An Empirical Study on the Impact of the IT Organization on Cyber Risk Management

Emilie Kronhjem

Student thesis: Master's theses

Abstract

Cyber risks pose a growing threat to both private and public organizations as the world moves towards increased digitalization and interconnectedness. Recently, several high-profile cyber incidents have shown the enormous financial and reputational burdens that cyberattacks place on the victims. At the center of these risks are the information technology (IT) assets and capabilities that support and drive a growing array of business functions. This paper examines how the configuration of these assets and capabilities – as organized within the IT organization – impacts the cyber risk management maturity of an organization. Based on a review of the existing literature, a conceptualization is developed to describe the IT organization through four related components: decision-making rights, resource allocation, interdepartmental communication, and the outsourcing strategy. This model is then tested empirically through primary data collection. Using a web-based questionnaire, data is collected about these four components as well as cyber risk management activities. This resulted in a survey of 53 respondents with insight into business strategy, IT, or cybersecurity from various organizations in Denmark. Using multiple linear regression analysis, this data was used to generate insights about the influence of the IT organization on the cybersecurity program maturity in the participating firms. The results show that decision rights structures, financial resource allocation, and IT outsourcing significantly impact the cyber risk management maturity level. For decision rights and resources, the IT and cybersecurity domains showed reversed centralization/decentralization patterns. These findings imply that the internal configuration of the IT organization is complex, and that IT and cybersecurity activities should be organized separately. IT outsourcing should be kept at a minimum in order to retain in-house IT competences that are important to cyber risk management.
This study contributes to the academic and practical understanding of IT and cybersecurity in a management context. Previous research has primarily focused on either IT or cybersecurity activities, and by considering the two together, this study provides a novel perspective on the organizational factors that influence cybersecurity.

Educations: MSc in Business Administration and E-business (Graduate Programme), Final Thesis
Language: English
Publication date: 2020
Number of pages: 95