Where Is IT in Security - IT Investment, IS Governance and Information Security


Student thesis: Doctoral Thesis

View graph of relations


Related Research Unit(s)


Awarding Institution
Award date6 Oct 2021


As business processes become increasingly dependent on information systems, firms address the challenge of protecting digital systems by allocating security budgets and implementing security policies and practices. However, the proliferation of data breach incidents casts doubt on the effectiveness of the traditional security planning approach, which solely focuses on security measures and overlooks the alignment with other organizational resources and business processes. This dissertation argues that firms should align security with IT objectives and examines the relationship between general IT planning and security performance (e.g., data breaches, IT material weakness), and it consists of two studies.

The first study, “The Interrelationship among IT Investment, Security Awareness, and Data Breaches,” focuses on the interrelationship between data breaches and the general IT (security) planning process. I illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches using an eight-year panel of 311 U.S.-listed firms, moderated by threat and countermeasure security awareness. I provide empirical evidence that investing solely in security measures may not effectively prevent data breaches. IT investment must instead be combined with heightened security awareness. My results suggest that firms should reconsider whether security performance is a direct outcome of security measures and take a broader perspective when addressing information security concerns.

The second study, “An Empirical Examination of Board-Level IS Governance, IT Material Weaknesses, and IT Outsourcing,” aims to examine how firms’ board-level IS governance (ISG) affects IT material weaknesses (ITMWs), and whether and how firms respond to identified ITMWs by adjusting IT outsourcing strategies and improving ISG. The results indicate that firms fall into a vicious cycle when addressing ITMW issues. That is, firms with weak ISG have a higher chance of ITMWs, and firms reduce IT infrastructure outsourcing after ITMWs, which further dampens ISG. More importantly, my results imply that security awareness at firms’ senior management level helps firms to break the vicious cycle. My results suggest that firms should nurture security awareness among top management and address ITMW issues from the perspective of improving governance in the long run. My findings also raise the awareness of managers on different outcomes of IT outsourcing on governance and control effectiveness.

This dissertation contributes to the IS security literature in several ways. First, this dissertation deepens the understanding of security resource allocation by identifying the business value of IT investment on security performance and showing that security awareness moderates IT investment rather than security investment. Second, this work extends the boundary of security awareness from the individual to the organizational level and furthers the discussion on how security awareness improves firms’ overall security environment. Third, I contribute to ISG and IT control literature by proposing a holistic framework to understand the vicious cycle of addressing IT control issues and investigate how external IT expertise (e.g., IT outsourcing) affects ISG.

    Research areas

  • Data Breaches, Security Investment, IT Investment, IS Governance, ITMWs, IT Outsourcing, Security Awareness