IT Security Controls Quality and Firm Performance: A Strategic Liability Lens

The information systems literature and the public press have called for organizations to more closely scrutinize their information technology (IT) security controls; however, little more than anecdotal evidence exists on the business value of IT security investments beyond regulatory compliance. Drawing on the strategy and accounting literature, we (a) advance a strategic liability perspective on the question of information systems security value; and (b) use the unique setting provided by the enactment of the Sarbanes-Oxley Act of 2002 (SOX) to investigate the relationship between IT security controls quality and both accounting earnings (a contemporaneous measure of firm performance) and market value (a forward-looking measure of firm performance). Using a data set that provides audited annual assessments of the effectiveness of both IT and non-IT internal controls for a cross-section of companies, as mandated by SOX, we find that firms that report an IT internal control weakness (ICW) have lower accounting earnings and a lower earnings response coefficient than firms with strong IT internal controls. These results hold even after controlling for non-IT ICW and firm-specific potential determinants of ICW. The results are also robust to econometric corrections for potential simultaneity and self-selection bias using Heckman's two-stage procedure. Overall, our results provide empirical evidence suggesting that information systems security is a strategic necessity and that information systems risk is priced by the capital markets.
