Given the financial consequences of security breaches, security risk management has gained more attention in board rooms and garnered more involvement from top management. We undertake a study to understand the top managers’ role in cybersecurity strategy, specifically with cyberinsurance. This study draws from institutional and upper echelons theories to explain how top managers’ values and perceptions mediate the impact of external institutional pressures on the commitment to use cyberinsurance as a risk management strategy. We empirically test proposed hypotheses using data collected from executive-level managers of various firms and perform semi-structured interviews of six case sites as post hoc analysis. The results suggest that institutional pressures positively affect top managers’ perceptions of job security, breach risk, financial risk, transaction cost, and regulatory oversight. In turn, these perceptions influence their commitment to cyberinsurance. We find that values and perceptions of personal relevance have a significant impact on their strategic decisions. The findings emphasize the critical role that top management plays in mediating the influence of institutional pressures on cybersecurity strategy. Implications for research and practice, along with limitations and future directions, are discussed.

鉴于安全漏洞的财务后果，安全风险管理在董事会中得到了更多关注，并获得了高层管理人员的更多参与。我们进行了一项研究，以了解高层管理人员在网络安全战略中的作用，特别是在网络保险方面。本研究借鉴制度和高层理论，解释高层管理者的价值观和观念如何调节外部制度压力对使用网络保险作为风险管理策略的承诺的影响。我们使用从不同公司的高管层收集的数据对提出的假设进行实证检验，并对六个案例站点进行半结构化访谈作为事后分析。结果表明，制度压力对高层管理者对工作保障、违约风险、财务风险、交易成本和监管监督。反过来，这些看法会影响他们对网络保险的承诺。我们发现价值观和个人相关性的看法对其战略决策有重大影响。调查结果强调了高层管理人员在调解制度压力对网络安全战略的影响方面发挥的关键作用。讨论了对研究和实践的影响，以及局限性和未来的方向。