How To Guard Against Cyber Attacks

Centralized IT decision-making at universities has lessons for other sectors

Jun 01, 2020
Technology
As Featured In 
Journal of Management Information Systems

Can centralized IT decision-making protect an organization from cybersecurity breaches?

In a recent study, researchers from the University of Maryland’s Robert H. Smith School of Business examined how an important information technology governance mechanism – the degree of centralized decision-making – affects the likelihood of a cyber break-in. They scrutinized 504 higher education institutions over a four-year period and found that universities with a centralized IT governance model had fewer breaches.

Of course, the effect doesn’t play out in exactly the same way everywhere.

Universities with an assortment of IT platforms and applications, and a variety of technology vendors, appeared to benefit more from centralized IT authority, according to the research from Maryland Smith professors Peng Huang and Henry Lucas, and Maryland Smith PhD graduate Che-Wei Liu, now at Indiana University.

The researchers argued that in the presence of more complex, diverse information systems, specialization and economies of scale played a more critical role in the defense against cybersecurity intrusions. Individual business units were less likely to afford a specialized cybersecurity expert, whereas a centralized IT office is more likely to acquire such specialized skills, because it can use resources more efficiently and avoid duplication of effort.

The researchers also found that public universities and ones with more intensive research activities benefitted the most from centralized IT governance. The research has been accepted for publication in the Journal of Management Information Systems.

The findings are important as information security becomes a more pressing issue across the public and private sectors. Major cybersecurity breaches have caused massive disruptions across business operations, along with giant financial losses and other damages, says Huang, associate professor of decisions, information and operations technology. The 2013 Target data breach, for example, affected 70 million customers, cost $67 million in settlement payouts, and resulted in the exit of the company’s CIO and later its CEO.

Larger universities have lots of sensitive data, such as student financial information and social security numbers. That makes those schools highly valued targets for cyber intruders, the researchers explain. Larger universities that are also research and development (R&D) hubs are an even more attractive target, because of the intellectual property that can be stolen and misappropriated.

The centralized IT structure facilitates information-sharing across subunits, and that allows one subunit to benefit from the lessons learned by another, Huang says. “For example, once areas of security vulnerability are identified, a central IT governing body can quickly send out alerts and deploy countermeasures throughout the organization.”

Huang and his co-authors focused their empirical research on higher education because the industry sees a significant fraction of all cyber attacks. In fact, 16.8% of data breaches from 2005-2015 targeted higher ed. Only the healthcare industry saw more breaches, at 26.9% of the total number of breaches.

Higher education institutions also varied in size and ownership structure (public and private), and had diverging priorities on IT efficiency and flexibility, which allowed for the comparison among subgroups and the evaluation of the generalizability of the findings. The team’s findings, Huang says, offers insights across sectors and industries well beyond higher ed.

Read more: “Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions” will be published in a forthcoming issue of the Journal of Management Information Systems.

About the Author(s)

Peng Huang

Peng Huang is an assistant professor in the Decisions, Operations and Information Technologies Department at the Robert H. Smith School of Business at the University of Maryland. His research interests include: 1) platform-based information technology and innovation ecosystem in the enterprise software industry; 2) how consumers search for information and make decisions in the context of electronic commerce, and its implication for public policy and firm strategy. His research has appeared or is forthcoming in premier scholarly journals such as Management Science, MIS Quarterly, and Journal of Marketing. His work received the Runner-Up Best Conference Paper Award at the 2009 International Conference on Information Systems.

Henry Lucas

Professor Henry Lucas' research interests include information technology-enabled transformations of organizations, markets, industries and our daily lives. He has conducted research on the impact of information technology on organizations, IT in organization design, electronic commerce, and the value of information technology. Lucas co-produced and co-wrote The Transformation Age: Surviving a Technology Revolution with Robert X. Cringely, a documentary co-developed by Maryland Public Television and the Smith School shown on public television stations around the U.S. He has authored a dozen books as well as monographs and more than 70 articles in professional periodicals on the impact of technology, information technology in organization design, the return on investments in technology, implementation of information technology, expert systems, decision-making for technology, and information technology and corporate strategy.

More in

Technology

A New Approach to Data-driven Modeling
Research offers new approach for data-driven predictive analytics models as an alternative or compliment to AI approaches.
Apr 30, 2020
A Mathematically Rigorous Way To Analyze Statistics from Simulations
New research from Maryland Smith’s Michael C. Fu offers a rigorous way to analyze statistics generated from simulation models.
Apr 30, 2020
In Healthcare, Marketing Should Focus on Patients
Big regulatory shifts and advancing technology in healthcare call for big shifts in healthcare marketing, where creating value for patients is paramount, say researchers at Maryland Smith’s Center for Health Information and Decision Systems.
Mar 03, 2020