A pathway model to five lines of accountability in cybersecurity governance

In an in-depth field study, we investigate cyber security governance configurations vis-à-vis the five lines of accountability (5 LoA) – that is, the Three Lines Model extended by the accountability of executive management and the board of directors (IIA, 2020). The aim is to explore the configurations adopted by organizations in governing cybersecurity, and why it would matter for cyber security whether the five lines of accountability are adopted. We define the type of the 5 LoA adoption by: (i) the segregation of the lines that spans from blended to segregated and (ii) the level of engagement of those in line roles that ranges from low to high. In this way, we identify four types of adoption of the 5 LoA: ‘no adoption, ‘ostensible’, ‘implicit’, and ‘explicit’ adoption. We theorize how the type of adoption of the 5 LoA is affected by the interplay of institutional forces and organizations’ need for efficiency and effectiveness, and develop a pathway model for organizations’ adoption of the 5 LoA. We find that organizations that adopt the 5 LoA with clear segregation between these lines (‘ostensible’ and ‘explicit’ adoption) are those subject to prudential regulation (coercive forces), whereas efficiency motives and mimetic forces drive organizations to seek fluidity and flexibility by ‘blending’ the segregated lines (‘implicit’ adoption) to ensure fast reactions to changing environment. Regardless of the segregation between lines and whether they are blended or not, we found that all organizations see scope to improve the level of engagement in the 5 LoA to improve the effectiveness of cyber security governance.