IT Governance, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education
49 Pages Posted: 17 Oct 2016
Date Written: October 9, 2016
Prior research on information security management often considers information security as an operational decision instead of a strategic decision, and there is lack of empirical research that uses archival data to examine cybersecurity breaches. We study how two important strategic decisions with regard to information systems -- IT governance, and the outsourcing of information security -- affect the likelihood of cybersecurity breaches by using a sample of 505 U.S. higher education institutions over a 4-year period. We find that a university with centralized IT decision making is associated with fewer cybersecurity breaches. By our estimate, a one standard deviation increase in IT centralization is associated with a reduction in the probability of a cybersecurity breach by 3.5%. Interestingly, the effect of centralized IT governance is contingent on the complexity of a university’s computing environment -- schools with sophisticated IT infrastructure benefit more from centralized governance. In addition, we find that correcting for the self-selection bias, universities that opt for outsourcing their information security have a lower likelihood of suffering from a cybersecurity breach. We discuss the implications for research and practices.
Keywords: information security, cybersecurity breach, IT governance, centralization, IT complexity, outsourcing, managed security service
Suggested Citation: Suggested Citation