on Russia also provoke cyber hostility toward US firms.
3.5. Offshoring activities and cybersecurity risk
As globalization is the undeniable trend in the world economy, firms having offshoring activities becomes more common. However, offshoring operations have to bear more risk relative to inbound operations (Murtha & Lenway, 1994; Mihalache & Mihalache, 2016; Hansen et al., 2017; Mukherjee et al., 2023). Based on this understanding, we conjecture that US firms with more offshoring activities with Russia might bear more cybersecurity risk during periods of period of heightened geopolitical tensions between the US and Russia. That is, those firms have economic benefits in Russia and easily become the prominent targets of cyberattacks amid waves of cyber retaliation from “Russian patriots”.
In this section, we investigate how the impact varies across US firms with different degrees of offshoring activities with Russia. After matching our sample with the US firms’ offshoring activities database provided by Hoberg and Moon (2019), we generate a dummy variable that equals one if the US firm has offshoring activities of any kind with Russia and zero otherwise (USOPS_RUSSIA). We add the interaction term between USOPS_RUSSIA and THREATS to the baseline model and re-estimate the model.
Table 7 reports the estimation results. As observable from Table 7, the coefficient of the interaction term THREATS × USOPS_RUSSIA is positive and statistically significant, thus corroborating our conjecture that US firms with offshoring activities with Russia experience more cybersecurity risk under increased geopolitical risk in Russia. The finding holds for both the reduced-form regression (Column 1) and the full regression specifications (Column 2). Comparing the coefficient of the interaction term and that of THREATS in the full model regression, we see that the effect is stronger for Russia-offshoring firms relative to that of non-Russia-offshoring firms. The finding implies potential losses and higher exposure to cybersecurity risk when firms have economic benefits in Russia under intensified tensions between Russia and the US. This is in line with the detrimental economic effect of cyber risk (Goldstein et al., 2011; Romanosky, 2016; Kamiya et al., 2021).
[Table 7 about here]
In summary, our empirical evidence suggests that US firms with economic benefits in Russia suffer more from cyberattacks under increased geopolitical risk between the US and Russia in comparison to their counterparts.
3.6. The moderating effect of corporate innovation
Corporate innovation has important implications for firm growth and nationwide sustainable development (Kanter, 1999; Demirel & Mazzucato, 2012; Muthuri et al., 2012), especially when it becomes a dimension of corporate culture. Innovative firms are firms with a strong technological base, original business strategies, optimized operation processes, and efficient back-office operations (Li et al., 2022). These traits could build up corporate resilience under increasing uncertainty and risk. Given that innovative firms generally have a higher level of technological intensity relative to their counterparts, we expect those firms to have better knowledge management and understanding of information system technologies, thus resulting in better self-protection against cyberattacks. Following this argument, we test whether the baseline finding would vary across firm groups with different degrees of corporate innovation.
Using a score of corporate innovation culture computed by a machine learning approach by Li et al. (2022), we approach corporate innovation, not by corporate R&D spending, number of patents, or number of citations as in conventional empirical studies in economics, business, and finance. The score is constructed using the word embedded model and 209,480 earnings conference call transcripts of US listed firms during the 2001–2018 period. Li et al. (2022) show that their measurement of corporate innovation is broader than the previous proxies of corporate innovation in the literature. We merge their data with our sample and add the interaction term between the corporate innovation score (INNOVATION) and THREATS in the baseline model, then re-estimate the model. Table 8 presents the estimation results.
[Table 8 about here]
From Table 8, we observe that the coefficient of the interaction term is negative and significant, implying a moderating effect of INNOVATION on the impact of US-Russia geopolitical risk firm-level cybersecurity risk in the US. The finding holds for both the reduced-form regression and the full regression specifications in Column 1 and Column 2, respectively. More specifically, the coefficient of THREATS × INNOVATION is -0.0374 (p-value < 0.05), while the coefficient of THREATS in the same regression is 0.5519 (p-value < 0.01). The empirical finding is in line with our conjecture and suggests the role of corporate innovation in alleviating cybersecurity risk arising from geopolitical upheaval. For example, using more advanced information systems (e.g., cloud services) would reduce cyber risk and the economic cost of cybersecurity (Aldasoro et al., 2022), such back-office efficient solution would serve against cyberattacks.
In summary, corporate innovation play an important role in mitigating cybersecurity risk under intensified US-Russia geopolitical tensions.