Start Date

10-12-2017 12:00 AM

Description

Prior research on information security management often considers information security as an operational decision instead of a strategic decision, and there is a lack of empirical research that uses archival data to examine cybersecurity breaches. We study how two important strategic decisions with regard to information systems – IT centralization, and the outsourcing of information security – affect the likelihood of cybersecurity breaches by using a sample of 505 U.S. higher education institutions over a 4-year period. We find that a university with centralized IT decision making is associated with fewer cybersecurity breaches. Interestingly, the effect of centralized IT governance is contingent on the complexity of a university’s computing environment – schools with sophisticated IT infrastructure benefit more from centralized governance. In addition, we find that correcting for the self-selection bias, universities that opt for outsourcing their information security have a lower likelihood of suffering from a cybersecurity breach.

Share

COinS
 
Dec 10th, 12:00 AM

IT Centralization, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education

Prior research on information security management often considers information security as an operational decision instead of a strategic decision, and there is a lack of empirical research that uses archival data to examine cybersecurity breaches. We study how two important strategic decisions with regard to information systems – IT centralization, and the outsourcing of information security – affect the likelihood of cybersecurity breaches by using a sample of 505 U.S. higher education institutions over a 4-year period. We find that a university with centralized IT decision making is associated with fewer cybersecurity breaches. Interestingly, the effect of centralized IT governance is contingent on the complexity of a university’s computing environment – schools with sophisticated IT infrastructure benefit more from centralized governance. In addition, we find that correcting for the self-selection bias, universities that opt for outsourcing their information security have a lower likelihood of suffering from a cybersecurity breach.