Antecedents of Optimal Information Security Investment: IT Governance Mechanism and Organizational Digital Maturity

  • Samuel Okae
  • Francis Kofi Andoh-BaidooEmail author
  • Emmanuel Ayaburi
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 558)


Information security risk is of concern to both researchers and practitioners. In this study, we investigate the antecedents of optimal information security investment from organizational perspective using the concept of information technology governance. Specifically, we examine how board attributes including IT savviness, board duality, experience, and functional debate along with an organizational attribute, digital maturity, influence optimal information security investments. Data was collected from board members in organization to test the research model. Our results offer both theoretical and practical implications.


Digital-maturity Board Dysfunctional Duality IT-savviness Optimal security investment 


  1. Allen, J.H.: Governing for Enterprise Security (GES), Implementation Guide: Characteristics of Effective Security Governance1, pp. 5–7. Carnegie Mellon University, USA (2005)Google Scholar
  2. Andriole, S.J.: Boards of Directors and Technology Governance: The Surprising State of the Practice Boards of Directors and Technology Governance: The Surprising State of the Practice I. Boards and Technology Governance. Fortune 24(March), 373–394 (2009)Google Scholar
  3. Brisebois, R., Boyd, G., Shadid, Z.: What is IT Governance and why is it important for the IS auditor. INTOSAI IT J. 25, 30–35 (2007)Google Scholar
  4. Chang, S.E., Ho, C.B.: Organizational factors to the effectiveness of implementing information security management. Ind. Manag. Data Syst. 106, 345–361 (2006)CrossRefGoogle Scholar
  5. Chin, W.W., Newsted, P.R.: Structural equation modeling analysis with small samples using partial least squares. Stat. Strat. Small Sample Res. 1(1), 307–341 (1999)Google Scholar
  6. Dangolani, S.K.: The impact of information technology in banking system (A case study in Bank Keshavarzi IRAN). Procedia-Soc. Behav. Sci. 30, 13–16 (2011)CrossRefGoogle Scholar
  7. FFIEC: FFIEC Updates Cybersecurity Expectations for Boards (2017). Accessed 25 Dec 2017
  8. Forbes, D.P., Milliken, F.J.: Cognition and corporate governance: understanding boards of directors as strategic decision-making groups. Acad. Manag. Rev. 24(3), 489–505 (1999)CrossRefGoogle Scholar
  9. Fornell, C., Larcker, D.F.: Structural equation models with unobservable variables and measurement error: algebra and statistics. J. Mark. Res. 18, 382–388 (1981)CrossRefGoogle Scholar
  10. Gabrielsson, J., Huse, M., Minichilli, A.: Understanding the leadership role of the board chairperson through a team production approach. Int. J. Leadersh. Stud. 3(1), 21–39 (2007)Google Scholar
  11. Gartner: Magic Quadrant for Content-Aware Data Loss Prevention. G00277564, January 2016Google Scholar
  12. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)CrossRefGoogle Scholar
  13. Hair Jr., J.F., Sarstedt, M., Hopkins, L., Kuppelwieser, V.G.: Partial least squares structural equation modeling (PLS-SEM) an emerging tool in business research. Eur. Bus. Rev. 26(2), 106–121 (2014)Google Scholar
  14. Harrison, D.A., Mykytyn Jr., P.P., Riemenschneider, C.K.: Executive decisions about adoption of information technology in small business: theory and empirical tests. Inf. Syst. Res. 8(2), 171 (1997)CrossRefGoogle Scholar
  15. Heenetigala, K.: Corporate Governance Practices and Firm Performance of Listed Companies in Sri Lanka. Corporate Governance, April (2011)Google Scholar
  16. Hermalin, B.E., Weisbach, M.S.: The determinants of board composition. RAND J. Econ. 19(4), 589–606 (1988)CrossRefGoogle Scholar
  17. Huang, C.D., Hu, Q., Behara, R.S.: Economics of Information Security Investment in the Case of Simultaneous Attacks Economics of Information Security Investment in the Case of Simultaneous Attacks. Information Security (Weis 2006) (2006)Google Scholar
  18. Jewer, J., McKay, K.N.: Antecedents and consequences of board IT governance: Institutional and strategic choice perspectives. J. Assoc. Inf. Syst. 13(7), 581 (2012)Google Scholar
  19. Johnson, A.M.: Business and security executives views of information security investment drivers: results from a Delphi study. J. Inf. Priv. Secur. 5(1), 3–27 (2009)Google Scholar
  20. Kane, G.C., Palmer, D., Nguyen-Phillips, A., Kiron, D., Buckley, N.: Achieving digital maturity. MIT Sloan Manag. Rev. 59(1), 1–31 (2017)Google Scholar
  21. Kane, G.C., Palmer, D., Phillips, A.N., Kiron, D.: Is your business ready for a digital future? MIT Sloan Manag. Rev. 56(4), 37–44 (2015)Google Scholar
  22. Kozak, S.: The role of information technology in the profit and cost efficiency improvements in the banking sector. J. Acad. Bus. Econ. 2(1), 34–38 (2005)Google Scholar
  23. Massey, G.R., Dawes, P.L.: The antecedents and consequence of functional and dysfunctional conflict between marketing managers and sales managers. Ind. Mark. Manag. 36(8), 1118–1129 (2007)CrossRefGoogle Scholar
  24. Mohammed, A.A.: Ghanaian Banks Systems at Risk of Cybercrime—Cyber Security Expert (2017)Google Scholar
  25. Morgan, S.: 2017 Cyber Ventures Cybercrime Report. Cybersecurity Ventures, 14 (2017)Google Scholar
  26. Nolan, R., McFarlan, F.: Information technology and the board of directors. Harvard Bus. Rev. 83(10), 96 (2005)Google Scholar
  27. Organisation for Economic Co-operation and Development: OECD principles of corporate governance [Internet document] (Organisation for Economic Cooperation and Development) (2004).
  28. Pereira, R., da Silva, M.M.: IT governance implementation: The determinant factors. Commun. IBIMA 2012, 1 (2012)CrossRefGoogle Scholar
  29. Ponemon Institute: Cost of Data Breach. Ponemon Institute, pp. 1–30, May 2015Google Scholar
  30. Soomro, Z.A., Shah, M.H., Ahmed, J.: Information security management needs more holistic approach: a literature review. Int. J. Inf. Manag. 36(2), 215–225 (2016)CrossRefGoogle Scholar
  31. Straub, D.W., Welke, R.J.: Coping with systems risk. MIS Q. 22(404), 441–469 (1998)CrossRefGoogle Scholar
  32. Tatsumi, K., Goto, M.: Optimal timing of information security investment: a real options approach. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 211–228. Springer, Boston, MA (2010). Scholar
  33. Thornton, G.: Locking down the value of data Contents: Executive summary (2017)Google Scholar
  34. Valentine, E., Stewart, G.: Enterprise business technology governance: three competencies to build board digital leadership capability. In: 2015 48th Hawaii International Conference on System Sciences, pp. 4513–4522. IEEE, January 2015Google Scholar
  35. Wang, G., DeGhetto, K., Ellen, B.P., Lamont, B.T.: Board antecedents of CEO duality and the moderating role of country‐level managerial discretion: a meta‐analytic investigation. J. Manag. Stud. 56(1), 172–202 (2019)CrossRefGoogle Scholar
  36. Weill, P.: Don’t just lead, govern: how top-performing firms govern IT. MIS Q. Exec. 3(1), 1–17 (2004)Google Scholar
  37. Westphal, J.D., Milton, L.P.: How experience and network ties affect the influence of demographic minorities on corporate boards. Adm. Sci. Q. 45(2), 366–398 (2000)CrossRefGoogle Scholar
  38. Wilkin, C.L., Chenhall, R.H.: A review of IT governance: a taxonomy to inform accounting information systems. J. Inf. Syst. 24(2), 107–146 (2010)CrossRefGoogle Scholar
  39. Zahra, S.A., Pearce, J.A.: Boards of directors and corporate financial performance: a review and integrative model. J. Manag. 15(2), 291–334 (1989)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Samuel Okae
    • 1
  • Francis Kofi Andoh-Baidoo
    • 2
    Email author
  • Emmanuel Ayaburi
    • 2
  1. 1.Nobel International Business SchoolAccraGhana
  2. 2.University of Texas Rio Grande ValleyEdinburgUSA

Personalised recommendations