Cybersecurity, Capital Allocations and Management Control Systems

The design and use of management control systems can play a key role in dealing with cybersecurity issues that have arisen in tandem with the emergence of the Internet. Efficient management control systems will reduce a firm's likelihood of suffering significant losses from cybersecurity breaches. Drawing on and extending the extant agency-based capital budgeting literature, this paper demonstrates the relevance of the study of management accounting controls to problems arising in the cybersecurity setting. The main finding is that firms can use an information security audit (which is an integral part of a management control system), along with adjustments to the compensation payments to the agent and the investment decision rules, to mitigate a Chief Information Security Officer's inherent empire-building preferences. The paper also identifies additional research areas where management accountants with expertise in management control systems can contribute to the academic literature and practice surrounding cybersecurity issues.
