ABSTRACT
Despite the consensus that information security should become an important consideration in information technology (IT) governance rather than the sole responsibility of the IT department, important IT governance decisions are often made on the basis of fulfilling business needs with a minimal amount of attention paid to their implications for information security. We study how an important IT governance mechanism—the degree of centralized decision making—affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a four-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Universities with more heterogeneous IT infrastructure benefit more from centralized IT decision making. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with more intensive research activities. Collectively, these findings highlight the tradeoff between granting autonomy and flexibility in the use of information systems and enforcing standardized, organization-wide security protocols.
Supplemental Material
Supplemental data for this article can be accessed on the publisher’s website.
Notes
1. There are a number of notable exceptions. For example, see Kwon and Johnson [53].
2. For a detailed discussion of the sources of security breach data, see Adebayo [1].
3. In our sample of 1,278 observations, only one has reported two security breaches in a year.
4. For example, a university that suffers from a security breach may invest heavily in security countermeasures after the event in the same year. The use of contemporaneous predictors will lead to the incorrect inference that more investment in security countermeasures causes more breaches, due to reverse causality.
5. These programs include: Higher Education Information Security Council (HEISC); REN-ISAC (Research and Education Network Information Sharing and Analysis Center); Public/private information sharing activities such as the U.S. FBI InfraGard program; National Security Higher Education Board; EDUCAUSE Security Discussion List; EDUCAUSE Policy Discussion List; EDUCAUSE Identity Management Discussion List; State or regional group; Internet2.
6. A few universities reported an unusually small number of students, low IT Funding, or a low number of data centers. We identified 23 observations (with 18 universities) as possible outliers, and all the results still hold when we exclude these outliers.
7. We calculated variance inflation factors (VIFs) to test for multicollinearity. The average VIF is 1.57, and the maximum VIF is 5.74, which is smaller than the usual threshold of 10.
8. In addition, we perform a test using the residual centering approach [55] and find our results to be robust.
9. Other models such as logistic models and survival models show similar results.
Additional information
Notes on contributors
Che-Wei Liu
Che-Wei Liu (corresponding author) is an Assistant Professor of Information Systems at the Kelley School of Business, Indiana University. He received his Ph.D. at the Robert H. Smith School of Business, University of Maryland. His research interests include business analytics, mobile health, and business value of IT. Specifically, his research addresses the impact of digital technologies on users’ behaviors in mobile health, IT labor market, and stock market. His work has been accepted for publication in Information Systems Research and Journal of Economic Behavior & Organization.
Peng Huang
Peng Huang is an Associate Professor of Information Systems at the Robert H. Smith School of Business, University of Maryland. He holds a Ph.D. from the College of Management, Georgia Institute of Technology. His research interests include platform ecosystems, knowledge-sharing virtual communities, and technology entrepreneurship. His recent work has appeared in such journals as Management Science, Information Systems Research, MIS Quarterly, Journal of Marketing, and MIT Sloan Management Review. He received the Sandra Slaughter Early Career Award from the Information Systems Society, the Kauffman Dissertation Fellowship from the Ewing Marion Kauffman Foundation, the Ashford Watson Stalnaker Memorial Prize at Georgia Tech, and multiple Best Conference Paper Awards at the International Conference on Information Systems.
Henry C. Lucas
Henry C. Lucas, Jr. is the Robert H. Smith Professor Emeritus of Information Systems at the Robert H. Smith School of Business, University of Maryland. He received his Ph.D. from the Sloan School of Management, M.I.T. Dr. Lucas is the author of 20 books and nearly 100 articles in professional periodicals on the impact of information technology (IT), the value of investments in technology, implementation of IT, decision-making for technology, and IT and corporate strategy. His most recent research concerns technology-enabled transformations and disruptions. Dr. Lucas has served on the faculties of Stanford and NYU and has taught at INSEAD in France and NTU in Singapore on sabbaticals.