•  
  •  
 

Article Type

Research Article

Abstract

This study contributes novel difference-in-differences evidence on ISO/IEC 27001 certification and bank performance in an emerging market. Using a sequential mixed-methods design combining CISO interviews and panel data from twelve Tunisian banks (2016-2023), we document a cybersecurity performance paradox: certification is operationally indispensable yet financially invisible in the short run. The DiD coefficient is non-significant for profitability (ROE: β = +0.0046, p = 0.827), while a significant delayed revenue effect emerges post-certification (NBI: β = +0.123, p = 0.036). Institutional voids and low stakeholder cyber-literacy may weaken the signaling mechanism, suggesting mandatory certification frameworks in emerging banking markets.

Keywords

Cybersecurity governance, ISO/IEC 27001, signaling failure, panel data, emerging markets

Share

COinS