Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions
47 Pages Posted: 17 Oct 2016 Last revised: 29 Jul 2019
Date Written: July 25, 2019
Despite the consensus that information security should become an important consideration in IT governance rather than the responsibility of the IT department alone, important IT governance decisions are often made on the basis of fulfilling business needs while ignoring their implications for information security. We study how an important IT governance mechanism – the degree of centralized decision making – affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a 4-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Schools with more sophisticated IT infrastructure benefit more from centralized governance. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with high research activities. We discuss the implications for research and practice.
Keywords: information security, cybersecurity breach, IT governance, centralized decision making, IT heterogeneity
Suggested Citation: Suggested Citation