MIS 9003 – Prof. Min-Seok Pang

Week 13 Reading Summary – Pang and Tanriverdi (2017) – Xi Wu

Pang and Tanriverdi (2017) Security Breaches in the U.S. Federal Government

There has been limited research on mechanisms for mitigating security vulnerabilities that uses actual breach incident data at the organization level. This paper studies the effectiveness of three organizational IT risk mitigation mechanisms: modernization of legacy IT systems, institution of effective IT GRC, and migration of legacy IT systems to the cloud. The hypotheses are developed based on criminology theories such as rational choice theory and crime opportunity theory: (1) Federal agencies that spend higher percentages of their IT budgets on the maintenance of legacy IT systems are likely to experience more security incidents than ones that spend higher percentages of their IT budgets on IT modernization and new IT development; (2a) IT GRC effectiveness reduces security incidents in federal agencies; (2b) IT GRC effectiveness substitutes for IT modernization in reducing security incidents; (3) Federal agencies that migrate more of their IT systems to the cloud are likely to experience fewer security incidents.

The unit of analysis is a U.S. federal agency. Data on security incidents in the federal agencies are obtained from the FISMA report. Data on security breaches at the federal agencies in 2005-2016 are obtained from an independent source, PRC. Data on the IT investment profiles of federal agencies are collected from the Federal IT Dashboard.

The study finds that (1) a 1%-point increase in the share of IT modernization in the IT budget is associated with a 5% decrease in security incidents; (2) the institution of effective IT GRC mechanisms significantly reduces security incidents; and (3) there is a negative interaction effect between IT modernization and IT GRC. The findings complement the extant IS security literature on technical mitigating mechanisms by assessing the effectiveness of more managerially actionable mechanisms.
