IDEAS home Printed from https://ideas.repec.org/a/pal/ijodag/v22y2025i2d10.1057_s41310-024-00226-7.html
   My bibliography  Save this article

How the three lines of defense can contribute to public firms’ cybersecurity effectiveness

Author

Listed:
  • Sylvie Héroux

    (Université du Québec à Montréal (ESG-UQAM))

  • Anne Fortin

    (Université du Québec à Montréal (ESG-UQAM))

Abstract

This interpretative field study examines how public firms deal with cybersecurity-related issues, emphasizing how the three lines of defense can contribute to cybersecurity effectiveness. Sixteen interviews were conducted with 18 participants, including 13 executives/senior managers in internal audit, information technology (IT), and information security (IS) in 13 different public firms. The many cybersecurity structures, processes, or relational mechanisms established by the three lines of defense in the participating organizations are identified. These governance mechanisms are used as a baseline for analyzing how teams in internal audit, IT, IS, cybersecurity, legal, finance, corporate communications, and environmental, social and governance (ESG) are engaged and collaborate in dealing with cybersecurity-related issues. This study entered into the “black box” to document how different organizational functions are involved in IT/IS governance mechanisms associated with cybersecurity. Findings can help board of directors and management reflect on the nature of cybersecurity activities that could be implemented to enhance cybersecurity effectiveness. Regulators may consider the issues raised by participants to clarify regulations about cybersecurity disclosure.

Suggested Citation

  • Sylvie Héroux & Anne Fortin, 2025. "How the three lines of defense can contribute to public firms’ cybersecurity effectiveness," International Journal of Disclosure and Governance, Palgrave Macmillan, vol. 22(2), pages 377-396, June.
    • Handle: RePEc:pal:ijodag:v:22:y:2025:i:2:d:10.1057_s41310-024-00226-7
    DOI: 10.1057/s41310-024-00226-7
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1057/s41310-024-00226-7
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.
    File URL: https://libkey.io/10.1057/s41310-024-00226-7?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to

    for a different version of it.

    References listed on IDEAS

    as
    1. repec:eme:maj000:maj-07-2017-1595 is not listed on IDEAS
    2. Andrew D. Chambers & Marjan Odar, 2015. "A new vision for internal audit," Managerial Auditing Journal, Emerald Group Publishing, vol. 30(1), pages 34-55, January.
    3. Jessica Rose Carre & Shelby R. Curtis & Daniel Nelson Jones, 2018. "Ascribing responsibility for online security and data breaches," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 436-446, March.
    4. repec:eme:maj000:maj-02-2018-1804 is not listed on IDEAS
    5. repec:eme:maj000:maj-11-2017-1693 is not listed on IDEAS
    6. Elina Haapamäki & Jukka Sihvonen, 2019. "Cybersecurity in accounting research," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 34(7), pages 808-834, July.
    7. repec:eme:maj000:maj-09-2018-2004 is not listed on IDEAS
    8. Lawrence Gordon & Martin Loeb & Tashfeen Sohail & Chih-Yang Tseng & Lei Zhou, 2008. "Cybersecurity, Capital Allocations and Management Control Systems," European Accounting Review, Taylor & Francis Journals, vol. 17(2), pages 215-241.
    9. Md. Shariful Islam & Nusrat Farah & Thomas F. Stafford, 2018. "Factors associated with security/cybersecurity audit by internal audit function," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 377-409, April.
    10. Andrew D. Chambers & Marjan Odar, 2015. "A new vision for internal audit," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 30(1), pages 34-55, January.
    11. Sezer Bozkus Kahyaoglu & Kiymet Caliyurt, 2018. "Cyber security assurance process from the internal audit perspective," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 360-376, May.
    12. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    13. repec:eme:maj000:maj-08-2014-1073 is not listed on IDEAS
    14. Thomas Stafford & George Deitz & Yaojie Li, 2018. "The role of internal audit and user training in information security policy compliance," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 410-424, March.
    15. Eli Amir & Shai Levi & Tsafrir Livne, 2018. "Do firms underreport information on cyber-attacks? Evidence from capital markets," Review of Accounting Studies, Springer, vol. 23(3), pages 1177-1206, September.
    16. Plöckinger, Martin & Aschauer, Ewald & Hiebl, Martin R.W. & Rohatschek, Roman, 2016. "The influence of individual executives on corporate financial reporting: A review and outlook from the perspective of upper echelons theory," Journal of Accounting Literature, Elsevier, vol. 37(C), pages 55-75.
    17. repec:eme:maj000:maj-08-2018-1980 is not listed on IDEAS
    18. Oktay Turetken & Stevens Jethefer & Baris Ozkan, 2020. "Internal audit effectiveness: operationalization and influencing factors," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 35(2), pages 238-271, January.
    19. Martin Plöckinger & Ewald Aschauer & Martin R.W. Hiebl & Roman Rohatschek, 2016. "The influence of individual executives on corporate financial reporting: A review and outlook from the perspective of upper echelons theory," Journal of Accounting Literature, Emerald Group Publishing Limited, vol. 37(1), pages 55-75, October.
    20. Petros Lois & George Drogalas & Alkiviadis Karagiorgos & Alkis Thrassou & Demetris Vrontis, 2021. "Internal auditing and cyber security: audit role and procedural contribution," International Journal of Managerial and Financial Accounting, Inderscience Enterprises Ltd, vol. 13(1), pages 25-47.
    21. repec:eme:maj000:maj-07-2017-1596 is not listed on IDEAS
    22. Slapničar, Sergeja & Axelsen, Micheal & Bongiovanni, Ivano & Stockdale, David, 2023. "A pathway model to five lines of accountability in cybersecurity governance," International Journal of Accounting Information Systems, Elsevier, vol. 51(C).
    23. repec:eme:jal000:j.acclit.2016.09.002 is not listed on IDEAS
    24. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2012. "The relationship between internal audit and information security: An exploratory investigation," International Journal of Accounting Information Systems, Elsevier, vol. 13(3), pages 228-243.
    25. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2018. "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, Elsevier, vol. 71(C), pages 15-29.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Slapničar, Sergeja & Axelsen, Micheal & Bongiovanni, Ivano & Stockdale, David, 2023. "A pathway model to five lines of accountability in cybersecurity governance," International Journal of Accounting Information Systems, Elsevier, vol. 51(C).
    2. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    3. Sylvie Héroux & Anne Fortin, 2024. "Board of directors’ attributes and aspects of cybersecurity disclosure," Journal of Management & Governance, Springer;Accademia Italiana di Economia Aziendale (AIDEA), vol. 28(2), pages 359-404, June.
    4. Rakhman, Fuad & Wijayana, Singgih, 2024. "Human development and the quality of financial reporting among the local governments in Indonesia," Journal of International Accounting, Auditing and Taxation, Elsevier, vol. 56(C).
    5. Natalie Elms & Pamela Fae Kent, 2023. "Nomination committees in Australia, outcomes for influence of a powerful CEO and diversity," Journal of Accounting Literature, Emerald Group Publishing Limited, vol. 46(4), pages 481-509, July.
    6. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).
    7. Pascale Lapointe-Antunes & Kevin Veenstra & Kareen Brown & Heather Li, 2022. "Welcome to the Gray Zone: Shades of Honesty and Earnings Management," Journal of Business Ethics, Springer, vol. 177(1), pages 125-149, April.
    8. Wang, Xinchun, 2024. "Does CEO temporal myopia always lead to firm short-termism? The critical role of CEO optimism and perceived opportunity costs," Journal of Business Research, Elsevier, vol. 180(C).
    9. Ya-Fang Wang & Yu-Chu Hsieh, 2023. "Credit Rating and Board Evaluation of Family Firms," International Journal of Business and Economic Sciences Applied Research (IJBESAR), Democritus University of Thrace (DUTH), Kavala Campus, Greece, vol. 16(1), pages 7-18, October.
    10. Zhang, Yimei & Smith, Thomas, 2023. "The impact of customer firm data breaches on the audit fees of their suppliers," International Journal of Accounting Information Systems, Elsevier, vol. 50(C).
    11. Stéphane Lhuillery & Marion Tellechea & Stéphanie Thiéry, 2023. "Innovation in lieu of compliance: Internal audit departments’ standardized and non-standardized knowledge sources," Post-Print hal-04056227, HAL.
    12. Stéphane Lhuillery & Marion Tellechea & Stéphanie Thiery, 2021. "Open innovation in managerial innovation: the case of internal audit," Working Papers of BETA 2021-19, Bureau d'Economie Théorique et Appliquée, UDS, Strasbourg.
    13. Patrick Hertrampf & Thomas M. Brunner-Kirchmair & Martin R. W. Hiebl & Arnd Wiedemann, 2025. "The Relationship Between CEO Characteristics and Banks’ Risk-Taking: Review and Research Directions [Die Beziehung zwischen CEO-Charakteristika und der Risikobereitschaft von Banken: Literaturüberb," Schmalenbach Journal of Business Research, Springer, vol. 77(1), pages 127-178, March.
    14. Veerawin Korphaibool & Pongsapak Chindasombatcharoen & Pattanaporn Chatjuthamard & Pornsit Jiraporn & Sirimon Treepongkaruna, 2024. "Business sustainability under the influence of female directors toward the risk‐taking in innovation: Evidence from textual analysis," Business Strategy and the Environment, Wiley Blackwell, vol. 33(3), pages 1578-1591, March.
    15. Masoud, Najeb & Al-Utaibi, Ghassan, 2022. "The determinants of cybersecurity risk disclosure in firms’ financial reporting: Empirical evidence," Research in Economics, Elsevier, vol. 76(2), pages 131-140.
    16. Liu, Xiaohui & Luo, Juan & Yawson, Alfred, 2025. "Equity offering following cyberattacks," Journal of Corporate Finance, Elsevier, vol. 91(C).
    17. Ahsan Habib & Dinithi Ranasinghe & Julia Yonghua Wu & Pallab Kumar Biswas & Fawad Ahmad, 2022. "Real earnings management: A review of the international literature," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 62(4), pages 4279-4344, December.
    18. Christine Weigel & Klaus Derfuss & Martin R. W. Hiebl, 2023. "Financial managers and organizational ambidexterity in the German Mittelstand: the moderating role of strategy involvement," Review of Managerial Science, Springer, vol. 17(2), pages 569-605, February.
    19. Zhang, Wei & Qin, Chu & Zhang, Wenyao, 2023. "Top management team characteristics, technological innovation and firm's greenwashing: Evidence from China's heavy-polluting industries," Technological Forecasting and Social Change, Elsevier, vol. 191(C).
    20. Wasswa Asaph Senoga, 2023. "The Effect of Accountability, Transparency, And Integrity of Church Leaders on Fraud Prevention in The Management of Church Funds," International Journal of Research and Innovation in Social Science, International Journal of Research and Innovation in Social Science (IJRISS), vol. 7(1), pages 1388-1409, January.

    More about this item

    Keywords

    ;
    ;
    ;
    ;
    ;

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:pal:ijodag:v:22:y:2025:i:2:d:10.1057_s41310-024-00226-7. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.palgrave.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.