A Pathway Model to Five Lines of Accountability in Cybersecurity Governance

54 Pages Posted: 4 Aug 2022 Last revised: 4 Oct 2023

See all articles by Sergeja Slapničar

Sergeja Slapničar

University of Queensland

Micheal Axelsen

University of Queensland

Ivano Bongiovanni

University of Queensland

David Stockdale

University of Queensland

Date Written: July 29, 2022

Abstract

In an in-depth field study, we investigate cyber security governance configurations vis-à-vis the five lines of accountability (5 LoA) - that is, the Three Lines Model extended by the accountability of executive management and the board of directors (IIA, 2020). The aim is to explore the configurations adopted by organizations in governing cybersecurity, and why it would matter for cyber security whether the five lines of accountability are adopted. We define the type of the 5 LoA adoption by: (i) the segregation of the lines that spans from blended to segregated and (ii) the level of engagement of those in line roles that ranges from low to high. In this way, we identify four types of adoption of the 5 LoA: ‘no adoption, ‘ostensible’, ‘implicit’, and ‘explicit’ adoption. We theorize how the type of adoption of the 5 LoA is affected by the interplay of institutional forces and organizations’ need for efficiency and effectiveness, and develop a pathway model for organizations’ adoption of the 5 LoA. We find that organizations that adopt the 5 LoA with clear segregation between these lines (‘ostensible’ and ‘explicit’ adoption) are those subject to prudential regulation (coercive forces), whereas efficiency motives and mimetic forces drive organizations to seek fluidity and flexibility by ‘blending’ the segregated lines (‘implicit’ adoption) to ensure fast reactions to changing environment. Regardless of the segregation between lines and whether they are blended or not, we found that all organizations see scope to improve the level of engagement in the 5 LoA to improve the effectiveness of cyber security governance.

Keywords: cyber risk management, cybersecurity governance, five lines of accountability, institutional theory, constrained-efficiency framework

JEL Classification: M15, M42, M48

Suggested Citation

Slapničar, Sergeja and Axelsen, Micheal and Bongiovanni, Ivano and Stockdale, David, A Pathway Model to Five Lines of Accountability in Cybersecurity Governance (July 29, 2022). Available at SSRN: https://ssrn.com/abstract=4176559 or http://dx.doi.org/10.2139/ssrn.4176559

Sergeja Slapničar (Contact Author)

University of Queensland ( email )

St Lucia
Brisbane, Queensland 4072
Australia

Micheal Axelsen

University of Queensland ( email )

St Lucia
Brisbane, Queensland 4072
Australia

Ivano Bongiovanni

University of Queensland

David Stockdale

University of Queensland

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
149
Abstract Views
638
Rank
390,882
PlumX Metrics