Article Type
Research Article
Abstract
This study contributes novel difference-in-differences evidence on ISO/IEC 27001 certification and bank performance in an emerging market. Using a sequential mixed-methods design combining CISO interviews and panel data from twelve Tunisian banks (2016-2023), we document a cybersecurity performance paradox: certification is operationally indispensable yet financially invisible in the short run. The DiD coefficient is non-significant for profitability (ROE: β = +0.0046, p = 0.827), while a significant delayed revenue effect emerges post-certification (NBI: β = +0.123, p = 0.036). Institutional voids and low stakeholder cyber-literacy may weaken the signaling mechanism, suggesting mandatory certification frameworks in emerging banking markets.
Keywords
Cybersecurity governance, ISO/IEC 27001, signaling failure, panel data, emerging markets
Recommended Citation
REDISSI, Asma
(2025)
"Cybersecurity Governance and Bank Performance in Tunisia: An Exploratory Mixed-Methods Analysis of ISO/IEC 27001 Certification,"
Arab Economic and Business Journal: Vol. 17
:
Iss.
2
, Article 7.
Available at: https://doi.org/10.38039/2214-4625.1066
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.