Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government

IF 8.7 | Zone 2 (Management) | Q1 Computer Science, Information Systems | Journal of Strategic Information Systems | Pub Date: 2022-03-01 | DOI: 10.1016/j.jsis.2022.101707
Min-Seok Pang, Hüseyin Tanriverdi
Journal of Strategic Information Systems, Volume 31, Issue 1, Article 101707. Full text: https://www.sciencedirect.com/science/article/pii/S0963868722000038
Citations: 7

Abstract

Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.

Source journal: Journal of Strategic Information Systems (Engineering & Technology: Computer Science, Information Systems)
CiteScore: 17.40
Self-citation rate: 4.30%
Articles published: 19
Review time: >12 weeks
About the journal: The Journal of Strategic Information Systems focuses on the strategic management, business and organizational issues associated with the introduction and utilization of information systems, and considers these issues in a global context. The emphasis is on the incorporation of IT into organizations' strategic thinking, strategy alignment, organizational arrangements and management of change issues.