IDEAS home Printed from https://ideas.repec.org/a/eee/ijoais/v51y2023ics1467089523000349.html
   My bibliography  Save this article

A pathway model to five lines of accountability in cybersecurity governance

Author

Listed:
  • Slapničar, Sergeja
  • Axelsen, Micheal
  • Bongiovanni, Ivano
  • Stockdale, David

Abstract

In an in-depth field study, we investigate cyber security governance configurations vis-à-vis the five lines of accountability (5 LoA) – that is, the Three Lines Model extended by the accountability of executive management and the board of directors (IIA, 2020). The aim is to explore the configurations adopted by organizations in governing cybersecurity, and why it would matter for cyber security whether the five lines of accountability are adopted. We define the type of the 5 LoA adoption by: (i) the segregation of the lines that spans from blended to segregated and (ii) the level of engagement of those in line roles that ranges from low to high. In this way, we identify four types of adoption of the 5 LoA: ‘no adoption, ‘ostensible’, ‘implicit’, and ‘explicit’ adoption. We theorize how the type of adoption of the 5 LoA is affected by the interplay of institutional forces and organizations’ need for efficiency and effectiveness, and develop a pathway model for organizations’ adoption of the 5 LoA. We find that organizations that adopt the 5 LoA with clear segregation between these lines (‘ostensible’ and ‘explicit’ adoption) are those subject to prudential regulation (coercive forces), whereas efficiency motives and mimetic forces drive organizations to seek fluidity and flexibility by ‘blending’ the segregated lines (‘implicit’ adoption) to ensure fast reactions to changing environment. Regardless of the segregation between lines and whether they are blended or not, we found that all organizations see scope to improve the level of engagement in the 5 LoA to improve the effectiveness of cyber security governance.

Suggested Citation

  • Slapničar, Sergeja & Axelsen, Micheal & Bongiovanni, Ivano & Stockdale, David, 2023. "A pathway model to five lines of accountability in cybersecurity governance," International Journal of Accounting Information Systems, Elsevier, vol. 51(C).
    • Handle: RePEc:eee:ijoais:v:51:y:2023:i:c:s1467089523000349
    DOI: 10.1016/j.accinf.2023.100642
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1467089523000349
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.accinf.2023.100642?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. repec:eme:maj000:maj-07-2017-1595 is not listed on IDEAS
    2. Rajagopal, 2019. "Managing Brands in Competitive Marketplaces," Springer Books, in: Competitive Branding Strategies, chapter 0, pages 3-37, Springer.
    3. Aghion, Philippe & Tirole, Jean, 1997. "Formal and Real Authority in Organizations," Journal of Political Economy, University of Chicago Press, vol. 105(1), pages 1-29, February.
    4. Williamson, Oliver E., 2007. "Transaction Cost Economics: An Introduction," Economics Discussion Papers 2007-3, Kiel Institute for the World Economy (IfW Kiel).
    5. Gordon, Lawrence A. & Loeb, Martin P. & Tseng, Chih-Yang, 2009. "Enterprise risk management and firm performance: A contingency perspective," Journal of Accounting and Public Policy, Elsevier, vol. 28(4), pages 301-327, July.
    6. Oliver E. Williamson, 2009. "Transaction Cost Economics: The Precursors," Chapters, in: Claude Ménard & Michel Ghertman (ed.), Regulation, Deregulation, Reregulation, chapter 1, Edward Elgar Publishing.
    7. Lee, In, 2021. "Cybersecurity: Risk management framework and investment cost analysis," Business Horizons, Elsevier, vol. 64(5), pages 659-671.
    8. repec:eme:maj000:maj-02-2018-1804 is not listed on IDEAS
    9. Md. Shariful Islam & Nusrat Farah & Thomas F. Stafford, 2018. "Factors associated with security/cybersecurity audit by internal audit function," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 377-409, April.
    10. Steven Tadelis & Oliver E.Williamson, 2012. "Transaction Cost Economics [The Handbook of Organizational Economics]," Introductory Chapters,, Princeton University Press.
    11. Sezer Bozkus Kahyaoglu & Kiymet Caliyurt, 2018. "Cyber security assurance process from the internal audit perspective," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 360-376, May.
    12. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    13. Power, Michael, 2009. "The risk management of nothing," Accounting, Organizations and Society, Elsevier, vol. 34(6-7), pages 849-855, August.
    14. Soomro, Zahoor Ahmed & Shah, Mahmood Hussain & Ahmed, Javed, 2016. "Information security management needs more holistic approach: A literature review," International Journal of Information Management, Elsevier, vol. 36(2), pages 215-225.
    15. Thomas Stafford & George Deitz & Yaojie Li, 2018. "The role of internal audit and user training in information security policy compliance," Managerial Auditing Journal, Emerald Group Publishing Limited, vol. 33(4), pages 410-424, March.
    16. Jacob Haislip & Jee-Hae Lim & Robert Pinsker, 2021. "The Impact of Executives’ IT Expertise on Reported Data Security Breaches," Information Systems Research, INFORMS, vol. 32(2), pages 318-334, June.
    17. Azza E Ahmed & Jacob Heldenbrand & Yan Asmann & Faisal M Fadlelmola & Daniel S Katz & Katherine Kendig & Matthew C Kendzior & Tiffany Li & Yingxue Ren & Elliott Rodriguez & Matthew R Weber & Justin M , 2019. "Managing genomic variant calling workflows with Swift/T," PLOS ONE, Public Library of Science, vol. 14(7), pages 1-20, July.
    18. Smith, Thomas & Tadesse, Amanuel F. & Vincent, Nishani Edirisinghe, 2021. "The impact of CIO characteristics on data breaches," International Journal of Accounting Information Systems, Elsevier, vol. 43(C).
    19. repec:eme:maj000:maj-07-2017-1596 is not listed on IDEAS
    20. Wendy Mason Burdon & Mohamed Karim Sorour, 2020. "Institutional Theory and Evolution of ‘A Legitimate’ Compliance Culture: The Case of the UK Financial Service Sector," Journal of Business Ethics, Springer, vol. 162(1), pages 47-80, February.
    21. V. Sambamurthy & Robert W. Zmud, 2000. "Research Commentary: The Organizing Logic for an Enterprise's IT Activities in the Digital Era—A Prognosis of Practice and a Call for Research," Information Systems Research, INFORMS, vol. 11(2), pages 105-114, June.
    22. Steinbart, Paul John & Raschke, Robyn L. & Gal, Graham & Dilla, William N., 2018. "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, Elsevier, vol. 71(C), pages 15-29.
    23. Lin, Jiabao & Luo, Zhimei & Luo, Xin, 2020. "Understanding the roles of institutional pressures and organizational innovativeness in contextualized transformation toward e-business: Evidence from agricultural firms," International Journal of Information Management, Elsevier, vol. 51(C).
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Slapničar, Sergeja & Vuko, Tina & Čular, Marko & Drašček, Matej, 2022. "Effectiveness of cybersecurity audit," International Journal of Accounting Information Systems, Elsevier, vol. 44(C).
    2. Agbodoh-Falschau, Kouassi Raymond & Ravaonorohanta, Bako Harinivo, 2023. "Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives," Technology in Society, Elsevier, vol. 74(C).
    3. Arnold, Vicky & Benford, Tanya & Canada, Joseph & Sutton, Steve G., 2015. "Leveraging integrated information systems to enhance strategic flexibility and performance: The enabling role of enterprise risk management," International Journal of Accounting Information Systems, Elsevier, vol. 19(C), pages 1-16.
    4. Blome, Constantin & Schoenherr, Tobias, 2011. "Supply chain risk management in financial crises--A multiple case-study approach," International Journal of Production Economics, Elsevier, vol. 134(1), pages 43-57, November.
    5. Nicholas Bloom & Luis Garicano & Raffaella Sadun & John Van Reenen, 2014. "The Distinct Effects of Information Technology and Communication Technology on Firm Organization," Management Science, INFORMS, vol. 60(12), pages 2859-2885, December.
    6. Elisabetta Mafrolla & Felice Matozza, 2014. "Risk management and firm size: a survey of Italian private companies," MANAGEMENT CONTROL, FrancoAngeli Editore, vol. 2014(3), pages 87-108.
    7. Ya-Fang Wang & Yu-Chu Hsieh, 2023. "Credit Rating and Board Evaluation of Family Firms," International Journal of Business and Economic Sciences Applied Research (IJBESAR), Democritus University of Thrace (DUTH), Kavala Campus, Greece, vol. 16(1), pages 7-18, October.
    8. Yuepeng Zhou & Xiaoping Shi & Dengyan Ji & Xianlei Ma & Satish Chand, 2019. "Property rights integrity, tenure security and forestland rental market participation: Evidence from Jiangxi Province, China," Natural Resources Forum, Blackwell Publishing, vol. 43(2), pages 95-110, May.
    9. Zhang, Yimei & Smith, Thomas, 2023. "The impact of customer firm data breaches on the audit fees of their suppliers," International Journal of Accounting Information Systems, Elsevier, vol. 50(C).
    10. Alexis Catanzaro & Christine Teyssier, 2021. "Export promotion programs, export capabilities, and risk management practices of internationalized SMEs," Small Business Economics, Springer, vol. 57(3), pages 1479-1503, October.
    11. Matolcsy, Zoltan & Wakefield, James, 2017. "Multinational headquarter control of wholly owned foreign subsidiaries," The British Accounting Review, Elsevier, vol. 49(3), pages 275-293.
    12. Allam YOUSUF & Janos Felfoldi, 2017. "The Relationship Between Transaction Costs And Flexibility In Outsourcing: A Conceptual Framework," Annals of Faculty of Economics, University of Oradea, Faculty of Economics, vol. 1(1), pages 883-891, July.
    13. Jacqueline Christensen & Pamela Kent & Tom Smith, 2016. "The decision to outsource risk management services," Accounting and Finance, Accounting and Finance Association of Australia and New Zealand, vol. 56(4), pages 985-1015, December.
    14. Vargas, Paola & Tien, Iris, 2023. "Impacts of 5G on cyber-physical risks for interdependent connected smart critical infrastructure systems," International Journal of Critical Infrastructure Protection, Elsevier, vol. 42(C).
    15. Christopher D. Ittner & Jeremy Michels, 2017. "Risk-based forecasting and planning and management earnings forecasts," Review of Accounting Studies, Springer, vol. 22(3), pages 1005-1047, September.
    16. Setene, Letlama, 2020. "Coordination strategies in the South African egg value chain: A review of chain performance and fragility," Research Theses 334761, Collaborative Masters Program in Agricultural and Applied Economics.
    17. Tahira Naseem & Faisal Shahzad & Ghazanfar Ali Asim & Ijaz Ur Rehman & Faisal Nawaz, 2020. "Corporate social responsibility engagement and firm performance in Asia Pacific: The role of enterprise risk management," Corporate Social Responsibility and Environmental Management, John Wiley & Sons, vol. 27(2), pages 501-513, March.
    18. Nawrocki, Tomasz Leszek & Jonek-Kowalska, Izabela, 2016. "Assessing operational risk in coal mining enterprises – Internal, industrial and international perspectives," Resources Policy, Elsevier, vol. 48(C), pages 50-67.
    19. Therese R. Viscelli & Mark S. Beasley & Dana R. Hermanson, 2016. "Research Insights About Risk Governance," SAGE Open, , vol. 6(4), pages 21582440166, November.
    20. Doris Morales & Ahmad H. Juma´h & Antonio Llorens-Rivera & Félix Cue & Ángel Ruiz, 2012. "Tendencias del traslado de actividades en las manufactureras en Puerto Rico y el título de propiedad sobre la planta física, 2005-2011," Economic Analysis Working Papers (2002-2010). Atlantic Review of Economics (2011-2016), Colexio de Economistas de A Coruña, Spain and Fundación Una Galicia Moderna, vol. 2, pages 1-1, December.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijoais:v:51:y:2023:i:c:s1467089523000349. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-accounting-information-systems/ .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.