IDEAS home Printed from https://ideas.repec.org/a/eee/ijoais/v51y2023ics1467089523000349.html
   My bibliography  Save this article

A pathway model to five lines of accountability in cybersecurity governance

Author

Listed:
  • Slapničar, Sergeja
  • Axelsen, Micheal
  • Bongiovanni, Ivano
  • Stockdale, David

Abstract

In an in-depth field study, we investigate cyber security governance configurations vis-à-vis the five lines of accountability (5 LoA) – that is, the Three Lines Model extended by the accountability of executive management and the board of directors (IIA, 2020). The aim is to explore the configurations adopted by organizations in governing cybersecurity, and why it would matter for cyber security whether the five lines of accountability are adopted. We define the type of the 5 LoA adoption by: (i) the segregation of the lines that spans from blended to segregated and (ii) the level of engagement of those in line roles that ranges from low to high. In this way, we identify four types of adoption of the 5 LoA: ‘no adoption, ‘ostensible’, ‘implicit’, and ‘explicit’ adoption. We theorize how the type of adoption of the 5 LoA is affected by the interplay of institutional forces and organizations’ need for efficiency and effectiveness, and develop a pathway model for organizations’ adoption of the 5 LoA. We find that organizations that adopt the 5 LoA with clear segregation between these lines (‘ostensible’ and ‘explicit’ adoption) are those subject to prudential regulation (coercive forces), whereas efficiency motives and mimetic forces drive organizations to seek fluidity and flexibility by ‘blending’ the segregated lines (‘implicit’ adoption) to ensure fast reactions to changing environment. Regardless of the segregation between lines and whether they are blended or not, we found that all organizations see scope to improve the level of engagement in the 5 LoA to improve the effectiveness of cyber security governance.

Suggested Citation

  • Slapničar, Sergeja & Axelsen, Micheal & Bongiovanni, Ivano & Stockdale, David, 2023. "A pathway model to five lines of accountability in cybersecurity governance," International Journal of Accounting Information Systems, Elsevier, vol. 51(C).
    • Handle: RePEc:eee:ijoais:v:51:y:2023:i:c:s1467089523000349
    DOI: 10.1016/j.accinf.2023.100642
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1467089523000349
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.accinf.2023.100642?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Azza E Ahmed & Jacob Heldenbrand & Yan Asmann & Faisal M Fadlelmola & Daniel S Katz & Katherine Kendig & Matthew C Kendzior & Tiffany Li & Yingxue Ren & Elliott Rodriguez & Matthew R Weber & Justin M , 2019. "Managing genomic variant calling workflows with Swift/T," PLOS ONE, Public Library of Science, vol. 14(7), pages 1-20, July.
    2. Wendy Mason Burdon & Mohamed Karim Sorour, 2020. "Institutional Theory and Evolution of ‘A Legitimate’ Compliance Culture: The Case of the UK Financial Service Sector," Journal of Business Ethics, Springer, vol. 162(1), pages 47-80, February.
    3. Lin, Jiabao & Luo, Zhimei & Luo, Xin, 2020. "Understanding the roles of institutional pressures and organizational innovativeness in contextualized transformation toward e-business: Evidence from agricultural firms," International Journal of Information Management, Elsevier, vol. 51(C).
    4. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    5. Soomro, Zahoor Ahmed & Shah, Mahmood Hussain & Ahmed, Javed, 2016. "Information security management needs more holistic approach: A literature review," International Journal of Information Management, Elsevier, vol. 36(2), pages 215-225.
    6. Steven Tadelis & Oliver E.Williamson, 2012. "Transaction Cost Economics [The Handbook of Organizational Economics]," Introductory Chapters,, Princeton University Press.
    7. V. Sambamurthy & Robert W. Zmud, 2000. "Research Commentary: The Organizing Logic for an Enterprise's IT Activities in the Digital Era—A Prognosis of Practice and a Call for Research," Information Systems Research, INFORMS, vol. 11(2), pages 105-114, June.
    8. Aghion, Philippe & Tirole, Jean, 1997. "Formal and Real Authority in Organizations," Journal of Political Economy, University of Chicago Press, vol. 105(1), pages 1-29, February.
    9. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2018. "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, Elsevier, vol. 71(C), pages 15-29.
    10. repec:eme:maj000:maj-07-2017-1595 is not listed on IDEAS
    11. repec:eme:maj000:maj-02-2018-1804 is not listed on IDEAS
    12. Md. Shariful Islam & Nusrat Farah & Thomas F. Stafford, 2018. "Factors associated with security/cybersecurity audit by internal audit function," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 377-409, April.
    13. Oliver E. Williamson, 2009. "Transaction Cost Economics: The Precursors," Chapters, in: Claude Ménard & Michel Ghertman (ed.), Regulation, Deregulation, Reregulation, chapter 1, Edward Elgar Publishing.
    14. repec:ner:ucllon:http://discovery.ucl.ac.uk/17678/ is not listed on IDEAS
    15. Rajagopal, 2019. "Managing Brands in Competitive Marketplaces," Springer Books, in: Competitive Branding Strategies, chapter 0, pages 3-37, Springer.
    16. Williamson, Oliver E., 2007. "Transaction Cost Economics: An Introduction," Economics Discussion Papers 2007-3, Kiel Institute for the World Economy (IfW Kiel).
    17. Sezer Bozkus Kahyaoglu & Kiymet Caliyurt, 2018. "Cyber security assurance process from the internal audit perspective," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 360-376, May.
    18. Power, Michael, 2009. "The risk management of nothing," Accounting, Organizations and Society, Elsevier, vol. 34(6-7), pages 849-855, August.
    19. Thomas Stafford & George Deitz & Yaojie Li, 2018. "The role of internal audit and user training in information security policy compliance," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 410-424, March.
    20. Smith, Thomas & Tadesse, Amanuel F. & Vincent, Nishani Edirisinghe, 2021. "The impact of CIO characteristics on data breaches," International Journal of Accounting Information Systems, Elsevier, vol. 43(C).
    21. Oliver E. Williamson, 2025. "Transaction Cost Economics," Springer Books, in: Claude Ménard & Mary M. Shirley (ed.), Handbook of New Institutional Economics, edition 0, chapter 4, pages 47-71, Springer.
    22. repec:eme:maj000:maj-07-2017-1596 is not listed on IDEAS
    23. Gordon, Lawrence A. & Loeb, Martin P. & Tseng, Chih-Yang, 2009. "Enterprise risk management and firm performance: A contingency perspective," Journal of Accounting and Public Policy, Elsevier, vol. 28(4), pages 301-327, July.
    24. Lee, In, 2021. "Cybersecurity: Risk management framework and investment cost analysis," Business Horizons, Elsevier, vol. 64(5), pages 659-671.
    25. Jacob Haislip & Jee-Hae Lim & Robert Pinsker, 2021. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches," Information Systems Research, INFORMS, vol. 32(2), pages 318-334, June.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    2. Blome, Constantin & Schoenherr, Tobias, 2011. "Supply chain risk management in financial crises--A multiple case-study approach," International Journal of Production Economics, Elsevier, vol. 134(1), pages 43-57, November.
    3. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).
    4. Matolcsy, Zoltan & Wakefield, James, 2017. "Multinational headquarter control of wholly owned foreign subsidiaries," The British Accounting Review, Elsevier, vol. 49(3), pages 275-293.
    5. Allam YOUSUF & Janos Felfoldi, 2017. "The Relationship Between Transaction Costs And Flexibility In Outsourcing: A Conceptual Framework," Annals of Faculty of Economics, University of Oradea, Faculty of Economics, vol. 1(1), pages 883-891, July.
    6. Setene, Letlama, 2020. "Coordination strategies in the South African egg value chain: A review of chain performance and fragility," Research Theses 334761, Collaborative Masters Program in Agricultural and Applied Economics.
    7. Arnold, Vicky & Benford, Tanya & Canada, Joseph & Sutton, Steve G., 2015. "Leveraging integrated information systems to enhance strategic flexibility and performance: The enabling role of enterprise risk management," International Journal of Accounting Information Systems, Elsevier, vol. 19(C), pages 1-16.
    8. Doris Morales & Ahmad H. Juma´h & Antonio Llorens-Rivera & Félix Cue & Ángel Ruiz, 2012. "Tendencias del traslado de actividades en las manufactureras en Puerto Rico y el título de propiedad sobre la planta física, 2005-2011," Economic Analysis Working Papers (2002-2010). Atlantic Review of Economics (2011-2016), Colexio de Economistas de A Coruña, Spain and Fundación Una Galicia Moderna, vol. 2, pages 1-1, December.
    9. Yuepeng Zhou & Xiaoping Shi & Dengyan Ji & Xianlei Ma & Satish Chand, 2019. "Property rights integrity, tenure security and forestland rental market participation: Evidence from Jiangxi Province, China," Natural Resources Forum, Blackwell Publishing, vol. 43(2), pages 95-110, May.
    10. Ding, Yanyan & Jian, Sisi, 2022. "Strategic collaboration between land owners and charging station operators: Lease or outsource?," Transportation Research Part B: Methodological, Elsevier, vol. 166(C), pages 183-211.
    11. Schmid, Andreas, 2007. "Incentive Compatibility and Efficiency in the contractual Insurer-Provider Relationship: Economic Theory and practical Implications: The Case of North Carolina," MPRA Paper 23311, University Library of Munich, Germany, revised 2008.
    12. Paskalev, Zdravko & Yildirim, Huseyin, 2017. "A theory of outsourced fundraising: Why dollars turn into “Pennies for Charity”," Journal of Economic Behavior & Organization, Elsevier, vol. 137(C), pages 1-18.
    13. Schneider, Christian O. & Bremen, Philipp & Schönsleben, Paul & Alard, Robert, 2013. "Transaction cost economics in global sourcing: Assessing regional differences and implications for performance," International Journal of Production Economics, Elsevier, vol. 141(1), pages 243-254.
    14. Nicholas Bloom & Luis Garicano & Raffaella Sadun & John Van Reenen, 2014. "The Distinct Effects of Information Technology and Communication Technology on Firm Organization," Management Science, INFORMS, vol. 60(12), pages 2859-2885, December.
    15. David E. Cantor & Tingting Yan & Mark Pagell & Wendy L. Tate, 2022. "From the editors: Introduction to the emerging discourse incubator on the topic of leveraging multiple types of resources within the supply network for competitive advantage," Journal of Supply Chain Management, Institute for Supply Management, vol. 58(2), pages 3-7, April.
    16. Yi-Ju Lo & Tung Hung, 2015. "Structure offshoring and returns on offshoring," Asia Pacific Journal of Management, Springer, vol. 32(2), pages 443-479, June.
    17. Stephan Gundel & Achim Hecker, 2006. "Funding and operation of stadiums and arenas beside high-class leagues," Working Papers 0604, International Association of Sports Economists;North American Association of Sports Economists.
    18. T. Gries & R. Grundmann & I. Palnau & M. Redlin, 2017. "Innovations, growth and participation in advanced economies - a review of major concepts and findings," International Economics and Economic Policy, Springer, vol. 14(2), pages 293-351, April.
    19. Jackie Krafft, 2006. "Business history and the organization of industry," Post-Print hal-00211780, HAL.
    20. Lydia Bals & Jon F. Kirchoff & Kai Foerstl, 2016. "Exploring the reshoring and insourcing decision making process: toward an agenda for future research," Operations Management Research, Springer, vol. 9(3), pages 102-116, December.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijoais:v:51:y:2023:i:c:s1467089523000349. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-accounting-information-systems/ .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.