Investigating the Impact of CIO Competencies on IT Security Performance of the U.S. Federal Government Agencies

Abstract

Based on data gathered from the Federal Information of Security Management Act reports, agencies' IT budget, and Chief Information Officers' competencies, we find that IT security performance is positively associated with Chief Information Officers who have technical skills, long tenure, and domain experience. However, managerial skills appear to have a stronger positive impact on IT security performance when Chief Information Officer's report directly to agency heads. These results suggest that agency's heads should consider specific Chief Information Officer's capabilities when making strategic decisions to appoint or promote new Chief Information Officers.

Keywords:

• information technology
• IT security performance
• Chief Information Officer competencies
• Federal Information of Security Management Act
• U.S. federal government agencies
• computer security scorecard

Notes

1. http://www.allbusiness.com/technology/11702304-1.html

2. http://www.readwriteweb.com/jobwire/2008/11/irs-hires-its-first-chief-tech.php

3. http://csrc.nist.gov/groups/SMA/fisma/index.html

4. HGORC does not disclose the exact criteria it uses to assign a score for federal agencies. It only indicates that it uses agencies reports, FISMA report, and other information to assign a grade for an agency.

5. OMB FISMA reports were obtained from the OMB official website http://www.whitehouse.gov/omb/legislative_reports/

6. HGORC FISMA Reports Cards were obtained from http://www.house.gov/

7. CIO competencies were obtained from several resources including: http://www.cio.com, http://www.cio.gov, http://www.usa.gov/ and the 24 agencies web sites.

8. IT security performance measures represent FISMA security report card provided by Ranking Member Tom Davis Committee on oversight Government Reform.

9. With the exception of CIO experience variable where e the median is used to split this variable into two groups.

10. We thank the reviewers for raising this important issue.

11. Since we could not track the hierarchical position of the CIO in the federal agencies over the study period, we assume that the distance between the CIO and the agency head detected in the current year does not change over the study period.

12. Since Chi-square test assumes that each cell has an expected frequency of five or more, we used Fisher test that has no such assumption when the above condition violated and results do not change significantly.

13. Since Chi-square test assumes that each cell has an expected frequency of five or more, we used Fisher test that has no such assumption when the above condition violated and results do not change significantly.