Turning IT Weaknesses into Lessons: the Interplay between Preventive and Reactive Approach, and IT Governance

Project: Research



Firms today invest heavily in IT security, but the effect has been mixed: while firms are better informed and better prepared than in the past, breach incidents continue to occur. Assessing the IT security risk a firm faces is also an ongoing process. One way firms can discover potential major weaknesses in their IT infrastructure is through internal audits of the firm's functional IT assets (data, processes, systems, etc.). Alternatively, firms may learn about potential IT weaknesses through breach incidents that have already occurred. These represent the preventive and the reactive approach, respectively, to discovering weaknesses in IT assets. The discovery of major weaknesses has a severe impact on how IT assets are managed, and directly affects board-level and management-level IT governance structures and decisions. For example, major weaknesses may reveal ineffective IT leadership in the organization; in other cases, they indicate an inappropriate attitude towards the management of IT assets. Prior literature has therefore often examined the impact of IT material weaknesses (ITMW) on IT governance, as well as the subsequent impact of changes in IT governance on ITMW. However, prior literature usually takes the internal control viewpoint, i.e., it assumes that major IT weaknesses are discovered through the preventive approach. So far, little literature has examined how the reactive approach affects IT governance and vice versa. We propose to fill this gap by examining the interrelationship between breach incidents and IT governance, alongside the interrelationship between ITMW and IT governance. In doing so, we contrast how the different approaches to discovering IT system weaknesses interact with IT governance. Our study has broad normative implications for how IT assets should be managed. Currently, firms and industries are spending millions of dollars on auditing IT controls.

One criticism is that such an approach decouples firms from addressing the cybersecurity issues that are genuinely relevant to them; instead, firms focus on completing routine self-assessment exercises. Our study can shed light on whether practicing this IT audit paradigm is indeed effective, or whether a more market-based approach should be embraced. Furthermore, there is debate about whether board-level decision-makers truly care about cybersecurity. By contrasting the impact of incidents surfaced by the preventive approach with those surfaced by the reactive approach, we aim to learn more about firms' predispositions on cybersecurity issues.


Project number: 9043072
Grant type: GRF
Effective start/end date: 1/01/21 → …