Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.

许多组织在已有数十年历史的遗留 IT 系统上运行其核心业务运营。一些安全专业人士认为，遗留 IT 系统显着增加了安全风险，因为它们并非旨在解决当代网络安全风险。其他人则反驳说，遗留系统可能是“古老的安全”，并认为由于系统缺乏足够的文档，潜在的攻击者很难发现和利用安全漏洞。这两种论点都缺乏经验证据。日常活动理论 (RAT) 认为，组织的监护对于减少安全事件至关重要。然而，RAT 并没有很好地解释组织如何防范遗留 IT 系统的安全风险。我们认为，组织可以通过在内部对其遗留 IT 系统进行现代化改造或将其外包给云供应商来加强他们的监护。通过美国联邦机构的数据集，我们发现拥有更多旧 IT 系统的机构比其他拥有更现代 IT 系统的机构更频繁地发生安全事件。用于 IT 现代化的 IT 预算比例每增加 1%，安全事件数量就会减少 5.6%。此外，遗留系统向云的迁移与安全事件的数量呈负相关。