ABSTRACT Despite the consensus that information security should become an important consideration in information technology (IT) governance rather than the sole responsibility of the IT department, important IT governance decisions are often made on the basis of fulfilling business needs with a minimal amount of attention paid to their implications for information security. We study how an important IT governance mechanism—the degree of centralized decision making—affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a four-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Universities with more heterogeneous IT infrastructure benefit more from centralized IT decision making. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with more intensive research activities. Collectively, these findings highlight the tradeoff between granting autonomy and flexibility in the use of information systems and enforcing standardized, organization-wide security protocols.

中文翻译：

---

集中 IT 决策和网络安全漏洞：来自美国高等教育机构的证据

摘要 尽管人们一致认为信息安全应该成为信息技术 (IT) 治理中的一个重要考虑因素，而不是 IT 部门的唯一责任，但重要的 IT 治理决策往往是在满足业务需求的基础上做出的，而很少受到关注。其对信息安全的影响。我们研究重要的 IT 治理机制——集中决策的程度——如何影响网络安全漏洞的可能性。在四年期间对 504 所美国高等教育机构的样本进行检查后，我们发现具有集中 IT 治理的大学与更少的违规相关。有趣的是，集中 IT 治理的效果取决于大学计算环境的异构性：拥有更多异构 IT 基础设施的大学从集中式 IT 决策中受益更多。此外，我们发现集中治理和网络安全漏洞之间的关系在公立大学和研究活动更密集的大学中最为明显。总的来说，这些发现强调了在信息系统使用中授予自主权和灵活性与执行标准化的、组织范围的安全协议之间的权衡。