The exponential rate of increase in IT security breach incidents has led governments, regulators, and practitioners to respond by introducing standards and frameworks for the disclosure and management of organizational cybersecurity risk exposure. Cybersecurity, which is a part of IT risk management, is affected by the capability and the ability of senior leadership responsible for IT-related decisions. This paper uses hand-collected data related to the Chief Information Officer (CIO) for S&P 500 firms and explores whether the presence of a CIO role, human capital characteristics of the CIO, and structural capital characteristics of the firm and the CIO are related to a firm’s cybersecurity risk exposure. This study finds that firms disclosing the presence of a CIO are more likely to be breached, even after matching on the likelihood of a breach and controlling for the likelihood that a firm would choose to disclose a CIO. This study also finds predictable variations in the likelihood of a breach among CIOs based on various human capital dimensions (including past technology experience, external board memberships, firm tenure, and CIO tenure) and structural capital dimensions (including a recognized commitment to IT and charging the CIO with multiple responsibilities). Finally, this study finds evidence that the observed associations depend on both the source of the breach (external vs. internal) as well as the type of data compromised by the breach (e.g. financial, personal, etc.). The results of this study contribute to the growing body of academic breach literature, while also informing practitioners as they evaluate the costs and benefits of various methods for combating breaches.

IT 安全漏洞事件呈指数级增长，导致政府、监管机构和从业人员通过引入用于披露和管理组织网络安全风险暴露的标准和框架来做出响应。网络安全是 IT 风险管理的一部分，它受到负责 IT 相关决策的高级领导的能力和能力的影响。本文使用与标准普尔 500 指数公司的首席信息官 (CIO) 相关的手工收集数据，并探讨了 CIO 角色的存在、CIO 的人力资本特征以及公司和 CIO 的结构性资本特征是否与公司的网络安全风险敞口。这项研究发现，披露 CIO 存在的公司更有可能遭到破坏，即使在匹配了违规的可能性并控制了公司选择披露 CIO 的可能性之后。本研究还发现，基于各种人力资本维度（包括过去的技术经验、外部董事会成员、公司任期和 CIO 任期）和结构性资本维度（包括公认的 IT 和收费承诺），CIO 之间发生违约的可能性存在可预测的变化。 CIO 肩负多重责任）。最后，本研究发现证据表明，观察到的关联取决于数据泄露的来源（外部与内部）以及数据泄露的类型（例如财务、个人等）。这项研究的结果有助于越来越多的学术违规文献，