Abstract
This study investigates whether the presence of a CIO in the top management team (TMT) is an important indicator of better management of information, especially when an organization is involved in an information security breach incident. Using Upper Echelons Theory, our study relates the status of the CIO in an organization to organizational performance in the case of information security breaches, measured using Tobin’s q. We argue that when an organization experiences an information security breach, an organization that has the CIO in the TMT can recover from any damages or losses caused by the incident more quickly than an organization that does not. We categorize security breach incidents using the confidentiality, integrity, and availability (CIA) triad (Solomon and Chapple 2005), and conclude that having the CIO in the TMT has a significant positive impact on firm performance in the aftermath of security breach incidents. However, the degree of impact on performance varies, depending on the type of security breach.
References
Acquisti, A. (2004). Privacy and security of personal information: Economic incentives and technological solutions. In J. Camp & R. Lewis (Eds.), The economics of information security (pp. 1-9). Boston: Kluwer.
Acquisti, A., Friedman, A., & Telang, R. (2006). Is there a cost to privacy breaches? An event study. Proceedings of the Twenty-Seventh International Conference on Information Systems, Milwaukee, Wisconsin.
Adams, W. (1972). New role for top management in computer applications. Financial Executive, 40(4), 54–56.
Alter, A. (2005). The changing role of the CIO. http://www.cioinsight.com/c/a/Research/The-Changing-Role-of-the-CIO/. Accessed 20 Nov 2009.
Altman, E. I. (1968). Financial ratios, discriminant analysis and the prediction of corporate bankruptcy. Journal of Finance, 23(4), 589–609.
Andoh-Baidoo, F. K., & Osei-Bryson, K. M. (2007). Exploring the characteristics of internet security breaches that impact the market value of breached firms. Expert Systems with Applications, 32(3), 703–725.
Armstrong, C., & Sambamurthy, V. (1996). Creating business value through information technology: The effects of Chief Information Officer and top management team characteristics. Proceedings of the Seventh International Conference on Information Systems, Cleveland, OH.
Armstrong, C., & Sambamurthy, V. (1999). Information technology assimilation in firms: the influence of senior leadership and IT infrastructures. Information Systems Research, 10(4), 304–327.
Banker, R., Hu, N., Pavlou, P. A., & Luftman, J. (2011). CIO reporting structure, strategic positioning, and firm performance. MIS Quarterly, 35(2), 487–504.
Barber, B., & Lyon, J. (1996). Detecting abnormal operating performance: the empirical power and specification of test statistics. Journal of Financial Economics, 41(3), 359–399.
Beck, T., Demirgüc-Kunt, A., & Maksimovic, V. (2005). Financial and legal constraints to growth: does firm size matter? The Journal of Finance, LX(1), 137–177.
Bharadwaj, A. S. (2000). A resource-based perspective on information technology capability and firm performance: an empirical investigation. MIS Quarterly, 24(1), 169–196.
Bharadwaj, A., Bharadwaj, S., & Konsynski, B. (1999). Information technology effects on firm performance as measured by Tobin’s q. Management Science, 45(7), 1008–1024.
Boyle, R., & Panko, R. (2013). Corporate computer security. Upper Saddle River: Pearson.
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448.
Carpenter, M. A. et al. (2004). Upper echelons research revisited: antecedents, elements, and consequences of top management team composition. Journal of Management, 30(6), 749–778.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104.
Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593.
Chatterjee, D. et al. (2001). Examining the shareholder wealth effects of announcements of newly created CIO positions. MIS Quarterly, 25(1), 43–70.
Chen, K. C., & Lee, J. (1995). Accounting measures of business performance and Tobin’s Q theory. Journal of Accounting, Auditing and Finance, 10(3), 587–609.
Chen, Y. C., & Wu, J. H. (2011). IT management capability and its impact on the performance of a CIO. Information & Management, 48(4), 145–156.
Chen, D. Q., Preston, D. S., & Xia, W. (2010). Antecedents and effects of CIO supply-side and demand-side leadership: a stage maturity model. Journal of Management Information Systems, 27(1), 231–271.
Chun, M., & Mooney, J. (2009). CIO roles and responsibilities: twenty-five years of evolution and change. Information & Management, 46(6), 323–334.
Chung, K., & Pruitt, S. (1994). A simple approximation of Tobin’s q. Financial Management, 23(3), 70–74.
Cleary, S. (1999). The relationship between firm investment and financial status. Journal of Finance, 54(2), 673–692.
Cohen, J., Cohen, P., West, S. G., & Aiken, L. S. (2002). Applied multiple regression/correlation analysis for the behavioral sciences. Routledge Academic.
Connolly, R., & Hirschey, M. (2005). Firm size and the effect of R & D on Tobin’s q. R and D Management, 35(2), 217–223.
Donovan, J. J. (1988). Beyond chief information officer to network manager. Harvard Business Review, 66(5), 1134–1140.
Earl, M., & Feeny, D. (1994). Is your CIO adding value? Sloan Management Review, 35(3), 11–20.
Enns, H. G., Huff, S. L., & Higgins, C. A. (2003). CIO lateral influence behaviors: gaining peers’ commitment to strategic information systems. MIS Quarterly, 27(1), 155–176.
Ezingeard, J. N., McFadzean, E., & Birchall, D. (2005). A model of information assurance benefits. Information Systems Management, 22, 20–29.
Feeny, D. F., Edwards, B. R., & Simpson, K. M. (1992). Understanding the CEO/CIO relationship. MIS Quarterly, 16(4), 435–448.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457.
Gottschalk, P. (1999). Strategic management of IS/IT functions: the role of the CIO in Norwegian Organisations. International Journal of Information Management, 19(5), 389–399.
Griliches, S. (1981). Market value, R&D, and patents. Economics Letters, 7(2), 183–187.
Grover, V., Jeong, S. R., Kettinger, W. J., & Lee, C. C. (1993). The chief information officer: a study of managerial roles. Journal of Management Information Systems, 10(2), 107–130.
Gupta, Y. (1991). The chief executive officer and the chief information officer: the strategic partnership. Journal of Information Technology, 6(3), 128–139.
Hambrick, D. C. (2007). Upper echelons theory: an update. Academy of Management Review, 32(2), 334–343.
Hambrick, D. C., & Mason, P. A. (1984). Upper echelons: the organization as a reflection of its top managers. Academy of Management Review, 9(2), 193–206.
Henningsson, S., & Carlsson, S. (2011). The DySIIM model for managing IS integration in mergers and acquisitions. Information Systems Journal. doi:10.1111/j.1365-2575.2011.00374.x.
Hitt, L. M., & Brynjolfsson, E. (1996). Productivity, business profitability, and consumer surplus: three different measures of information technology value. MIS Quarterly, 20(2), 121–142.
Hovav, A., & D’Arcy, J. (2003). The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review, 6(2), 97–121.
Hovav, A., & D’Arcy, J. (2004). The impact of virus attack announcements on the market value of firms. Information Systems Security, 13(3), 32–40.
Jarvenpaa, S., & Ives, B. (1991). Executive involvement and participation in the management of information technology. MIS Quarterly, 15(2), 205–227.
Johnson, A. M., & Lederer, A. L. (2006). The impact of communication between CEOs and CIOs on their shared views of the current and future role of IT. Information Systems Management, 24(1), 85–90.
Karahanna, E., & Preston, D. (2013). The effect of social capital of the relationship between the CIO and top management team on firm performance. Journal of Management Information Systems, 30(1), 15–55.
Karimi, J., Gupta, Y., & Somers, T. (1996). The congruence between a firm’s competitive strategy and information technology leader’s rank and role. Journal of Management Information Systems, 13(1), 63–88.
Kearns, G. S. (2006). The effect of top management support of SISP on strategic IS management: insights from the US electric power industry. Omega, 34, 236–253.
Kim, Y., Lacina, M., & Park, M. (2008). Positive and negative information transfers from management forecasts. Journal of Accounting Research, 46(4), 885–908.
Ko, M., Osei-Bryson, K., & Dorantes, C. (2009). Investigating the impact of publicly announced information security breaches on three performance indicators of the breached firms. Information Resources Management Journal, 22(2), 1–21.
Kutner, M., Nachtsheim, C., Neter, J., & Li, W. (2004). Applied linear regression models. Chicago: McGraw-Hill/Irwin.
Lang, L. H. P., & Stulz, R. M. (1994). Tobin’s q, corporate diversification, and firm performance. Journal of Political Economy, 102(6), 1248–1280.
Lewellen, J. (2004). Predicting returns with financial ratios. Journal of Financial Economics, 74(2), 209–235.
Li, M., & Ye, L. (1999). Information technology and firm performance: linking with environmental, strategic and managerial contexts. Information & Management, 35(1), 43–51.
Liang, H., et al. (2007). Assimilation of enterprise systems: the effect of institutional pressures and the mediating role of top management. MIS Quarterly, 31(1), 59–87.
Markoff, J. (2010). Survey of executives finds a growing fear of cyberattacks, The New York Times. http://www.nytimes.com/2010/01/29/science/29cyber.html. Accessed 5 Feb 2010.
Nicolaou, A. I. (2004). Firm performance effects in relation to the implementation and use of enterprise resource planning systems. Journal of Information Systems, 18(2), 79–105.
Perfect, S., & Wiles, K. (1994). Alternative constructions of Tobin’s q: an empirical comparison. Journal of Empirical Finance, 1(3–4), 313–341.
Ponemon (2010). 2010 Annual Study: U.S. Cost of a Data Breach. http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf. Accessed 20 Apr 2011.
Preston, D. S., & Karahanna, E. (2009). Antecedents of IS strategic alignment: a nomological network. Information Systems Research, 20(2), 159–179.
Raghunathan, C., & Jha, S. (2008). Do CIOs matter? Assessing the value of CIO presence in top management teams. Proceedings of the 29th International Conference on Information Systems.
Raghunathan, B., & Raghunathan, T. (1989). Relationship of the rank of information systems executive to the organizational role and planning dimensions of information systems. Journal of Management Information Systems, 6(1), 111–119.
Raghunathan, B., Raghunathan, T., & Tu, Q. (1998). An empirical analysis of the organizational commitment of information systems executives. Omega, 26(5), 569–580.
Sharma, R., & Yetton, P. (2003). The contingent effects of management support and task interdependence on successful information systems implementation. MIS Quarterly, 27(4), 533–556.
Simon, C., & Sullivan, M. (1993). The measurement and determinants of brand equity: a financial approach. Marketing Science, 12(1), 28–52.
Smaltz, D., Sambamurthy, V., & Agarwal, R. (2006). The antecedents of CIO role effectiveness in organizations: an empirical study in the healthcare sector. IEEE Transactions on Engineering Management, 53(2), 207–222.
Sobol, M. G., & Klein, G. (2009). Relation of CIO background, IT infrastructure, and economic performance. Information & Management, 46(5), 271–278.
Solomon, M. G., & Chapple, M. (2005). Information security illuminated. Sudbury: Jones and Bartlett Publisher.
Tobin, J. (1969). A general equilibrium approach to monetary theory. Journal of Money, Credit and Banking, 1(1), 15–29.
Villalonga, B. (2004). Intangible resources, Tobin’s q, and sustainability of performance differences. Journal of Economic Behavior & Organization, 54(2), 205–230.
Wernerfelt, B., & Montgomery, C. (1988). Tobin’s q and the importance of focus in firm performance. The American Economic Review, 78(1), 246–250.
Zafar, H., Ko, M., & Osei-Bryson, K. (2012). Financial impact of information security breaches on breached firms and their non-breached competitors. Information Resource Management Journal, 25(1), 21–37.
Cite this article
Zafar, H., Ko, M.S. & Osei-Bryson, KM. The value of the CIO in the top management team on performance in the case of information security breaches. Inf Syst Front 18, 1205–1215 (2016). https://doi.org/10.1007/s10796-015-9562-5
DOI: https://doi.org/10.1007/s10796-015-9562-5