Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity

56 Pages. Posted: 11 Jan 2022. Last revised: 31 Jan 2022

Michelle Lowry

Virginia Tech

Anthony Vance

Brigham Young University - Department of Information Systems

Marshall D. Vance

Virginia Tech

Date Written: December 28, 2021

Abstract

We conduct an interview-based field study to investigate how directors provide cybersecurity oversight and the role of expertise in determining its effectiveness. Our interviews suggest that directors’ cybersecurity expertise is an important determinant of oversight effectiveness, primarily through increasing directors’ attention to cybersecurity issues and enabling them to ask incisive questions of management. Moreover, in the absence of board expertise, directors rely heavily on chief information security officers (CISOs) to “coach” them on cybersecurity concepts, third-party validation, and even the process of cybersecurity oversight itself. Thus, a lack of board expertise can result in circular governance between the board and management, whereby the terms of oversight are largely dictated by the supposed subjects of that oversight. Further, our CISO participants believe their peers filter reports to the board to obfuscate potentially damaging information, and that boards lacking cybersecurity expertise are not able to detect such filtering.

Keywords: Corporate governance, boards of directors, board oversight, risk oversight, cybersecurity risk, agency theory, self-efficacy theory, qualitative field study

Suggested Citation

Lowry, Michelle and Vance, Anthony and Vance, Marshall D., Inexpert Supervision: Field Evidence on Boards’ Oversight of Cybersecurity (December 28, 2021). Available at SSRN: https://ssrn.com/abstract=4002794 or http://dx.doi.org/10.2139/ssrn.4002794

Michelle Lowry

Virginia Tech

Pamplin College of Business
Blacksburg, VA 24061
United States

HOME PAGE: https://acis.pamplin.vt.edu/directory/michelle-lowry.html

Anthony Vance

Brigham Young University - Department of Information Systems

510 Tanner Building
Marriott School
Provo, UT 84602
United States

Marshall D. Vance (Contact Author)

Virginia Tech

Blacksburg, VA 24061
United States
