Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures

Abstract

Given the financial consequences of security breaches, security risk management has gained more attention in board rooms and garnered more involvement from top management. We undertake a study to understand the top managers’ role in cybersecurity strategy, specifically with cyberinsurance. This study draws from institutional and upper echelons theories to explain how top managers’ values and perceptions mediate the impact of external institutional pressures on the commitment to use cyberinsurance as a risk management strategy. We empirically test proposed hypotheses using data collected from executive-level managers of various firms and perform semi-structured interviews of six case sites as post hoc analysis. The results suggest that institutional pressures positively affect top managers’ perceptions of job security, breach risk, financial risk, transaction cost, and regulatory oversight. In turn, these perceptions influence their commitment to cyberinsurance. We find that values and perceptions of personal relevance have a significant impact on their strategic decisions. The findings emphasize the critical role that top management plays in mediating the influence of institutional pressures on cybersecurity strategy. Implications for research and practice, along with limitations and future directions, are discussed.

Introduction

Cybersecurity breaches often result in the compromise of customer data that are ultimately very costly for organizations. Costs include notifying the individuals who are impacted by the security breach as well as legal fees, fines, and recovering from the breach [1]. For example, the security breach at Target in 2013 costs the company an estimated US$293 million, with over US$18 million in legal settlements [2]. Because of these high-profile breaches and the resulting costs, organizational board members and senior management have begun to pay more attention to them [3,4]. Thus, organizations are not only using traditional security risk management strategies (risk mitigation, risk acceptance, and risk avoidance), but also focusing on risk transfer strategies that can offer an even stronger overall cybersecurity solution [1]. The traditional approaches focus largely on deterrence, prevention, detection, and response [2,3] and have informed our understanding of managing security risk. However, these approaches do not help organizations address breach-related losses and residual security risks after a breach has occurred [4].

Risk transfer is a risk management approach that does address these types of losses. Research has shown that risk transfer through cyberinsurance provides a more comprehensive solution for cybersecurity [1,5]. Cyberinsurance protects organizations from risks incurred through internet and information systems (IS) usage [6,7] by mitigating the financial impact of a cybersecurity breach. Cyberinsurance allows the companies to transfer security risks to the cyberinsurance provider [5]. In fact, many government standards and regulatory agencies now require the use of cyberinsurance. For example, the Securities and Exchange Commission (SEC) requires publicly traded firms to disclose the type of insurance used in their cybersecurity plans [14]. As such, the purchase of such insurance is a decision made by an organization; thus choosing to use cyberinsurance is a strategic decision [15].

Although there is ample literature on IS-related strategic decisions [e.g., [8], [9], [10], [11], [12]], IS strategy within the cybersecurity context is a relatively underdeveloped topic. A close examination of the strategic choice and decision-making literature in IS indicates that there are few studies that have specifically examined the cybersecurity strategic decision (see Appendix A). Studies have examined information technology (IT)/IS management and IT strategic management [12,13]. However, we found only one study that specifically examines IS strategy within the context of cybersecurity, Angst et al. [14].

Researchers have explored theories that explain organizations’ strategic choices or decisions. Among them is an institutional theory [15], which posits that external institutional pressures influence organizational decisions. In the IS field, several researchers have examined the role of institutional pressures on an organization's decision to adopt or assimilate technological innovations [16,17]. In addition, top echelons theory [18], which suggests that organizational outcomes are reflections of the values and perceptions of the organization's top executives, has been used in IS to examine strategic innovations and security investments in healthcare [10,14].

There has been little research, however, that uses the lens of both institutional theory and upper echelons theory (UET) to focus specifically on cybersecurity strategy. Fewer still are studies that unpack the top manager's values and perceptions of personal relevance with respect to the strategic decisions surrounding cybersecurity. This research gap should be addressed because a more detailed understanding of how institutional pressures and top manager's values and perceptions affect cybersecurity as an organizational strategy could be very useful for practice and could provide theoretical implications as well. Drawing from UET, institutional theory, and the cybersecurity literature, we propose a conceptual model to better understand how organizations commit to cybersecurity strategies in response to institutional pressures, values, and perceptions. Extending the findings from Liang et al. [16] who suggest that institutional pressures are mediated by top manager perceptions¹ in their effect on strategic enterprise resource planning (ERP) assimilation, we argue that institutional pressures influence cybersecurity strategic decisions. Due to the forces surrounding the cybersecurity landscape, not only are organizational decisions subject to the normative, mimetic, and coercive pressures exerted by other organizations, institutions, partners, and vendors, but the decisions are also subject to the top managers’ values and perceptions. These assertions are supported by the top echelons theory that argues that external and internal stimuli are mediated by the top manager's perceptions [18].

While one can assume that institutional pressures and managerial perceptions may influence commitment to using cyberinsurance as a risk management strategy, there are currently few studies that have theoretically and empirically integrated these perspectives within the cybersecurity context. As such, more theory-based IS strategic studies in cybersecurity are important and timely in the currently fast-evolving cybersecurity landscape, especially since cybersecurity has moved to the top of the management agenda as a strategic issue [19,20] and occupies top managers’ attention [21,22].

This research makes several contributions. First, by incorporating UET and institutional theory to study cybersecurity risk management strategy, this study complements prior integrative framework approaches to understanding top manager perspectives [e.g., 16]. Also, because this study bridges several perspectives in institutional theory [15], top echelons theory [18], and cybersecurity literature [22], we believe that it provides comprehensive insight and evidence of the top management decision-making towards a cybersecurity strategy. Second, and more importantly, by examining the values and perceptions that have personal relevance (e.g., job security and breach risk severity) to top managers, this study highlights how these factors could be leveraged to change and influence their commitment to a cybersecurity strategy. To our knowledge, no other study has employed UET and institutional theory to examine cybersecurity strategy and especially focused on individual risk factors that may affect organizational decisions. Thus, this study presents a novel inquiry into the use of UET in IS strategy.