
Does CIO risk appetite matter? Evidence from information security breach incidents

Author

Listed:
  • Feng, Cecilia (Qian)
  • Wang, Tawei

Abstract

After a series of recent high-profile information security breach incidents, practitioners have engaged in heated debates about the role of the chief information officer (CIO), particularly his/her role in information security risk management. However, little is known in the academic literature about how a CIO's appetite for risk affects the effectiveness of information security management. We address this gap by examining how a CIO's risk appetite is associated with information security breach incidents. We show that the level of CIO risk aversion is negatively associated with the likelihood of breach incidents. Furthermore, we find that this association is stronger if the company's chief executive officer (CEO) is also risk averse. In additional analyses, we show that the relationship between CIO risk aversion and breach incidents varies depending on breach type and the strategic position of the company and is moderated by the CIO's power.

Suggested Citation

  • Feng, Cecilia (Qian) & Wang, Tawei, 2019. "Does CIO risk appetite matter? Evidence from information security breach incidents," International Journal of Accounting Information Systems, Elsevier, vol. 32(C), pages 59-75.
  • Handle: RePEc:eee:ijoais:v:32:y:2019:i:c:p:59-75
    DOI: 10.1016/j.accinf.2018.11.001

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1467089517301161
    Download Restriction: Full text for ScienceDirect subscribers only



    Citations


    Cited by:

    1. Zhang, Yimei & Smith, Thomas, 2023. "The impact of customer firm data breaches on the audit fees of their suppliers," International Journal of Accounting Information Systems, Elsevier, vol. 50(C).
    2. Smith, Thomas & Tadesse, Amanuel F. & Vincent, Nishani Edirisinghe, 2021. "The impact of CIO characteristics on data breaches," International Journal of Accounting Information Systems, Elsevier, vol. 43(C).
    3. Jacob Haislip & Jee-Hae Lim & Robert Pinsker, 2021. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches," Information Systems Research, INFORMS, vol. 32(2), pages 318-334, June.
    4. Zhen, Jie & Xie, Zongxiao & Dong, Kunxiang, 2021. "Impact of IT governance mechanisms on organizational agility and the role of top management support and IT ambidexterity," International Journal of Accounting Information Systems, Elsevier, vol. 40(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Jean Canil & Bruce Rosser, 2015. "Evidence on exercise pricing in CEO option grants in two countries," Annals of Finance, Springer, vol. 11(3), pages 383-410, November.
    2. Steffen Brenner, 2015. "The Risk Preferences of U.S. Executives," Management Science, INFORMS, vol. 61(6), pages 1344-1361, June.
    3. Gormley, Todd A. & Matsa, David A. & Milbourn, Todd, 2013. "CEO compensation and corporate risk: Evidence from a natural experiment," Journal of Accounting and Economics, Elsevier, vol. 56(2), pages 79-101.
    4. Smith, Thomas & Tadesse, Amanuel F. & Vincent, Nishani Edirisinghe, 2021. "The impact of CIO characteristics on data breaches," International Journal of Accounting Information Systems, Elsevier, vol. 43(C).
    5. A. Rashad Abdel-Khalik, 2014. "CEO Risk Preference and Investing in R&D," Abacus, Accounting Foundation, University of Sydney, vol. 50(3), pages 245-278, September.
    6. Patricia Boyallian & Pablo Ruiz-Verdú, 2018. "Leverage, CEO Risk-Taking Incentives, and Bank Failure during the 2007–10 Financial Crisis [Endogenous matching and the empirical determinants of contract form]," Review of Finance, European Finance Association, vol. 22(5), pages 1763-1805.
    7. King, Timothy & Srivastav, Abhishek & Williams, Jonathan, 2016. "What's in an education? Implications of CEO education for bank performance," Journal of Corporate Finance, Elsevier, vol. 37(C), pages 287-308.
    8. Lim, Terence & Lo, Andrew W. & Merton, Robert C. & Scholes, Myron S., 2006. "The Derivatives Sourcebook," Foundations and Trends(R) in Finance, now publishers, vol. 1(5–6), pages 365-572, April.
    9. O’Connor, Matthew & Rafferty, Matthew & Sheikh, Aamer, 2013. "Equity compensation and the sensitivity of research and development to financial market frictions," Journal of Banking & Finance, Elsevier, vol. 37(7), pages 2510-2519.
    10. Ziyang Li & Qianwei Ying & Yuying Chen & Xuehui Zhang, 2020. "Managerial risk appetite and asymmetry cost behavior: evidence from China," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 60(5), pages 4651-4692, December.
    11. Peter J Phillips, 2009. "Are Larger Self Managed Superannuation Funds Riskier?," Asian Journal of Finance & Accounting, Macrothink Institute, vol. 1(1), pages 5475-5475, December.
    12. Marco A. Marini & Paolo Polidori & Désirée Teobaldelli & Davide Ticchi, 2018. "Optimal Incentives in a Principal–Agent Model with Endogenous Technology," Games, MDPI, vol. 9(1), pages 1-13, February.
    13. Coles, Jeffrey L. & Daniel, Naveen D. & Naveen, Lalitha, 2006. "Managerial incentives and risk-taking," Journal of Financial Economics, Elsevier, vol. 79(2), pages 431-468, February.
    14. Guiso, Luigi & Sodini, Paolo, 2013. "Household Finance: An Emerging Field," Handbook of the Economics of Finance, in: G.M. Constantinides & M. Harris & R. M. Stulz (ed.), Handbook of the Economics of Finance, volume 2, chapter 0, pages 1397-1532, Elsevier.
    15. Alessandro Bucciol & Raffaele Miniaci, 2011. "Household Portfolios and Implicit Risk Preference," The Review of Economics and Statistics, MIT Press, vol. 93(4), pages 1235-1250, November.
    16. Colonnello, Stefano & Curatola, Giuliano & Hoang, Ngoc Giang, 2017. "Direct and indirect risk-taking incentives of inside debt," Journal of Corporate Finance, Elsevier, vol. 45(C), pages 428-466.
    17. repec:zbw:bofrdp:2017_016 is not listed on IDEAS
    18. Bulan, Laarni & Sanyal, Paroma & Yan, Zhipeng, 2010. "A few bad apples: An analysis of CEO performance pay and firm productivity," Journal of Economics and Business, Elsevier, vol. 62(4), pages 273-306, July.
    19. Ricardo M. Sousa, 2007. "Wealth Shocks and Risk Aversion," NIPE Working Papers 28/2007, NIPE - Universidade do Minho.
    20. Alderson, Michael J. & Bansal, Naresh & Betker, Brian L., 2014. "CEO turnover and the reduction of price sensitivity," Journal of Corporate Finance, Elsevier, vol. 25(C), pages 376-386.
    21. Fang, Guanfu & Li, Wei & Zhu, Ying, 2022. "The shadow of the epidemic: Long-term impacts of meningitis exposure on risk preference and behaviors," World Development, Elsevier, vol. 157(C).
