JIS Senior Editors' Blog

Journal of Information Systems

    blog entry posted February 25, 2016 by Roger S Debreceny, last edited February 26, 2016, tagged research 
    Overview of JIS paper: The Relationship Between Board-Level Technology Committees and Reported Security Breaches

    A forthcoming paper in JIS by Julia L. Higgs, Robert Pinsker, Thomas Smith and George Young is entitled The Relationship Between Board-Level Technology Committees and Reported Security Breaches. This blog by the authors provides an overview of the paper. doi: http://dx.doi.org/10.2308/isys-51402

    Julia Higgs

    Rob Pinsker

    George Young

    Thomas Smith

    Cyber-attacks are increasing at a phenomenal rate across the globe and are doing significant damage to firms’ valuations, regulatory compliance practices, and reputation. The longer it takes to detect a breach, the more costly it becomes. Consequently, firms need a strong information technology governance (ITG) structure in order to quickly detect and ultimately resolve breach scenarios.

    Firms have multiple ITG approaches for dealing with breaches. The traditional approaches involve having either the audit committee of the board or overall board monitor the related IT risk. More recently, a concentrated board approach involves forming a technology committee to monitor and control IT risks, including security breaches. This study incorporates signaling theory to investigate the role of technology committees with regard to reported breaches, as well as examining whether the existence of a technology committee serves as a positive signal to the market.

    Results examining reported breaches from 2005-2014 indicate that firms with a technology committee have a significantly greater likelihood of being breached relative to firms without technology committees. In trying to understand why firms may elect various committees to respond to different risks, we find that external breaches are more likely for firms with board-level technology committees, while internal breaches are more likely for firms with risk and compliance committees. We further find that as a technology committee becomes more established, the firm is less likely to be breached. This result suggests that over time technology committees play a role in preventing, not just detecting and reporting, breaches.

    When examining market reactions, initial results support the prior literature’s findings that a security breach is associated with a negative market reaction, but the presence of a technology committee mitigates the negative market reaction for external breaches. Thus, we argue that the market reaction results provide a firm-provided signal indicating that the firm has governance mechanisms in place to better handle the risk associated with security breaches.

    Board-level technology committees are a relatively new phenomenon, as prior research indicates none existed for public companies as recently as 2000. However, there has been an increasing trend in their formation over the past 10 years, presumably as an ITG mechanism. Our results suggest that these committees are helpful for firms when addressing the security risk component of the larger IT risk category. Consequently, study findings add to the extant ITG, disclosure, and signaling literatures.