Download this Paper Open PDF in Browser

IT Governance, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education

49 Pages Posted: 17 Oct 2016  

Che-Wei Liu

University of Maryland, Robert H. Smith School of Business, Students

Peng Huang

University of Maryland - Robert H. Smith School of Business

Henry C. Lucas

University of Maryland - Robert H. Smith School of Business

Date Written: October 9, 2016

Abstract

Prior research on information security management often considers information security as an operational decision instead of a strategic decision, and there is lack of empirical research that uses archival data to examine cybersecurity breaches. We study how two important strategic decisions with regard to information systems -- IT governance, and the outsourcing of information security -- affect the likelihood of cybersecurity breaches by using a sample of 505 U.S. higher education institutions over a 4-year period. We find that a university with centralized IT decision making is associated with fewer cybersecurity breaches. By our estimate, a one standard deviation increase in IT centralization is associated with a reduction in the probability of a cybersecurity breach by 3.5%. Interestingly, the effect of centralized IT governance is contingent on the complexity of a university’s computing environment -- schools with sophisticated IT infrastructure benefit more from centralized governance. In addition, we find that correcting for the self-selection bias, universities that opt for outsourcing their information security have a lower likelihood of suffering from a cybersecurity breach. We discuss the implications for research and practices.

Keywords: information security, cybersecurity breach, IT governance, centralization, IT complexity, outsourcing, managed security service

Suggested Citation

Liu, Che-Wei and Huang, Peng and Lucas, Henry C., IT Governance, Security Outsourcing, and Cybersecurity Breaches: Evidence from the U.S. Higher Education (October 9, 2016). Available at SSRN: https://ssrn.com/abstract=2850178 or http://dx.doi.org/10.2139/ssrn.2850178

Che-Wei Liu (Contact Author)

University of Maryland, Robert H. Smith School of Business, Students ( email )

College Park, MD
United States

Peng Huang

University of Maryland - Robert H. Smith School of Business ( email )

College Park, MD 20742-1815
United States

Henry C. Lucas

University of Maryland - Robert H. Smith School of Business ( email )

College Park, MD 20742-1815
United States

Paper statistics

Downloads
255
rank
103,492
Abstract Views
668