Security Breaches in the U.S. Federal Government

Abstract

Cybersecurity incidents in the U.S. federal government have increased by 1,121 percent between 2006 and 2014, leading to growing concerns on the security of the federal IT infrastructures. We examine potential drivers and mitigation mechanisms of security breaches in the U.S. federal government. Technologically, many argue that the large stock of legacy IT systems in federal agencies, which are not designed for security, cause security vulnerabilities. Some IT professionals, however, counter with a “security-by-antiquity” argument that legacy systems are more secure. We consider both arguments and empirically test how legacy systems are associated with security breach incidents in the federal government. Organizationally, federal agencies exhibit significant heterogeneity; some are highly centralized whereas others are highly decentralized geographically or functionally. We examine how their organizational forms affect security vulnerability. We find that agencies that invest more in new IT development and modernization experience fewer security breaches than ones that invest more in maintenance of legacy systems. Outsourcing legacy systems to the cloud also reduces the frequency of security breaches. Our results also find that effective IT governance, risk, and control mechanisms also mitigate security risks of the legacy systems. Finally, federal agencies that are geographically or functionally dispersed experience security breaches less frequently than centralized agencies.