Strategic Roles of IT Modernization and Cloud Migration in Reducing Cybersecurity Risks of Organizations: The Case of U.S. Federal Government
39 Pages. Posted: 18 Mar 2017. Last revised: 15 May 2020
Date Written: February 27, 2019
Many organizations rely on decade-old legacy IT systems, which were not designed to address contemporary cybersecurity risks, to run their core business operations. Some professionals argue that legacy systems significantly increase security incidents in these organizations. Other professionals disagree and argue that legacy systems are “secure by antiquity”: because adequate documentation on the legacy systems is lacking, they argue, it is very difficult and costly for potential attackers to discover and exploit security vulnerabilities in them. To the best of our knowledge, there is a shortage of theory and empirical evidence in the literature to explain whether and how legacy systems affect security risks. We build on routine activity theory to address these questions, and we choose the U.S. federal government as our empirical context of inquiry. We find that federal agencies that have more legacy IT systems experience more frequent security incidents than agencies with more modern IT systems. A 1-percentage-point increase in investments in new IT system development is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of legacy systems to the cloud is negatively associated with security incidents. These findings contribute to the literature on strategic information systems management by providing new theory and empirical evidence that counter the “security by antiquity” argument.
Keywords: Security risks, Legacy IT systems, IT modernization, Migration to the cloud, U.S. federal government