Research Article

The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches

Pages 222-245 | Published online: 02 Apr 2021
 

ABSTRACT

This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations’ embeddedness in IT outsourcing networks weakens the impacts of these technology investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.

Notes

1 In the RAT framework, Value refers to the assessment of the gain of undertaking criminal activity. Although the value is often considered and operationalized as financial benefit, potential offenders may seek enjoyment and social value. Visibility refers to the likelihood that potential offenders know the existence and location of a target. The visibility of a target is positively associated with offenders’ suitability since the visibility forms the exposure factor of a target to potential offenders. Accessibility measures an offender’s ability to access the target and get away from the location and the scene of the crime. A target with a higher level of accessibility is more suitable for theft.

4 Note that not all hospitals completed the HIMSS survey every year. Thus, the number of unique hospitals in our final unbalanced panel data is greater than the number of surveyed hospitals in some years.

5 HIMSS has surveyed hospitals’ adoption of five main types of EHR systems: Clinical Data Repository, Clinical Decision Support Systems, Computerized Physician Order Entry, Order Entry, and Physician Documentation.

6 We also run robustness checks using eigenvector centrality and degree centrality to measure hospitals’ network embeddedness. The results are consistent with our primary analysis. We do not report them due to space limits, but they are available upon request.

7 We do not report the fixed effects logit (i.e., conditional logit) model since it only uses observations of hospitals that have experienced security breaches in some years, which only keeps 3570 observations (i.e., 7.85 percent of the full sample) in the estimation. However, the results with the conditional logit model estimation are consistent with our hypothesis testing.

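8 To derive the critical threshold level based on Column (2), we compute the partial derivative $\frac{\partial \widehat{\Pr}(\text{Breach}_{i,t+1})}{\partial \text{ITSec}_{it}} = -0.0025 + 0.0029 \times \log(1 + \text{Digitalization}_{it}) - 0.0059 \times \log(1 + \text{Embeddedness}_{it})$. Let $\log(1 + \text{Embeddedness}_{it})$ equal its mean value, 0.1831. The condition under which $\text{ITSec}_{it}$ positively influences the likelihood of security breaches is then: $\frac{\partial \widehat{\Pr}(\text{Breach}_{i,t+1})}{\partial \text{ITSec}_{it}} = -0.0025 + 0.0029 \times \log(1 + \text{Digitalization}_{it}) - 0.0059 \times 0.1831 > 0$. We thus have $\text{Digitalization} > 2.4369$.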

9 We thank an anonymous reviewer for providing this insightful suggestion and encouraging us to conduct the additional analysis to explain the mechanisms.

11 We thank an anonymous reviewer for suggesting this possible explanation from an IAM system integration or centralization perspective.

12 We did not discuss the model including the interaction terms between digitalization and two types of security investments, for two main reasons. First, the moderating effects of digitalization (H1A) are supported in hypothesis testing. Second, the results of the moderating effects of digitalization in this granular analysis are identical to the main hypothesis testing. We did not find additional insights and therefore do not discuss it due to space limits.

13 Our results provide an important explanation of the inconsistent findings regarding the impacts of IT security investments on security breaches. In addition to the mechanisms identified in Angst et al. [1], we found that the IT security protection systems used in Angst et al. [1] and Kwon and Johnson [32] are not the same. Kwon and Johnson [32] used all five TNC systems and only one IAM system (i.e., user authentication), and their results are highly consistent with our findings regarding TNC’s negative impacts on external breaches and its insignificant effects on internal breaches. In contrast, Angst et al. [1] used all TNC and IAM systems in their study and found average positive effects of these systems on all types of firms’ security breaches. Our results found the positive impacts of IAM systems on external breaches. Therefore, our results are qualitatively consistent with prior studies but offer additional explanations to reconcile their inconsistencies.

Additional information

Notes on contributors

He Li

He Li is an Assistant Professor of Information Systems at Wilbur O. and Ann Powers College of Business, Clemson University. He holds a Ph.D. in Business Information & Technology from the University of Memphis. Dr. Li’s research focuses on organizational competitive strategies in the IT-enabled emerging contexts such as digital platform ecosystems, IT security management, and digital transformation. His work has been published in International Journal of Production Research, Information & Management, and International Journal of Medical Informatics, among others.

Sungjin Yoo

Sungjin Yoo is an Assistant Professor of Information Systems in LaPenta School of Business at Iona College. He holds a Ph.D. in Business Information & Technology from the University of Memphis. Dr. Yoo’s research interests focus on organizational IT security strategies, sharing economy platforms, and digital business strategy. His work has been published in such journals as MIS Quarterly Executive and Information Technology & People.

William J. Kettinger

William J. Kettinger (corresponding author) is the William S. Lee Distinguished Professor of Information Systems at Clemson University. He previously served as the FedEx Chair of Excellence in MIS at the University of Memphis. His research interests include strategic information management; platforms and digital business strategy; IS management and service quality; IT and the supply chain; and process management. Dr. Kettinger has published four books and over 80 refereed papers in such journals as MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Sloan Management Review and many others. He has served as a senior or associate editor of several leading IS journals.
