Strategic Roles of IT Modernization and Cloud Migration in Reducing Cybersecurity Risks of Organizations: The Case of U.S. Federal Government

Pang, Min-Seok; Tanriverdi, Hüseyin

doi:10.2139/ssrn.2933577

Download This Paper

Open PDF in Browser

Add Paper to My Library

Strategic Roles of IT Modernization and Cloud Migration in Reducing Cybersecurity Risks of Organizations: The Case of U.S. Federal Government

forthcoming at Journal of Strategic Information Systems

41 Pages Posted: 18 Mar 2017 Last revised: 22 Sep 2021

See all articles by Min-Seok Pang

Min-Seok Pang

Temple University - Department of Management Information Systems

Hüseyin Tanriverdi

University of Texas at Austin - Red McCombs School of Business

Date Written: September 16, 2021

Abstract

Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.

Keywords: Security risks, Legacy IT systems, IT modernization, Migration to the cloud, U.S. federal government

Suggested Citation: Suggested Citation

Pang, Min-Seok and Tanriverdi, Huseyin, Strategic Roles of IT Modernization and Cloud Migration in Reducing Cybersecurity Risks of Organizations: The Case of U.S. Federal Government (September 16, 2021). forthcoming at Journal of Strategic Information Systems, Available at SSRN: https://ssrn.com/abstract=2933577 or http://dx.doi.org/10.2139/ssrn.2933577