After a series of recent high-profile information security breach incidents, practitioners have engaged in heated debates about the role of the chief information officer (CIO), particularly his/her role in information security risk management. However, little is known in the academic literature about how a CIO's appetite for risk affects the effectiveness of information security management. We address this gap by examining how a CIO's risk appetite is associated with information security breach incidents. We show that the level of CIO risk aversion is negatively associated with the likelihood of breach incidents. Furthermore, we find that this association is stronger if the company's chief executive officer (CEO) is also risk averse. In additional analyses, we show that the relationship between CIO risk aversion and breach incidents varies depending on breach type and the strategic position of the company and is moderated by the CIO's power.

在最近发生了一系列备受瞩目的信息安全漏洞事件之后，从业人员就首席信息官（CIO）的角色，尤其是其在信息安全风险管理中的角色展开了激烈的辩论。但是，在学术文献中，关于CIO的风险偏好如何影响信息安全管理的有效性知之甚少。我们通过研究CIO的风险偏好与信息安全违规事件之间的关系来解决这一差距。我们表明，CIO风险规避的程度与违反事件的可能性呈负相关。此外，我们发现，如果公司首席执行官（CEO）也规避风险，则这种关联会更强。在其他分析中，