Research Article

Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions

References

  • Adebayo, A.O. A foundation for breach data analysis. Journal of Information Engineering and Applications, 2, 4 (2012), 17–23.
  • Alreemy, Z.; Chang, V.; Walters, R.; and Wills, G. Critical success factors (CSFs) for information technology governance (ITG). International Journal of Information Management, 36, 6 (2016), 907–916.
  • Anand, K.S.; and Mendelson, H. Information and organization for horizontal multimarket coordination. Management Science, 43, 12 (1997), 1609–1627.
  • Angrist, J.D.; and Pischke, J.-S. Mostly Harmless Econometrics: An Empiricist’s Companion. Princeton, NJ: Princeton University Press, 2008.
  • Angst, C.M.; Block, E.S.; D’Arcy, J.; and Kelley, K. When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41, 3 (2017), 893–916.
  • Arora, A.; Krishnan, R.; Telang, R.; and Yang, Y. An empirical analysis of software vendors’ patch release behavior: impact of vulnerability disclosure. Information Systems Research, 21, 1 (2010), 115–132.
  • August, T.; and Tunca, T.I. Let the pirates patch? An economic analysis of software security patch restrictions. Information Systems Research, 19, 1 (2008), 48–70.
  • August, T.; and Tunca, T.I. Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57, 5 (2011), 934–959.
  • Baltagi, B. Econometric Analysis of Panel Data. John Wiley & Sons, New York, 2008.
  • Banker, R.D.; Kauffman, R.J.; and Morey, R.C. Measuring gains in operational efficiency from information technology: A study of the positran deployment at Hardee’s Inc. Journal of Management Information Systems, 7, 2 (1990), 29–54.
  • Basu, E. Target CEO fired - Can you be fired if your company is hacked?, Forbes, 15 June, 2014.
  • Baum, C.F.; Schaffer, M.E.; and Stillman, S. Enhanced routines for instrumental variables/GMM estimation and testing. Stata Journal, 7, 4 (2007), 465–506.
  • Blau, P.M. Inequality and Heterogeneity: A Primitive Theory of Social Structure. Free Press, New York, 1977.
  • Braa, J.; Hanseth, O.; Heywood, A.; Mohammed, W.; and Shaw, V. Developing health information systems in developing countries: The flexible standards strategy. MIS Quarterly, 31, 2 (2007), 381–402.
  • Bradley, R.V.; Byrd, T.A.; Pridmore, J.L.; Thrasher, E.; Pratt, R.M.; and Mbarika, V.W. An empirical examination of antecedents and consequences of IT governance in US hospitals. Journal of Information Technology, 27, 2 (2012), 156–177.
  • Brown, C.V. Examining the emergence of hybrid IS governance solutions: Evidence from a single case site. Information Systems Research, 8, 1 (1997), 69–94.
  • Brown, C.V.; and Magill, S.L. Reconceptualizing the context-design issue for the information systems function. Organization Science, 9, 2 (1998), 176–194.
  • Bulgurcu, B.; Cavusoglu, H.; and Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34, 3 (2010), 523–548.
  • Caruso, J.B. Information Technology Security: Governance, Strategy, and Practice in Higher Education. Educause Center for Applied Research, EDUCAUSE, 2003. https://library.educause.edu/resources/2003/10/information-technology-security-governance-strategy-and-practice-in-higher-education
  • Cavusoglu, H.; Cavusoglu, H.; and Zhang, J. Security patch management: Share the burden or share the damage? Management Science, 54, 4 (2008), 657–670.
  • Cavusoglu, H.; Mishra, B.; and Raghunathan, S. The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16, 1 (2005), 28–46.
  • Cerullo, V.; and Cerullo, M.J. Business continuity planning: A comprehensive approach. Information Systems Management, 21, 3 (2004), 70–78.
  • Chong, J.L.; and Tan, F.B. IT governance in collaborative networks: A socio-technical perspective. Pacific Asia Journal of the Association for Information Systems, 4, 2 (2012).
  • Collins, J.D.; Sainato, V.A.; and Khey, D.N. Organizational data breaches 2005-2010: Applying SCP to the healthcare and education sectors. International Journal of Cyber Criminology, 5, 1 (2011), 794–810.
  • D’Arcy, J.; Hovav, A.; and Galletta, D. User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20, 1 (2009), 79–98.
  • DeSanctis, G.; and Jackson, B.M. Coordination of information technology management: Team based structures and computer based communication systems. Journal of Management Information Systems, 10, 4 (1994), 85–110.
  • Duncan, N.B. Capturing flexibility of information technology infrastructure: A study of resource characteristics and their measure. Journal of Management Information Systems, 12, 2 (1995), 37–57.
  • Ferguson, C.; Green, P.; Vaswani, R.; and Wu, G.H. Determinants of effective information technology governance. International Journal of Auditing, 17, 1 (2013), 75–99.
  • Firth, D. Bias reduction of maximum likelihood estimates. Biometrika, 80, 1 (1993), 27–38.
  • Gal-Or, E.; and Ghose, A. The economic incentives for sharing security information. Information Systems Research, 16, 2 (2005), 186–208.
  • Goode, S.; Hoehle, H.; Venkatesh, V.; and Brown, S.A. User compensation as a data breach recovery action: An investigation of the Sony Playstation network breach. MIS Quarterly, 41, 3 (2017), 703–727.
  • Gordon, L.A.; Loeb, M.P.; and Lucyshyn, W. Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22, 6 (2003), 461–485.
  • Greene, W.H. Econometric analysis. Prentice Hall, Upper Saddle River, NJ, 2003.
  • Gwebu, K.L.; Wang, J.; and Wang, L. The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35, 2 (2018), 683–714.
  • Hasselbring, W. Information system integration. Communications of the ACM, 43, 6 (2000), 32–38.
  • Heinze, G.; and Schemper, M. A solution to the problem of separation in logistic regression. Statistics in Medicine, 21, 16 (2002), 2409–2419.
  • Holmstrom, B.; and Milgrom, P. Multitask principal-agent analyses: Incentive contracts, asset ownership, and job design. Journal of Law, Economics, & Organization, 7, SP (1991), 24–52.
  • Hosmer, D.W.; Lemeshow, S.; and May, S. Applied Survival Analysis: Regression Modeling of Time to Event Data. Wiley, 2008.
  • Huang, P.; Ceccagnoli, M.; Forman, C.; and Wu, D.J. Appropriability mechanisms and the platform partnership decision: Evidence from enterprise software. Management Science, 59, 1 (2013), 102–121.
  • Huang, R.; Zmud, R.W.; and Price, R.L. Influencing the effectiveness of IT governance practices through steering committees and communication policies. European Journal of Information Systems, 19, 3 (2010), 288–302.
  • Hui, K.-L.; Ke, P.F.; Yao, Y.; and Yue, W.T. Bilateral liability-based contracts in information security outsourcing. Information Systems Research, 30, 2 (2019), 411–429.
  • Huq, N. Follow the data: Analyzing breaches by industry. Trend Micro Analysis of Privacy Rights Clearinghouse, 2015. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/follow-the-data
  • Jensen, M.C.; and Meckling, W.H. Specific and general knowledge and organizational structure. In L. Werin and H. Wijkander (eds.), Contract Economics. Oxford: Blackwell, 1992, pp. 251–274.
  • Johnson, N.L. Survival Models and Data Analysis. John Wiley & Sons, New York, 1999.
  • Johnston, A.C.; and Hale, R. Improved security through information security governance. Communications of the ACM, 52, 1 (2009), 126–129.
  • Kankanhalli, A.; Teo, H.-H.; Tan, B.C.; and Wei, K.-K. An integrative study of information systems security effectiveness. International Journal of Information Management, 23, 2 (2003), 139–154.
  • Khey, D.N.; and Sainato, V.A. Examining the correlates and spatial distribution of organizational data breaches in the United States. Security Journal, 26, 4 (2013), 367–382.
  • King, G.; and Zeng, L. Logistic regression in rare events data. Political Analysis, 9, 2 (2001), 137–163.
  • King, J.L. Centralized Versus Decentralized Computing: Organizational Considerations and Management Options. ACM Computing Surveys (CSUR), 15, 4 (1983), 319–349.
  • Kotulic, A.G.; and Clark, J.G. Why there aren’t more information security research studies. Information & Management, 41, 5 (2004), 597–607.
  • Kshetri, N. Pattern of global cyber war and crime: A conceptual framework. Journal of International Management, 11, 4 (2005), 541–562.
  • Kwon, J.; and Johnson, M.E. Health-care security strategies for data protection and regulatory compliance. Journal of Management Information Systems, 30, 2 (2013), 41–66.
  • Kwon, J.; and Johnson, M.E. Proactive versus reactive security investments in the healthcare sector. MIS Quarterly, 38, 2 (2014), 451–472.
  • Lacity, M.C.; Khan, S.A.; and Willcocks, L.P. A review of the IT outsourcing literature: Insights for practice. The Journal of Strategic Information Systems, 18, 3 (2009), 130–146.
  • Lance, C.E. Residual centering, exploratory and confirmatory moderator analysis, and decomposition of effects in path models containing interactions. Applied Psychological Measurement, 12, 2 (1988), 163–175.
  • Lee, C.H.; Geng, X.; and Raghunathan, S. Mandatory standards and organizational information security. Information Systems Research, 27, 1 (2016), 70–86.
  • Liu, C.Z.; Au, Y.A.; and Choi, H.S. Effects of freemium strategy in the mobile app market: An empirical study of Google Play. Journal of Management Information Systems, 31, 3 (2014), 326–354.
  • Lorange, P. Corporate Planning: An Executive Viewpoint. Englewood Cliffs, NJ: Prentice-Hall, 1980.
  • McKeen, J.D.; Guimaraes, T.; and Wetherbe, J.C. The relationship between user participation and user satisfaction: an investigation of four contingency factors. MIS Quarterly, 18, 4 (1994), 427–451.
  • Miller, A.R.; and Tucker, C. Privacy protection and technology diffusion: The case of electronic medical records. Management Science, 55, 7 (2009), 1077–1093.
  • Miller, A.R.; and Tucker, C.E. Encryption and the loss of patient data. Journal of Policy Analysis and Management, 30, 3 (2011), 534–556.
  • Moulton, R. Applying information security governance. Computers and Security, 22, 7 (2003), 580.
  • Nash, K.S. Information Technology Budgets: Which Industry Spends the Most?, CIO, 2007. https://www.cio.com/article/2437731/information-technology-budgets--which-industry-spends-the-most-.html
  • Nault, B.R. Information technology and organization design: Locating decisions and information. Management Science, 44, 10 (1998), 1321–1335.
  • Nolan, R.; and McFarlan, F.W. Information technology and the board of directors. Harvard Business Review, 83, 10 (2005), 96.
  • Patton, M. Battling data breaches. Community College Journal, 86, 1 (2015), 20.
  • Pomerleau, M. Does a centralized approach help or hurt DOD cybersecurity?, Defense Systems, 2015. https://defensesystems.com/articles/2015/11/05/dod-cybersecurity-open-architecture-summit.aspx
  • Pulkkinen, M.; Naumenko, A.; and Luostarinen, K. Managing information security in a business network of machinery maintenance services business – Enterprise architecture as a coordination tool. Journal of Systems and Software, 80, 10 (2007), 1607–1620.
  • Ransbotham, S.; and Mitra, S. Choice and chance: A conceptual model of paths to information security compromise. Information Systems Research, 20, 1 (2009), 121–139.
  • Ransbotham, S.; Mitra, S.; and Ramsey, J. Are Markets for vulnerabilities effective? MIS Quarterly, 36, 1 (2012), 43–64.
  • Raymond, L. Organizational context and information systems success: A contingency approach. Journal of Management Information Systems, 6, 4 (1990), 5–20.
  • Rothrock, R.A.; Kaplan, J.; and Van Der Oord, F. The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59, 2 (2018), 12–15.
  • Sambamurthy, V.; and Zmud, R.W. Arrangements for information technology governance: A theory of multiple contingencies. MIS Quarterly, 23, 2 (1999), 261–290.
  • Sen, R.; and Borle, S. Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32, 2 (2015), 314–341.
  • Shackelford, S.J. Protecting intellectual property and privacy in the digital age: The use of national cybersecurity strategies to mitigate cyber risk. Chapman Law Review, 19 (2016), 445.
  • Sidel, R. Target to settle claims over data breach. The Wall Street Journal, 18 August, 2015.
  • Snyder, T.D.; de Brey, C.; and Dillow, S.A. Digest of Education Statistics 2015. National Center for Education Statistics, Institute of Education Sciences, U.S. Department of Education Washington, DC, 2016.
  • Srivastava, S.C.; and Teo, T.S. Contract performance in offshore systems development: Role of control mechanisms. Journal of Management Information Systems, 29, 1 (2012), 115–158.
  • Staiger, D.; and Stock, J.H. Instrumental variables regression with weak instruments. Econometrica, 65, 3 (1997), 557.
  • Stanley, C.; Molyneux, E.; and Mukaka, M. Comparison of performance of exponential, Cox proportional hazards, Weibull and frailty survival models for analysis of small sample size data. Journal of Medical Statistics and Informatics, 4, 1 (2016).
  • Stock, J.H.; and Yogo, M. Testing for weak instruments in linear IV regression. In D.W.K. Andrews and J.H. Stock (eds.), Ch. 5 Identification and Inference for Econometric Models: Essays in Honor of Thomas J. Rothenberg. Cambridge University Press, New York, 2005.
  • Straub, D.W.; and Welke, R.J. Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22, 4 (1998), 441–469.
  • Tallon, P.P. A Process-oriented perspective on the alignment of information technology and business strategy. Journal of Management Information Systems, 24, 3 (2007), 227–268.
  • Tallon, P.P.; Ramirez, R.V.; and Short, J.E. The information artifact in IT governance: toward a theory of information governance. Journal of Management Information Systems, 30, 3 (2013), 141–178.
  • Thong, J.Y.; Yap, C.-S.; and Raman, K. Top management support, external expertise and information systems implementation in small businesses. Information Systems Research, 7, 2 (1996), 248–267.
  • Tiwana, A. Systems development ambidexterity: Explaining the complementary and substitutive roles of formal and informal controls. Journal of Management Information Systems, 27, 2 (2010), 87–126.
  • Tiwana, A.; and Kim, S.K. Discriminating IT governance. Information Systems Research, 26, 4 (2015), 656–674.
  • Tiwana, A.; and Konsynski, B. Complementarities between organizational IT architecture and governance structure. Information Systems Research, 21, 2 (2010), 288–304.
  • U.S. Bureau of Labor Statistics. Employment status of the civilian noninstitutional population, 1947 to date 2017. https://www.bls.gov/cps/cpsaat01.pdf (accessed March 17, 2018).
  • Warkentin, M.; and Johnston, A.C. IT security governance and centralized security controls. In M. Warkentin and R. Vaughn (eds.), Enterprise Information Assurance and System Security: Managerial and Technical Issues, Idea Group Publishing, Hershey, PA, 2006, pp. 16–24.
  • Weill, P.; and Ross, J. A matrixed approach to designing IT governance. MIT Sloan Management Review, 46, 2 (2005), 26.
  • Weill, P.; and Ross, J.W. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business Press, Boston, 2004.
  • Weill, P.; Subramani, M.; and Broadbent, M. Building IT infrastructure for strategic agility. MIT Sloan Management Review, 44, 1 (2002), 57.
  • Wilkin, C.L. A review of IT governance: A taxonomy to inform accounting information systems. Journal of Information Systems, 24, 2 (2010), 107.
  • Wooldridge, J.M. Econometric Analysis of Cross Section and Panel Data. The MIT Press, Boston, 2002.
  • World Bank. World Bank GDP 1960-2016 2018. https://data.worldbank.org/indicator/NY.GDP.MKTP.CD (accessed March 17, 2018).
  • Wu, S.P.-J.; Straub, D.W.; and Liang, T.-P. How information technology governance mechanisms and strategic alignment influence organizational performance: Insights from a matched survey of business and IT managers. MIS Quarterly, 39, 2 (2015), 497–518.
  • Xue, L.; Ray, G.; and Gu, B. Environmental uncertainty and IT infrastructure governance: A curvilinear relationship. Information Systems Research, 22, 2 (2011), 389–399.
  • Yerby, J.; and Floyd, K. Faculty and staff information security awareness and behaviors. Journal of The Colloquium for Information System Security Education, 6, 1 (2018), pp. 23–23.
