TY - JOUR
T1 - The impact of executives’ IT expertise on reported data security breaches
AU - Haislip, Jacob
AU - Lim, Jee Hae
AU - Pinsker, Robert
N1 - Funding Information:
History: T. S. Raghu, Senior Editor; Pallab Sanyal, Associate Editor. Funding: J. H. Lim acknowledges partial funding by the Social Sciences and Humanities Research Council (SSHRC) [Grant 435-2015-0630], CGA-Canadian Academic Accounting Association (CAAA) research grant, and the Shidler College Distinguished Professorship at the University of Hawaii. Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2020.0986.
Publisher Copyright:
Copyright: © 2021 INFORMS
PY - 2021/6
Y1 - 2021/6
N2 - Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. Drawing on upper echelon theory, we argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT; i.e., Chief Executive Officer (CEO), Chief Financial Officer (CFO), and Chief Information Officer (CIO)). By examining a sample of DSBs from 2005 to 2017, our study finds that CEOs with IT expertise are associated with fewer DSBs, with some evidence of a focus on DSBs containing consumer information. Our evidence also suggests that CFOs with IT expertise are less likely to report a DSB in general, as well as DSBs involving employee information or instigated by a person outside of the firm and, to a weaker extent, DSBs containing consumer information. Further, the presence of a CIO as part of the TMT is significantly associated with reduced DSBs of all types examined. Our results are robust to endogeneity concerns and an alternative propensity score matched sample. This study contributes a granular investigation of DSB risk involving executives with IT expertise that extends the upper echelon and ITG literatures.
AB - Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. Drawing on upper echelon theory, we argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT; i.e., Chief Executive Officer (CEO), Chief Financial Officer (CFO), and Chief Information Officer (CIO)). By examining a sample of DSBs from 2005 to 2017, our study finds that CEOs with IT expertise are associated with fewer DSBs, with some evidence of a focus on DSBs containing consumer information. Our evidence also suggests that CFOs with IT expertise are less likely to report a DSB in general, as well as DSBs involving employee information or instigated by a person outside of the firm and, to a weaker extent, DSBs containing consumer information. Further, the presence of a CIO as part of the TMT is significantly associated with reduced DSBs of all types examined. Our results are robust to endogeneity concerns and an alternative propensity score matched sample. This study contributes a granular investigation of DSB risk involving executives with IT expertise that extends the upper echelon and ITG literatures.
KW - Data security breaches
KW - IT expertise
KW - IT governance (ITG)
KW - Upper echelon theory
UR - http://www.scopus.com/inward/record.url?scp=85109131282&partnerID=8YFLogxK
U2 - 10.1287/ISRE.2020.0986
DO - 10.1287/ISRE.2020.0986
M3 - Article
AN - SCOPUS:85109131282
VL - 32
SP - 318
EP - 334
JO - Information Systems Research
JF - Information Systems Research
SN - 1047-7047
IS - 2
ER -