THE IMPACT OF CIO CHARACTERISTICS ON DATA BREACHES
Thomas Smith
Associate Professor of Accounting
University of South Florida
4202 E Fowler Avenue
Tampa, FL 33620
Phone: (813) 974-6597
Email: tsmith46@usf.edu
Amanuel F. Tadesse
Associate Professor of Accounting
University of New Orleans
2000 Lakeshore Drive
New Orleans, LA 70148
Phone: (504) 280-6436
Email: aftadess@uno.edu
Nishani Edirisinghe Vincent
Associate Professor of Accounting
The University of Tennessee at Chattanooga
615 McCallie Avenue
Chattanooga, TN 37403
Phone: (813) 368-7103
Email: surani-vincent@utc.edu
Forthcoming: International Journal of Accounting Information Systems
ABSTRACT
The exponential rate of increase in IT security breach incidents has led governments, regulators,
and practitioners to respond by introducing standards and frameworks for the disclosure and
management of organizational cybersecurity risk exposure. Cybersecurity, which is a part of IT
risk management, is affected by the capability and the ability of senior leadership responsible for
IT-related decisions. This paper uses hand-collected data related to the Chief Information Officer
(CIO) for S&P 500 firms and explores whether the presence of a CIO role, human capital
characteristics of the CIO, and structural capital characteristics of the firm and the CIO are related
to a firm’s cybersecurity risk exposure. This study finds that firms disclosing the presence of a
CIO are more likely to be breached, even after matching on the likelihood of a breach and
controlling for the likelihood that a firm would choose to disclose a CIO. This study also finds
predictable variations in the likelihood of a breach among CIOs based on various human capital
dimensions (including past technology experience, external board memberships, firm tenure, and
CIO tenure) and structural capital dimensions (including a recognized commitment to IT and
charging the CIO with multiple responsibilities). Finally, this study finds evidence that the
observed associations depend on both the source of the breach (external vs. internal) as well as the
type of data compromised by the breach (e.g. financial, personal, etc.). The results of this study
contribute to the growing body of academic breach literature, while also informing practitioners
as they evaluate the costs and benefits of various methods for combating breaches.
Key Words: Cybersecurity, Chief Information Officer, CIO Characteristics, Human Capital, Structural
Capital
I. INTRODUCTION
Cybersecurity is a major concern among regulators, management, and investors today.
Contrary to the common misconception that it is highly technical in nature, cybersecurity risks
can stem from various sources such as malfunctioning equipment, natural disasters,
environmental influences, and employee negligence (NIST 2002). Given the widespread media
coverage on cybersecurity incidents, it is not surprising that prior research has found that the
market reacts negatively to news of a breach. For example, Spanos and Angelis (2016) conduct a
systematic review of event study research and report that 75 percent of the 45 studies they
examine observe a significant stock market reaction to information security issues.1 Recent
research has studied the ways that various stakeholders attempt to mitigate the threat and costs
associated with breaches. For example, Wang and Hsu (2013) show that board size is negatively
associated with the likelihood of breaches, and Higgs et al. (2016) show that voluntary board-
level committee formations can impact the likelihood of a reported breach, while Smith et al.
(2019) and Lawrence et al. (2018) show that breaches are priced by the external auditor.
Although these studies provide interesting insights into the importance of corporate governance
and external monitors on breaches, the literature remains relatively sparse on the relationship
between management (i.e. the individuals dealing with the breach risk on a daily basis)
characteristics and breaches. Hence, this study attempts to address the gap in the literature by
investigating the role of information technology (IT) management in breaches; first, we identify
whether having a Chief Information Officer (CIO) is associated with security breaches; second,
we explore whether there is an association between CIO’s human capital characteristics and
breaches; third, we observe whether there is an association between the firm’s structural capital
related to the CIO and breaches; and fourth, we explore whether these associations vary based on
the source of the breach (external vs. internal) or the type of data compromised (financial,
personal, etc.).
1 A recent study by Richardson et al. (2019) questions the economic significance of these breaches, as the negative
abnormal returns are often less than one percent in magnitude.
Prior research in this area examines the impact of management risk appetite (Feng and
Wang 2019) and executive pay (Kwon et al. 2013) on breaches. Using agency and contract
theory, Feng and Wang (2019) construct a risk aversion measure and find that the CIO’s risk
aversion is negatively associated with the likelihood of a breach. Kwon et al. (2013) and Haislip
et al. (2021) focus on the top five paid executives in the firm and find that a CIO’s membership
in top management teams is also negatively associated with the likelihood of a breach.2
However, the current understanding and discussion among executives are not whether a breach
could take place but when a breach will take place. Even though risk management can be
influenced by risk aversion as suggested by Feng and Wang (2019), the current trend indicates
that all executives despite their risk preference would deal with cybersecurity breaches. Given
the imminent threat, the extent to which cybersecurity incidents are managed may not be based
on the risk appetite of the manager but rather on the capability and attributes such as education,
training, intelligence, and skills (i.e. human capital) that are embodied in the manager. Based on
upper echelon theory, Haislip et al. (2021) explore the IT expertise of executives and find that
chief executive officers (CEO) and chief financial officers (CFO) with IT expertise are less likely
to report a data security breach. Even though the top management team’s IT expertise may
increase awareness of IT risk exposure, the responsibility of managing IT risks still falls under an
IT expert, generally with a CIO job title. Further, the manager’s ability to address cybersecurity
can either be enhanced or hindered by processes established in a firm (i.e. structural capital).
Therefore, we incorporate both human capital and structural capital variables in this study.
2 Our study differs from prior research in that we select CIOs regardless of whether they are one of the top five paid
executives in the company. This is particularly important because it helps separate the effect of compensation (and
CIO power) from the mere presence of the CIO role.
We focus on CIO characteristics because popular risk management and IT governance
frameworks, such as the COSO Enterprise Risk Management (COSO ERM 2004) framework
and the COBIT 5 framework (ISACA 2012), imply that the CIO is responsible for assessing,
managing, and responding to IT risk. The underlying assumption in these frameworks is that
management characteristics have a direct impact on setting the tone at the top, hence, the firm’s
operations. Consequently, we assume in this study that the tone at the top concerning
cybersecurity is set by the CIO. This assumption is based, in part, on the Securities Exchange
Commission (SEC) enhanced proxy disclosure requirement on risk oversight (SEC 2009). As a
result of this new requirement, firms now have to report on who is in charge of risk management
in the firm and discuss the lines of communication established between management and the
board on risk oversight. With the proliferation of IT in business operations and the increase in
cybercrime against firms, IT risk has become a major component of a firm’s overall risk.
Decisions regarding IT strategy, directly and indirectly, influence the firm’s overall strategic
direction. Therefore, regulators, such as the SEC, have shown a concern over how to increase
transparency for investors and current shareholders through disclosures on IT risks, mainly
focusing on cybersecurity incidents, without inducing detrimental consequences on the firms’
operations (SEC 2011). Given that IT-related decisions and IT strategy are the primary
responsibilities of the CIO, (s)he is expected to be the most influential person with regard to IT
decisions.3 Consequently, we suggest that the CIO will directly influence the establishment and
enforcement of policies, procedures, and processes related to technology, the adoption of new
technologies, and the management of IT risk in the firm.4 Consistent with the importance of the
CIO in IT risk strategy, we hand-collect CIO data among S&P 500 companies from 2005
through 2014 and find that even after matching based on the likelihood of a breach and
controlling for whether the firm will choose to have a CIO, firms that have CIOs are more likely
to report a breach.5 While this finding may seem counterintuitive, it is similar to the Higgs et al.
(2016) finding that firms that voluntarily form board-level technology committees (presumably
to bolster IT oversight) are more likely to be breached. Further, we find that the incremental
significance of breach incidents reduces with CIO tenure. This finding is similar to the signaling
effect discussed in Higgs et al. (2016).
3 Recognizing the importance and the complexity of information and security, many firms are creating specialized
positions such as CISO (Chief Information and Security Officer) and CSO (Chief Security Officer). However,
according to a survey on the evolving role of CISOs (Ponemon 2017), 50 percent of CISOs report to the CIO and
only four percent report to the CEO (Chief Executive Officer). This finding suggests that the CIO still has the
ultimate responsibility for information technology, and that security and IT risk are components of the overall
responsibility. Therefore, we focus on the CIO’s characteristics even though we see an emergence of other titles
such as CISO and CSO.
4 As Haislip et al. (2021) suggest the extent to which the CIO’s job will be influenced may depend on the IT
expertise of the other executives. Even though strategic choices are influenced by the top management as suggested
by upper echelon theory, the executives will still look to the CIO to identify, plan, manage, and respond to IT risk
and inform the other executives of the IT risk exposure. Additionally, the other executives’ IT expertise may also
influence the firm’s processes and procedures that may help or hinder the CIO from carrying out his/her
responsibilities.
5 We acknowledge that larger firms may be more likely to report a breach and may also be more likely to have a
CIO, creating a potential confound where an observed relation between the presence of a CIO and a reported breach
could be due to the size of the firm. We address this limitation in a number of ways. First, we limit our sample to
S&P 500 firms which are more likely to have similar resources to support a CIO position. Second, we include size
variables in our first stage model designed to control for the likelihood that a firm would create a CIO position.
Finally, we include size controls in our second stage model as well.
After investigating the association between CIOs and reported breaches, we then use our
CIO-specific data to examine whether individual differences among CIOs explain variation in
the likelihood of a breach among firms with CIOs. Extant literature finds that individual
characteristics of management influence their risk-taking behavior (MacCrimmon and Wehrung
1990; Dohmen et al. 2011). Feng and Wang (2019) find that CIO risk aversion is associated with
the management of security risks, i.e. a more risk-averse CIO is less likely to experience
information security breaches. We, therefore, explore whether there are certain characteristics
that enable CIOs to better manage a firm’s IT exposure and hence mitigate data breaches. We
broadly group these characteristics into human capital i.e. education (undergraduate/graduate
technology-related degree), experience (past technology experience inside/outside the firm and
other board memberships), and tenure (how long the CIO has been with the firm/how long the
CIO has been in the CIO position) and structural capital, i.e. public recognition of the firm's
commitment to IT, the roles and responsibilities (whether a CIO has multiple responsibilities),
and whether the firm has elevated the CIO to an executive-level position to develop our
hypotheses. We find that CIOs with past IT experience in the firm, outside board membership,
and longer tenure as a CIO result in an incrementally lower likelihood of breaches, while CIOs
with a longer tenure at the firm increase the likelihood of a breach. We also find limited evidence
that a firm's recognized commitment to IT and charging the CIO with multiple responsibilities
increase the likelihood of reporting a breach incident. While we acknowledge that this evidence
could be due to noisy structural capital proxies, one implication of our findings is that human
capital dimensions are potentially more important relative to structural capital dimensions in
explaining variation in the likelihood of reporting a breach. Collectively, our results suggest that
firms planning on filling a CIO position and wishing to reduce the likelihood of reporting
breaches may wish to consider candidates with past tech experience, currently serving on outside
boards, with more experience as a CIO, and with shorter tenure at the firm.
In supplemental analyses, we first examine whether our observed associations between
CIO characteristics and breaches vary based on the source of the breach. The majority of prior
breach research finds that the association between studied variables and breaches is limited to
external breaches (Higgs et al. 2016; Smith et al. 2019).6 Interestingly, we find that firms with
CIOs are more likely to suffer both external and internal breaches. We also find that the majority
of our human capital hypotheses are driven by internal breaches, complementing prior research.7
Second, we separately analyze the impact of CIO position appointment on breaches. Specifically,
we examine the association in the first, first two, and first three years that the CIO position is
started. While our main analysis documents a negative association between tenure at the CIO
position and breaches, we document an incremental increase in the likelihood of observing a
breach the year that the CIO starts. This is consistent with a curvilinear relation, whereby the
creation of the CIO position initially increases the likelihood of a breach but then the association
becomes negative over time. This finding is similar to the over-time association between
technology committees and breaches as documented by Higgs et al. (2016). Finally, we examine
a subset of our external breaches (hacks) using data from Audit Analytics to examine whether
the association between CIO and breaches depends on the type of data compromised. We find
that while the negative association continues to exist for “Personal” and “Other” data, we are
unable to find a significant association for “Financial” data. This finding provides some limited
evidence that the association between CIO and breaches likely depends on the data being
targeted.
6 For example, Higgs et al. (2016) find that the presence of a technology committee only increases the likelihood of
an external breach. Similarly, Smith et al. (2019) find that the positive association between breaches and audit fees
is only observed among the external breaches. Other breach studies choose to focus only on hacks (which is a
subset of external breaches as defined by Higgs et al. 2016), or do not compare breaches by source (Lawrence et al.
2018; Li et al. 2020).
7 Feng and Wang (2019) similarly explore whether their findings depend on the source of the breach, finding that
their observed negative association between CIO risk aversion and reported security incidence are driven by internal
breaches.
The findings from this study provide several important contributions to both academics
and practice. Regarding academics, we contribute to the growing breach literature by providing
evidence on the existence of the CIO position and security breaches. Prior breach research has
examined the association between breaches and various voluntary board-level committees (Higgs
et al. 2016), but the formations of these committees are much less common and are not as
directly instrumental in setting the IT risk tone at the top as the CIO. In addition, the information
systems literature has established the association between CIO characteristics and firm
performance (e.g. Sobol and Klein 2009; Chen et al. 2010; Li and Tan 2013). Contrary to the
common belief that having a CIO may mitigate security breaches, the results show the opposite.
Therefore, the initial findings of this study act as a precursor of sorts to Feng and Wang (2019)
and Haislip et al. (2021), which condition their analyses on firms with highly compensated
CIOs. Another underlying assumption in their studies is that the CIO has the expertise necessary,
however, they do not consider what attributes of the CIO are specifically important in detecting
and reporting data breaches. Further, we use hand-collected data to provide a unique extension to
the CIO breach literature by documenting systematic associations between both human capital
characteristics (education, experience, external board membership, tenure at the firm, and tenure
as a CIO) and structural capital characteristics (reputation for IT commitment and assigning too
many responsibilities to the CIO role) and the likelihood of breaches. Our findings suggest that
human capital associations are primarily driven by internal breaches, which provides an
incremental contribution to the literature that has focused primarily on external breaches.
Additionally, we provide a novel contribution to the breach literature that has thus far failed to
find that overall breach associations exist for both internal breaches and external breaches
separately. Our findings also inform practice by suggesting that firms are not likely to reduce the
likelihood of being breached by simply creating a CIO role or establishing structural capital
dimensions. Rather, our results suggest that they will need to carefully consider human capital
dimensions if they wish for their CIO to help mitigate breach risk.
II. LITERATURE REVIEW AND HYPOTHESES DEVELOPMENT
Prior research on IT Security and CIOs
According to the EY global information security survey (EYGM 2018), firms continue to
increase their annual spending on cybersecurity and devote more resources to improve their
security defenses. However, the survey results suggest that 87 percent still do not feel as though
they have sufficient budgets to provide an adequate level of security for their respective firms.
Consequently, firms are challenged to establish adequate lines of defense, invest in emerging and
innovative technologies to enhance existing protection mechanisms, and enable growth by
implementing security-by-design for new technologies and applications. Consistent with this
survey, Vincent et al. (2019) find that firms are often not able to keep abreast of IT risk
management practices, which can lead to an increase in possible security vulnerabilities. A
firm’s security vulnerability not only impacts the firm performance but also affects external
stakeholders such as vendors, customers, and investors.
Information security management (ISM) is increasingly becoming an important part of
risk management for IT managers (Disterer 2013; Kwon et al. 2013). ISM is the intricate process
of ensuring confidentiality, integrity, and availability of information assets through the
systematic management of organizational processes, timely implementation of information
security policy, effective management of enterprise information architecture and IT
infrastructure, adequate employment of qualified IT and security personnel, optimal investment
in IT and security resources, and active cultivation of a security-aware culture among employees
(Soomro et al. 2016; Choobineh et al. 2007). The complexity of ISM leads most organizations to
adopt information security frameworks such as ISO/IEC 27001, NIST 800-53, CIS Critical
Security Controls, and COBIT 5 for guidance in managing IT risks (Kwon et al. 2013).
Moreover, IT executives play a pivotal role in controlling the effectiveness of ISM through better
risk management, IT strategic alignment, and value delivery (Feng and Wang 2019; Kwon et al.
2013). ISM research also suggests that top management plays an important role in the
development of a security-aware culture and adherence to security policies, and security controls
(Knapp et al. 2006; Vincent et al. 2017; Tu et al. 2018). Research in ISM provides some
evidence that firms that create IT-related executive roles within the top management team are
negatively associated with cybersecurity breaches (Kwon et al. 2013). While this finding is
relevant to the fundamental research questions posed by our study, Kwon et al. (2013) employ very different
identification criteria to obtain their sample of treatment firms. Specifically, they rely on
EXECUCOMP to identify top management and define an IT executive as any employee holding
a technology-oriented role: including but not limited to Chief Digital Officer, Chief Privacy
Officer, Chief Information Officer, etc. In our study, we focus exclusively on the CIO role and
include CIOs at all levels (not limited to only top management) within the organization when we
examine the association between the presence of a CIO and reported breaches.
Anecdotal evidence from the profession suggests that CIOs are responsible for
cybersecurity in most organizations (Pettey 2019, Davenport 2016, Zurkus 2015). The EY global
security survey also indicates that among a significant percent of firms, the responsibility for
information security resides primarily with the CIO (EYGM 2018). The CIO has the
responsibility to lead the IT department, oversee IT risk assessment and management, create
security awareness throughout the firm, learn about emerging risks and ensure security from
software vendors, communicate any threats with other senior management, advocate for budget
allocations, and oversee the establishment of proper security controls throughout the firm (Feng
and Wang 2019). Since any outcome of a firm is most often influenced by management’s
decisions, we assume that vulnerabilities of a firm experiencing a breach result from the ISM
decisions made by the CIO.
Recognizing the importance of the CIO position to information security, academic
researchers have documented a negative association between CIO risk aversion and security
breach incidents (Feng and Wang 2019) and studied how certain characteristics of the CIO affect
overall enterprise system success (Shao et al. 2016). Research has also found that a cybersecurity
breach results in a turnover of the CIO, particularly when the source of the breach is a system
deficiency or when the CIO is an executive director (Banker and Feng 2019; Benaroch and
Chernobai 2017; Feng 2015).
A related stream of research examines the impact of IT experience among the
management team and various firm outcomes. Haislip et al. (2015) explore the consequences of
significant IT weaknesses (which may enable security vulnerabilities) on C-suite executives and
find that CEOs and CFOs who lose their job due to material weaknesses related to IT
are less likely to find an equivalent job opportunity. Further, firms that report significant material
weaknesses related to IT remediate the deficiencies by hiring CEOs and CFOs with more IT
expertise (Haislip et al. 2016). Haislip and Richardson (2018) find that CEOs with IT expertise
are more likely to make more accurate forecasts, while Sharma and Rai (2015) examine whether
IS leaders’ individual factors (IS leader’s hierarchical position and job tenure) and their
perceptions of technological factors influence a firm’s adoption of IS innovation. They find the
IS leaders’ job tenure and hierarchical position differentiate IS adopters from non-adopters.
Given that the CIO position is influential in IS performance of a firm, the next section develops
the hypotheses to explore the association between CIO characteristics and the likelihood of a
security breach.
Theory and Hypotheses Development
Hambrick and Mason’s (1984) upper echelon theory perspective suggests that firm
outcomes are a function of the top management decision-making. An underlying assumption in
upper echelon theory, drawing from psychology theories, is that human limitations influence
perceptions, evaluations, and decision-making. Accordingly, top management, consisting of
various individuals with differing characteristics, influences a firm’s strategic choices, which
leads to a positive or negative firm outcome. Based on the upper echelon theory, management
literature explores the association between management demographic characteristics and firm
performance (Crossland and Hambrick 2011; Nielsen and Nielsen 2013), strategic change (Díaz-Fernández
et al. 2015), corporate illegal acts (Daboub et al. 1995), etc.
After gaining prominence throughout the 1990s, the CIO’s role and responsibilities
transitioned from being solely a technical expert to a business strategist as well (Stephens et al.
1992; Chun and Mooney 2009). As firms realized the importance of and the dependence on
technology, they increasingly incorporated the CIO position into the top management team.
Extant literature explores the association between firm performance and the CIO’s characteristics
(e.g. age, experience, and tenure), and the role and responsibilities of the CIO (Sobol and Klein
2009; Li and Tan 2013). Further, Chen et al. (2010) find that CIO’s human capital has a direct
impact on IT’s contribution to firm efficiency and strategic growth.
Given the stream of extant research based on the upper echelon theory, it is evident that
management characteristics play a vital role in firm outcomes. Further, the security breach
literature shows that management has to bear the consequences of reported incidents, implying
that the market and internal/external stakeholders hold management responsible for their
decisions. Therefore, given these two streams of literature, we contend that CIO’s characteristics
can influence his/her decisions regarding technology. However, firms, recognizing the need for
better planning and control of IT, may first establish a formal position and hire CIOs to oversee,
direct, and manage IT within a firm. Consequently, we expect that if the presence of a CIO
position within the firm is indicative of better management and control of IT, these firms will be
able to implement adequate controls to prevent security breaches which will lead to a lower
likelihood of an occurrence of a security breach in the firm. Therefore, we may observe a
negative association between the likelihood of a reported breach and the presence of a CIO
position at a firm.
We argue that it is also possible that the presence of a CIO position is indicative of
underlying heightened IT risks. For example, Higgs et al. (2016) examine a growing trend in IT
governance, the creation of a board-level technology committee, and find that firms with
technology committees are more likely to be breached. They note that this relation could be a
sign that the firm is better equipped to detect a breach and more willing to report a breach.
Furthermore, publicly disclosing the presence of the committee could provide an attractive signal
of valuable information assets to potential criminals. In support of this notion, Ettredge et al.
(2018) find that firms that publicly disclose the existence of trade secrets in the annual report
(Form 10-K) are more likely to have subsequent breaches. Consequently, creating a CIO
position/having a CIO position would signal increased dependence on IT and significant
investment in IT assets in the firm. Therefore, having a CIO position may attract cybercriminals
resulting in breaches.
Existing undetected breaches may also be more likely to be detected when a CIO is hired.
Since IT risk management requires firms to take a holistic view of IT rather than a concentrated
view on security controls (Vincent and Pinsker 2020), creating a CIO position will enable the
firm to take a holistic view of IT and better manage information security. Consequently, firms
with CIO positions, taking a holistic view, may be better equipped to implement a set of
comprehensive controls. Most security breaches go undetected because of the lack of adequate
detection controls and the complexity involved in monitoring database activity, processes, access
controls (physical and digital) of numerous integrated information systems, and end-points
(Varonis 2019). Given the complexity and a large number of known vulnerabilities in existing
enterprise applications and operating systems, firms are faced with an imminent danger of their
information systems being breached. Consequently, firms creating CIO positions may be better
equipped to centrally monitor and detect security breaches.8 Once breaches are detected, CIOs are
required by security breach notification laws to report the breach to their customers and other
related parties (NCSL.org). Given the legislative requirements, CIOs will likely help firms report
detected breaches to the appropriate parties, authorities, and regulatory bodies because of the
consequences that accompany not disclosing the breach. Given the increased litigation risk for
the firm, if a firm fails to disclose material breaches in a timely manner, CIOs may also face
negative consequences. Banker and Feng (2019) find that CIO turnover is related to security
breaches, i.e. they are terminated after a security breach caused by system deficiency. In contrast,
firms without CIOs may lack the necessary guidance to centrally monitor and detect security
breaches; hence, breaches in such firms will likely go undetected and unreported. Therefore, it is
also reasonable to expect a positive association between the presence of the CIO position and
reported breaches.
8 When a CIO position is created, the CIO joining the firm may be able to take a holistic view, enabling the CIO to
detect and disclose breaches. Once the CIO addresses the pressing concerns and establishes better processes, he/she
may be able to prevent future breaches. We explore this possibility with CIO tenure.
Given the possibility of either a positive or negative association between CIOs and
reported breaches, we state our first hypothesis in null form:
H1: The likelihood of observing a reported breach is not associated with the
presence of a CIO role at the firm.
After exploring the overall association between firms that employ CIOs and reported
breaches, we then formulate directional predictions about cross-sectional variations within
different CIO characteristics. Specifically, we leverage prior research to motivate predictions
based on variations in observable CIO characteristics related to human capital (e.g. education,
experience, tenure) and structural capital (e.g. firm support for IT, breadth of responsibilities
given to the CIO, CIO’s executive rank).9
Human Capital
One factor influencing decision-making is the human capital of the individual. Developed
in the field of economics and extensively researched in human resource development, the human
capital theory suggests that developing employee skills through training and education leads to
better firm outcomes (Becker 1993, Hendricks 2002; and Engelbrecht 2003). Human capital
developed through education consists of a mixture of abilities to share knowledge and expertise
with others, create performance possibilities, learn and develop skills through various
experiences, and motivate and train others (Becker 1993). Additionally, the upper echelon theory
applies the foundational thoughts of human capital to the top management of the firm.
Consequently, top managers’ skills and abilities developed through training and education are
associated with and impact the firm’s outcomes (Crossland and Hambrick 2011; Nielsen and
Nielsen 2013).
9 Li and Tan (2013) use a survey to examine the impact of matching business strategy with CIO characteristics on
firm performance. Similar to studies by Miles and Snow (1978) and Thomas and Ramaswamy (1994, 1996) related
to CEOs, Li and Tan (2013) focus on the human capital dimensions of age, tenure, and education in their survey.
Based on human capital and upper echelon theory, we consider three dimensions
related to our CIO data - education, experience, tenure (both with the firm and at the CIO
position) - to develop our next set of hypotheses.
CIO education
According to upper echelon theory, CIOs influence technology adoption, use, and risk
management in a firm by communicating and convincing other managers to invest, implement,
and follow IT-related procedures and processes. CIOs are now expected to assume more of a
strategist role (Hamblen 2018) and are required to take a holistic view of the firm and drive
business strategy by selecting appropriate IT strategies (Kayworth and Whitten 2010). Smaltz et
al. (2006) find that CIO capabilities have a direct impact on CIO effectiveness as a strategist,
relationship architect, and integrator. Further, Sobol and Klein (2009) observe better firm
performance measures for firms with CIOs from a primarily IT background rather than a general
management background, supporting the preference for a CIO with a technical degree.10 Using
job characteristics theory, Chen and Wu (2011) survey CIOs and top management teams and find
that IT competency has a significant impact on the effectiveness of the CIO’s IT management
activity, which in turn positively influences the CIO role performance.
Concerning breaches specifically, a CIO needs to increase security awareness throughout
the firm, establish detective and preventive procedures, and understand the impact of a security
breach on business operations. Upper echelon theory suggests that the CIO’s cognitive base
(knowledge or assumptions about future events, alternatives, and consequences) influences
his/her ability to make the best strategic choices, in this case, with regard to increasing security
awareness among other top managers and establishing the appropriate procedures, etc.
(Hambrick and Mason, 1984). Accordingly, the CIO’s education serves as an indicator of his/her
cognitive preferences (Hambrick and Mason, 1984).
10 There are a number of degrees that are technical in nature. Please see Appendix B for a list of all of the degrees that
we have identified as being technical.
Khallaf and Majdalawieh (2012) survey 24
federal government agencies and find that CIOs’ technical skills have a positive impact on IT
security posture when the CIO is a direct report of the head of the agency.11 Kimberly and
Evanisko (1981) show the importance of the level of education on a person’s ability to provide
solutions for complex problems that involve many aspects of the organization. Security
management is a complex problem that requires securing information assets while enabling the
business to innovate using IT, maintaining compliance, and ensuring cultural fit (Kayworth and
Whitten 2010). Given the complexity of security management, a higher level of technical
education may enable CIOs to provide better guidance on security management that involves
collaboration and involvement of the whole enterprise to help prevent breaches. Although tech-
savvy CIOs may also end up implementing controls to better detect breaches, it is likely that they
will understand that prevention is far less costly and prioritize security investments as well as
enterprise-wide preventative measures and initiatives. Given that IT security consists of technical
details, we expect that a CIO with a technical degree will be able to provide better guidance on
IT security, which leads to our first human capital hypothesis:
H2a: The likelihood of observing a reported breach for firms with a CIO is lower if
they have a technical degree.
CIO experience
Concerning CIO experience, based on interviews with CIOs, Spitze and Lee (2012) find
that successful CIOs are life-long learners, who are able to draw from an extensive network, and
develop a compelling and achievable vision.
11 Khallaf and Majdalawieh (2012) measure IT security posture through a measurement system for federal agencies
of a letter performance grade that ranges from F to A.
The life-long learner characteristic suggests that
past experiences are important drivers of future success. Hambrick and Mason (1984) suggest
that past experiences can exert some influence over the CIO’s decision-making process that
materialize in either a positive or a negative outcome for the firm. These past experiences can be
obtained both from within the firm as well as from prior employment with another firm.
Consistent with this notion, prior research on information technology-based material weaknesses
over internal controls finds that firms often recruit individuals with IT experience from other
firms as a way to restore investor trust (Haislip et al. 2016). Consequently, we expect that CIO’s
past technology-related experience at both the current firm as well as other firms will similarly
help them recognize patterns and provide guidance on IT use and risk management related to
potential breaches.12 Further, the more IT experience the CIO has, the more familiar (s)he
becomes with various business processes, strategies, and risk events which in turn will help
him/her develop better IT strategies and risk management practices. Therefore, we predict that
the CIO’s past technology-related experience will help him/her identify patterns of security
vulnerabilities in a firm such that (s)he will be more proactive and develop adequate security
measures.
In addition to past technology-related experience, CIOs are also likely to gain
contemporaneous experience to combat emerging challenges through their involvement on the
board of directors of other firms. According to upper echelon theory, CIOs can expand their
cognitive base and their perspective by being involved in other career activities (Hambrick and
Mason 1984), such as serving on the board of directors of another firm.
12 We make a distinction between experience and tenure. Experience indicates whether a CIO has IT-related
experience, whereas tenure is an indication of how long they have been with the firm or at the current position. In
H2b we observe whether the CIO has past experience at a different firm or at the current firm, in H2c we observe
whether the CIO’s technology experience is enhanced by serving on the board of directors in other firms, in H2d we
observe whether the CIO is more effective when (s)he has long tenure and has been promoted through the ranks of
the firm, and in H2e we observe whether the CIO is more effective when (s)he holds the CIO position for a longer
period.
Hütter and Riedl (2017)
summarize the roles of the CIO position and designate responsibilities of security and privacy
under the relationship manager role because the CIO has to scan the external environment,
interact with stakeholders, and make changes in IT infrastructure and policies to meet
organizational needs. Cheng et al. (2017) examine the CIO’s interaction with her external
environment in the context of social learning through board interlocks and find that firms with
higher IT investments are associated with an interlocked firm’s IT investment level. Their
finding suggests that CIOs and top management learn the value of IT investment from their
involvement in other firms’ boards and allocate IT resources accordingly. In the context of the
risk of financial misstatement, Clements et al. (2015) find that when directors serve on multiple
boards there is a negative association with the number of material weaknesses in internal
controls. This finding also suggests that the board of directors expand their experience by serving
on other boards. Just as a CIO’s training can increase his/her human capital, exposure to other
industries and firms within one’s industry can also enhance the CIO’s knowledge of technology
advancements, technology management, IT risk management, emerging security threats, security
attack types, etc. Therefore, CIOs serving on another firm’s board of directors can broaden their
experience, which will better prepare them to be proactive rather than reactive.
Collectively, we expect that CIOs with past technology experience as well as external
board membership will be better equipped to prevent breaches from occurring, leading us to the
following experience related human capital hypotheses:
H2b: The likelihood of observing a reported breach for firms with a CIO is
negatively associated with their past technology experience.
H2c: The likelihood of observing a reported breach for firms with a CIO is
negatively associated with their external board membership experience.
CIO’s tenure
Tenure plays an important role in decision making because it is assumed that the longer
an executive stays with a firm the better they understand the business. We explore two aspects of
CIOs’ tenure. First, the CIO’s tenure with the firm indicates how long the current CIO has stayed
with the firm. Second, the CIO’s position tenure is how long the CIO has been in the current
position. If a firm hires a CIO from outside the firm, the CIO’s tenure with the firm and CIO’s
position tenure will be the same. On the contrary, if an employee is promoted through the ranks
to the CIO position, CIO’s tenure with the firm will be longer than the CIO’s position tenure.
Both aspects of tenure provide important information and experiences that enhance the CIO’s
cognitive base.
By staying longer in a firm, employees gain a greater knowledge of organizational goals
and power through formal power structures. As suggested by upper echelon theory, when a CIO
gets promoted through the company, the shared experiences will help the CIO work well with the
other top managers. Ng and Feldman (2010) mention that firm tenure is also useful in building
procedural knowledge. Further, they find that tenure in the firm is associated with core task
performance, citizenship behavior, and less counterproductive behavior. However, studies
confirm the relationship between tenure and performance to be curvilinear (Sturman 2003; Ng
and Feldman 2010). Uppal (2017) further investigates the curvilinear relationship and finds that
with longer tenure, specific job skills and knowledge become elementary and routinized leading
to a decline in job performance. In a security management context, we postulate that CIOs who
have risen through the ranks of a firm and have longer firm tenure may become so familiar with the
firm’s business, processes, and structures that, even when promoted to a new position, they may
continue existing routines rather than improvise and innovate. Given the changing nature of
cybersecurity risks, CIOs continually need to monitor risk and change their risk response and
management practices by changing the firm’s systems, processes, infrastructure, etc. However,
longer tenure with the firm may hinder the CIO from acquiring new skills and knowledge and
implementing innovative solutions to mitigate IT security risks.
Henderson et al. (2006) suggest that the negative longer-term association between tenure and
performance found in prior research can be attributed to the assumption of a stable external
environment. They argue that opportunities for adaptive learning will be limited by assuming a
fixed paradigm that does not change radically and a stable external environment. However, CIOs
cannot adhere to these assumptions because of the rapid changes in the environment due to
technological advancement. Despite the possibility that long tenure with the firm may hinder
change and reduce the CIO’s ability to prevent breaches, it is possible that job-specific tenure
(particularly as CIO), will enhance IT security. Simsek (2007) argues that job-specific skills can
be enhanced through better organizational knowledge and a track record of performing. The
dynamic nature of technology may rapidly and continuously change the CIO’s external
environment, increasing the complexity of the CIO’s job responsibility. Therefore, tenure at the
CIO position, even if it is at a different firm, may help the CIO expand their cognitive base
(Hambrick and Mason 1984). Werlinger et al. (2009) find 18 challenges related to technical,
human, and organizational factors that affect IT security management suggesting the complexity
of the CIO’s role. To respond to environmental changes, CIOs have to gain the trust of the CEO,
the board of directors, and business unit managers, implement the necessary policies and
procedures, and create awareness throughout the organization, all of which require building long-
term relationships. In addition, Burke et al. (2006) and Khallaf and Majdalawieh (2012) find that
CIO tenure is positively associated with greater technology adoption and the firm’s security
posture.13 Given these findings, we suggest that as the individual continues to work as a CIO in a
firm, (s)he will become familiar with the business, technology, business processes, and
management/staff, and hence will be able to be more involved in, and influence, the firm’s IT investments,
IT usage, and IT risk exposure. Since it takes time for a firm to identify, assess, and respond to
IT risk exposure, longer tenure CIOs are better able to assess vulnerabilities, implement controls,
and manage change than newer CIOs. Consequently, the CIO being better informed of the
current state of IT risk exposure will implement better controls to reduce the firm’s IT risk
exposure. This leads to our final human capital hypotheses relating to tenure:
H2d: The likelihood of observing a reported breach for firms with a CIO is
positively associated with their tenure at the firm.
H2e: The likelihood of observing a reported breach for firms with a CIO is
negatively associated with their tenure at the CIO position within the firm.
Structural Capital
Structural capital, identified in organizational research as an important component of
intellectual capital, includes the firm’s infrastructure, databases, processes, procedures, etc. that
enable the productive use of human capital. Kogut and Zander (1996) define structural capital as
elements that belong to the firm and facilitate its configuration as an entity providing coherence
and superior principles for coordination. Consequently, a firm’s structural capital enables
communication, collaboration, and knowledge sharing between IT and various functions. García-
Álvarez et al. (2011) suggest that structural capital has three dimensions: infrastructure, quality
evaluation processes, and technological effort. Further, some indicators proposed to measure the
three dimensions of structural capital include the organizational reporting structure, shared
strategic management, and organizational innovation and management.14 We discuss three
dimensions of structural capital below.
13 One limitation of the tenure measure used by Khallaf and Majdalawieh (2012) is that it is the total number of
years with a federal agency and does not separate the years spent in the CIO role from total years at the same agency
(years in the CIO role + years prior to holding the role).
Firm’s support for IT
An important dimension of structural capital is the technological effort in terms of
organizational innovation and development, protected internal and external knowledge, and non-
protected intellectual property (García-Álvarez et al. 2011). The level of IT investment, outside
recognition of IT infrastructure of a firm, board’s involvement through various technology-
related committees, etc. can be perceived as indications of a firm’s support of IT. Given the IT
risk context, one aspect of technological effort that might influence CIO effectiveness is the
importance of IT for the firm in providing strategic direction and operational efficiency. Vincent
et al. (2017) find that strategic use of IT is positively associated with IT risk exposure of the firm
indicating the more dependent the firm is on IT the more vulnerable it is to security incidents.
While a commitment to support IT would seem to reduce breach risk, it is also possible that a
commitment to IT and public recognition of that commitment could make the firm a more
attractive breach target.15 For example, press releases indicating innovation and new
technologies can inform hackers about potential known vulnerabilities in software applications
that can be exploited by cybercriminals, as a non-trivial percentage of known vulnerabilities
remain unpatched for more than a year (Sanders 2019). Further, when IT receives public
attention and endorsement, employees are more likely to embrace technological change in
the firm, which will further increase technology dependence and increase IT vulnerabilities.
14 García-Álvarez et al. (2011) propose the following measures: 1. Infrastructure: knowledge related to
organizational mission, knowledge related to business philosophy, organizational structure, social climate,
organizational stability, and social compromise with the environment. 2. Quality evaluation processes: business
management models, shared strategic management, strategic reflection processes, and organizational learning
capacity. 3. Technological effort: organizational innovation and development, protected internal and external
knowledge, and non-protected intellectual property.
15 Higgs et al. (2016) offer a similar signaling argument to explain the observed positive association between the
public disclosure of the formation of a board-level technology committee and reported breaches.
We, therefore, state our first structural capital hypothesis as:
H3a: The likelihood of observing a reported breach for firms with a CIO is
positively related to a recognized commitment to support IT.
The role and responsibilities of the CIO
The creation of the CIO position elevated technology to the C-suite and increased
appreciation for the use of technology in achieving business strategy. Research has found that the
market also views the CIO position as a value add to the firm, as evidenced by a positive reaction
to CIO appointment announcements (Chatterjee, Richardson, and Zmud, 2001). However, since
most CIOs came from a technical background, changing managements’ perception of CIOs from
a back-office mentality to a strategic thinker represented a significant challenge (Dunbar 2008).
Over the years, there has been debate as to whether the role and the responsibilities of the
CIO have changed from an IT manager to an IT strategist. In an observational study, Stephens et
al. (1992) found (from observations of the length of scheduled/unscheduled meetings,
interactions outside of the information technology unit, areas of responsibility, skilled reading of
situations, and participation in strategic meetings) that the CIO operates as an executive rather
than a functional manager. Further, Ball (2002) suggests that CIOs should also pay attention to
additional issues such as risk analysis, disaster recovery planning, employee protection, public
relations, and scenario planning. Overall, Chun and Mooney (2009) summarize this stream of
literature by categorizing the CIO roles into two distinct areas 1) CIOs that focus on invigorating
IT infrastructure to achieve ROI and 2) CIOs that focus on increasing revenue hence focus on
implementing new IS throughout the firm for business innovation.
As more firms create executive and senior vice president positions for the CIO, the
responsibilities of the CIO have expanded to include other non-IT-related responsibilities
(operations, mergers, and acquisitions integration, or strategic planning) as well (Rowsell-Jones
2007). Further, firms not recognizing the strategic nature of technology may give the
responsibility to manage IT to a non-IT executive burdening him/her with unfamiliar
responsibilities. When the CIO is burdened with many responsibilities, he/she might not be able
to provide adequate attention to IT issues. CIOs engaged in security management have to
consider many different aspects such as the strategic alignment of IT, operational needs, and
technology innovation while reducing risk exposure. Burdening them with non-IT-related
responsibilities can impose constraints on CIOs' time and cognitive ability. These constraints can
hinder the CIO from performing due diligence on security management. The busyness
hypothesis suggests that when an individual is asked to perform two or more tasks
simultaneously, they tend to make more errors (Gilbert and Hixon 1991; Gilbert and Osborne
1989). Individuals with more cognitive demands are unable to make more accurate inferences
than individuals with lesser cognitive demands. Based on the busyness hypothesis, we deduce
that CIOs with more responsibilities will be less effective in providing adequate IT risk
management practices.
H3b: The likelihood of observing a reported breach for firms with a CIO is
positively associated with having multiple responsibilities.
CIO’s executive position
Raghunathan and Raghunathan (1989) found the rank of the IT manager is significantly
associated with the strategic orientation of IT and the importance given to IT planning. Further,
they found that the CIO has an impact on IT strategy and IT planning only when (s)he is one
rank below the CEO hence reports directly to the CEO. Gottschalk (1999) found that firms with
a formal IT strategy are more likely to have a higher ranking CIO with more people reporting to
the CIO compared to firms without a formal IT strategy. Further, a firm’s strategic position
(product/service differentiation or cost leadership) may also determine the CIO reporting
structure (Banker et al. 2011). According to Banker et al., CIOs are more likely to report to the
CEO in firms with a product/service differentiation focus, whereas cost leaders are more likely to
have the CIO report to the CFO. Preston et al. (2008) find that the CIO’s structural power
(CIO rank) directly influences the CIO’s strategic decision-making authority and hence firm
performance. Further, studies show the positive influence of the CIO’s reporting structure on the
maturity of business/IT alignment (Luftman and Kempaiah 2007) and the maturity of IT risk
management practices (Vincent et al. 2017).
Chen et al. (2010) examine whether the CIO's structural power, measured based on
formal membership of the top management team and whether the CIO directly reports to the
CEO, impacts CIO leadership and find a positive association. Zafar et al. (2016) find that having
a CIO in the top management team helps firm performance (measured using Tobin’s q) after a
security breach. If executive management recognizes the importance of IT for business
operations and the consequences of IT vulnerabilities, they will likely create an executive
position within the firm to address IT issues. Consequently, the higher the CIO sits in the corporate
structure, the better informed the CEO will be of IT threats and opportunities. Further, a risk-aware
firm may be able to communicate and signal the importance of IT risk issues throughout the firm
by promoting the CIO to a higher rank. The higher the CIO’s position within the firm, the more
decision-making authority the CIO will have to influence risk management, create a risk-aware culture,
manage investments, etc. Further, Vincent et al. (2017) find that strategic and operational IT risk
management practices are more mature in firms where the CIO directly reports to the CEO. In
support of this argument, Feng and Wang (2019) argue and find that CIO risk aversion
(measured by compensation ratios16) is related to cybersecurity breaches only when the CIO has
structural power. Consequently, we expect that the CIO position will lead to a reduced risk of
breach for firms with higher ranking (more powerful) CIOs, which leads to our final structural
capital hypothesis:
H3c: The likelihood of observing a reported breach for firms with a CIO is
negatively associated with the CIO position being designated as a higher-level
executive.
III. SAMPLE & RESEARCH METHODOLOGY
Sample
To examine our hypotheses, we first identified firms in the S&P 500 for each year from
2005 through 2014.17 We then hand collected CIO data for each of these firms for each year of
our sample. The first step was to identify the CIO. This process involved visiting SEC forms 10-
K and DEF 14-A, the corporate website, and searching the web for corporate announcements of
CIO appointments in news and magazine articles. For each CIO identified, we performed a
search on LinkedIn.com, Boardroominsiders.com, and Bloomberg.com for the executive’s
profile. The collected data include the CIO’s gender, age, degree type, responsibilities, past
experience, external board involvements, title, and tenure with the firm. After eliminating
observations missing data required for our control variables, our sample consists of 6,203 firm-
year observations.
16 Feng and Wang (2019) restrict their analysis to CIOs with available compensation data in EXECUCOMP,
naturally restricting their sample to only highly compensated CIOs (proxy statement disclosures are only required
for the top 5 highest paid employees). We do not impose this restriction on our sample of CIOs, and
consequently we are unable to obtain compensation data for many of our CIOs. Therefore, we only examine the
main effect of assigning more power to the CIO on the likelihood of reporting a breach.
17 Given that our CIO data had to be hand collected from various sources, we restricted the firms in our sample to
S&P 500 firms. Restricting the sample to larger (and oftentimes more high-profile) firms allows us to collect more
granular attributes about the CIO role (prior experience, education, other board involvement, etc.) that are not as
readily available for smaller firms. An additional benefit of restricting the sample to only S&P 500 firms is that our
sample naturally excludes small firms that may lack the resources to have a separate CIO position. A limitation of
this sample selection criterion is that our results may not generalize to smaller firms.
Consistent with prior research (Higgs et al. 2016; Haislip et al. 2018; Smith et
al. 2019), our breach data comes primarily from privacyrights.org, where we identify 355 firm-
year breach observations. We then perform a propensity score matching procedure so that our
non-breach observations are similar to our breach observations to strengthen the inferences one
can draw from our study. Our matching technique requires that each non-breach observation be
within a three percent caliper distance of our breach firms, which reduces our sample to 276
breach observations and 276 non-breach observations to conduct our test of H1. We further
restrict our sample to only CIO observations to conduct the tests of H2 and H3 on 206 firm-year
observations. Table 1 provides additional details about how we arrive at our sample.
<<< Insert Table 1 Here >>>
In Table 2 we report the breakdown of our breach observations by year and industry in
our sample. Comparing breach occurrence over time reveals that the fewest number of breaches
in our sample occurred in 2009 (12 breaches) while the greatest number of breaches in our
sample occurred in 2007 (40 breaches). While we have a number of industries represented in our
sample of breaches, the majority of our breaches occur in the Finance, Insurance, & Real Estate
(32.25%), Services (21.74%), and Manufacturing (21.01%) industries. In addition, very few
breaches occur in the Mining (0.36%), Wholesale Trade (0.72%), or Construction (1.45%)
industries.
<<< Insert Table 2 Here >>>
Research Methodology
As previously alluded to, we employ a propensity score matching technique based on the
estimation of the following model to eliminate non-breach firms that are not similar to our
breach firms. Consistent with prior research (Higgs et al. 2016; Smith et al. 2019) our matching
model includes firm-specific variables related to performance, governance, and the external
auditor. We obtain financial performance and external auditor variables from COMPUSTAT and
Audit Analytics, respectively. We use Seek iNF (Search Engine to Extract Knowledge from
Industry Filings) to obtain our governance variables (RISK, COMPLIANCE, and
TECHNOLOGY) by searching the same keywords as Smith et al. (2019) to identify firms with
risk, compliance, and technology committees. We then estimate the following model to perform
our propensity score matching technique:
$$
\begin{aligned}
\Pr(\text{BREACH}_{i,t} = 1) = F\big[\, & \beta_0 + \beta_1 \text{INTANGIBLES}_{i,t} + \beta_2 \text{RISK}_{i,t} + \beta_3 \text{COMPLIANCE}_{i,t} \\
& + \beta_4 \text{TECHNOLOGY}_{i,t} + \beta_5 \text{LNASSETS}_{i,t} + \beta_6 \text{LEVERAGE}_{i,t} + \beta_7 \text{RD}_{i,t} \\
& + \beta_8 \text{LAG\_LNAUDFEES}_{i,t} + \beta_9 \text{LOSS}_{i,t} + \beta_{10} \text{INADEQUATE}_{i,t} \\
& + \beta_{11} \text{PAST\_BREACH}_{i,t} + \text{YEAR\_FIXED\_EFFECTS}_{i,t} \\
& + \text{INDUSTRY\_FIXED\_EFFECTS}_{i,t} + \varepsilon \,\big]
\end{aligned}
\qquad (1)^{18}
$$
Our matching procedure involves selecting one non-breach firm from the same industry
and year as a breach firm having a similar predicted probability of a breach (within a 3 percent
caliper distance). This one-to-one matching technique provides us with 276 breach
announcement observations and 276 non-breach announcement observations with a similar
probability of announcing a breach. This approach is similar to what has been done in prior
breach research (see Smith et al. 2019), and the reason for performing this match is to eliminate
non-breach firm-year observations that are not similar to a breach firm-year observation. This
allows us to have a balanced sample of similar firm-year observations where half of the sample
announces a breach and the other half of the sample does not. Model (1) is reported in Table 3.
Consistent with Higgs et al. (2016) and Smith et al. (2019), we report positive coefficient
estimates for size (LNASSETS), prior breaches (PAST_BREACH), and one of our measures of
intellectual property (INTANGIBLES) that likely make the firm a more financially attractive
breach target. We also find that firms with voluntary COMPLIANCE committees on their board
are more likely to report a breach. Finally, we report an area under the ROC of 0.872, suggesting
that the model used to conduct our match has adequate fit.
18 All variable definitions are provided in Appendix A.
<<< Insert Table 3 Here >>>
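The caliper match and the ROC check described in this subsection, as an added example (this is not code from the paper): one-to-one nearest-neighbour matching within industry-year strata on a predicted breach probability, with a 3 percent caliper and without replacement, followed by the rank-based area under the ROC curve used to judge a matching model's fit. The firm-years, industries and predicted probabilities are constructed for illustration, and the tie-breaking and without-replacement choices are assumptions, since the paper does not state them.

```python
"""Added example (not the paper's own code): propensity-score caliper matching
within industry-year strata and an AUROC fit check, in pure Python.
All firm-years below are constructed; p_breach stands in for Model (1) output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirmYear:
    firm: str
    industry: str    # stratum used for the match (e.g. SIC division)
    year: int
    breach: int      # 1 if the firm announced a breach in year t
    p_breach: float  # predicted Prob(BREACH = 1) from the matching model


def caliper_match(obs, caliper=0.03):
    """Pair each breach firm-year with the nearest non-breach firm-year from the same
    industry and year whose predicted probability lies within `caliper`.

    Controls are used at most once (matching without replacement, an assumption);
    a breach firm-year with no eligible control is dropped rather than matched poorly.
    """
    controls = {}
    for o in obs:
        if o.breach == 0:
            controls.setdefault((o.industry, o.year), []).append(o)
    used = set()
    pairs = []
    for t in (o for o in obs if o.breach == 1):
        best = None
        for c in controls.get((t.industry, t.year), []):
            if c.firm in used:
                continue
            gap = abs(c.p_breach - t.p_breach)
            if gap <= caliper and (best is None or gap < best[0]):
                best = (gap, c)
        if best is not None:
            used.add(best[1].firm)
            pairs.append((t, best[1]))
    return pairs


def auroc(labels, scores):
    """Area under the ROC curve via the rank (Mann-Whitney) statistic: the share of
    (positive, negative) pairs in which the positive scores higher, ties counting one half."""
    pos = [s for y, s in zip(labels, scores) if y == 1]
    neg = [s for y, s in zip(labels, scores) if y == 0]
    if not pos or not neg:
        raise ValueError("both classes are required")
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


def balance_gap(pairs):
    """Mean absolute difference in predicted probability across matched pairs;
    a small value is what a balanced matched sample should show."""
    return sum(abs(t.p_breach - c.p_breach) for t, c in pairs) / len(pairs)


# Constructed sample: three breach firm-years and five candidate controls.
SAMPLE = [
    FirmYear("B1", "Finance", 2010, 1, 0.40),
    FirmYear("B2", "Finance", 2010, 1, 0.10),        # no control within the caliper
    FirmYear("B3", "Services", 2011, 1, 0.50),
    FirmYear("C1", "Finance", 2010, 0, 0.42),
    FirmYear("C2", "Finance", 2010, 0, 0.39),        # nearest to B1
    FirmYear("C3", "Finance", 2010, 0, 0.20),
    FirmYear("C4", "Services", 2011, 0, 0.52),
    FirmYear("C5", "Manufacturing", 2011, 0, 0.50),  # same p as B3, wrong industry
]

if __name__ == "__main__":
    matched = caliper_match(SAMPLE)
    for t, c in matched:
        print(f"{t.firm} <-> {c.firm}")
    print("mean caliper gap:", round(balance_gap(matched), 3))
    print("AUROC of the constructed scores:",
          round(auroc([o.breach for o in SAMPLE], [o.p_breach for o in SAMPLE]), 3))
```

Running the block pairs B1 with C2 and B3 with C4; B2 is dropped because no Finance-2010 control lies within 0.03 of its probability, and C5 is never considered despite an identical probability because the match is restricted to the same industry and year.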
Model for testing our hypotheses
We test our hypotheses by estimating a breach prediction model on our matched sample.
We recognize that firms self-select with respect to whether (or not) to create a CIO role. To
address the self-selection problem we follow Heckman (1979) and estimate the following CIO
selection model, which includes variables used in our main breach model, as well as two
exclusion variables (CEO_AGE, and CEO_GENDER) which we expect to be associated with the
likelihood of having a CIO but not with the likelihood of reporting a breach (Lennox et al. 2012).
We chose CEO_AGE because prior research suggests that older CEOs tend to make different
decisions than younger CEOs in other strategic contexts. As a CEO ages, he/she develops a
portfolio of personal values, experiences, and mindsets that shape his or her attitudes and
behaviors. These attitudes and behaviors are eventually reflected in organizational actions and
outcomes (Davidson, Nemec, and Worrell, 2006). Aging induces certain psychological changes
such as changes in values, needs, expectations, and mindsets (Rhodes 1983) which could
eventually affect the attitudes and preferences that an individual holds toward various strategic
issues facing the firm. Consequently, strategic choices such as whether to appoint a CIO may
then reflect the preferences and interests of the CEO. Extant literature in accounting also
suggests a positive association between age and ethical behavior. Huang et al. (2012) find that
the older the executive, the more likely he/she acts ethically hence has higher financial reporting
quality. Al Shammari (2018) finds that as the CEO’s age increases the risk-taking behavior is
weakened. For example, Yim (2013) finds that younger CEOs are more likely to engage in
acquisitions relative to older CEOs. Consequently, an older CEO may be more likely to hire a
CIO to help him/her make more informed decisions concerning technology issues and reduce the
IT risk exposure of the firm. We, therefore, anticipate that there will be a difference in the
propensity to disclose a CIO position based on the age of the CEO. In addition, research has
examined gender-based leadership style differences, concluding that - among other things -
female CEOs are less likely to exhibit behaviors linked to overconfidence (Huang and Kisgen
2013) and are more likely to delegate (Statham 1987). Further, Faccio et al. (2016) document
statistically significant differences in corporate risk-taking based on the CEO’s gender. They find
that female CEOs have lower leverage, less volatile earnings, and a higher chance of survival
than firms run by male CEOs. Consequently, the gender of the CEO may also influence whether
the CEO creates and hires a CIO to manage and reduce the firm’s IT risk exposure. Importantly,
while we expect that CEO age and gender will be associated with the likelihood of having a CIO, we do
not expect that CEO age or gender would be associated with disclosing a breach.19 We then
include the inverse Mills ratio from this estimation of the following model (Model (2)) in our
breach prediction models used to test our hypotheses:
$$\text{Prob}(\text{CIO}_{i,t}=1) = F[\beta_0 + \beta_1\,\text{CEO\_AGE}_{i,t} + \beta_2\,\text{CEO\_GENDER}_{i,t} + \beta_3\,\text{INTANGIBLES}_{i,t} +
\beta_4\,\text{RISK}_{i,t} + \beta_5\,\text{COMPLIANCE}_{i,t} + \beta_6\,\text{TECHNOLOGY}_{i,t} + \beta_7\,\text{LNASSETS}_{i,t} +
\beta_8\,\text{LEVERAGE}_{i,t} + \beta_9\,\text{RD}_{i,t} + \beta_{10}\,\text{LOSS}_{i,t} + \beta_{11}\,\text{INADEQUATE}_{i,t} + \beta_{12}\,\text{PAST\_BREACH}_{i,t} +
\text{YEAR\_FIXED\_EFFECTS}_{i,t} + \text{INDUSTRY\_FIXED\_EFFECTS}_{i,t} + \varepsilon] \quad (2)^{20}$$
19 Prior research has found that personal characteristics such as age and gender are also associated with risk
preference (Cohn et al. 1975; Donkers et al. 2001; Feng and Wang 2019), which one could argue could also be
associated with the likelihood of observing a disclosed breach.
20 As a sensitivity, we substitute a measure of overconfidence - based on whether an executive continues to hold
vested options that have appreciated more than 40 percent since grant date (Malmendier et al. 2011) - in place of our
CEO_AGE and CEO_GENDER variables in model (2). Our tabulated results are robust to this alternative approach
for calculating IMR.
$$\text{Prob}(\text{BREACH}_{i,t}=1) = F[\beta_0 + \beta_1\,\text{CIO}_{i,t} + \beta_2\,\text{INTANGIBLES}_{i,t} + \beta_3\,\text{RISK}_{i,t} +
\beta_4\,\text{COMPLIANCE}_{i,t} + \beta_5\,\text{TECHNOLOGY}_{i,t} + \beta_6\,\text{LNASSETS}_{i,t} + \beta_7\,\text{LEVERAGE}_{i,t} +
\beta_8\,\text{RD}_{i,t} + \beta_9\,\text{LAG\_LNAUDFEES}_{i,t} + \beta_{10}\,\text{LOSS}_{i,t} + \beta_{11}\,\text{INADEQUATE}_{i,t} +
\beta_{12}\,\text{PAST\_BREACH}_{i,t} + \beta_{13}\,\text{CRO}_{i,t} + \beta_{14}\,\text{ERM}_{i,t} + \beta_{15}\,\text{CRO\_RESP\_ERM}_{i,t} + \beta_{16}\,\text{IMR}_{i,t} +
\text{YEAR\_FIXED\_EFFECTS}_{i,t} + \text{INDUSTRY\_FIXED\_EFFECTS}_{i,t} + \varepsilon] \quad (3)$$
We report the estimation of Model (2) in Table 4 and report significant coefficient
estimates for nearly all control variables. We also report significant coefficient estimates for both
CEO_AGE and CEO_GENDER, providing support for using these two variables in the first
stage model. As an untabulated falsification test, we add CEO_AGE and CEO_GENDER as
additional variables to our breach prediction model and do not estimate significant coefficients
for either variable. This provides additional support for the appropriateness of including these
two variables in our CIO prediction model and excluding them from our breach prediction
models. We also find that firms are more likely to have a CIO if they are larger and in better
financial health, have intangible assets, and formed voluntary risk committees. They are less
likely to have a CIO if they have a technology committee on the board. Most relevant to our
study among our control variables, we find that firms are more likely to have a CIO if they have
suffered a breach in the past, which may suggest that firms hire CIOs following a breach. Model
(2), similar to Model (1), also appears to be well specified with an area under the ROC of 0.808.
Collectively, the regression estimates reported in Tables 3 and 4 are consistent with prior
research and help alleviate concerns over non-random breach disclosures and CIO self-selection.
<<< Insert Table 4 Here >>>
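The two-stage Heckman correction described above, as an added example (not the paper's own code): a first-stage CIO selection index that includes the exclusion variables CEO_AGE and CEO_GENDER, the inverse Mills ratio computed from that index, and the IMR appended to each firm-year as the extra regressor for the breach model while the exclusion variables are left out of stage two. The stage-one coefficients and firm-years are constructed for illustration and are not the paper's Table 4 estimates; using the φ(z)/Φ(z) form for CIO firms and the −φ(z)/(1−Φ(z)) form for non-CIO firms is an assumption about how the ratio is carried into a second stage that keeps both groups.

```python
"""Added example (not the paper's own code): Heckman (1979) inverse Mills ratio for a
binary first stage, in pure Python. Coefficients and firm-years are constructed."""
import math


def norm_pdf(z: float) -> float:
    """Standard normal density phi(z)."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def norm_cdf(z: float) -> float:
    """Standard normal distribution function Phi(z), via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def inverse_mills(z: float, selected: int) -> float:
    """IMR for an observation with first-stage probit index z.

    selected = 1 (firm discloses a CIO):  phi(z) / Phi(z)
    selected = 0 (no CIO disclosed):      -phi(z) / (1 - Phi(z))
    Using both forms (an assumption; the paper does not print its formula) gives one
    IMR column that can be included for every firm-year in the stage-two breach model.
    """
    if selected:
        return norm_pdf(z) / norm_cdf(z)
    return -norm_pdf(z) / (1.0 - norm_cdf(z))


# Constructed stage-one coefficients (hypothetical, NOT the paper's estimates).
STAGE1_COEF = {
    "const": -2.0,
    "CEO_AGE": 0.03,      # exclusion variable: appears in stage one only
    "CEO_GENDER": 0.4,    # exclusion variable: appears in stage one only
    "LNASSETS": 0.15,
    "PAST_BREACH": 0.8,
}
EXCLUSION_VARS = ("CEO_AGE", "CEO_GENDER")


def first_stage_index(row: dict) -> float:
    """z_i = beta_0 + sum_k beta_k * x_ik over the stage-one regressors."""
    z = STAGE1_COEF["const"]
    for name, beta in STAGE1_COEF.items():
        if name != "const":
            z += beta * row[name]
    return z


def add_imr(rows: list) -> list:
    """Return copies of the firm-years with an IMR field for the stage-two model.
    The exclusion variables are dropped, which is what makes the correction identified
    by more than functional form."""
    out = []
    for r in rows:
        z = first_stage_index(r)
        stage2 = {k: v for k, v in r.items() if k not in EXCLUSION_VARS}
        stage2["IMR"] = inverse_mills(z, r["CIO"])
        out.append(stage2)
    return out


# Constructed firm-years (illustrative values only).
SAMPLE = [
    {"firm": "A", "CIO": 1, "CEO_AGE": 60, "CEO_GENDER": 0, "LNASSETS": 9.0, "PAST_BREACH": 1},
    {"firm": "B", "CIO": 0, "CEO_AGE": 45, "CEO_GENDER": 1, "LNASSETS": 7.5, "PAST_BREACH": 0},
]

if __name__ == "__main__":
    for r in add_imr(SAMPLE):
        print(r["firm"], "IMR =", round(r["IMR"], 4))
```

For a CIO firm the ratio shrinks as the index z grows (a firm that was almost certain to have a CIO carries little selection information), while for a non-CIO firm with a high index the ratio is large and negative; the stage-two coefficient on IMR then absorbs the correlation between the two equations' errors.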
In addition to the variables included in our breach prediction model used to conduct our
match (see Model (1) above) we also include additional firm-specific variables in our breach
prediction models used to test our hypotheses (see Model (3) above and Model (4) below) to
control for other roles and/or characteristics that may influence the likelihood of a breach and also
may influence how involved the CIO is in managing risks associated with breaches. These
variables need to be hand collected, and thus we only collect them for our matched sample of
observations (n=552), which precludes us from including them in the initial breach prediction
model that is estimated on the full sample of 6,203 firm-year observations. Specifically, we collect
additional variables for our matched sample regarding whether they disclose the presence of a
Chief Risk Officer (CRO), an Enterprise Risk Management (ERM) program, and if the CRO is
charged with overseeing the ERM program.21
21 We gather this data primarily from the proxy statements. In some cases the firm discloses an ERM program, but
is silent on who is responsible for overseeing it. In other cases, the board of directors or a committee within the
board of directors supervises it.
The variable of interest in Model (3) related to our first hypothesis is CIO, where a positive
(negative) coefficient estimate for β1 would suggest that having a CIO increases (decreases) the
likelihood of a breach.
We test H2 and H3 through the estimation of the following Model (4):
$$\text{Prob}(\text{BREACH}_{i,t}=1) = F[\beta_0 + \beta_1\,\text{AGE}_{j,t} + \beta_2\,\text{TECH\_UNDERGRAD}_{j,t} + \beta_3\,\text{TECH\_GRAD}_{j,t} +
\beta_4\,\text{PAST\_TECH\_EXP\_IN}_{j,t} + \beta_5\,\text{PAST\_TECH\_EXP\_OUT}_{j,t} + \beta_6\,\text{OTHER\_BOARD}_{j,t} +
\beta_7\,\text{FIRM\_TENURE}_{j,t} + \beta_8\,\text{POSITION\_TENURE}_{j,t} + \beta_9\,\text{IW500}_{i,t} + \beta_{10}\,\text{MULTY\_DUTY}_{i,t} +
\beta_{11}\,\text{EXEC}_{i,t} + \beta_{12}\,\text{INTANGIBLES}_{i,t} + \beta_{13}\,\text{RISK}_{i,t} + \beta_{14}\,\text{COMPLIANCE}_{i,t} +
\beta_{15}\,\text{TECHNOLOGY}_{i,t} + \beta_{16}\,\text{LNASSETS}_{i,t} + \beta_{17}\,\text{LEVERAGE}_{i,t} + \beta_{18}\,\text{RD}_{i,t} +
\beta_{19}\,\text{LAG\_LNAUDFEES}_{i,t} + \beta_{20}\,\text{LOSS}_{i,t} + \beta_{21}\,\text{INADEQUATE}_{i,t} + \beta_{22}\,\text{PAST\_BREACH}_{i,t} +
\beta_{23}\,\text{CRO}_{i,t} + \beta_{24}\,\text{ERM}_{i,t} + \beta_{25}\,\text{CRO\_RESP\_ERM}_{i,t} + \beta_{26}\,\text{IMR}_{i,t} + \text{YEAR\_FIXED\_EFFECTS}_{i,t}
+ \text{INDUSTRY\_FIXED\_EFFECTS}_{i,t} + \varepsilon] \quad (4)$$
We estimate this model on both our matched sample as well as a subsample of only firm-year
observations where CIO=1. The variables of interest in the tests of our human capital
hypotheses (H2) include TECH_UNDERGRAD (H2a), TECH_GRAD (H2a),
PAST_TECH_EXP_IN/OUT (H2b), OTHER_BOARD (H2c), FIRM_TENURE (H2d), and
POSITION_TENURE (H2e) where negative coefficient estimates are predicted on β2 (H2a),
β3 (H2a), β4 (H2b), β5 (H2b), β6 (H2c), and β8 (H2e), and a positive coefficient estimate is predicted
on β7 (H2d). We measure two aspects of CIO education. The CIO’s educational background is
measured based on whether the CIO has a technical undergraduate degree
(TECH_UNDERGRAD). Technical backgrounds represent degrees in fields such as computer
science and computer engineering, with a comprehensive list included in Appendix B. All other
degrees are categorized as non-technical. Further, we measure the CIO’s level of graduate-level
education based on whether they have completed a graduate technical degree (TECH_GRAD).
We identify CIOs as having prior tech experience (PAST_TECH_EXP_IN/OUT) if the CIO has
IT-related work experience within their own firm or from a different firm. For each CIO, we look
at their prior work experience and determine if they held any technical position prior to the
current appointment (for example: information security associate, IT director, full-stack developer,
IT consultant, Chief Technology Officer, Chief Information Officer, etc.). If the individual had
technology experience outside the firm, PAST_TECH_EXP_OUT = 1, if the experience is inside
the firm then PAST_TECH_EXP_IN = 1, else 0. We also identify CIOs who sit on outside
boards (OTHER_BOARD). Finally, our tenure variables are log-transformed measures of the
number of years that the individual has been at the firm (FIRM_TENURE) as well as at the CIO
position (POSITION_TENURE).22
22 Approximately half of the CIOs in our sample are hired from other firms, so their FIRM_TENURE =
POSITION_TENURE. However, for the CIOs that are hired before being appointed to CIO the mean (median) years
that a CIO has been with the firm is 14.71 (12), while they have been a CIO for mean (median) 3.65 (3) years. The
POSITION_TENURE variable is remarkably similar for those firms that hire external CIOs with a mean (median)
3.86 (3) years, suggesting that our POSITION_TENURE variable is not simply capturing whether the CIO was
appointed from within or hired externally.
The variables of interest in the tests of our structural capital hypotheses (H3) include
IW500 (H3a), MULTY_DUTY (H3b), and EXEC (H3c) where positive coefficient estimates are
predicted on β9 (H3a), β10 (H3b), and a negative coefficient estimate is predicted on β11 (H3c). It is
worth noting that a number of our Model (3) breach model control variables (e.g. RISK,
TECHNOLOGY, COMPLIANCE, CRO, ERM) are also likely to capture various forms of
structural capital dimensions. Please see Figure 1 for a summary of our hypotheses and findings.
<<< Insert Figure 1 Here >>>
IV. RESULTS
Hypothesis 1 - Univariate analysis
We report the descriptive statistics of the variables used in our Model (3) estimation in
Panel A of Table 5. The first three columns present the mean, median, and standard deviation of
the full sample, with the final two columns presenting the means, conditioned on whether the
observation represents a breach observation or a non-breach observation. The table begins with
our control variables, where we report that 18 (11) [4] percent of our sample disclose the
presence of a voluntary risk (compliance) [technology] committee on their board of directors. In
addition, 12 percent of the firms in our sample report a loss and 15 percent have disclosed a
breach in the past. The final three columns are potentially more informative, as they show very
few significant differences among our control variables. Specifically, when we break the sample
into the breach and non-breach observations we find that with the exception of TECHNOLOGY
and LAG_LNAUDFEES all of the control variables (including CRO and ERM) are
insignificantly different23, providing additional support for the effectiveness of our matching
technique. It also highlights the importance of the inclusion of the inverse Mills ratio to control
for selection bias in our main analysis, as this variable is also significantly different between the
breach and non-breach observations.
23 These differences are consistent with Higgs et al. (2016) and Smith et al. (2019) who similarly note significantly
higher incidence of technology committees and higher audit fees for breach firms relative to non-breach firms
among a matched sample.
The test variable is presented at the bottom of Panel A of Table 5. We note that CIOs are
much more prevalent among our breach observations (52.5%) relative to our non-breach
observations (22.1%), which suggests that there is likely to be a positive relation between CIO
and breach in our multivariate tests, consistent with rejecting H1.
<<< Insert Table 5 Here >>>
We report the pairwise Pearson correlations in Panel B of Table 5. Consistent with the
presence of a CIO increasing the likelihood of a breach, we observe a positive correlation
between BREACH and CIO (0.315, p-value<0.01), providing additional support in favor of
rejecting our null H1. With respect to our control variables, we report a positive correlation
between TECHNOLOGY and BREACH and our IMR variable and BREACH. We note that
there are several very high correlations between our human capital and structural capital proxies.
To alleviate concerns that severe multicollinearity could negatively impact the interpretability of
our results we estimate and report variance inflation factors (VIF) for all of our regressions. We
note that despite these high correlations, VIFs for all test variables are below the conventional
cut-off of 10 (Feng et al. 2009).
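The correlation and variance inflation factor checks described in this paragraph, as an added example (not the paper's own code): pairwise Pearson correlations, VIF_j = 1/(1 − R_j²) from regressing each proxy on the remaining proxies with an intercept, and the conventional cut-off of 10 applied to flag variables whose collinearity would make coefficient estimates hard to interpret. The three columns are constructed so that two are orthogonal and the third is almost their sum; they are not the paper's variables.

```python
"""Added example (not the paper's own code): Pearson correlations and VIFs in pure
Python (normal equations + Gaussian elimination). All data below is constructed."""


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5


def solve(M, v):
    """Solve the square system M x = v by Gaussian elimination with partial pivoting."""
    k = len(v)
    aug = [list(M[i]) + [v[i]] for i in range(k)]
    for col in range(k):
        piv = max(range(col, k), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        if abs(aug[col][col]) < 1e-12:
            raise ValueError("singular design matrix (perfect collinearity)")
        for r in range(col + 1, k):
            f = aug[r][col] / aug[col][col]
            for c in range(col, k + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * k
    for i in range(k - 1, -1, -1):
        x[i] = (aug[i][k] - sum(aug[i][j] * x[j] for j in range(i + 1, k))) / aug[i][i]
    return x


def ols_r2(y, X):
    """R-squared from regressing y on the columns in X plus an intercept.
    The normal equations are adequate for the handful of regressors a VIF needs."""
    n = len(y)
    A = [[1.0] + [col[r] for col in X] for r in range(n)]
    k = len(A[0])
    AtA = [[sum(A[r][i] * A[r][j] for r in range(n)) for j in range(k)] for i in range(k)]
    Aty = [sum(A[r][i] * y[r] for r in range(n)) for i in range(k)]
    b = solve(AtA, Aty)
    ybar = sum(y) / n
    sst = sum((v - ybar) ** 2 for v in y)
    ssr = sum((y[r] - sum(A[r][i] * b[i] for i in range(k))) ** 2 for r in range(n))
    return 1.0 - ssr / sst


def vif(columns):
    """VIF_j = 1 / (1 - R_j^2), where R_j^2 comes from regressing column j on all others."""
    out = []
    for j, col in enumerate(columns):
        others = [c for i, c in enumerate(columns) if i != j]
        r2 = ols_r2(col, others)
        out.append(float("inf") if r2 >= 1.0 else 1.0 / (1.0 - r2))
    return out


def flag_collinear(names, columns, cutoff=10.0):
    """Names of the variables whose VIF exceeds the cut-off (10 is the usual rule of thumb)."""
    return [n for n, f in zip(names, vif(columns)) if f > cutoff]


# Constructed columns: X1 and X2 are centred and orthogonal; X3 is almost X1 + X2.
X1 = [1.0, -1.0, 1.0, -1.0]
X2 = [1.0, 1.0, -1.0, -1.0]
X3 = [2.1, 0.0, 0.0, -2.0]

if __name__ == "__main__":
    print("corr(X1, X2) =", pearson(X1, X2))
    print("VIF without X3:", vif([X1, X2]))
    print("VIF with X3:", [round(v, 1) for v in vif([X1, X2, X3])])
    print("flagged:", flag_collinear(["X1", "X2", "X3"], [X1, X2, X3]))
```

With only X1 and X2 both VIFs are exactly 1; adding X3 pushes every VIF far above 10 even though no single pairwise correlation is 1, which is why the paper reports VIFs rather than relying on the correlation matrix alone.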
Hypothesis 1 - Multivariate Analysis
We report the coefficient estimates of Model (3), used to test H1, in Table 6. Given that
we include variables not in our CIO prediction model (CRO, ERM, CRO_RESP_ERM), we report
Model (3) both without (first estimation) and with (second estimation) these variables included.
Consistent with our univariate statistics, we estimate a positive and significant coefficient
estimate on CIO for both estimations (0.875, p-value <0.01; 0.895, p-value<0.01), suggesting
that even after controlling for the likelihood of a firm having a CIO (with our IMR variable that
is also significant), and not considering any human or structural capital dimensions related to the
CIO function, that firms with CIOs are more likely to be breached. This finding supports the
rejection of H1 and is consistent with the Higgs et al. (2016) finding regarding technology
committees. We also report the variance inflation factors and note that they are all well below the
conventional cut-off of 10, suggesting that severe multicollinearity is not adversely influencing
our estimates. Finally, despite our relatively small sample, we note an area under the ROC curve
of 0.725, suggesting that Model (3) provides an adequate fit.
<<< Insert Table 6 Here >>>
Hypotheses 2
After testing whether having a CIO is associated with being breached (H1), our human
capital (H2) and structural capital (H3) tests provide a more granular examination of the ways in
which different CIO characteristics may incrementally increase or decrease the likelihood of
observing a reported breach. We report descriptive statistics related to our H2 and H3 variables
in Panel A of Table 7. Regarding our descriptive statistics, over 70 percent of our sample of
CIO firms announce a breach. We further note that while over 40 percent of the firms with CIOs
are listed in the Information Week 500, less than 14 percent have elevated the CIO role to an
executive position. We also note that less than 40 (17) percent of our CIOs have undergraduate
(graduate) technology degrees. Further, over 50 (76) percent of CIOs have gained past
technology experience within (outside) the current firm before assuming the CIO role. Finally,
we note that about half of the CIOs in our sample serve as a board member of another firm.
We report the coefficient estimates of Model (4) in Panel B of Table 7. The first set of
columns reports regression estimates using our full matched sample (n=552), where the H2 and
H3 variables among non-CIO firms are assigned a value of zero and thus the CIO indicator
variable in Model (3) is permitted to vary based on the various human capital and structural
capital measures. The second set of columns reports regression estimates on only those firm-year
observations with a CIO (n=206). Consistent with the predicted effects of human capital (H2),
we find evidence that past tech experience obtained from within the firm
(PAST_TECH_EXP_IN: Match Sample = -0.489, p-value = 0.04; CIO-only = -1.001, p-value
<0.01), external board membership (OTHER_BOARD: Match Sample = -0.436, p-value=0.02;
CIO-only = -0.356, p-value = 0.09), and tenure as CIO (POSITION_TENURE: Match Sample =
-0.781, p-value=0.01; CIO-only = -0.604, p-value = 0.09) appear to be associated with fewer
reported breaches possibly indicating the CIO’s effectiveness in preventing and managing risks
associated with breaches. We further find, as predicted, that tenure at the firm appears to increase
the likelihood that a CIO will be associated with a reported breach (FIRM_TENURE: Match
Sample = 1.101, p-value<0.01; CIO-only = 1.300, p-value = 0.01), but do not find evidence that
possessing a technical degree at either the undergraduate or graduate level impacts the likelihood
of a breach. In sum, we find support for H2b, H2c, H2d, and H2e; but are unable to find support
for H2a. Consistent with the predicted effects of structural capital (H3), we find limited evidence
that firms identified as having a commitment to IT (IW500: Match Sample=0.331, p-value=0.08)
and CIOs that are charged with responsibilities outside of technology (MULTY_DUTY: Match
Sample=0.594, p-value=0.08) are associated with more reported breaches. However, these findings are limited to our larger match sample
analysis. We are also unable to find any evidence that the CIO being designated as an executive-
level position is associated with the likelihood of observing a reported breach. Collectively, we
find limited support for H3a and H3b; but are unable to find support for H3c. Regarding our
control variables, consistent with prior research we find that firms with weaker internal controls
over financial reporting are more likely to report a breach. We further find that while board-level
risk committees reduce the likelihood of a reported breach, firms with compliance committees
are more likely to report a breach.24 Finally, we note that our IMR variable becomes insignificant
when we restrict our sample to only those observations where the firm has a CIO, suggesting that
self-selection is less of a concern when we focus our analysis on firms that have already made
the decision to appoint a CIO.
<<< Insert Table 7 Here >>>
Supplemental Analysis
Prior breach research has found that associations between test variables and breaches
often vary based on the source of the breach. For example, Higgs et al. (2016) find that the
positive association between the formation of a board-level technology (risk and compliance)
committee and breaches is constrained to external (internal) breaches. In addition, Feng and
Wang (2019) find that CIO risk aversion is negatively (not) associated with the likelihood of
observing internal (external) breaches. We therefore separately estimate Model (3) and Model
(4) conditional on the source of the breach. We have 186 reported external breaches in our
sample and 90 reported internal breaches in our sample. We, therefore, remove the 90 internal
breach (186 external breach) observations and re-estimate our models to separately test our
hypotheses for external (internal) breaches.
The results from this analysis are reported in Table 8, with Panel A presenting coefficient
estimates for Model (3) on our matched sample and Panel B presenting coefficient estimates for
Model (4) on our CIO-only subsample. With respect to Panel A, we estimate positive coefficient
estimates on CIO for both external breaches (1.025, p-value < 0.01) and internal breaches (0.652,
p-value < 0.01). Although the magnitude of the coefficient for the external breaches appears
larger than the internal breaches, estimating a significant coefficient for both internal and
external breaches provides a novel contribution to the breach literature that has thus far failed to
find that overall breach associations exist for both internal breaches and external breaches
separately. With respect to Panel B, we find that all of the associations found in our main
analysis appear to be driven by internal breaches. For example, four of our human capital
hypotheses (H2b: PAST_TECH_EXP_IN = -3.986, p-value < 0.01; H2c: OTHER_BOARD = -1.950,
p-value = 0.03; H2d: FIRM_TENURE = 8.018, p-value < 0.01; H2e:
POSITION_TENURE = -2.694, p-value = 0.02) and two of our structural capital hypotheses
(H3a: IW500 = 3.416, p-value = 0.02; H3b: MULTY_DUTY = 6.307, p-value = 0.03) are
supported among internal breaches. Collectively, the results reported in Table 8 provide some
evidence that while the presence of a CIO is associated with both internal and external breaches,
variation in CIO human and structural capital characteristics is primarily associated with the
likelihood of observing an internal breach. The latter finding is similar to what Feng and Wang
(2019) observe in their supplemental analysis exploring the association between CIO risk
aversion and reported breaches.
24 Although we include these voluntary board committees primarily as control variables in our models, it is possible
that they are capturing corporate governance structural capital dimensions where firms with risk committees are
perhaps better at preventing breaches, while firms with compliance committees are more likely to report a
discovered breach.
<<< Insert Table 8 Here >>>
We also more deeply explore the length of time that the CIO has been in their position, as
prior breach research has found that the effectiveness of an IT governance monitoring function
appears to depend on how long the function has been in place. For example, Higgs et al. (2016)
show that the increase in the likelihood of a breach for a firm with a board-level technology
committee is driven by younger technology committees. Consequently, we focus on the time that
the CIO has been in the position in our final analysis. Specifically, we identify whether the CIO
has been in the current position for one year or less (FIRSTYEAR_CIO), two years or less
(FIRST2YEARS_CIO), or three years or less (FIRST3YEARS_CIO) and estimate the following
modification of Model (3):
$$\text{Prob}(\text{BREACH}_{i,t}=1) = F[\beta_0 + \beta_1\,\text{CIO}_{i,t} + \beta_2\,(\text{FIRSTYEAR\_CIO}/\text{FIRST2YEARS\_CIO}/\text{FIRST3YEARS\_CIO})_{i,t} +
\beta_3\,\text{INTANGIBLES}_{i,t} + \beta_4\,\text{RISK}_{i,t} + \beta_5\,\text{COMPLIANCE}_{i,t} +
\beta_6\,\text{TECHNOLOGY}_{i,t} + \beta_7\,\text{LNASSETS}_{i,t} + \beta_8\,\text{LEVERAGE}_{i,t} + \beta_9\,\text{RD}_{i,t} +
\beta_{10}\,\text{LAG\_LNAUDFEES}_{i,t} + \beta_{11}\,\text{LOSS}_{i,t} + \beta_{12}\,\text{INADEQUATE}_{i,t} + \beta_{13}\,\text{PAST\_BREACH}_{i,t} +
\beta_{14}\,\text{CRO}_{i,t} + \beta_{15}\,\text{ERM}_{i,t} + \beta_{16}\,\text{CRO\_RESP\_ERM}_{i,t} + \beta_{17}\,\text{IMR}_{i,t} +
\text{YEAR\_FIXED\_EFFECTS}_{i,t} + \text{INDUSTRY\_FIXED\_EFFECTS}_{i,t} + \varepsilon] \quad (5)$$
We report the estimation of each of the three estimations of Model (5) in Table 9. It is
important to note that the variables of interest in these estimations are CIO and the indicator
variables capturing the first year (FIRSTYEAR_CIO), the first two years
(FIRST2YEARS_CIO), and the first three years (FIRST3YEARS_CIO). Our CIO variable
captures the baseline association between a firm having a CIO and breaches, and where each of
the indicator variables captures the incremental effect of observing a breach within the first,
second, or third year of starting as CIO. We find that while we continue to estimate a positive
coefficient estimate for CIO among all three model specifications, we are only able to estimate
an incrementally positive effect for the first-year CIO (0.945, p-value < 0.01). This is consistent
with the notion that the appointment of a new CIO leads to an initial increase in the likelihood of
a breach. However, after the initial year effect, the CIO does not appear to be any more likely to
disclose a reported breach than a CIO of average tenure.
<<< Insert Table 9 Here >>>
As a final sensitivity test, we attempt to examine the type of data stolen in the breach.
Audit Analytics broadly classifies the data stolen by external hacks as “financial”; “personal”;
“not disclosed”; or “other”. We, therefore, merge the Audit Analytics data with a subset of our
external breaches (Hacks), yielding a sample of 54 breaches where Audit Analytics has classified
the stolen data. We then separately estimate Model (3) to evaluate whether the association
between the presence of a CIO and the likelihood of a hack is conditional on the type of data
targeted. We combine “not disclosed” and “other” into “Other” for the sake of this analysis.
Despite the substantial drop in sample size, we estimate positive and significant coefficient estimates for CIO
for two of the three data types (“Financial”: 0.610, p-value =0.12; “Personal”: 1.23, p-
value<0.01; “Other”: 1.326, p-value<0.01). It is somewhat interesting to note that the coefficient
on CIO when “Financial” data is stolen is smaller in magnitude than “Personal” and “Other” and
is also no longer significant. However, given the small sample size of this analysis, it is difficult
to draw any strong conclusions other than to say that CIOs appear to be more likely to report
hacks that involve non-financial information.
V. CONCLUSION
In this study, we examine the association between the presence of a CIO, the CIO’s characteristics, and the
likelihood of observing a reported breach. We find that among a matched sample of breached
firms and similar non-breach firms, firms with CIOs are more likely to be breached, even after
controlling for firm size, the presence of a CRO, and the likelihood of a firm having a CIO. We
further find that among firms with CIOs, breach likelihood varies predictably with different
human capital and structural capital proxies in place. Regarding human capital, we find strong
evidence that firms who have CIOs with past technology experience, outside board membership,
and tenure as CIO are less likely to be breached. In contrast, we find that firms with CIOs who
have been employed in the company for a long time are more likely to experience a breach.
Concerning structural capital, we find limited evidence that the firms that have been identified by
a third party as committing to IT and firms who task their CIOs with multiple responsibilities are
more likely to be breached.
The supplemental analysis shows that the association between CIOs and breaches is not
limited to only external breaches, which provides an important contribution to prior research that
has either exclusively focused on external (e.g. hacks) breaches or has found that many breach
associations are not significant for internal breaches (Higgs et al. 2016; Smith et al. 2019).
Further, we find that our human capital associations are primarily driven by internal breaches
which provides an additional contribution to the literature that has focused primarily on external
breaches. We also explore the length of time that the CIO has held their position and find that
there is a higher likelihood of reporting a breach in the first year. This is consistent with the
Higgs et al. (2016) finding regarding technology committees which suggests that firms are
initially more likely to be breached when the committee is first formed. Finally, we explore the
type of data that is stolen for a subset of our external breaches (specifically hacks) and find
evidence that the observed positive association between CIO and breaches does not appear to be
as strong or significant for “Financial” data.
Our finding that higher breach likelihood results when a CIO is present is most
interesting because it implies that a firm is more likely to be targeted as having attractive
information assets that it needs to protect when it has a CIO role. This is somewhat consistent
with Higgs et al.'s (2016) finding of a higher likelihood of a breach for firms that form board
technology committees. The implications of the findings related to human capital are that firms
can improve their cybersecurity risk posture by having CIOs with past technology experience,
encouraging them to serve on boards of other organizations, and giving them time to gain
experience in the CIO role. While CIOs need time to familiarize themselves with the role,
having a CIO that has been at the firm for an extended period of time may result in the
CIO becoming comfortable in that role, becoming stale, and failing to respond to emerging
threats in a timely manner. The implications of the findings related to structural capital are that
firms that are not publicly identified as having a commitment to IT and firms that allow the CIO
to focus on IT security are less likely to report breaches.
Our study is not without limitations. For example, the proxies that we use to capture
various dimensions of human capital are inherently noisy, which could have contributed to us not
finding support for the hypothesized education-based relation. Additionally, our use of disclosed
breaches introduces another limitation common to breach studies. Reported breaches are only a
proxy of security performance, while a better measure of security performance would likely
reflect the number of breaches prevented and the losses avoided by having the CIO and security
measures in place. It is also possible that our “non-breach” observations have also suffered
breaches and are either unaware that a breach has occurred or chose not to report the breach.
Finally, our findings related to tenure are limited to the CIOs’ years of work experience inside
our sample firms. Future research can examine whether the extent of a CIO’s experience before
joining a firm is associated with cybersecurity breaches.
The findings of this study contribute to the academic literature and are also very relevant
to practitioners. From the academic perspective, our study acts as a precursor to Feng and Wang
(2019) and Haislip et al. (2021). These studies focus on firms with CIOs and assume that the
CIO has the expertise necessary and do not consider what attributes of the CIO are specifically
important in detecting and reporting data breaches. Therefore, this study contributes to the
growing breach literature by providing evidence on the association between individual
characteristics of the more popular IT governance participant (relative to the much less prevalent
board-level technology committees studied by Higgs et al. 2016 for example) and the reported
breaches. Further, the evidence indicates that the breach association extends to internal breaches.
Our findings also add to the upper echelon theory, human capital, and structural capital literature
by applying these theories in a cybersecurity context. From the practitioner and regulatory
perspective, our findings provide evidence on the efficacy of various CIO traits that firms may
wish to consider when they are making recruiting and procurement decisions related to IT
security.
REFERENCES
Al Shammari, H. 2018. CEO Incentive compensation and risk-taking behavior: The moderating
role of CEO characteristics. Academy of Strategic Management Journal 17 (3): 1-15.
Ball, L. D. 2002. CIO on center stage: 9/11 changes everything. Information Systems
Management 19 (2): 8-11.
Banker, R. D., and C. Feng. 2019. The impact of information security breach incidents on CIO
turnover. Journal of Information Systems 33 (3): 309-329.
Banker, R. D., N. Hu, P. A. Pavlou, and J. Luftman. 2011. CIO reporting structure, strategic
positioning, and firm performance. MIS Quarterly 35 (2): 487-504.
Becker, G. S. 1993. Nobel lecture: the economic way of looking at behavior. Journal of Political
Economy 101: 385-409.
Benaroch, M., and A. Chernobai. 2017. Operational IT failures, IT value destruction, and board-
level IT governance changes. MIS Quarterly 41 (3): 730-762.
Burke, D., N. Menachemi, and R. Brooks. 2006. Health care CIOs: Assessing their fit in the
organizational hierarchy and their influence on information technology capability. The
Health Care Manager 25 (2): 167-172.
Chen, D. Q., D. S. Preston, and W. Xia. 2010. Antecedents and effects of CIO supply-side and
demand-side leadership: A staged maturity model. Journal of Management Information
Systems 27 (1): 231.
Chen, Y., and J. Wu. 2011. IT management capability and its impact on the performance of a
CIO. Information & Management 48(4-5): 145-156.
Cheng, Z., A. Rai, F. Tian, and S.X. Xu. 2017. Social Learning in Information Technology
Investment: The Role of Board Interlocks. Working paper, The Hong Kong Polytechnic
University.
Chatterjee, D., V. J. Richardson, and R. W. Zmud. 2001. Examining the shareholder wealth
effects of announcements of newly created CIO positions. MIS Quarterly 25 (1): 43-70.
Choobineh, J., G. Dhillon, M.R. Grimaila, and J. Rees. 2007. Management of information
security: Challenges and research directions. Communications of the Association for
Information Systems 20 (1): 958-971.
Chun, M., and J. Mooney. 2009. CIO roles and responsibilities: Twenty-five years of evolution
and change. Information & Management 46 (6): 323.
Clements, C., J. Neill, and P. Wertheim. 2015. Multiple directorships, industry relatedness, and
corporate governance effectiveness. Corporate Governance 15 (5): 590-606.
Cohn, R., W. Lewellen, R. Lease, and G. Schlarbaum. 1975. Individual investor risk aversion and
investment portfolio composition. Journal of Finance 30: 605-620.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise
risk management – Integrated framework. American Institute of Certified Public
Accountants, New York.
Crossland, C., and D. Hambrick. 2011. Differences in managerial discretion across countries:
How nation-level institutions affect the degree to which CEOs matter. Strategic Management
Journal 32 (8): 797-819.
Daboub, A. J., A. Rasheed, R. Priem, and D. Gray. 1995. Top management team characteristics
and corporate illegal activity. Academy of Management Review 20 (1): 138-170.
Davenport, T. 2016. Why No One Wants to Be a Chief Information Officer Any More. Forbes.
March 10, 2016. Available online from:
http://fortune.com/2016/03/10/why-no-one-wants-to-be-a-chief-information-officer-any-more/?utm_source=emailshare&utm_medium=email&utm_campaign=email-share-article&utm_content=20190531
Davidson, W. N., C. Nemec, and D. Worrell. 2006. Determinants of CEO age at succession.
Journal of Management and Governance 10: 35-57.
Disterer, G. 2013. ISO/IEC 27000, 27001 and 27002 for information security management.
Journal of Information Security 4: 92-100.
Díaz-Fernández, M., M. González-Rodríguez, and B. Simonetti. 2015. Top management teams'
demographic characteristics and their influence on strategic change. Quality and Quantity
49 (3): 1305-1322.
Dohmen, T., A. Falk, D. Huffman, U. Sunde, J. Schupp, and G. Wagner. 2011. Individual risk
attitudes: Measurement, determinants, and behavioral consequences. Journal of the
European Economic Association 9 (3): 522–550.
Donkers, B., B. Melenberg, and A. Van Soest. 2001. Estimating risk attitudes using lotteries: A
large sample approach. Journal of Risk and Uncertainty 22: 165-195.
Dunbar, R. 2008. CIO response: Bat demonstrates an effective "two-handed clap". MIS
Quarterly Executive 1 (1).
Engelbrecht, H. 2003. Human capital and economic growth: cross-section evidence for OECD
countries. Economic Record 79 (Special Issue): 40-51.
Ettredge, M., F. Guo, and Y. Li. 2018. Trade secrets and cybersecurity breaches. Journal of
Accounting and Public Policy 37 (6): 564-585.
EYGM Limited. 2018. Is cybersecurity about more than protection? EY global information
security survey 2018-2019. Retrieved from
https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf
Feng, M., C. Li, and S. McVay. 2009. Internal control and management guidance. Journal of
Accounting & Economics 48: 190–209.
Feng, Q. 2015. “A Study of CIOs’ Selection, Compensation, and Turnover,” Unpublished
Doctoral Dissertation, Temple University, Philadelphia, PA.
Feng, C. Q., and T. Wang. 2019. Does CIO risk appetite matter? Evidence from information
security breach incidents. International Journal of Accounting Information Systems 32:
59-75.
Faccio, M., M. Marchica, and R. Mura. 2016. CEO gender, corporate risk-taking, and the
efficiency of capital allocation. Journal of Corporate Finance 39: 193-209.
García-Álvarez, M. T. G. A., R. M. Mariz-Perez, and M. T. Alvarez. 2011. Structural capital
management: A guide for indicators. International Journal of Management &
Information Systems 15 (3): 41-52.
Gilbert, D. T., and J. G. Hixon. 1991. The trouble of thinking: Activation and application of
stereotypic beliefs. Journal of Personality and Social Psychology 60: 509-517.
Gilbert, D. T., and R. E. Osborne. 1989. Thinking backward: Some curable and incurable
consequences of cognitive busyness. Journal of Personality and Social Psychology 57:
940-949.
Gottschalk, P. 1999. Strategic management of IS/IT functions: The role of the CIO in Norwegian
organizations. International Journal of Information Management 19 (5): 389-399.
Haislip, J., J. Lim, and R. Pinsker. 2021. The impact of executives’ IT expertise on reported data
security breaches. Information Systems Research, articles in advance, 1-17.
Haislip, J., A. Masli, V. Richardson, and J. Sanchez. 2016. Repairing organizational legitimacy
following information technology (IT) material weaknesses: Executive turnover, IT
expertise, and IT system upgrades. Journal of Information Systems 30 (1): 41-70.
Haislip, J., A. Masli, V. Richardson, and M. Watson. 2015. External reputation penalties for
CEOs following information technology material weaknesses. International Journal of
Accounting Information Systems 17: 1-15.
Haislip, J., and V. Richardson. 2018. The effect of CEO IT expertise on the information
environment: Evidence from earnings forecasts and announcements. Journal of
Information Systems 32 (2): 71-94.
Hamblen, M. 2018. CIOs’ evolving role: Think revenue and strategy. Information Week, January
9. Online. Available at https://www.informationweek.com/strategic-cio/cios-evolving-role-think-revenue-and-strategy/d/d-id/1330764
Hambrick, D., and P. Mason. 1984. Upper echelons: The organization as a reflection of its top
managers. Academy of Management Review April: 193-206.
Heckman, J. 1979. Sample selection bias as a specification error. Econometrica 47: 153-162.
Henderson, A. D., D. Miller, and D. C. Hambrick. 2006. How quickly do CEOs become
obsolete? Industry dynamism, CEO tenure and company performance. Strategic
Management Journal 27 (5): 447-460.
Hendricks, L. 2002. How important is human capital for development? Evidence from immigrant
earnings. American Economic Review 92 (1): 198-219.
Higgs, J., R. Pinsker, T. Smith, and G. Young. 2016. The relationship between board-level
technology committees and reported security breaches. Journal of Information Systems
30 (3): 79-98.
Huang, H., E. Rose-Green, and C. Lee. 2012. CEO age and financial reporting quality.
Accounting Horizons 26 (4): 725-740.
Huang, J., and D. J. Kisgen. 2013. Gender and corporate finance: Are male executives
overconfident relative to female executives? Journal of Financial Economics 108 (3):
822-839.
Hütter, A., and R. Riedl. 2017. Chief Information Officer Role Effectiveness: Literature Review
and Implications for Research and Practice. In Chief Information Officer Role
Effectiveness (pp. 1-30). Springer, Cham.
ISACA. 2012. COBIT 5: A business framework for the governance and management of
enterprise IT. Retrieved from www.isaca.org.
Kayworth, T., and D. Whitten. 2010. Effective Information Security Requires a Balance of
Social and Technology Factors. MIS Quarterly Executive 9: 163-175.
Khallaf, A., and M. Majdalawieh. 2012. Investigating the impact of CIO competencies on IT
security performance of the U.S. federal government agencies. Information Systems
Management 29 (1): 55-78.
Kimberly, J., and M. Evanisko. 1981. Organizational innovation: The influence of individual
organizational and contextual factors on hospital adoption of technical and administrative
innovations. Academy of Management Journal 24 (4): 689-713.
Knapp, K. J., T. E. Marshall, R. Kelly Rainer, and F. Nelson Ford. 2006. Information security:
management's effect on culture and policy. Information Management & Computer
Security 14 (1): 24-36.
Kogut, B., and U. Zander. 1996. What firms do? Coordination, identity, and learning.
Organization Science 7 (5): 502-518.
Kwon, J., J.R. Ulmer, and T. Wang. 2013. The association between top management
involvement and compensation and information security breaches. Journal of Information
Systems 27 (1): 219-236.
Lawrence, A., M. Minutti-Meza, and D. Vyas. 2018. Is operational control risk informative of
financial reporting deficiencies? Auditing: A Journal of Practice & Theory 37 (1): 139-
165.
Lennox, C., J. Francis, and Z. Wang. 2012. Selection models in accounting research. The
Accounting Review 87 (2): 589-616.
Li, Y., and C. Tan. 2013. Matching business strategy and CIO characteristics: The impact on
organizational performance. Journal of Business Research 66 (2): 248-259.
Li, H., W. G. No, and J. E. Boritz. 2020. Are external auditors concerned about cyber incidents?
Evidence from audit fees. Auditing: A Journal of Practice and Theory 39 (1): 151-171.
Luftman, J., and R. Kempaiah. 2007. An update on business-IT alignment: "A line" has been
drawn. MIS Quarterly Executive 6 (3): 165-177.
MacCrimmon, K., and D. Wehrung. 1990. Characteristics of risk taking executives. Management
Science 36: 422-435.
Malmendier, U., G. Tate, and J. Yan. 2011. Overconfidence and early-life experiences: the effect
of managerial traits on corporate financial policies. The Journal of Finance 66 (5): 1687-
1733.
Miles, R., and C. Snow. 1978. Organizational strategy, structure, and process. New York:
McGraw-Hill Book Co.
National Institute of Standards and Technology (NIST). 2002. Risk management guide for
information technology systems. Falls Church, VA: Booz Allen Hamilton Inc.
Ng, T., and D. Feldman. 2010. Organizational Tenure and Job Performance. Journal of
Management 36 (5): 1220-1250.
Nielsen, B., and S. Nielsen. 2013. Top management team nationality diversity and firm
performance: a multilevel study. Strategic Management Journal 34 (3): 373-382.
Pettey, C. 2019. CIO Agenda 2019: Take a Hard and Soft Approach to Cybersecurity. Gartner.
April 29, 2019. Available online at: https://www.gartner.com/smarterwithgartner/cio-agenda-2019-take-a-hard-and-soft-approach-to-cybersecurity/
Ponemon Institute. 2017. The evolving role of CISOs and their importance to the business.
Retrieved from https://interact.f5.com/rs/653-SMC-783/images/RPRT-SEC-1167223548-global-ciso-benchmarkUPDATED.pdf.
Preston, D., D. Chen, and D. Leidner. 2008. Examining the antecedents and consequences of
CIO strategic decision-making authority: An empirical study. Decision Science 39 (4):
605-642.
Raghunathan, B., and T. Raghunathan. 1989. Relationship of the rank of information systems
executive to the organizational role and planning dimensions of information systems.
Journal of Management Information Systems 6 (1): 111-126.
Rhodes, S.R. 1983. Age-related differences in work attitudes and behavior: A review and
conceptual analysis. Psychological Bulletin 93: 328-367.
Richardson, V., M. Watson, and R. Smith. 2019. Much ado about nothing: The (lack of)
economic impact of data privacy breaches. Journal of Information Systems 33 (3): 227–
265.
Rowsell-Jones, A. 2007. The emergence of enterprise dynamics. CIO Canada, 15(8), 1.
Sanders, J. 2019. 25% of software vulnerabilities remain unpatched for more than a year.
TechRepublic March 12, 2019. Online, available at:
https://www.techrepublic.com/article/25-of-software-vulnerabilities-remain-unpatched-for-more-than-a-year/?ftag=CMG-01-10aaa1b
Securities and Exchange Commission. 2009. Securities and Exchange Commission Proxy
Disclosure Enhancements, Release Nos. 33-9089; 34-61175; IC-29092; File No. S7-13-09.
Retrieved from http://www.sec.gov/news/press/2009/2009-268.htm.
Securities and Exchange Commission. 2011. CF Disclosure Guidance: Topic No. 2:
Cybersecurity. Retrieved from
https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Sharma, S., and A. Rai. 2015. Adopting IS process innovations in organizations: the role of IS
leaders’ individual factors and technology perceptions in decision making. European
Journal of Information Systems 24 (1): 23-37.
Shao, Z., T. Wang, and Y. Feng. 2016. Impact of chief information officer’s strategic knowledge
and structural power on enterprise systems success. Industrial Management & Data Systems
116 (1): 43-64.
Simsek, Z. 2007. CEO tenure and organizational performance: An intervening model. Strategic
Management Journal 28(6): 653-662.
Smaltz, D. H., V. Sambamurthy, and R. Agarwal. 2006. The antecedents of CIO role
effectiveness in organizations: An empirical study in the healthcare sector. IEEE
transactions on Engineering Management 53 (2): 207-222.
Smith, T., J. Higgs, and R. Pinsker. 2019. Do auditors price breach risk in their audit fees?
Journal of Information Systems 33 (2): 177-204.
Sobol, M. G., and G. Klein. 2009. Relation of CIO background, IT infrastructure, and economic
performance. Information & Management 46 (5): 271-278.
Soomro, Z.A., M.H. Shah, and J. Ahmed. 2016. Information security management needs more
holistic approach: A literature review. International Journal of Information Management 36
(2): 215-225.
Spanos, G., and L. Angelis. 2016. The impact of information security events to the stock market:
A systematic literature review. Computers & Security 58: 216-229.
Spitze, J., and J. Lee. 2012. The renaissance CIO project: The invisible factors of extraordinary
success. California Management Review 54 (2): 73-91.
Statham, A. 1987. The gender model revisited: Differences in the management styles of men and
women. Sex Roles 16(7-8): 409-430.
Stephens, C. S., W. N. Ledbetter, A. Mitra, and F. N. Ford. 1992. Executive or functional
manager? The nature of the CIO's job. MIS Quarterly 16 (4): 449-467.
Sturman, M.C. 2003. Searching for the inverted U-shaped relationship between time and
performance: meta-analyses of the experience/performance, tenure/performance, and
age/performance relationships. Journal of Management 29(5): 609-640.
Thomas, A., and K. Ramaswamy. 1994. Matching managers to strategy: An investigation of
performance implications and boundary conditions. Australian Journal of Management
19: 73-93.
Thomas, A., and K. Ramaswamy. 1996. Matching managers to strategy: Further tests of the Miles
and Snow typology. British Journal of Management 7: 247-261.
Tu, C., Y. Yufei, N. Archer, and C. Connelly. 2018. Strategic value alignment for information
security management: A critical success factor analysis. Information and Computer
Security 26(2): 150-170.
Uppal, N. 2017. Uncovering curvilinearity in the organizational tenure-job performance
relationship: A moderated mediation model of continuance commitment and motivational
job characteristics. Personnel Review 46(8): 1552-1570.
Varonis. 2019. Data gets personal: 2019 global data risk report from the Varonis data lab.
Retrieved from
https://info.varonis.com/hubfs/Varonis%202019%20Global%20Data%20Risk%20Report.pdf
Vincent, N., J. Higgs, and R. Pinsker. 2017. IT governance and the maturity of IT risk
management practices. Journal of Information Systems 31 (1): 59-77.
Vincent, N. E., J. L. Higgs, and R. Pinsker. 2019. Board and management level factors affecting
the maturity of IT risk management practices. Journal of Information Systems 33 (3):
117-135.
Vincent, N. E., and R. Pinsker. 2020. IT risk management: Interrelationships based on strategy
implementation. International Journal of Accounting & Information Management 28 (3):
553-575.
Wang, T., and C. Hsu. 2013. Board composition and operational risk events of financial
institutions. Journal of Banking & Finance 37 (6): 2042-2051.
Werlinger, R., K. Hawkey, and K. Beznosov. 2009. An integrated view of human,
organizational, and technological challenges of IT security management. Information
Management & Computer Security 17(1): 4-19.
Yim, S. 2013. The acquisitiveness of youth: CEO age and acquisition behavior. Journal of
Financial Economics 108(1): 250-273.
Zafar, H., M. S. Ko, and K. M. Osei-Bryson. 2016. The value of the CIO in the top management
team on performance in the case of information security breaches. Information Systems
Frontiers 18 (6): 1205-1215.
Zurkus, K. 2015. Why every CIO needs a cybersecurity attorney. CIO. August 4, 2015.
Available at:
https://www.cio.com/article/2956374/why-every-cio-needs-a-cybersecurity-attorney.html
Appendix A
Variable definitions (in the order in which they first appear in the equations):
BREACH = one if the firm announces a breach disclosed on privacyrights.org in the current year, and zero otherwise;
INTANGIBLES = the natural log of (1 + total intangible assets per Compustat), measured at the beginning of the year;
RISK = one if the company discloses the presence of a “Risk” committee in their proxy statement for the current year, and zero otherwise;
COMPLIANCE = one if the company discloses the presence of a “Compliance” committee in their proxy statement for the current year, and zero otherwise;
TECHNOLOGY = one if the company discloses the presence of a “Technology” committee in their proxy statement for the current year, and zero otherwise;
LNASSETS = the natural log of total assets;
LEVERAGE = the ratio of long-term debt to total assets;
RD = the natural log of (1 + R&D expense);
LAG_LNAUDFEES = the natural log of prior period total audit fees;
LOSS = one if the firm reports negative Income Before Extraordinary Items, and zero otherwise;
INADEQUATE = one if the firm fails to receive an unqualified opinion on their Internal Control over Financial Reporting (ICFR), and zero otherwise;
PAST_BREACH = one if the firm disclosed a breach prior to the current year, and zero otherwise;
CIO = one if the firm discloses that they have a Chief Information Officer (CIO), and zero otherwise;
CEO_AGE = the natural log of the age of the current CEO;
CEO_GENDER = one if the current CEO is a female, and zero otherwise;
CRO = one if the firm discloses that the firm has a Chief Risk Officer (CRO), and zero otherwise;
ERM = one if the firm discloses an Enterprise Risk Management program in their proxy statement, and zero otherwise;
CRO_RESP_ERM = one if the CRO is responsible for the ERM program, and zero otherwise;
IMR = the inverse Mills ratio from the estimation of Model (2);
AGE = the natural log of the age of the CIO;
TECH_UNDERGRAD = one if the CIO earned a technical undergraduate degree (see Appendix B), and zero otherwise;
TECH_GRAD = one if the CIO earned a technical graduate degree, and zero otherwise;
PAST_TECH_EXP_IN = one if the CIO has technology-related prior work experience (e.g. IT director, software engineer, IT consultant, etc.) from the current firm, and zero otherwise;
PAST_TECH_EXP_OUT = one if the CIO has technology-related prior work experience (e.g. IT director, software engineer, IT consultant, CIO, etc.) from a different firm, and zero otherwise;
OTHER_BOARD = one if the CIO serves on an external board, and zero otherwise;
FIRM_TENURE = the natural log of the number of years that the CIO has been with the firm;
POSITION_TENURE = the natural log of the number of years that the CIO has served in the CIO role;
IW500 = one if the firm is identified in the Information Week 500 list, and zero otherwise;
MULTI_DUTY = one if the CIO has additional responsibilities beyond technology (see footnote 25), and zero otherwise;
EXEC = one if the CIO position is also listed as a higher-level executive position (e.g. VP, SVP, EVP), and zero otherwise;
FIRSTYEAR_CIO = one if this is the first year of the CIO tenure, and zero otherwise;
FIRST2YEARS_CIO = one if this is the first two years of the CIO tenure, and zero otherwise; and
FIRST3YEARS_CIO = one if this is the first three years of the CIO tenure, and zero otherwise.
25 Two of the authors independently determined the responsibilities for each CIO by examining their job description obtained via various sources (e.g. company website, CIO appointment announcement, press releases). If they both noted more than one additional responsibility, the observation was coded as MULTI_DUTY = 1. For example, MULTI_DUTY was 1 for the CIO of AGL Resources, Joe Suber, because “he is responsible for the ongoing enhancement of the company's technology platform in alignment with business goals and responsible for information technology, supply chain, supplier diversity, fleet, real estate, and facilities.” MULTI_DUTY was coded as 1 for Zahid Afzal, CIO of Huntington Bancshares 2006-2012, since he had more than the typical CIO role as he was “responsible for corporate-wide Information Technology, Mergers and Acquisitions, Banking Operations, Project Management Office, and eCommerce functions.” MetLife had a CIO and COO dual position, which we also coded as MULTI_DUTY = 1. MULTI_DUTY was coded as 0 for Mark Boxer, CIO of Cigna in 2012, because his responsibilities were not outside the typical CIO’s duties: “he is responsible for driving Cigna's world wide technology strategy and ensuring the company's infrastructure and applications are innovative, flexible and aligned with the business strategy and the needs of customers, partners and employees.”
Appendix B
The following is a list of the different degrees that we identified as being technical:
Accounting and Information System
Accounting/MIS
Administrative Science and Math
B Tech
Biology with a minor in computer science
BS in Computer Science and BA in Mathematics
Business Admin with Spec. in Computer Science
Business Computer Systems
Business Information Systems
Business Administration and MIS
Chemical Engineering
Communications and Computer Science
Computational and Applied Mathematics
Computer and Information Science
Computer Engineering
Computer Information
Computer Information Systems
Computer Information Systems / Computer Technology
Computer Science
Computer Science and Accounting
Computer Science and Applied Mathematics
Computer Science and Economics
Computer Science and Engineering
Computer Science and Mathematics
Computer Science and Qualitative Methods
Computer Science and Systems Design
Computer Science Operations Research
Computer Tech
Computing Degree
Computing Science
FIGURE 1
Summary of hypotheses and findings

Hypothesis | Prediction | Supported or Not Supported
H1: The likelihood of observing a reported breach is not associated with the presence of a CIO role at the firm. | | Supported
Human Capital
H2a: The likelihood of observing a reported breach for firms with a CIO is lower if they have a technical degree. | - | Not Supported
H2b: The likelihood of observing a reported breach for firms with a CIO is negatively associated with their past technology experience. | - | Supported
H2c: The likelihood of observing a reported breach for firms with a CIO is negatively associated with their external board membership experience. | - | Supported
H2d: The likelihood of observing a reported breach for firms with a CIO is positively associated with their tenure at the firm. | + | Supported
H2e: The likelihood of observing a reported breach for firms with a CIO is negatively associated with their tenure at the CIO position within the firm. | - | Supported
Structural Capital
H3a: The likelihood of observing a reported breach for firms with a CIO is positively related to a recognized commitment to support IT. | + | Supported*
H3b: The likelihood of observing a reported breach for firms with a CIO is positively associated with having multiple responsibilities. | + | Supported*
H3c: The likelihood of observing a reported breach for firms with a CIO is negatively associated with the CIO position being designated as a higher-level executive. | - | Not supported
*Not supported in main CIO-only subsample analysis
TABLE 1
Sample Determination

| Firm-year Observations | Breach-year Observations
Active firm-year observations for years 2005-2014 with non-missing price and assets from COMPUSTAT and audit fee data from Audit Analytics | 51,981 | 388
Less firm-year observations: Non-S&P 500 firms | (45,778) | (33)
Firm-year observations for estimation of Model (1) and Model (2) | 6,203 | 355
Less firm-year observations: Excluded by propensity score matching procedure | (21,594) | (79)
Firm-year observations for matched sample hypotheses testing (H1-H3) | 552 | 276
Less firm-year observations: Exclude firms without CIOs | (346) | (131)
Firm-year observations for subsample CIO-only hypotheses testing (H2-H3) | 206 | 145
Table 2: Breach breakdown by year and industry

Year | Number of Breaches | Percentage of Breaches
2005 | 17 | 6.16%
2006 | 39 | 14.13%
2007 | 40 | 14.49%
2008 | 20 | 7.25%
2009 | 12 | 4.35%
2010 | 28 | 10.14%
2011 | 26 | 9.42%
2012 | 34 | 12.32%
2013 | 36 | 13.04%
2014 | 24 | 8.70%
Total | 276 | 100.00%

Industry | Number of Breaches | Percentage of Breaches
Mining | 1 | 0.36%
Construction | 4 | 1.45%
Manufacturing | 58 | 21.01%
Transportation & Public Utilities | 29 | 10.51%
Wholesale Trade | 2 | 0.72%
Retail Trade | 32 | 11.59%
Finance, Insurance, & Real Estate | 89 | 32.25%
Services | 60 | 21.74%
Other | 1 | 0.36%
Total | 276 | 100.00%

Our industry breakdown is based on the following 2-digit SIC classifications:
Mining: 13 Oil & Gas Extraction
Construction: 15 General Building Contractors; 16 Heavy Construction, Except Building
Manufacturing: 20 Food & Kindred Products; 22 Textile Mill Products; 23 Apparel & Other Textile Products; 24
Lumber & Wood Products; 28 Chemical & Allied Products; 29 Petroleum & Coal Products; 30 Rubber &
Miscellaneous Plastics Products; 31 Leather & Leather Products; 33 Primary Metal Industries; 35 Industrial
Machinery & Equipment; 36 Electronic & Other Electric Equipment; 37 Transportation Equipment; 38 Instruments
& Related Products
Transportation & Public Utilities: 40 Railroad Transportation; 42 Trucking & Warehousing; 45 Transportation by
Air; 48 Communications; 49 Electric, Gas, & Sanitary Services
Wholesale Trade: 50 Wholesale Trade Durable Goods
Retail Trade: 52 Building Materials & Gardening Supplies; 53 General Merchandise Stores; 55 Automotive
Dealers & Service Stations; 56 Apparel & Accessory Stores; 57 Furniture & Home furnishings Stores; 58 Eating &
Drinking Places; 59 Miscellaneous Retail
Finance, Insurance, & Real Estate: 60 Depository Institutions; 61 Non-depository Institutions; 62 Security &
Commodity Brokers; 63 Insurance Carriers; 64 Insurance Agents, Brokers, & Service; 65 Real Estate; 67 Holding &
Other Investment Offices
Services: 70 Hotels & Other Lodging Places; 72 Personal Services; 73 Business Services; 75 Auto Repair, Services,
& Parking; 76 Miscellaneous Repair Services; 78 Motion Pictures; 79 Amusement & Recreation Services; 80 Health
Services; 87 Engineering & Management Services
Other: 99 Non-Classifiable Establishments
TABLE 3: Estimation of Model (1) for Propensity Score Match

$$\Pr(\mathit{BREACH}_{i,t}=1)=F\big[\beta_0+\beta_1\,\mathit{INTANGIBLES}_{i,t}+\beta_2\,\mathit{RISK}_{i,t}+\beta_3\,\mathit{COMPLIANCE}_{i,t}+\beta_4\,\mathit{TECHNOLOGY}_{i,t}+\beta_5\,\mathit{LNASSETS}_{i,t}+\beta_6\,\mathit{LEVERAGE}_{i,t}+\beta_7\,\mathit{RD}_{i,t}+\beta_8\,\mathit{LAG\_LNAUDFEES}_{i,t}+\beta_9\,\mathit{LOSS}_{i,t}+\beta_{10}\,\mathit{INADEQUATE}_{i,t}+\beta_{11}\,\mathit{PAST\_BREACH}_{i,t}+\mathit{YEAR\_FIXED\_EFFECTS}_{i,t}+\mathit{INDUSTRY\_FIXED\_EFFECTS}_{i,t}+\varepsilon\big] \qquad (1)$$

Variable (1) | Coefficient Estimate | p-value
Intercept | -4.661*** | <0.01
INTANGIBLES | 0.112*** | <0.01
RISK | -0.046 | 0.65
COMPLIANCE | 0.182* | 0.07
TECHNOLOGY | 0.066 | 0.62
LNASSETS | 0.220*** | <0.01
LEVERAGE | -0.025 | 0.27
RD | 0.027 | 0.15
LAG_LNAUDFEES | -0.061 | 0.33
LOSS | -0.172 | 0.22
INADEQUATE | 0.227 | 0.35
PAST_BREACH | 0.226*** | <0.01
Year Fixed Effects | Yes |
Industry Fixed Effects | Yes |
N | 6,203 |
Area under ROC | 0.872 |
*, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tails.
(1) Variables are defined in Appendix A.
TABLE 4: Estimation of Model (2) for inverse Mills ratio

$$\Pr(\mathit{CIO}_{i,t}=1)=F\big[\beta_0+\beta_1\,\mathit{CEO\_AGE}_{i,t}+\beta_2\,\mathit{CEO\_GENDER}_{i,t}+\beta_3\,\mathit{INTANGIBLES}_{i,t}+\beta_4\,\mathit{RISK}_{i,t}+\beta_5\,\mathit{COMPLIANCE}_{i,t}+\beta_6\,\mathit{TECHNOLOGY}_{i,t}+\beta_7\,\mathit{LNASSETS}_{i,t}+\beta_8\,\mathit{LEVERAGE}_{i,t}+\beta_9\,\mathit{RD}_{i,t}+\beta_{10}\,\mathit{LOSS}_{i,t}+\beta_{11}\,\mathit{INADEQUATE}_{i,t}+\beta_{12}\,\mathit{PAST\_BREACH}_{i,t}+\mathit{YEAR\_FIXED\_EFFECTS}_{i,t}+\mathit{INDUSTRY\_FIXED\_EFFECTS}_{i,t}+\varepsilon\big] \qquad (2)$$

Variable (1) | Coefficient Estimate | p-value
Intercept | -4.834*** | <0.01
CEO_AGE | 0.010*** | <0.01
CEO_GENDER | 0.464*** | <0.01
INTANGIBLES | 0.042*** | <0.01
RISK | 0.117** | 0.04
COMPLIANCE | -0.002 | 0.97
TECHNOLOGY | -0.130* | 0.08
LNASSETS | 0.310*** | <0.01
LEVERAGE | -0.019 | 0.13
RD | 0.001 | 0.96
LOSS | -0.367*** | <0.01
INADEQUATE | 0.066 | 0.66
PAST_BREACH | 0.620*** | <0.01
Year Fixed Effects | Yes |
Industry Fixed Effects | Yes |
N | 6,203 |
Area under ROC | 0.808 |
*, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tails.
(1) Variables are defined in Appendix A.
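As an added illustration (not code from the paper, and not a reproduction of its estimates), the two sample-construction mechanics behind Tables 1, 3 and 4: 1:1 nearest-neighbour matching of breach to non-breach firm-years on the Model (1) propensity score, and the Heckman (1979) inverse Mills ratio computed from the Model (2) selection index, which enters Model (3) as IMR. The caliper width, the propensity scores, the selection indices and the CIO flags are constructed toy values, and the two-sided IMR form is an assumption about how the paper computed it.

```python
"""Propensity-score matching and inverse Mills ratio in pure Python.

Constructed example only: the scores and indices below are not the paper's
estimates, and the caliper is an assumption.
"""
import math


def norm_pdf(z: float) -> float:
    """Standard normal density phi(z)."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def norm_cdf(z: float) -> float:
    """Standard normal distribution function Phi(z), via erf (no scipy needed)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def inverse_mills_ratio(index: float, selected: bool) -> float:
    """Heckman (1979) correction term for one firm-year.

    `index` is x'beta from the selection probit (Model (2): CIO disclosed or not).
    Selected (CIO = 1):     phi(xb) / Phi(xb)        (positive)
    Not selected (CIO = 0): -phi(xb) / (1 - Phi(xb)) (negative)
    Assumption: the paper's IMR regressor uses this standard two-sided form.
    """
    phi, big_phi = norm_pdf(index), norm_cdf(index)
    return phi / big_phi if selected else -phi / (1.0 - big_phi)


def match_nearest_neighbour(treated, controls, caliper):
    """Greedy 1:1 matching without replacement on the propensity score.

    treated, controls: lists of (firm_year_id, score). Each treated unit is
    paired with the closest still-unused control whose score lies within
    `caliper`; treated units with no such control are dropped, which is the
    "excluded by propensity score matching procedure" step of Table 1.
    Returns a list of (treated_id, control_id) pairs.
    """
    unused = dict(controls)
    pairs = []
    # Match the hardest-to-match (highest-score) treated units first.
    for tid, tscore in sorted(treated, key=lambda x: x[1], reverse=True):
        best = None
        for cid, cscore in unused.items():
            d = abs(cscore - tscore)
            if d <= caliper and (best is None or d < best[1]):
                best = (cid, d)
        if best is not None:
            pairs.append((tid, best[0]))
            del unused[best[0]]
    return pairs


# Constructed sample: (firm-year id, Model (1) predicted breach probability).
BREACH_FIRMS = [("B1", 0.42), ("B2", 0.31), ("B3", 0.08), ("B4", 0.75)]
NON_BREACH_FIRMS = [("N1", 0.40), ("N2", 0.30), ("N3", 0.33), ("N4", 0.05), ("N5", 0.12)]


def build_matched_sample(caliper: float = 0.05):
    """Return (pairs, matched_ids); the sample has 2 * len(pairs) firm-years,
    the same arithmetic as 552 = 2 * 276 in Table 1."""
    pairs = match_nearest_neighbour(BREACH_FIRMS, NON_BREACH_FIRMS, caliper)
    matched_ids = sorted(i for pair in pairs for i in pair)
    return pairs, matched_ids


# Constructed Model (2) linear indices (x'beta) and disclosed-CIO flags for the
# matched firm-years; in the paper these come from the probit in Table 4.
SELECTION_INDEX = {"B1": 0.9, "B2": -0.4, "B3": 0.2, "N1": -1.1, "N2": 0.5, "N4": -0.3}
HAS_CIO = {"B1": True, "B2": False, "B3": True, "N1": False, "N2": True, "N4": False}


def imr_for_sample(ids):
    """Per-firm-year IMR column to carry into Model (3) as the IMR regressor."""
    return {i: inverse_mills_ratio(SELECTION_INDEX[i], HAS_CIO[i]) for i in ids}


if __name__ == "__main__":
    pairs, ids = build_matched_sample()
    print("matched pairs:", pairs)           # B4 (0.75) finds no control within the caliper
    for i, lam in imr_for_sample(ids).items():
        print(f"{i}: CIO={int(HAS_CIO[i])} IMR={lam:+.3f}")
```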
TABLE 5, Panel A: Descriptive Statistics for our Matched Sample

Variable (1) | N | Mean | Median | Std. Dev | BREACH=1 (N=276) Mean | BREACH=0 (N=276) Mean | p-value
BREACH | 552 | 0.500 | 0.500 | 0.500 | | |
Control Variables
INTANGIBLES | 552 | 7.162 | 7.405 | 2.483 | 7.167 | 7.156 | (0.96)
RISK | 552 | 0.181 | 0.000 | 0.385 | 0.185 | 0.178 | (0.83)
COMPLIANCE | 552 | 0.114 | 0.000 | 0.318 | 0.134 | 0.094 | (0.14)
TECHNOLOGY | 552 | 0.042 | 0.000 | 0.200 | 0.062 | 0.022 | (0.02)
LNASSETS | 552 | 9.706 | 9.585 | 1.947 | 9.800 | 9.612 | (0.26)
LEVERAGE | 552 | 0.893 | 0.457 | 1.940 | 0.805 | 0.982 | (0.28)
RD | 552 | 1.889 | 0.000 | 3.033 | 1.980 | 1.797 | (0.48)
LAG_LNAUDFEES | 552 | 1.639 | 1.614 | 1.004 | 1.714 | 1.564 | (0.08)
LOSS | 552 | 0.120 | 0.000 | 0.325 | 0.112 | 0.127 | (0.60)
INADEQUATE | 552 | 0.024 | 0.000 | 0.167 | 0.024 | 0.025 | (0.95)
PAST_BREACH | 552 | 0.149 | 0.000 | 0.356 | 0.170 | 0.127 | (0.15)
CRO | 552 | 0.147 | 0.000 | 0.354 | 0.159 | 0.134 | (0.40)
ERM | 552 | 0.359 | 0.000 | 0.544 | 0.388 | 0.330 | (0.21)
CRO_RESP_ERM | 552 | 0.074 | 0.000 | 0.262 | 0.080 | 0.069 | (0.63)
IMR | 552 | 0.261 | 0.322 | 0.258 | 0.325 | 0.198 | (<0.01)
Test Variable
CIO | 552 | 0.373 | 0.000 | 0.484 | 0.525 | 0.221 | (<0.01)
(1) Variables are defined in Appendix A.
TABLE 5, Panel B: Pearson Correlation Matrix for our Matched Sample

| Variable¹ (n=552) | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. BREACH | 0.002 | 0.009 | 0.063 | 0.100 | 0.048 | -0.046 | 0.030 | 0.075 | -0.022 | -0.002 | 0.061 | 0.036 | 0.053 | 0.021 | 0.247 | 0.315 |
| 2. INTANGIBLES | | 0.084 | -0.008 | 0.086 | 0.645 | -0.039 | 0.262 | 0.596 | -0.096 | -0.025 | 0.219 | 0.083 | 0.199 | 0.116 | 0.196 | 0.312 |
| 3. RISK | | | 0.038 | 0.043 | 0.189 | -0.033 | -0.114 | 0.106 | -0.115 | -0.049 | 0.134 | 0.363 | 0.356 | 0.226 | 0.096 | 0.211 |
| 4. COMPLIANCE | | | | 0.153 | -0.061 | 0.047 | -0.044 | 0.035 | 0.008 | -0.029 | 0.106 | -0.004 | 0.130 | 0.050 | 0.059 | 0.029 |
| 5. TECHNOLOGY | | | | | 0.007 | 0.038 | 0.164 | 0.111 | -0.049 | -0.031 | 0.117 | -0.010 | 0.063 | 0.045 | 0.139 | 0.177 |
| 6. LNASSETS | | | | | | 0.054 | 0.131 | 0.637 | -0.205 | -0.034 | 0.170 | 0.316 | 0.156 | 0.286 | 0.190 | 0.357 |
| 7. LEVERAGE | | | | | | | -0.077 | -0.101 | -0.006 | 0.019 | -0.033 | 0.024 | -0.010 | 0.029 | -0.056 | -0.105 |
| 8. RD | | | | | | | | 0.331 | -0.035 | -0.045 | 0.012 | -0.195 | -0.056 | -0.098 | 0.110 | 0.105 |
| 9. LAG_LNAUDFEES | | | | | | | | | -0.080 | -0.024 | 0.233 | 0.146 | 0.164 | 0.187 | 0.157 | 0.357 |
| 10. LOSS | | | | | | | | | | 0.075 | -0.091 | -0.042 | -0.038 | -0.083 | -0.102 | -0.157 |
| 11. INADEQUATE | | | | | | | | | | | -0.040 | -0.018 | -0.055 | -0.013 | -0.062 | -0.066 |
| 12. PAST_BREACH | | | | | | | | | | | | 0.100 | 0.334 | 0.173 | -0.006 | 0.246 |
| 13. CRO | | | | | | | | | | | | | 0.292 | 0.664 | -0.015 | 0.103 |
| 14. ERM | | | | | | | | | | | | | | 0.245 | 0.050 | 0.166 |
| 15. CRO_RESP_ERM | | | | | | | | | | | | | | | 0.048 | 0.167 |
| 16. IMR | | | | | | | | | | | | | | | | 0.490 |
| 17. CIO | | | | | | | | | | | | | | | | |

¹ Variables are defined in Appendix A. Variables in bold are significant at the 0.05 level.
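The bold marking that the footnote of Table 5, Panel B refers to does not survive in a plain-text rendering of the matrix. The following is an added example, not the authors' code: it applies the standard t-test for a Pearson correlation with n = 552 to the BREACH row of the panel and reports which entries clear the 0.05 threshold. Using the normal approximation to t(550) instead of a t table is an assumption of this example.

```python
"""Recover the 'bold = significant at 0.05' marking of the Table 5, Panel B
correlation matrix from the printed coefficients and the sample size.

Added example, not code from the paper. A Pearson r computed on n observations
is tested with t = r * sqrt(n - 2) / sqrt(1 - r^2) on n - 2 degrees of freedom.
With n = 552 the t distribution is practically identical to the standard
normal, so the two-tailed p-value is taken from the normal via math.erfc
(an assumption of this example, not a statement from the paper)."""
import math
from typing import Dict, List

N_OBS = 552  # matched sample size stated in the table heading


def pearson_p_value(r: float, n: int = N_OBS) -> float:
    """Two-tailed p-value for H0: rho = 0, normal approximation to t(n - 2)."""
    if abs(r) >= 1.0:
        return 0.0
    t = r * math.sqrt(n - 2) / math.sqrt(1.0 - r * r)
    # erfc(|t| / sqrt(2)) == 2 * (1 - Phi(|t|)) for the standard normal
    return math.erfc(abs(t) / math.sqrt(2.0))


def critical_r(n: int = N_OBS, alpha: float = 0.05) -> float:
    """Smallest |r| that is significant at alpha (two-tailed), by bisection.

    The p-value is monotonically decreasing in |r|, so bisection on [0, 1)
    converges to the boundary where p == alpha."""
    lo, hi = 0.0, 1.0 - 1e-9
    for _ in range(60):
        mid = (lo + hi) / 2
        if pearson_p_value(mid, n) > alpha:
            lo = mid  # still not significant: boundary lies to the right
        else:
            hi = mid  # significant: boundary lies to the left
    return hi


def significant_entries(row: Dict[str, float], n: int = N_OBS,
                        alpha: float = 0.05) -> List[str]:
    """Names of the variables whose correlation with the row variable would be
    printed in bold, in the column order of the table."""
    return [name for name, r in row.items() if pearson_p_value(r, n) <= alpha]


# Row 1 (BREACH) of Table 5, Panel B, columns 2-17, transcribed from the table.
BREACH_ROW: Dict[str, float] = {
    "INTANGIBLES": 0.002, "RISK": 0.009, "COMPLIANCE": 0.063,
    "TECHNOLOGY": 0.100, "LNASSETS": 0.048, "LEVERAGE": -0.046,
    "RD": 0.030, "LAG_LNAUDFEES": 0.075, "LOSS": -0.022,
    "INADEQUATE": -0.002, "PAST_BREACH": 0.061, "CRO": 0.036,
    "ERM": 0.053, "CRO_RESP_ERM": 0.021, "IMR": 0.247, "CIO": 0.315,
}

if __name__ == "__main__":
    print(f"critical |r| at 0.05 for n={N_OBS}: {critical_r():.4f}")
    for name in significant_entries(BREACH_ROW):
        r = BREACH_ROW[name]
        print(f"{name:15s} r={r:+.3f} p={pearson_p_value(r):.4f}")
```

For this sample size any |r| of roughly 0.083 or more is significant, so in the BREACH row only the TECHNOLOGY, IMR and CIO entries would have been bold; the 0.075 correlation with LAG_LNAUDFEES falls just short.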
TABLE 6: Estimation of Model (3)

Prob(BREACH_{i,t} = 1) = F[β0 + β1 CIO_{i,t} + β2 INTANGIBLES_{i,t} + β3 RISK_{i,t} +
β4 COMPLIANCE_{i,t} + β5 TECHNOLOGY_{i,t} + β6 LNASSETS_{i,t} + β7 LEVERAGE_{i,t} +
β8 RD_{i,t} + β9 LAG_LNAUDFEES_{i,t} + β10 LOSS_{i,t} + β11 INADEQUATE_{i,t} +
β12 PAST_BREACH_{i,t} + β13 CRO_{i,t} + β14 ERM_{i,t} + β15 CRO_RESP_ERM_{i,t} + β16 IMR_{i,t} +
YEAR_FIXED_EFFECTS_{i,t} + INDUSTRY_FIXED_EFFECTS_{i,t} + ε]   (3)

Columns (left to right): the model without, and then with, the CRO, ERM and CRO_RESP_ERM controls.

| Variable¹ | Prediction | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor |
|---|---|---|---|---|---|---|---|
| Intercept | ? | 0.123 | 0.82 | | 0.129 | 0.82 | |
| CIO | H1: ? | 0.875*** | <0.01 | 1.856 | 0.895*** | <0.01 | 1.893 |
| INTANGIBLES | ? | -0.001 | 0.68 | 2.838 | -0.001 | 0.67 | 1.148 |
| RISK | + | -0.233 | 0.17 | 1.315 | -0.293* | 0.09 | 1.454 |
| COMPLIANCE | + | 0.275* | 0.08 | 1.202 | 0.287* | 0.08 | 1.237 |
| TECHNOLOGY | + | 0.190 | 0.28 | 1.204 | 0.199 | 0.27 | 1.206 |
| LNASSETS | + | -0.062 | 0.29 | 4.200 | -0.064 | 0.28 | 3.865 |
| LEVERAGE | - | 0.003 | 0.94 | 1.338 | 0.004 | 0.92 | 1.386 |
| RD | + | -0.009 | 0.80 | 2.984 | -0.006 | 0.84 | 3.095 |
| LAG_LNAUDFEES | + | 0.008 | 0.47 | 2.983 | 0.005 | 0.48 | 3.457 |
| LOSS | - | 0.019 | 0.93 | 1.285 | -0.003 | 0.49 | 1.297 |
| INADEQUATE | + | 0.648** | 0.05 | 1.165 | 0.664** | 0.05 | 1.177 |
| PAST_BREACH | + | -0.013 | 0.94 | 1.413 | -0.016 | 0.93 | 1.455 |
| CRO | ? | | | | 0.291 | 0.26 | 2.511 |
| ERM | ? | | | | 0.081 | 0.53 | 1.554 |
| CRO_RESP_ERM | - | | | | -0.416* | 0.08 | 1.967 |
| IMR | ? | 0.810*** | <0.01 | 1.688 | 0.815*** | <0.01 | 1.753 |
| Year Fixed Effects | | Yes | | | Yes | | |
| Industry Fixed Effects | | Yes | | | Yes | | |
| N | | 552 | | | 552 | | |
| Area under ROC | | 0.723 | | | 0.725 | | |

¹ Variables are defined in Appendix A. *, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tailed tests (one-tailed for predictions).
TABLE 7, Panel A: Descriptive Statistics of our CIO attributes

| Variable¹ | N | Mean | Median | Std. Dev |
|---|---|---|---|---|
| BREACH | 206 | 0.704 | 1.000 | 0.458 |
| AGE | 206 | 3.414 | 3.850 | 1.247 |
| TECH_UNDERGRAD | 206 | 0.398 | 0.000 | 0.491 |
| TECH_GRAD | 206 | 0.165 | 0.000 | 0.372 |
| PAST_TECH_EXP_IN | 206 | 0.505 | 1.000 | 0.501 |
| PAST_TECH_EXP_OUT | 206 | 0.767 | 1.000 | 0.423 |
| OTHER_BOARD | 206 | 0.498 | 0.000 | 0.573 |
| FIRM_TENURE | 206 | 1.006 | 1.103 | 0.407 |
| POSITION_TENURE | 206 | 0.764 | 0.870 | 0.391 |
| IW500 | 206 | 0.403 | 0.000 | 0.492 |
| MULTI_DUTY | 206 | 0.087 | 0.000 | 0.283 |
| EXEC | 206 | 0.136 | 0.000 | 0.344 |

¹ Variables are defined in Appendix A.
TABLE 7, Panel B: Estimation of Model (4)

Prob(BREACH_{i,t} = 1) = F[β0 + β1 AGE_{j,t} + β2 TECH_UNDERGRAD_{j,t} + β3 TECH_GRAD_{j,t} +
β4 PAST_TECH_EXP_IN_{j,t} + β5 PAST_TECH_EXP_OUT_{j,t} + β6 OTHER_BOARD_{j,t} +
β7 FIRM_TENURE_{j,t} + β8 POSITION_TENURE_{j,t} + β9 IW500_{i,t} + β10 MULTI_DUTY_{i,t} +
β11 EXEC_{i,t} + β12 INTANGIBLES_{i,t} + β13 RISK_{i,t} + β14 COMPLIANCE_{i,t} +
β15 TECHNOLOGY_{i,t} + β16 LNASSETS_{i,t} + β17 LEVERAGE_{i,t} + β18 RD_{i,t} +
β19 LAG_LNAUDFEES_{i,t} + β20 LOSS_{i,t} + β21 INADEQUATE_{i,t} + β22 PAST_BREACH_{i,t} +
β23 CRO_{i,t} + β24 ERM_{i,t} + β25 CRO_RESP_ERM_{i,t} + β26 IMR_{i,t} + YEAR_FIXED_EFFECTS_{i,t} +
INDUSTRY_FIXED_EFFECTS_{i,t} + ε]   (4)

Columns (left to right): Matched Sample (N=552), CIO-only Subsample (N=206).

| Variable¹ | Prediction | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor |
|---|---|---|---|---|---|---|---|
| Intercept | ? | 0.214 | 0.69 | | -3.704 | 0.14 | |
| AGE | ? | 0.181*** | <0.01 | 5.017 | 0.148 | 0.25 | 1.870 |
| TECH_UNDERGRAD | H2a: - | 0.199 | 0.40 | 1.927 | 0.136 | 0.69 | 1.925 |
| TECH_GRAD | H2a: - | 0.077 | 0.80 | 1.460 | 0.159 | 0.71 | 1.900 |
| PAST_TECH_EXP_IN | H2b: - | -0.489** | 0.04 | 3.190 | -1.001*** | <0.01 | 2.850 |
| PAST_TECH_EXP_OUT | H2b: - | 0.045 | 0.85 | 3.429 | 0.319 | 0.39 | 1.857 |
| OTHER_BOARD | H2c: - | -0.436** | 0.02 | 2.189 | -0.356* | 0.09 | 2.137 |
| FIRM_TENURE | H2d: + | 1.101*** | <0.01 | 4.330 | 1.300** | 0.01 | 4.302 |
| POSITION_TENURE | H2e: - | -0.781** | 0.01 | 2.325 | -0.604* | 0.09 | 2.315 |
| IW500 | H3a: + | 0.331* | 0.08 | 1.845 | 0.086 | 0.39 | 1.795 |
| MULTI_DUTY | H3b: + | 0.594* | 0.08 | 1.426 | 0.209 | 0.34 | 1.670 |
| EXEC | H3c: - | -0.127 | 0.34 | 1.350 | -0.398 | 0.19 | 1.955 |
| INTANGIBLES | ? | -0.001 | 0.62 | 1.137 | 0.290 | 0.57 | 1.335 |
| RISK | + | -0.338* | 0.06 | 1.466 | -0.809** | 0.01 | 1.786 |
| COMPLIANCE | + | 0.408** | 0.02 | 1.284 | 0.423 | 0.18 | 1.875 |
| TECHNOLOGY | + | -0.064 | 0.74 | 1.244 | -0.110 | 0.83 | 1.634 |
| LNASSETS | + | -0.071 | 0.20 | 3.513 | 0.344** | 0.03 | 5.988 |
| LEVERAGE | - | 0.004 | 0.91 | 1.381 | 0.036 | 0.73 | 1.553 |
| RD | + | 0.006 | 0.43 | 3.252 | -0.061 | 0.36 | 4.963 |
| LAG_LNAUDFEES | + | -0.022 | 0.83 | 3.112 | -0.496 | 0.12 | 4.607 |
| LOSS | - | 0.013 | 0.95 | 1.300 | -0.278 | 0.36 | 2.412 |
| INADEQUATE | + | 0.762** | 0.03 | 1.175 | 5.998 | 0.99 | 1.444 |
| PAST_BREACH | + | 0.000 | 0.99 | 1.531 | -0.467 | 0.17 | 1.959 |
| CRO | ? | 0.366 | 0.15 | 2.471 | 1.353** | 0.03 | 3.884 |
| ERM | ? | 0.066 | 0.60 | 1.556 | -0.075 | 0.83 | 2.450 |
| CRO_RESP_ERM | - | -0.590* | 0.06 | 2.018 | -1.042 | 0.11 | 3.470 |
| IMR | ? | 0.964*** | <0.01 | 1.645 | 0.832 | 0.52 | 3.339 |
| Year Fixed Effects | | Yes | | | Yes | | |
| Industry Fixed Effects | | Yes | | | Yes | | |
| N | | 552 | | | 206 | | |
| Area under ROC | | 0.737 | | | 0.844 | | |

¹ Variables are defined in Appendix A. *, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tailed tests (one-tailed for predictions).
TABLE 8, Panel A: Estimation of Model (3), conditioned on breach type

Prob(BREACH_{i,t} = 1) = F[β0 + β1 CIO_{i,t} + β2 INTANGIBLES_{i,t} + β3 RISK_{i,t} +
β4 COMPLIANCE_{i,t} + β5 TECHNOLOGY_{i,t} + β6 LNASSETS_{i,t} + β7 LEVERAGE_{i,t} +
β8 RD_{i,t} + β9 LAG_LNAUDFEES_{i,t} + β10 LOSS_{i,t} + β11 INADEQUATE_{i,t} +
β12 PAST_BREACH_{i,t} + β13 CRO_{i,t} + β14 ERM_{i,t} + β15 CRO_RESP_ERM_{i,t} + β16 IMR_{i,t} +
YEAR_FIXED_EFFECTS_{i,t} + INDUSTRY_FIXED_EFFECTS_{i,t} + ε]   (3)

Columns (left to right): External Breach (N=462), Internal Breach (N=366).

| Variable¹ | Prediction | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor |
|---|---|---|---|---|---|---|---|
| Intercept | ? | 0.312 | 0.62 | | -1.255 | 0.53 | |
| CIO | H1: ? | 1.025*** | <0.01 | 1.909 | 0.652*** | <0.01 | 2.003 |
| INTANGIBLES | ? | -0.001 | 0.46 | 1.150 | -0.000 | 0.92 | 1.259 |
| RISK | + | -0.395** | 0.05 | 1.403 | -0.216 | 0.19 | 1.745 |
| COMPLIANCE | + | 0.224 | 0.16 | 1.248 | 0.122 | 0.32 | 1.234 |
| TECHNOLOGY | + | -0.030 | 0.94 | 1.230 | 0.698* | 0.06 | 1.176 |
| LNASSETS | + | -0.053 | 0.42 | 3.627 | -0.095 | 0.22 | 3.697 |
| LEVERAGE | - | 0.031 | 0.48 | 1.517 | -0.015 | 0.37 | 1.471 |
| RD | + | 0.019 | 0.30 | 3.091 | -0.030 | 0.53 | 2.848 |
| LAG_LNAUDFEES | + | -0.041 | 0.72 | 3.089 | 0.138 | 0.17 | 3.217 |
| LOSS | - | 0.212 | 0.21 | 1.338 | -0.422* | 0.08 | 1.352 |
| INADEQUATE | + | 0.593* | 0.09 | 1.186 | 0.898* | 0.07 | 1.229 |
| PAST_BREACH | + | -0.183 | 0.42 | 1.484 | 0.071 | 0.39 | 1.506 |
| CRO | ? | 0.113 | 0.70 | 2.345 | 0.505 | 0.13 | 2.683 |
| ERM | ? | 0.235 | 0.11 | 1.660 | -0.086 | 0.62 | 1.524 |
| CRO_RESP_ERM | - | -0.465* | 0.10 | 1.894 | -0.299 | 0.21 | 1.991 |
| IMR | ? | 0.731** | 0.02 | 1.762 | 0.914** | 0.03 | 1.695 |
| Year Fixed Effects | | Yes | | | Yes | | |
| Industry Fixed Effects | | Yes | | | Yes | | |
| N | | 462 | | | 366 | | |
| Area under ROC | | 0.758 | | | 0.812 | | |

¹ Variables are defined in Appendix A. *, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tailed tests (one-tailed for predictions). Consistent with Higgs et al. (2016), External Breaches are breaches identified by privacyrights.org as “HACK (hacking or malware)”, “STAT (stationary theft)”, and “PORT (portable device theft)”. Internal Breaches are all other breaches.
TABLE 8, Panel B: Estimation of Model (4) on CIO-subsample, conditioned on breach type

Prob(BREACH_{i,t} = 1) = F[β0 + β1 AGE_{j,t} + β2 TECH_UNDERGRAD_{j,t} + β3 TECH_GRAD_{j,t} +
β4 PAST_TECH_EXP_IN_{j,t} + β5 PAST_TECH_EXP_OUT_{j,t} + β6 OTHER_BOARD_{j,t} +
β7 FIRM_TENURE_{j,t} + β8 POSITION_TENURE_{j,t} + β9 IW500_{i,t} + β10 MULTI_DUTY_{i,t} + β11 EXEC_{i,t} +
β12 INTANGIBLES_{i,t} + β13 RISK_{i,t} + β14 COMPLIANCE_{i,t} + β15 TECHNOLOGY_{i,t} + β16 LNASSETS_{i,t} +
β17 LEVERAGE_{i,t} + β18 RD_{i,t} + β19 LAG_LNAUDFEES_{i,t} + β20 LOSS_{i,t} + β21 INADEQUATE_{i,t} +
β22 PAST_BREACH_{i,t} + β23 CRO_{i,t} + β24 ERM_{i,t} + β25 CRO_RESP_ERM_{i,t} + β26 IMR_{i,t} +
YEAR_FIXED_EFFECTS_{i,t} + INDUSTRY_FIXED_EFFECTS_{i,t} + ε]   (4)

Columns (left to right): External Breach (N=159), Internal Breach (N=108).

| Variable¹ | Prediction | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor |
|---|---|---|---|---|---|---|---|
| Intercept | ? | 2.455 | 0.52 | | -22.444 | 0.99 | |
| AGE | ? | 0.159 | 0.29 | 2.270 | 1.520** | 0.02 | 4.641 |
| TECH_UNDERGRAD | H2a: - | 0.166 | 0.69 | 2.272 | -0.315 | 0.37 | 3.024 |
| TECH_GRAD | H2a: - | 0.441 | 0.36 | 2.017 | 1.143 | 0.36 | 3.022 |
| PAST_TECH_EXP_IN | H2b: - | -0.550 | 0.12 | 3.020 | -3.986*** | <0.01 | 3.979 |
| PAST_TECH_EXP_OUT | H2b: - | 0.032 | 0.94 | 2.162 | 6.618** | 0.01 | 3.483 |
| OTHER_BOARD | H2c: - | -0.431 | 0.11 | 2.372 | -1.950** | 0.03 | 4.605 |
| FIRM_TENURE | H2d: + | 0.621 | 0.20 | 5.211 | 8.018*** | <0.01 | 5.198 |
| POSITION_TENURE | H2e: - | 0.237 | 0.34 | 2.543 | -2.694** | 0.02 | 3.283 |
| IW500 | H3a: + | -0.032 | 0.94 | 2.117 | 3.416** | 0.02 | 3.056 |
| MULTI_DUTY | H3b: + | 0.479 | 0.20 | 1.709 | 6.307** | 0.03 | 2.896 |
| EXEC | H3c: - | -0.228 | 0.35 | 1.956 | -0.461 | 0.37 | 3.001 |
| INTANGIBLES | ? | 0.941 | 0.32 | 1.447 | -3.955 | 0.21 | 4.841 |
| RISK | + | -0.912** | 0.02 | 1.906 | 0.371 | 0.37 | 2.704 |
| COMPLIANCE | + | 0.329 | 0.27 | 2.007 | 3.528*** | <0.01 | 2.571 |
| TECHNOLOGY | + | -0.138 | 0.83 | 1.881 | -1.664 | 0.25 | 2.012 |
| LNASSETS | + | 0.438** | 0.03 | 6.683 | 0.310 | 0.31 | 11.344 |
| LEVERAGE | - | -0.023 | 0.43 | 1.605 | -0.009 | 0.48 | 2.621 |
| RD | + | -0.037 | 0.67 | 5.888 | 0.262* | 0.07 | 5.771 |
| LAG_LNAUDFEES | + | -0.336 | 0.34 | 5.727 | -2.031 | 0.12 | 8.047 |
| LOSS | - | 0.742 | 0.47 | 3.010 | -4.003** | 0.04 | 5.196 |
| INADEQUATE | + | 3.859 | 0.99 | 1.582 | 16.666 | 0.99 | 3.791 |
| PAST_BREACH | + | -0.774* | 0.07 | 2.268 | -0.946 | 0.33 | 2.674 |
| CRO | ? | 1.242 | 0.14 | 4.620 | 12.633** | 0.01 | 5.657 |
| ERM | ? | -0.033 | 0.94 | 2.830 | -3.577** | 0.04 | 3.970 |
| CRO_RESP_ERM | - | -0.992 | 0.13 | 4.572 | -9.392*** | <0.01 | 3.911 |
| IMR | ? | 0.615 | 0.69 | 4.264 | -4.517 | 0.18 | 5.020 |
| Year Fixed Effects | | Yes | | | Yes | | |
| Industry Fixed Effects | | Yes | | | Yes | | |
| N | | 159 | | | 108 | | |
| Area under ROC | | 0.897 | | | 0.948 | | |

¹ Variables are defined in Appendix A. *, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tailed tests (one-tailed for predictions).
TABLE 9: Estimation of Model (5)

Prob(BREACH_{i,t} = 1) = F[β0 + β1 CIO_{i,t} + β2 (FIRSTYEAR_CIO / FIRST2YEARS_CIO / FIRST3YEARS_CIO)_{i,t} +
β3 INTANGIBLES_{i,t} + β4 RISK_{i,t} + β5 COMPLIANCE_{i,t} + β6 TECHNOLOGY_{i,t} + β7 LNASSETS_{i,t} + β8 LEVERAGE_{i,t} + β9 RD_{i,t} +
β10 LAG_LNAUDFEES_{i,t} + β11 LOSS_{i,t} + β12 INADEQUATE_{i,t} + β13 PAST_BREACH_{i,t} + β14 CRO_{i,t} + β15 ERM_{i,t} +
β16 CRO_RESP_ERM_{i,t} + β17 IMR_{i,t} + YEAR_FIXED_EFFECTS_{i,t} + INDUSTRY_FIXED_EFFECTS_{i,t} + ε]   (5)

Columns (left to right): the model estimated with FIRSTYEAR_CIO, with FIRST2YEARS_CIO, and with FIRST3YEARS_CIO as the tenure indicator.

| Variable¹ | Prediction | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor | Coefficient Estimate | p-value | Variance Inflation Factor |
|---|---|---|---|---|---|---|---|---|---|---|
| Intercept | ? | 0.141 | 0.73 | | 0.140 | 0.80 | | 0.141 | 0.80 | |
| CIO | H1: ? | 0.771*** | <0.01 | 2.016 | 0.810*** | <0.01 | 2.171 | 0.827*** | <0.01 | 2.370 |
| FIRSTYEAR_CIO | ? | 0.954*** | <0.01 | 1.253 | | | | | | |
| FIRST2YEARS_CIO | ? | | | | 0.305 | 0.18 | 1.438 | | | |
| FIRST3YEARS_CIO | ? | | | | | | | 0.171 | 0.41 | 1.645 |
| INTANGIBLES | ? | -0.001 | 0.49 | 1.134 | -0.001 | 0.30 | 1.134 | -0.001 | 0.65 | 1.134 |
| RISK | + | -0.300* | 0.10 | 1.444 | -0.316* | 0.08 | 1.451 | -0.294* | 0.10 | 1.444 |
| COMPLIANCE | + | 0.287* | 0.08 | 1.216 | 0.266* | 0.09 | 1.221 | 0.269* | 0.09 | 1.227 |
| TECHNOLOGY | + | 0.252 | 0.22 | 1.205 | 0.243 | 0.23 | 1.211 | 0.232 | 0.24 | 1.216 |
| LNASSETS | + | -0.063 | 0.29 | 3.478 | -0.063 | 0.29 | 3.478 | -0.064 | 0.28 | 3.478 |
| LEVERAGE | - | 0.001 | 0.98 | 1.341 | 0.001 | 0.49 | 1.343 | 0.002 | 0.95 | 1.344 |
| RD | + | -0.006 | 0.84 | 3.013 | -0.007 | 0.84 | 3.013 | -0.006 | 0.85 | 3.013 |
| LAG_LNAUDFEES | + | 0.005 | 0.48 | 2.997 | -0.007 | 0.95 | 3.009 | 0.001 | 0.49 | 3.002 |
| LOSS | - | -0.012 | 0.48 | 1.286 | -0.007 | 0.49 | 1.287 | -0.003 | 0.49 | 1.287 |
| INADEQUATE | + | 0.642* | 0.06 | 1.172 | 0.662* | 0.05 | 1.169 | 0.661* | 0.05 | 1.169 |
| PAST_BREACH | + | -0.044 | 0.82 | 1.452 | -0.019 | 0.92 | 1.451 | -0.022 | 0.91 | 1.452 |
| CRO | ? | 0.275 | 0.29 | 2.440 | 0.310 | 0.23 | 2.439 | 0.289 | 0.26 | 2.440 |
| ERM | ? | 0.086 | 0.51 | 1.521 | 0.089 | 0.48 | 1.525 | 0.087 | 0.50 | 1.524 |
| CRO_RESP_ERM | - | -0.431* | 0.08 | 1.930 | -0.427* | 0.08 | 1.930 | -0.418* | 0.08 | 1.931 |
| IMR | ? | 0.786*** | <0.01 | 1.695 | 0.805*** | <0.01 | 1.693 | 0.810*** | <0.01 | 1.692 |
| Year Fixed Effects | | Yes | | | Yes | | | Yes | | |
| Industry Fixed Effects | | Yes | | | Yes | | | Yes | | |
| N | | 552 | | | 552 | | | 552 | | |
| Area under ROC | | 0.732 | | | 0.725 | | | 0.726 | | |

¹ Variables are defined in Appendix A. *, **, *** indicate significance at the 0.10, 0.05, and 0.01 levels based on two-tailed tests (one-tailed for predictions).