Centralized IT decision-making at universities has lessons for other sectors
Can centralized IT decision-making protect an organization from cybersecurity breaches?
In a recent study, researchers from the University of Maryland’s Robert H. Smith School of Business examined how an important information technology governance mechanism – the degree of centralized decision-making – affects the likelihood of a cyber break-in. They scrutinized 504 higher education institutions over a four-year period and found that universities with a centralized IT governance model had fewer breaches.
Of course, the effect doesn’t play out in exactly the same way everywhere.
Universities with an assortment of IT platforms and applications, and a variety of technology vendors, appeared to benefit more from centralized IT authority, according to the research from Maryland Smith professors Peng Huang and Henry Lucas, and Maryland Smith PhD graduate Che-Wei Liu, now at Indiana University.
The researchers argued that in the presence of more complex, diverse information systems, specialization and economies of scale played a more critical role in the defense against cybersecurity intrusions. Individual business units were less likely to afford a specialized cybersecurity expert, whereas a centralized IT office was more likely to acquire such specialized skills, because it could use resources more efficiently and avoid duplication of effort.
The researchers also found that public universities and ones with more intensive research activities benefitted the most from centralized IT governance. The research has been accepted for publication in the Journal of Management Information Systems.
The findings are important as information security becomes a more pressing issue across the public and private sectors. Major cybersecurity breaches have caused massive disruptions across business operations, along with giant financial losses and other damages, says Huang, associate professor of decisions, information and operations technology. The 2013 Target data breach, for example, affected 70 million customers, cost $67 million in settlement payouts, and resulted in the exit of the company’s CIO and later its CEO.
Larger universities have lots of sensitive data, such as student financial information and social security numbers. That makes those schools highly valued targets for cyber intruders, the researchers explain. Larger universities that are also research and development (R&D) hubs are an even more attractive target, because of the intellectual property that can be stolen and misappropriated.
The centralized IT structure facilitates information-sharing across subunits, and that allows one subunit to benefit from the lessons learned by another, Huang says. “For example, once areas of security vulnerability are identified, a central IT governing body can quickly send out alerts and deploy countermeasures throughout the organization.”
Huang and his co-authors focused their empirical research on higher education because the industry sees a significant fraction of all cyber attacks. In fact, 16.8% of data breaches from 2005-2015 targeted higher ed. Only the healthcare industry saw more breaches, at 26.9% of the total number of breaches.
Higher education institutions also varied in size and ownership structure (public and private), and had diverging priorities on IT efficiency and flexibility, which allowed for the comparison among subgroups and the evaluation of the generalizability of the findings. The team’s findings, Huang says, offer insights across sectors and industries well beyond higher ed.
Read more: “Centralized IT Decision Making and Cybersecurity Breaches: Evidence from U.S. Higher Education Institutions” will be published in a forthcoming issue of the Journal of Management Information Systems.