A fundamental question in cybersecurity research is what makes firms develop a higher level of information security awareness (ISA), referring to a sense of awareness of senior managers on security threats and countermeasures. Recent research suggests that top managers’ attributes may influence their engagement in information security (IS) activities. However, this line of research has yet to seriously consider why some CEOs are more aware of security issues and/or are more active in preventing potential threats from information security than others. Drawing upon the regulatory focus literature, we examine how CEO regulatory focus, which captures the degree to which CEOs pursue their goals through promotion or prevention focus, shapes the ISA of firms. In particular, we demonstrate that CEO prevention focus is positively related to ISA, while CEO promotion focus is negatively associated with ISA. Furthermore, we show that promotion-focused CEOs are more likely to engage in ISA when their firms experience data breaches, while the engagement of prevention-focused CEOs in ISA is not affected as much. Moreover, building upon the literature on behavioral theory of firms (BTOF), we argue that the relationship between CEO and ISA is more nuanced depending upon the firm performance relative to aspiration level. Our results underscore that the regulatory focus of CEOs is a pivotal lever to promote or impede ISA contingent upon the data breaches and the aspiration level of their firms.
