IT Centralization Security Outsourcing and Cybersecurity Breach
Peng Huang
University of Maryland, [email protected]
Henry Lucas
U of Maryland, [email protected]
Liu, Che-Wei; Huang, Peng; and Lucas, Henry, "IT Centralization, Security Outsourcing, and Cybersecurity Breaches: Evidence from
the U.S. Higher Education" (2017). ICIS 2017 Proceedings. 1.
http://aisel.aisnet.org/icis2017/Security/Presentations/1
This material is brought to you by the International Conference on Information Systems (ICIS) at AIS Electronic Library (AISeL). It has been accepted
for inclusion in ICIS 2017 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact
[email protected].
IT Centralization, Security Outsourcing, and Cybersecurity Breaches
Henry C. Lucas
Robert H. Smith School of Business, University of Maryland, College Park
[email protected]
Abstract
Prior research on information security management often considers information security as an
operational decision instead of a strategic decision, and there is a lack of empirical research that uses
archival data to examine cybersecurity breaches. We study how two important strategic decisions with
regard to information systems – IT centralization, and the outsourcing of information security – affect
the likelihood of cybersecurity breaches by using a sample of 505 U.S. higher education institutions over
a 4-year period. We find that a university with centralized IT decision making is associated with fewer
cybersecurity breaches. Interestingly, the effect of centralized IT governance is contingent on the
complexity of a university’s computing environment – schools with sophisticated IT infrastructure benefit
more from centralized governance. In addition, we find that correcting for the self-selection bias,
universities that opt for outsourcing their information security have a lower likelihood of suffering from
a cybersecurity breach.
Keywords: information security, cybersecurity breach, IT centralization, IT complexity, outsourcing,
managed security service
Introduction
Information security has become one of the top priorities for IS managers in both public and private sectors.
With organizations facing increasingly sophisticated methods of security intrusions, and cybersecurity
breaches causing significant disruptions of business operations, financial damage, and other long-term,
intangible consequences, information security management has drawn the attention of researchers. For
example, prior research has investigated software patching policies (Arora et al. 2010; August and Tunca
2008), paths leading to security compromises (Ransbotham and Mitra 2009), and information security
planning (Straub and Welke 1998).
Although there is considerable progress in research on information security management, there remain at
least two related challenges in current understanding. First, barring a number of exceptions (Doherty and
Fulford 2006; Karyda et al. 2005), most existing research studies information security as an operational IT
decision. As a result, current studies focus heavily on information security processes (Straub and Welke
1998), patching policies (Arora et al. 2010; August and Tunca 2008; Cavusoglu et al. 2008), or contracting
issues (Cezar et al. 2013; Lee et al. 2013). Very few have investigated how strategic decisions, such as IT
governance mode or the decision to outsource information security, influence an organization’s capability
for securing its digital assets against intruders. In other words, information security rarely enters the
calculus of strategic IT decision making. As highlighted by Cavusoglu et al. (2004), senior management in
organizations often regards information security as “nice to have” rather than “need to have”. This is
surprising, considering that organizations bear significant costs and, in some cases, suffer catastrophic
consequences in the wake of a cybersecurity breach. For example, the Target data breach during the
Christmas season of 2013 affected 40 million customers, resulted in $67 million settlement payouts,1 and
cost its CIO and eventually its CEO their jobs.2
Second, existing literature on IT governance often emphasizes its implications for business outcomes
through efficiency, flexibility, innovativeness, and growth opportunities, but few have examined the
influences of IT governance decisions on managing information security risks. For example, some argue
that a centralized decision making approach leads to efficient operations and a high degree of
standardization, and therefore is associated with higher profitability. On the other hand, a decentralized
mode can maximize creativity, foster innovation and reduce time to market by refraining from rigid
structures and standard business processes, and therefore is more conducive to capitalizing on growth
opportunities (Weill and Ross 2005). However, without a complete understanding of the implications of IT
governance, in which risk management is an important consideration, choices of governance mode based
on pure economic considerations will likely lead to faulty recommendations.
In this paper, we aim to address these gaps in the literature by examining how two important strategic
decisions with regard to information systems – the degree of centralized decision making, and the
outsourcing of information security – affect the likelihood of cybersecurity breaches. We first develop the
theoretical foundation by linking literature on IT governance (Weill and Ross 2005; Weill and Ross 2004)
with prior work on IT risk management (Bulgurcu et al. 2010; Johnston and Hale 2009), and highlight a
set of mechanisms through which IT governance decisions influence security risks. We then formulate a set
of hypotheses based on the theoretical framework and test them empirically by examining a sample of 505
U.S. higher education institutions over a 4-year period. Using panel data models, we find that a university
with centralized IT decision making is associated with fewer cybersecurity breaches. By our estimate, a one
standard deviation increase in IT centralization is associated with a reduction in the probability of a
cybersecurity breach by 3.5%. Interestingly, the effect of centralized IT governance is contingent on the
complexity of a university’s computing environment. In addition, we find that correcting for self-selection
bias, universities that opt for outsourcing their information security have a lower likelihood of suffering
from a cybersecurity breach. Overall, our findings highlight that information security should become a
crucial consideration in strategic IT decision making, and provide several important insights for mitigating
security risks in the context of universities.
1 http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013
2 http://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/#4de24ef7bc1c
IT governance is the specification of decision rights and accountability, which is intended to encourage
desirable outcomes from an organization’s investment in IT (adapted from Weill and Ross 2004). IT
governance is a popular research topic and a number of frameworks have been proposed (Sambamurthy
and Zmud 1999; Tiwana and Konsynski 2010; Weill and Ross 2004).3 According to Weill and Ross (2005),
the three major IT governance mechanisms are IT decision making structure, alignment processes, and formal
communications. In addition, effective IT governance is often measured by its implications for business
performance metrics, such as cost-effectiveness, growth, asset utilization, or business flexibility (Weill and
Ross 2005), but is rarely measured by its information security ramifications.
Prior research on IT risk management highlighted a number of mechanisms through which an organization
can reduce its IT risk exposure, such as efficient information security resource management (Wilkin 2010),
uniform control and organizational-wide coordination (Spears and Barki 2010), the establishment of
security standards and compliance with security policies and procedures (Bulgurcu et al. 2010), and regular
risk assessment and auditing (Moulton 2003). We argue that the strategic decisions regarding IT
governance will likely influence the effectiveness with which an organization manages its IT risks, an
important consideration that has often been ignored in prior IT governance studies. In the rest of this
section, we present a discussion of how two IT governance decisions, IT centralization and information
security outsourcing, influence IT risk management practices and therefore the probability of a
cybersecurity breach.
Prior studies have identified different decision areas involved in IT governance and made recommendations
with regard to the location of decision rights. For example, an important theme of research in this area is
the question of whether various decision rights about IT in the organization, such as IT application,
infrastructure, or project implementation, should be centralized (Brown 1997; Sambamurthy and Zmud
1999). There are significant advantages and downsides associated with both centralized and decentralized
decision authority. For example, Xue et al. (2011) argue that delegating the authority of IT decisions to
business units may reap the benefits of quality and timeliness of decision making because the business units
are best positioned to make swift and informed decisions in response to their idiosyncratic local needs,
changing environment and opportunities (Anand and Mendelson 1997; Nault 1998). On the other hand,
decentralized IT governance may also raise the issues of control because of agency problems – the objectives
of business unit and the organization are not always perfectly aligned (Holmstrom and Milgrom 1991;
Jensen and Meckling 1992). Tiwana and Kim (2015) suggest that firms exhibit more strategic agility when
local units possess the decision rights for applications while a central IT group makes decisions on IT
infrastructure. Ultimately, the choice of the degree of IT centralization depends on the tradeoffs between
the costs and benefits of different assignments of decision rights.
We argue that when it comes to information security in a university, centralized IT decision making will
likely lead to lower cybersecurity risks through a number of mechanisms. First, IT centralization leads to
more efficient information security resource management. Information security is an integral part of a
university’s IT infrastructure (Tiwana and Kim 2015), which provides a campus-wide foundation that
supports the various applications for education and research. Information security decisions require highly
specialized skills, as well as a holistic understanding of the university’s digital assets. Under such conditions,
a central IT office, by virtue of specialization and economies of scale, is more likely to possess the requisite
skills and expertise (Jensen and Meckling 1995). For example, a centralized IT office can afford to have a
critical mass of personnel devoted to information security, budget for procurement of expensive security
software, firewalls, and intrusion detection tools, and have a stronger bargaining power with external
security software and service vendors. In contrast, an academic department may be unable to dedicate
enough resources or personnel to security due to resource constraints.
Second, a centralized IT governance mode leads to more effective organizational-wide coordination and
more rapid responses to security threats. With an increasingly interconnected computing environment,
most security breaches today arrive via a network and spread quickly throughout the campus. Therefore,
the prevention of intrusions and breaches needs an integrated security management solution and campus-wide
coordination; an isolationist approach is unlikely to be successful (Peltier 2016). The coordination
costs associated with decentralized IT decision making tend to be high, and the processes can be
time-consuming, resulting in the delay of swift responses to cybersecurity threats. Specialists in the central IT
office are most knowledgeable about the topology of the campus-wide network and architecture of its
computing infrastructure, and therefore are best positioned to coordinate the various stakeholders of its
enterprise information systems to protect its digital assets against security threats.
3 For an extensive review, see Tallon et al. (2013) and Wu et al. (2015).
Finally, a central IT office can establish universal information security policies, and enforce the compliance
of security procedures and protocols (Young and Windsor 2010). In contrast, under a decentralized IT
governance mode where academic units are left to make most of their IT-related decisions, the local units
will only be concerned with their own systems, resulting in fragmented information security policies.
However, in an interconnected computing network, security risks of different organizational units become
correlated (Chen et al. 2011), and the information security of the whole system is only as good as its weakest
link (Anderson and Moore 2006). In addition, a concerted effort by a central IT unit raises the level of
awareness across the campus about information security issues, leading to more effective security
information gathering, diagnosis, and dissemination. Therefore, we hypothesize:
Hypothesis 1: Universities with a higher degree of centralized IT governance will have fewer
cybersecurity breaches.
Developing new information systems introduces ambiguity and uncertainty and frequently adds to IT
complexity in the organization (McKeen et al. 1994). Technological complexity may be determined by a host
of factors, such as the diversity of platforms, the variety of applications, and the effort needed for system
integration (Meyer and Curley 1991). We argue that with a more complex computing infrastructure
environment, the benefits of centralized IT governance and coordination on strengthening information
security are amplified. This is because in the presence of heterogeneous, complex information systems,
specialization and economies of scale, and therefore efficient security resources management, play a more
critical role in defending against cybersecurity intrusions. An academic department is unlikely to afford a
highly skilled IT security staff that is well versed in intrusion prevention, detection, and remedies across a
variety of platforms and technologies. A centralized IT office is more likely to acquire such specialized skills
by pooling resources.
In addition, as the computing environment becomes more complex, the requirement for interoperability
and coordination increases, and centralized IT governance is better able to address the security challenges
associated with complex systems. It is well known that under a decentralized IT governance, system
integration is difficult and standardization faces greater challenges (Braa et al. 2007; DeSanctis and Jackson
1994). For example, when a university has multiple heterogeneous enterprise application systems for
education and research, centralized identity and access management (IAM) with single sign-on not only
meets control requirements but also makes life easier for the end-user (Pulkkinen et al. 2007). On the other
hand, a decentralized IAM results in multiple, fragmented identities for the same end user, creating
difficulty in using systems and hence is more prone to security breaches. Studies have shown that it is hard
to integrate systems and exchange data when an organization has multiple heterogeneous information
systems (Hasselbring 2000). A decentralized governance mode therefore increases the difficulty of
maintaining security when there is a need to integrate information or exchange data from multiple units.
Therefore, we hypothesize:
Hypothesis 2: The effect of centralized IT governance on reducing cybersecurity breaches is greater when
a university has a complex IT environment.
With the use of a multitude of new IT platforms and technologies such as cloud computing, data analytics,
and virtualization, enterprise information systems are constantly subject to ever more sophisticated
cybersecurity attacks, and it becomes increasingly difficult and costly for an organization to protect its
digital assets against cybersecurity intrusions. As a result, some organizations choose to employ external
vendors – often called managed security service providers (MSSPs) – to manage their information systems
security and defend against intruders. MSSPs provide a wide range of security services, such as managed
services for firewalls, intrusion detection, virtual private networks, security monitoring, incident
management and forensic analysis, vulnerability assessment, anti-virus and content filtering services, etc.
(Allen et al. 2003). Organizations opt for outsourcing their information security operations for a variety of
reasons, such as cost savings, access to a staff with highly specialized skills and expertise, dedicated facilities,
and liability protection (Gupta and Zhdanov 2012). However, there is continued debate over whether
outsourcing information security leads to better information protection, due to a series of related issues
such as moral hazard (Cezar et al. 2013; Lee et al. 2013), difficulty building trust between a client and its
MSSP, and other hidden costs (Allen et al. 2003).
We argue that information security outsourcing by a university reduces the likelihood of security breaches,
for the following reasons. First, like other types of IT outsourcing relationships, the outsourcing of
information security benefits from economies of scale and access to highly specialized labor (Lacity et al.
2009), which are difficult to obtain if security is managed in-house. Managing information security is a
complex process that requires specialized, skilled labor and sophisticated software tools. Most universities
are not equipped with such capability, and are usually unwilling to make significant investment to build
this capability in-house because they lack the economies of scale and are not able to use these resources
efficiently. Managed security service providers, on the other hand, by virtue of scale economics, can afford
to invest heavily in human resources and proprietary software tools, and spread the costs across multiple
clients (Ding et al. 2005). MSSPs dedicate significant resources and training to keep up with the latest
reports of security vulnerabilities, computer viruses, and software patches, and often acquire or develop
state-of-the-art security software tools. Most universities are not able to provide in-house security services
at a level comparable to those provided by MSSPs.
Second, in addition to the typical benefits of cost savings and access to specialized labor, some have
emphasized that organizations that outsource their information security also benefit from information
sharing (Gupta and Zhdanov 2012; Rowe 2008). Literature on cybersecurity breaches has found that
information sharing results in reduced IT spending and increased levels of security (Gal-Or and Ghose
2005; Gordon et al. 2003). Sharing data and information on breaches allows one organization to benefit
from the lessons learned by other organizations. However, in a typical setup of public or private data sharing
consortia, there is a strong incentive for the participants to free ride – i.e., the participants make use of
others’ shared data without sharing data themselves. A number of factors contribute to this free-riding
behavior: for example, a participant may feel that others will not share the same amount/quality of data, or
fear that other organizations may compromise the integrity of the data it shares. Outsourcing information
security to an MSSP helps to mitigate the concerns over free riding, as a binding outsourcing contract will
hold the service provider accountable for any loss caused by the compromise of its customer’s data. An
MSSP, by pooling the information and data collected from multiple clients, is able to identify patterns and
detect security risks more swiftly, and take countermeasures to address the identified issues. Therefore, by
choosing to outsource information security, an organization also gains access to an information sharing
network with lower risk and less free riding. The above arguments lead to the following hypothesis:
Hypothesis 3: Universities that outsource their information security will have fewer cybersecurity
breaches than those that operate information security in-house.
We assembled a longitudinal data set of cybersecurity breaches that occurred in the higher education sector, as
well as the institutional characteristics, IT-related investments and practices of a sample of 505 U.S. higher
education institutions during a four-year period (2011–2014). Our data set consists of three major
components, which we gathered from three separate data sources. We collected data on cybersecurity
breaches from two databases that provide open access to the public: the Identity Theft Resource Center
(ITRC), and the Privacy Rights Clearinghouse (PRC). ITRC is a non-profit organization that provides
assistance to victims who have encountered data breaches, and educates consumers, corporations,
government agencies in the best practices to handle fraud and identity theft. PRC is another non-profit
organization that aims to raise consumers’ awareness of how technology affects personal privacy. It
compiles a chronology of cybersecurity breaches from 2005 to present, and for each incident it provides
detailed information such as the information sources, the victim organization, the type of breach, and the
number of records breached.
We obtained the measures of IT investments, IT governance, security outsourcing decisions, and other related
IT practices and policies from the Educause Core Data Service (CDS) survey. We also obtained various
institutional characteristics, as well as other student/faculty-related information from the Integrated
Postsecondary Education Data System (IPEDS) data center. In addition to these three databases, in some
robustness tests and sample selection models, we also use data obtained from the Internet Crime Complaint
Center (IC3) from the Federal Bureau of Investigation (FBI), as well as data from the U.S. Bureau of Labor
Statistics.
We specify that for a university i, the expected number of cybersecurity breaches it experiences in year t is
the product of two factors, i.e.
$$E[N_{it}^{breach}] = M_{it}^{attack} \cdot p_{it}(breach \mid attack) \quad (1)$$
where M is the number of the cybersecurity attacks that the university encountered during the year, and
p(breach|attack) is the conditional probability of a security breach when the university is subject to an
attack. The first factor is likely to be affected by a host of variables X that make the university a high value
target for the hackers, such as the size of the institution, the number of data centers, and the number of
programs it offers. The second factor is likely a function of a set of variables Z that determine the school’s
ability to secure its digital assets against cybersecurity attacks, such as its IT security policies, its intrusion
detection and prevention efforts, and the complexity of its computing infrastructure. Note that our main
independent variables, such as IT governance and information security outsourcing decisions, fall into this
category. Assuming that the elements in X and Z multiplicatively shape M and p, we have
$$E[N_{it}^{breach}] = e^{\alpha + \boldsymbol{\beta}_1 \mathbf{X}_{it}} \cdot e^{\gamma + \boldsymbol{\beta}_2 \mathbf{Z}_{it}}$$
Or, in log form,
$$\ln E[N_{it}] = \beta_0 + \boldsymbol{\beta}_1 \mathbf{X}_{it} + \boldsymbol{\beta}_2 \mathbf{Z}_{it} \quad (2)$$
where $\beta_0 = \alpha + \gamma$. Equation 2 can be estimated by a number of regression models, such as the Poisson model
or linear regression models. In reality, however, it is extremely rare that a university suffered more than
one cybersecurity breach during any given year. Therefore, the dependent variable, $\ln E[N_{it}]$, is binary. As
a result, we replace the dependent variable with the binary response to estimate the following model:
$$E[p\_breach_{it}] = f(\beta_0 + \boldsymbol{\beta}_1 \mathbf{X}_{it} + \boldsymbol{\beta}_2 \mathbf{Z}_{it}) \quad (3)$$
where $p\_breach$ is the probability of observing a security breach in a given year. A natural estimation model
that is often used for binary responses is the logistic regression model, where the log-odds ratio is a linear
function of the predictors. Logistic regressions relax the assumption that the error terms need to be
normally distributed, and address issues such as heteroscedastic errors and the out-of-range
probability predictions produced by linear models (Greene 2003).
A second approach for estimating equation 3 is the linear probability model (LPM), which represents a
linear approximation to the nonlinear model. LPM has its limitations – for example, it may result in
predictions of probabilities that are not bounded by the range of zero and one, and the error term is
heteroskedastic by definition. However, LPM is more amenable to controlling for unobserved
heterogeneities by using panel data methods (i.e., through the use of fixed effects), and has well-developed
methods to address endogeneity issues. In addition, prior research has shown that LPM generates
reasonable estimates within the region of support of the data with appropriate robust standard error
corrections (Angrist and Pischke 2008; Miller and Tucker 2009). Therefore, we use LPM as our baseline
estimation model, and use logistic regression as a secondary estimation method4.
4 In some of the robustness tests, we also employ an alternative estimation strategy – the hazard models.
Endogeneity of IT Centralization
One of the identification challenges in the context of our study is the endogeneity of the degree of IT
centralization. Although our use of fixed effects panel data models helps control for many time-invariant
unobserved school-level heterogeneities, and we explicitly control for many other university characteristics
(more details will be presented in the next sub-section), there may still be a number of time-varying
unobservables that are correlated with both IT governance mode and the probability of cybersecurity
breaches. To the extent that these unobservables may produce bias in our estimation of the true effect of IT
centralization, we turn to instrumental variables methods to correct for the potential bias.
The ideal instruments, in our context, should be correlated with a school’s decision of centralized IT
decision making, but not correlated with components in the error term that may influence the probability
of security breaches. We find two such variables. First, the IPEDS survey data includes an item that
indicates whether a university belongs to a multi-campus university system. Schools that belong to the same
university system are more likely to have centralized IT management because such governance mode
achieves greater economies of scale and affords the central IT greater bargaining power over its vendors. In
addition, centralized IT governance and management are essential in ensuring the compatibility and
interoperability of the information systems across different campuses under the same system. Second, for
schools that belong to a university system, we calculate the average distance between the focal campus and
all other campuses in the same system. Prior research has highlighted that one of the critical factors in the
tradeoffs between centralized and decentralized IT governance is the costs of monitoring and control
associated with agency issues. For example, if the principal is able to monitor a local unit’s decisions
perfectly, it is more likely to use a decentralized IT governance mode without escalating the agency cost
(Xue et al. 2011). As a business unit moves further away from its corporate headquarters, the costs of
monitoring and control increase dramatically, making decentralized IT governance a less favorable choice
from an agency standpoint. The spatial separation among units incurs more operation and coordination
costs (Eden and Miller 2004), and can be mitigated by a well integrated information technology structure
(Dong et al. 2009). Therefore, we expect this variable to be positively correlated with centralized IT
governance. On the other hand, these two variables should not be directly correlated with cybersecurity
risks, making them valid candidates for instrumental variables.
It is well known that IT outsourcing decisions reflect revealed preferences of the contracting parties (e.g.,
Gopal et al. 2003), and therefore the universities in our sample likely self-select into outsourcing modes
based on their calculations of benefits and costs associated with outsourcing. It has been documented that
in the presence of self-selection, Ordinary Least Squares (OLS) estimates are biased and inconsistent
(Maddala 1983). A number of methods have been developed to address the selection issues, particularly
where the endogenous decision is binary (Heckman 1976; Maddala 1983). Here we use the Heckman two-
stage model (Heckman 1976) to address the selection issues associated with information security
outsourcing. We use an endogenous treatment regression 5 which is composed of a first-stage selection
equation using a Probit specification and a second-stage outcome equation, allowing for a specific
correlation structure between the unobservables that affect the treatment and the unobservables that affect
the potential outcomes:
$$p\_breach_{it} = \beta_0 + \boldsymbol{\beta}_1 \mathbf{X}_{it} + \boldsymbol{\beta}_2 \mathbf{Z}_{it} + \beta_3 \, OutsourcedSecurity_{it} + \epsilon_{it}$$
$$OutsourcedSecurity_{it} = \begin{cases} 1, & \text{if } \boldsymbol{\gamma} \mathbf{W}_{it} + u_{it} > 0 \\ 0, & \text{otherwise} \end{cases} \quad (4)$$
where $\mathbf{W}_{it}$ are the covariates used to model the assignment of treatment, and the error terms $\epsilon_{it}$ and $u_{it}$
follow a bivariate normal distribution. We include in $\mathbf{W}_{it}$ two variables that drive the IT outsourcing
decisions of universities but do not directly influence the school’s cybersecurity breaches – these variables
reflect the characteristics of IT workers in the labor market where the school is located, namely the supply
of IT professionals and their wage levels in the local market. The first selection variable, the amount of local
IT labor supply, reflects the ease with which a school is able to find qualified IT professionals in the local
labor market to fill its IT staff, and therefore we expect it to be negatively correlated with IT outsourcing.
The second selection variable, wage of IT labor in the local market, is associated with a school’s costs of
delivering IT services in house, and therefore is expected to be positively correlated with IT outsourcing
decisions. Because these two variables are measures of local labor markets, there is no reason to believe
they should be directly correlated with security breaches, the outcome in the second stage equation.
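As an added illustration of the selection correction described above (example code, not part of the paper), the following Python simulation constructs a cross-section in which an unobserved weakness in in-house security capability both raises breach risk and pushes a school toward outsourcing, then contrasts naive OLS with the Heckman/Maddala two-step endogenous treatment estimator that uses a selection-only covariate w (the local IT labor market). The outcome is kept continuous for clarity (the paper's second stage is an LPM on a binary breach indicator); all coefficient values, the data-generating process and the use of numpy are assumptions.

```python
"""Stylised endogenous-treatment (Heckman two-step) illustration.

Constructed scenario: an unobserved weakness in a school's in-house
security capability (u) both raises its breach outcome and pushes it to
outsource security, so naive OLS on the outsourcing dummy is biased.
The exclusion variable w (local IT labor market) enters selection only.
Outcome y is kept continuous for clarity; the paper uses a binary breach
indicator in an LPM second stage. All parameter values are assumptions.
"""
import math

import numpy as np

TRUE_TREATMENT = -0.5   # assumed true effect of OutsourcedSecurity on the outcome
RHO = 0.7               # assumed corr(eps, u): the source of self-selection bias


def norm_pdf(z):
    return np.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def norm_cdf(z):
    # erf-based standard normal CDF; avoids a scipy dependency
    return 0.5 * (1.0 + np.vectorize(math.erf)(z / math.sqrt(2.0)))


def simulate(n=20000, seed=7):
    """Draw constructed (x, w, d, y) following the structure of equation (4)."""
    rng = np.random.default_rng(seed)
    x = rng.normal(size=n)                    # observed control (plays the role of X or Z)
    w = rng.normal(size=n)                    # selection-only covariate (plays the role of W)
    u = rng.normal(size=n)                    # unobservable in the selection equation
    e = rng.normal(size=n)
    eps = RHO * u + math.sqrt(1.0 - RHO**2) * e   # outcome error with corr(eps, u) = RHO
    d = (1.0 * w + u > 0).astype(float)       # OutsourcedSecurity = 1[gamma*W + u > 0]
    y = 1.0 + 0.5 * x + TRUE_TREATMENT * d + eps
    return x, w, d, y


def ols(X, y):
    return np.linalg.lstsq(X, y, rcond=None)[0]


def probit_fit(W, d, iters=50):
    """Probit MLE by Newton-Raphson: P(d = 1 | W) = Phi(W @ gamma)."""
    g = np.zeros(W.shape[1])
    for _ in range(iters):
        z = W @ g
        Phi = np.clip(norm_cdf(z), 1e-12, 1.0 - 1e-12)
        phi = norm_pdf(z)
        lam = np.where(d == 1.0, phi / Phi, -phi / (1.0 - Phi))  # generalised residual
        score = W.T @ lam                                          # gradient of log-likelihood
        hess = -(W * (lam * (lam + z))[:, None]).T @ W             # Hessian of log-likelihood
        step = np.linalg.solve(hess, score)
        g = g - step
        if np.max(np.abs(step)) < 1e-9:
            break
    return g


def naive_estimate(x, d, y):
    """OLS of y on x and d, ignoring self-selection into outsourcing."""
    X = np.column_stack([np.ones_like(x), x, d])
    return float(ols(X, y)[2])


def two_step_estimate(x, w, d, y):
    """Two-step: probit selection on W, then OLS with a control function."""
    W = np.column_stack([np.ones_like(w), w])
    gamma = probit_fit(W, d)
    z = W @ gamma
    Phi = np.clip(norm_cdf(z), 1e-12, 1.0 - 1e-12)
    phi = norm_pdf(z)
    # E[eps | d, W] is proportional to h; its coefficient estimates rho * sigma
    h = np.where(d == 1.0, phi / Phi, -phi / (1.0 - Phi))
    X = np.column_stack([np.ones_like(x), x, d, h])
    beta = ols(X, y)
    return {"treatment": float(beta[2]), "rho_sigma": float(beta[3]), "gamma": gamma}


def compare(seed=7):
    """Return the true effect next to the naive and the selection-corrected estimates."""
    x, w, d, y = simulate(seed=seed)
    corrected = two_step_estimate(x, w, d, y)
    return {
        "true": TRUE_TREATMENT,
        "naive": naive_estimate(x, d, y),
        "corrected": corrected["treatment"],
        "rho_sigma": corrected["rho_sigma"],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>10}: {value:+.3f}")
```

With positive correlation between the selection and outcome errors, the naive estimate flips sign and suggests outsourcing raises breaches, while the control-function coefficient recovers both the negative treatment effect and the correlation that caused the bias.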
Our sample is defined as follows. We start with the universe of schools surveyed by IPEDS, which by IPEDS's definition fall into one of the following categories: 1) Degree-granting, graduate with no undergraduate degrees; 2) Degree-granting, primarily baccalaureate or above; 3) Degree-granting, not primarily baccalaureate or above; 4) Degree-granting, associate's and certificates; 5) Nondegree-granting, above the baccalaureate; 6) Nondegree-granting, sub-baccalaureate; 7) Not reported; 8) Not applicable. Because the Educause CDS survey primarily targets universities in the second category, we limit our sample to this more homogeneous group, the degree-granting institutions that are primarily baccalaureate or above. We then match these universities with those that report data to the Educause CDS survey database. To reduce concerns about reverse causality and support a causal interpretation, all independent variables are lagged by one year: we use IT governance, security outsourcing decisions, and other institutional characteristics in year t-1 to predict cybersecurity breaches in year t. As 2011 is the first year for which Educause data are available, we collect the independent variables for the 4-year period 2011 to 2014 and the dependent variable, cybersecurity breaches at the universities, for 2012 to 2015. In total, our sample consists of 1,287 university-year observations for 505 universities over a 4-year period, an unbalanced panel. Table 1 gives an overview of all the variables included in this study, which are described in detail below.
Table 1. Variables description
Variable | Description | Source
Dependent variable
Security Breach | Whether a university encountered a cybersecurity breach in a given year. | ITRC and PRC
Independent variables
IT Centralization | The degree of IT centralization. | Educause CDS
Outsourced Security | Whether a university outsources IT security. | Educause CDS
IT Complexity | The average of Blau's indexes of the operating systems and hardware systems used in the data centers. | Educause CDS
Variables that influence cybersecurity attacks (X)
Students | Number of students in a university. | IPEDS
Faculty | Number of full-time faculty in a university. | IPEDS
Schools | Number of schools in a university. | IPEDS
Programs | Number of programs offered by a university. | IPEDS
Data Centers | Number of data centers a university manages. | Educause CDS
Carnegie Classification | Carnegie Classification 2010. | IPEDS
Research Grants | The sum of federal, state and local research grants. | IPEDS
Locale Codes | Locale codes identify the geographic status of a school on an urban continuum ranging from city size, suburb size, town size, to rural. | IPEDS
State Cybercrimes | Number of Internet crime complaints per 1,000,000 residents of each state. | IC3
NCAA | Whether a university is a member of the National Collegiate Athletic Association (NCAA). | IPEDS
Calendar System | Calendar system used by the school. | IPEDS
Variables that influence the probability of cybersecurity breach (Z)
Scan Policy | Whether a university conducts proactive scans of its critical systems and institutionally owned or leased computers. | Educause CDS
Patch Policy | Whether a university requires its critical systems and institutionally owned or leased computers to be expeditiously patched or updated. | Educause CDS
Multi-institutional Collaboration | Whether an institution participates in public/private information sharing activities such as the U.S. FBI InfraGard program. | Educause CDS
IT Staff | Number of full-time equivalent employees in central IT. | Educause CDS
IT Expense | The dollar amount of central IT spending during the fiscal year. | Educause CDS
Variables for the selection of security outsourcing
IT Labor Supply | The number of jobs (employment) in computer-related occupations per 1,000 jobs in a metro area. | BLS
IT Labor Wage | The median annual wage of computer-related occupations in a metro area. | BLS
IVs for IT centralization
Notes: ITRC: Identity Theft Resource Center; PRC: Privacy Rights Clearinghouse; Educause CDS: Educause Core Data Service; IPEDS: Integrated Postsecondary Education Data System; IC3: Internet Crime Complaint Center database; BLS: Bureau of Labor Statistics.
Dependent variable
The dependent variable (Security Breach) is a binary indicator of whether a university encountered a cybersecurity breach in a given year. We use a binary measure because it is extremely rare for a school to experience more than one breach in a year.6 We collect the security breach data from both the ITRC and the PRC databases for all incidents in the higher education sector, take the union of the two data sets, and match the resulting breach list to our sample universities to define the dependent variable. According to the breach reports, a data breach usually involves personally identifying information such as credit card numbers, social security numbers, bank account numbers, or protected health information. Security Breach is set to 1 if a university encountered at least one security breach event in a year, and to 0 otherwise. Overall, 73 of the 1,287 university-year observations in our sample record a breach during 2012-2015, a small fraction (5.67%) of the sample.
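The construction just described (union of two breach databases, one indicator per university-year, one-year lag of the regressors) is easy to get subtly wrong: the same incident listed by both sources, or listed twice by one source, must count once, and organisation names rarely match across sources as printed. The following is an added example, not code from the paper; the breach records, covariate values and university names are constructed, and the name matching is a deliberately crude stand-in for a curated crosswalk.

```python
"""Added example (not the paper's code): building the Security Breach
dependent variable and the one-year-lagged panel described in the text.
All records below are constructed for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Breach records as the two breach databases might report them:
# (source, organisation name as printed, year the breach was reported).
BREACH_RECORDS = [  # constructed
    ("ITRC", "State University of Example", 2013),
    ("PRC", "State University of Example", 2013),   # same incident, second source
    ("PRC", "state university of example ", 2015),  # name differs in case/spacing
    ("ITRC", "Example College", 2012),
    ("ITRC", "Example College", 2012),              # duplicate listing
    ("PRC", "Unrelated Hospital", 2014),            # not in the sample
]

# Independent variables by (university, year) as observed in the survey year.
COVARIATES = {  # constructed
    ("State University of Example", 2011): {"it_centralization": 0.58, "outsourced_security": 0},
    ("State University of Example", 2012): {"it_centralization": 0.67, "outsourced_security": 0},
    ("State University of Example", 2013): {"it_centralization": 0.67, "outsourced_security": 1},
    ("State University of Example", 2014): {"it_centralization": 0.75, "outsourced_security": 1},
    ("Example College", 2011): {"it_centralization": 0.42, "outsourced_security": 0},
    ("Example College", 2012): {"it_centralization": 0.42, "outsourced_security": 0},
}


def normalize(name: str) -> str:
    """Crude name key: case- and whitespace-insensitive.  A real study matches
    on a curated identifier (e.g. IPEDS unit IDs), which this example lacks."""
    return " ".join(name.lower().split())


def breach_years(records: Iterable[Tuple[str, str, int]],
                 sample_universities: Iterable[str]) -> Dict[str, Set[int]]:
    """Union of the sources: a university-year is flagged once however many
    sources or listings report it, which is why a binary indicator rather
    than a count is the natural measure.  Organisations outside the sample
    are dropped."""
    key_to_name = {normalize(u): u for u in sample_universities}
    years: Dict[str, Set[int]] = defaultdict(set)
    for _source, org, year in records:
        name = key_to_name.get(normalize(org))
        if name is not None:
            years[name].add(year)
    return years


def build_panel(covariates: Dict[Tuple[str, int], dict],
                records: Iterable[Tuple[str, str, int]], lag: int = 1) -> List[dict]:
    """One row per (university, t): regressors observed in year t-lag and
    the breach indicator for year t, as in the text's t-1 -> t design."""
    universities = {u for u, _ in covariates}
    flagged = breach_years(records, universities)
    rows = []
    for (univ, year), x in sorted(covariates.items()):
        t = year + lag
        rows.append({"university": univ, "year": t, **x,
                     "security_breach": int(t in flagged.get(univ, set()))})
    return rows


def breach_rate(rows: List[dict]) -> float:
    """Share of university-years with a breach (the 5.67% figure in the text)."""
    return sum(r["security_breach"] for r in rows) / len(rows)


if __name__ == "__main__":
    for row in build_panel(COVARIATES, BREACH_RECORDS):
        print(row)
```

On the constructed records, the two 2013 listings for the state university and the duplicated college listing each collapse to a single flagged university-year, the hospital is dropped, and each breach in year t is paired with the university's covariates from year t-1.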
Independent variables
IT Centralization: We construct the measure of the degree of IT centralization from the Educause CDS database. The CDS survey asks respondents which organizational unit is primarily responsible for each of a series of IT functions and services. For each IT function or service, the respondent indicates whether it is provided by: (i) primarily central IT; (ii) shared between central IT and other administrative or academic unit(s); (iii) primarily other administrative or academic unit(s); (iv) primarily a system or district office; (v) primarily outsourced; or (vi) not applicable, no organizational unit responsible. Because the IT functions and services included in the CDS survey differ slightly across the 4-year study period, we construct our IT centralization variable using only the 12 IT functions that were consistently included in the survey across the four years; these are considered the most mission-critical functions.7 For each university-year observation, we then calculate the percentage of these IT functions for which the central IT office was responsible, and use this percentage as our measure of IT centralization.8
Outsourced Security: The Educause CDS survey includes a question which asks the respondents whether
IT Security is primarily the responsibility of outsourced vendors. According to the definition of the
Educause, information security is defined as “functions and resources associated with providing
information and systems security services and programs for the institution, including directory, identity
management, and access provisioning/de-provisioning functions and roles, etc.” We created the binary
indicator variable, outsourced security, which is set to 1 if a university outsources its IT security; and to 0
otherwise.
IT Complexity: Prior research has emphasized that system integration and the exchange of data are particularly difficult when an organization has a multitude of heterogeneous and autonomous information systems (Hasselbring 2000). The heterogeneity may exist in the use of different database management systems, network protocols, enterprise application architectures, or operating systems. We capture the complexity of a university's computing environment by the heterogeneity of the operating systems and hardware systems used in its data centers, obtained from the Educause CDS database. For operating systems, the survey respondent indicates whether (1) Windows, (2) Unix, (3) Linux, or (4) other operating systems are used in each data center that the university operates. For hardware systems, the survey respondent indicates whether any of the following were deployed in each data center: (1) Apple servers, (2) Cisco servers, (3) Dell servers, (4) Fujitsu servers, (5) Hitachi servers, (6) HP servers, (7) IBM servers, (8) Sun/Oracle servers, or (9) other servers. We employ a commonly used measure of heterogeneity, Blau's index (Blau 1977), to calculate the heterogeneity of operating systems and of hardware systems in the data centers, and average the two as our measure of IT complexity:

$$\text{IT complexity} = \frac{\text{OS complexity} + \text{HW complexity}}{2} = \frac{\left(1 - \sum_{i=1}^{R_{os}} p_{os\_i}^{2}\right) + \left(1 - \sum_{i=1}^{R_{hw}} p_{hw\_i}^{2}\right)}{2}$$

where $p_{os\_i}$ ($p_{hw\_i}$) is the percentage of data centers that deploy operating system $os_i$ (hardware system $hw_i$), and $R_{os}$ ($R_{hw}$) is the total number of operating systems (hardware systems). A higher value of Blau's index implies greater heterogeneity and therefore greater IT complexity.

6 In our sample of 1,287 observations, only one reports two security breaches in a year.
7 The 12 IT functions are: IT policy; Project management/Business process/Systems analysis; IT support services - Help desk; Classroom and learning space support; Library; Institutional research; IT in an affiliated hospital; Research technology services; Data center; Network infrastructure and services; IT security; Enterprise infrastructure and services; and Identity management.
8 We also performed robustness tests using an alternative definition of IT centralization based on the full set of IT functions and services included in the Educause CDS survey (so some IT functions may be present in one year but not in another). All of our findings are robust to this alternative variable definition. The results of this set of robustness tests can be obtained upon request.
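The three regressors above (IT Centralization, Outsourced Security, IT Complexity) are all derived from per-function and per-data-center survey answers, and the details of that derivation matter for how the coefficients read: whether shared responsibility counts as central, and how the Blau shares are normalised. The block below is an added example and not the paper's code; the response labels, option lists and the sample institution are constructed. It assumes that only "primarily central IT" answers count toward centralization and that all surveyed functions stay in the denominator, and it normalises the Blau shares to sum to 1 over deployments (a data center can run several operating systems, so using the raw fraction of data centers per option would let the index fall below zero, whereas the text reports a 0 to 0.81 range).

```python
"""Added example (not the paper's code): computing IT Centralization,
Outsourced Security and IT Complexity from CDS-style survey answers.
Response labels, option lists and the sample institution are constructed."""
from collections import Counter
from typing import Iterable, List, Mapping, Sequence

# Response options to "which unit is primarily responsible for <function>?"
CENTRAL_IT = "primarily central IT"
SHARED = "shared between central IT and other units"
OTHER_UNIT = "primarily other admin or academic unit"
SYSTEM_OFFICE = "primarily system or district office"
OUTSOURCED = "primarily outsourced"
NOT_APPLICABLE = "not applicable"

OS_OPTIONS = ("Windows", "Unix", "Linux", "Other OS")
HW_OPTIONS = ("Apple", "Cisco", "Dell", "Fujitsu", "Hitachi", "HP", "IBM",
              "Sun/Oracle", "Other")


def it_centralization(responses: Mapping[str, str]) -> float:
    """Share of surveyed IT functions for which central IT is *primarily*
    responsible.  Assumptions: shared responsibility does not count, and
    every surveyed function (including 'not applicable') stays in the
    denominator."""
    if not responses:
        raise ValueError("no IT functions in the response")
    return sum(r == CENTRAL_IT for r in responses.values()) / len(responses)


def outsourced_security(responses: Mapping[str, str]) -> int:
    """1 if IT security is primarily the responsibility of an outside vendor."""
    return int(responses.get("IT security") == OUTSOURCED)


def blau_index(shares: Iterable[float]) -> float:
    """Blau's heterogeneity index 1 - sum(p_i^2): 0 for a single option (or
    no deployments at all), at most 1 - 1/R when all R options are used equally."""
    shares = list(shares)
    if not any(shares):
        return 0.0
    return 1.0 - sum(p * p for p in shares)


def deployment_shares(data_centers: Sequence[Iterable[str]],
                      options: Sequence[str]) -> List[float]:
    """p_i for each option: its share of all deployments across the
    institution's data centers.  Assumption: shares are normalised to sum to 1
    so the index stays within [0, 1 - 1/R]."""
    counts = Counter(opt for dc in data_centers for opt in dc if opt in options)
    total = sum(counts.values())
    if total == 0:
        return [0.0] * len(options)
    return [counts[o] / total for o in options]


def it_complexity(data_centers: Sequence[Mapping[str, Iterable[str]]]) -> float:
    """Average of the operating-system and hardware Blau indexes."""
    os_idx = blau_index(deployment_shares([dc["os"] for dc in data_centers], OS_OPTIONS))
    hw_idx = blau_index(deployment_shares([dc["hw"] for dc in data_centers], HW_OPTIONS))
    return (os_idx + hw_idx) / 2


# Constructed institution: eight surveyed functions and three data centers.
SAMPLE_RESPONSES = {
    "IT policy": CENTRAL_IT,
    "IT support services - Help desk": CENTRAL_IT,
    "Data center": CENTRAL_IT,
    "Network infrastructure and services": CENTRAL_IT,
    "Enterprise infrastructure and services": CENTRAL_IT,
    "Identity management": SHARED,
    "IT security": OUTSOURCED,
    "Library": OTHER_UNIT,
}
SAMPLE_DATA_CENTERS = [
    {"os": {"Windows", "Linux"}, "hw": {"Dell", "HP"}},
    {"os": {"Linux"}, "hw": {"Dell"}},
    {"os": {"Windows", "Unix", "Linux"}, "hw": {"IBM", "Dell", "Sun/Oracle"}},
]

if __name__ == "__main__":
    print("IT centralization:", it_centralization(SAMPLE_RESPONSES))
    print("Outsourced security:", outsourced_security(SAMPLE_RESPONSES))
    print("IT complexity:", round(it_complexity(SAMPLE_DATA_CENTERS), 4))
```

For the constructed institution, 5 of 8 functions are primarily central (0.625), IT security is outsourced (1), and the OS shares 2/6, 3/6, 1/6 and hardware shares 3/6, 1/6, 1/6, 1/6 give Blau indexes of 11/18 and 2/3, so IT complexity is 23/36 (about 0.64). A single homogeneous data center scores 0, and an institution using all four OS and all nine hardware options equally scores (0.75 + 8/9)/2, about 0.82, which is the ceiling the normalised definition can reach.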
Control variables
We also control for a variety of institutional characteristics that are likely to influence the number of cybersecurity attacks a school attracts, or the probability of an information security breach conditional on an attack. Due to space limits we omit their detailed descriptions. These include school characteristics such as the number of students and the type of school, which are commonly used in similar studies; for instance, Kwon and Johnson (2014) control for bed size and hospital type when investigating the effects of proactive security investments on the security failure rate.
Summary statistics
Table 2 presents the summary statistics of the main variables used in the analyses. On average, the central IT office is responsible for 61% of IT functions and services, indicating a relatively high level of centralized IT governance in higher education institutions. Only a small fraction of universities (2.0%) outsource their IT security to external vendors, so the outsourcing estimates below rest on few treated observations. The universities in our sample have moderately heterogeneous computing environments in their data centers (the average Blau's index is 0.60). The majority of universities (70%) require critical systems and institutionally owned computers to be patched, but only 39% conduct proactive scans of critical systems and institutionally owned computers. Universities in our sample operate on average 3.94 data centers. The mean IT expense is roughly $10.54 million a year. A university has, on average, 770 full-time faculty members and 94 full-time equivalent staff members in the central IT office.
Table 2. Descriptive Statistics
Variables Mean S.D. Min Max
Security Breach 0.06 0.23 0.00 1.00
IT Centralization 0.61 0.14 0.00 1.00
Outsourced Security 0.02 0.15 0.00 1.00
IT Complexity 0.60 0.16 0.00 0.81
Data Centers 3.94 7.43 0.00 98.00
Programs 123.31 94.23 8.00 532.00
Schools 21.00 5.21 1.00 32.00
Students (in thousands) 12.79 12.63 0.58 74.37
Faculty (in thousands) 0.77 0.93 0.01 5.97
IT Staff (in hundreds) 0.94 1.05 0.04 6.65
IT Expense (in million $) 10.54 16.54 0.00 143.28
Research Grants (in million $) 62.64 162.39 0.00 1314.76
State Cybercrimes (per million residents) 7.28 1.85 4.24 37.48
NCAA 0.92 0.28 0.00 1.00
Multi-institutional Collaboration 0.38 0.49 0.00 1.00
Scan Policy 0.39 0.49 0.00 1.00
Patch Policy 0.70 0.46 0.00 1.00
Results
Baseline Estimations
We start by estimating the relationship between IT centralization, information security outsourcing, and cybersecurity breaches with the linear probability models (LPM) specified in equation (3). In all regressions we use robust standard errors clustered by university. Columns 1 (main effects) and 2 (with the moderating effect) of Table 3 report OLS estimates of the LPM, controlling for the set of institutional characteristics and year fixed effects. Pooled OLS may suffer from omitted variable bias, which leads to incorrect inferences when the omitted variables are correlated with our independent variables of interest. With panel data, the LPM can account for unobserved heterogeneity through a university-level error component. Columns 3 (main effects) and 4 (with the moderating effect) report random-effects LPM estimates; the random-effects model relies on the assumption that the university-level error component is orthogonal to the regressors. We relax this assumption by estimating the LPM with first-difference (FD) panel methods: taking first differences eliminates all time-invariant university heterogeneity and uses only within-university variation for inference. The FD results are in columns 5 (main effects) and 6 (with the moderating effect) of Table 3. Finally, columns 7 (main effects) and 8 (with the moderating effect) report fixed-effects (FE) panel LPM estimates, which likewise control for time-invariant unobserved heterogeneity.
We find strong support for Hypothesis 1, which predicts that universities with more centralized IT governance have fewer cybersecurity breaches than those with decentralized IT. The main-effect models across the different specifications (columns 1, 3, 5 and 7) consistently show a negative coefficient on IT centralization, that is, a lower probability of suffering a cybersecurity breach (the FE estimate falls slightly short of significance, probably because IT governance changes slowly within a university and leaves little within-group variation). The OLS coefficient implies that a one standard deviation increase in IT centralization (0.14) is associated with a reduction in the probability of a cybersecurity breach of |0.14 × (-0.14)| = 1.96 percentage points (p<0.05). Given that the sample mean breach probability is 5.67%, this is a 34.6% relative reduction. The random-effects model yields a marginal effect of almost identical magnitude, with a smaller standard error. The first-difference model yields a somewhat larger magnitude: based on column 5, a one s.d. increase in IT centralization is associated with a 3.5 percentage point reduction (p<0.1) in breach probability, or a 61.7% relative reduction.
Table 3. Cybersecurity Breach: Linear Probability Models
Columns (1)-(2): OLS; (3)-(4): Random Effects; (5)-(6): First Difference; (7)-(8): Fixed Effects. Odd-numbered columns report the main effects, even-numbered columns add the interaction. Standard errors in parentheses below each coefficient; "--" marks a cell not applicable to that column.
Variable | (1) | (2) | (3) | (4) | (5) | (6) | (7) | (8)
IT Centralization | -0.141** | 0.322** | -0.141*** | 0.322* | -0.249** | 0.459 | -0.150 | 0.522
 | (0.060) | (0.157) | (0.051) | (0.192) | (0.126) | (0.364) | (0.107) | (0.348)
Outsourced Security | 0.004 | 0.008 | 0.004 | 0.008 | 0.217* | 0.213 | 0.071 | 0.073
 | (0.054) | (0.053) | (0.044) | (0.044) | (0.126) | (0.132) | (0.083) | (0.083)
IT Complexity | -0.037 | 0.457** | -0.037 | 0.457** | 0.031 | 0.795* | -0.003 | 0.729*
 | (0.035) | (0.191) | (0.047) | (0.203) | (0.103) | (0.446) | (0.123) | (0.381)
IT Centr. X IT Comp. | -- | -0.775*** | -- | -0.775** | -- | -1.161* | -- | -1.132**
 | -- | (0.290) | -- | (0.310) | -- | (0.614) | -- | (0.558)
Constant | -0.004 | -0.309* | -0.004 | -0.309 | -0.025 | -0.025 | 0.036 | -0.430
 | (0.134) | (0.160) | (0.162) | (0.203) | (0.024) | (0.024) | (1.721) | (1.733)
Year fixed effects | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
N | 1287 | 1287 | 1287 | 1287 | 713 | 713 | 1287 | 1287
R2 (within R2 for FD and FE) | 0.083 | 0.088 | -- | -- | 0.030 | 0.034 | 0.044 | 0.049
Log likelihood | -- | -- | 114.100 | 117.210 | -- | -- | -- | --
Prob > Chi2 | -- | -- | 0.000 | 0.000 | -- | -- | -- | --
Notes: All regressions include the control variables: Data Centers; Programs; Schools; Students; Faculty; IT Staff; IT Expense; Research Grants; State Cybercrimes; NCAA; and Multi-institutional Collaboration. We also include a set of categorical variables as controls: Carnegie Classification, Locale Code, Calendar System, and Intrusion Prevention Policies. Robust standard errors clustered by university are in parentheses. * p < .1, ** p < .05, *** p < .01
Next, we turn to the moderating effect of IT complexity on the relationship between centralized IT governance and cybersecurity breaches. We find strong support for Hypothesis 2: the negative coefficients on the interaction term (IT complexity) × (IT centralization) in columns 2, 4, 6 and 8 consistently show that when a university has a more complex computing environment, the benefit of centralized IT governance in reducing cybersecurity breaches is greater. In the interaction models the marginal effect of IT centralization is the sum of its main-effect coefficient and the interaction coefficient times IT complexity, so the positive main-effect coefficient is the effect at IT complexity = 0 (a fully homogeneous data center environment); at the sample mean complexity of 0.60 the marginal effect is negative. For example, based on column 6 (the FD model), when IT complexity is at the 1st quartile of the sample (0.549), the marginal effect of IT centralization is 0.459 + (-1.161) × 0.549 = -0.178, so a one s.d. increase in IT centralization is associated with a 0.14 × |(-0.178)| = 2.5 percentage point reduction in the probability of a security breach. When IT complexity is at the 3rd quartile (0.708), the marginal effect is 0.459 + (-1.161) × 0.708 = -0.363 (p<0.1), so a one s.d. increase in IT centralization is associated with a 0.14 × |(-0.363)| = 5.1 percentage point reduction.
It is interesting to note that in the baseline LPM estimations, outsourced security is not associated with a reduction in the probability of cybersecurity breaches. As discussed earlier, the information security outsourcing variable is subject to self-selection, and failing to account for it is likely to result in incorrect inferences.
Table 4. Cybersecurity Breach: Alternative Models
Columns (1)-(2): Random-effects Logit; (3)-(4): Survival Model (Cox); (5)-(6): Survival Model (Exponential). Odd-numbered columns report the main effects, even-numbered columns add the interaction. Standard errors in parentheses below each coefficient; "--" marks a cell not applicable to that column (the Cox model has no constant).
Variable | (1) | (2) | (3) | (4) | (5) | (6)
IT Centralization | -2.581*** | 5.887 | -2.213*** | 4.839 | -2.146*** | 5.077
 | (0.912) | (4.454) | (0.752) | (3.855) | (0.758) | (3.819)
Outsourced Security | -0.118 | 0.064 | -0.112 | 0.071 | -0.116 | 0.100
 | (1.014) | (0.966) | (0.821) | (0.786) | (0.838) | (0.800)
IT Complexity | -1.014 | 6.853 | -0.875 | 5.567 | -0.813 | 5.811
 | (1.230) | (4.271) | (1.077) | (3.612) | (1.078) | (3.622)
IT Centr. X IT Comp. | -- | -13.129** | -- | -10.842* | -- | -11.134**
 | -- | (6.640) | -- | (5.606) | -- | (5.549)
Constant | -8.676*** | -14.376*** | -- | -- | -8.278*** | -13.164***
 | (3.261) | (4.592) | -- | -- | (2.741) | (3.903)
Year fixed effects | Yes | Yes | Yes | Yes | Yes | Yes
N | 1287 | 1287 | 1287 | 1287 | 1287 | 1287
Log pseudolikelihood | -223.154 | -221.459 | -372.093 | -370.753 | -185.851 | -184.399
Prob > Chi2 | 0.117 | 0.082 | 0.000 | 0.000 | 0.000 | 0.000
Notes: All regressions include the control variables: Data Centers; Programs; Schools; Students; Faculty; IT Staff; IT Expense; Research Grants; State Cybercrimes; NCAA; and Multi-institutional Collaboration. We also include a set of categorical variables as controls: Carnegie Classification, Locale Code, Calendar System, and Intrusion Prevention Policies. Robust standard errors clustered by university are in parentheses. * p < .1, ** p < .05, *** p < .01. Log pseudolikelihood indicates the fit of the model, with higher (less negative) values indicating a better fit.
To test the robustness of our findings (H1 and H2), especially with regard to the assumptions underlying the LPM estimations such as the distribution of the error term, we estimate a number of alternative model specifications and present the results in Table 4. Columns 1 and 2 of Table 4 report a binary response model with a logistic link that controls for unobserved heterogeneity through random effects (Wooldridge 2002). We do not use the conditional logit (fixed-effects logit) model because it uses only observations of schools that switched status (schools that suffered security breaches in some years but not others) in the estimation (Baltagi 2008, p. 211); it would drop the majority of observations from our sample, because for a large number of schools the dependent variable never varies over the years (they never suffered a cybersecurity breach).
In addition to the binary response models, we investigate the robustness of H1 and H2 using survival models. We test the two functional forms most frequently used in survival analysis: a semiparametric specification, the Cox proportional hazards model, and a parametric specification in which the hazard rate follows an exponential distribution (Stanley et al. 2016). The results are presented in columns 3 to 6 of Table 4. Hypothesis 1 and Hypothesis 2 are consistently supported across all the model specifications, although the interpretation of the marginal effects differs from the LPM approach because these models are nonlinear. For example, the results in column 3 imply that, comparing IT centralization of 1 (completely centralized) with IT centralization of 0 (completely decentralized), the hazard ratio (the ratio of the two hazard rates) is exp(-2.213) = 0.109, an 89% reduction in the instantaneous hazard rate when IT centralization moves from 0 to 1. Similarly, the hazard ratio based on column 5 is exp(-2.146) = 0.117, an 88% reduction. A move from 0 to 1 spans the entire range of the measure; for a one s.d. change (0.14) the Cox hazard ratio is exp(-2.213 × 0.14) = 0.73, a 27% reduction in the hazard rate.
To address the endogeneity of IT Centralization, we use instrumental variables methods with fixed-effects panel data models, instrumenting IT Centralization with two IVs: Multi-campus Organization and Average Distance between the focal campus and the other campuses in the same university system. 480 of the 1,287 observations (37.3%) belong to a multi-campus system.
We first perform a two-stage least squares (2SLS) analysis with fixed effects to investigate the main effect of IT centralization, and present the results in Table 5. In the first stage, as expected, both IVs enter with positive coefficients, that is, multi-campus organization and greater distance between campuses are associated with more centralized IT governance, although only Average Distance is individually significant (p<0.1). The second stage confirms that Hypothesis 1 is robust to the endogeneity of IT centralization: the coefficient remains negative and highly significant (p<0.01). Its magnitude (-4.533) is, however, far larger than the LPM estimates in Table 3, so the IV result is best read as evidence on the sign of the effect rather than as a point estimate of its size. The F-statistic of the excluded instruments in the first stage is 39.42, above the conventional threshold of 10 (Staiger and Stock 1997), indicating that the instruments are not weak. This is further confirmed by the Kleibergen-Paap rk Wald F statistic (39.42), which exceeds the Stock-Yogo critical value at 10% maximal IV size (19.93) (Baum et al. 2007; Stock and Yogo 2005). In addition, the Hansen J statistic is 0.32 and does not reject the null (p=0.57), so the overidentifying restriction is not rejected; this supports the validity of the IVs, subject to the usual caveat that an overidentification test can only detect inconsistency between instruments, not an invalidity they share.9
Table 5. Instrument for IT centralization - Main effect
Variable | First stage: IT Centralization | Second stage: Security Breach
Multi-campus Organization | 0.059 (0.059) | --
Average Distance | 0.025* (0.013) | --
IT Centralization (instrumented) | -- | -4.533*** (1.132)
Outsourced Security | -0.025 (0.026) | -0.016 (0.113)
IT Complexity | 0.097* (0.044) | 0.509** (0.238)
N | 1180
Hansen J | 0.320 (p=0.57)
F test of excluded instruments | 39.42 (p=0.0000)
Kleibergen-Paap rk Wald F statistic | 39.420
Stock-Yogo critical value, 10% maximal IV size | 19.93
Notes: IV regressions with fixed effects are reported. All regressions include the control variables: Data Centers; Programs; Schools; Students; Faculty; IT Staff; IT Expense; Research Grants; State Cybercrimes; NCAA; and Intrusion Prevention Policies. Robust standard errors are in parentheses. 107 singleton observations (universities observed in only one year, which contribute nothing to a fixed-effects estimate) were dropped. * p < .1, ** p < .05, *** p < .01
To correct for the selection problems associated with information security outsourcing decisions, we estimate the endogenous treatment-regression models specified in equation (4). The results are reported in Table 6: the odd-numbered columns show the coefficients of the selection equation, and the even-numbered columns those of the outcome equation.
After correcting for self-selection, Hypothesis 3, which states that a university that outsources its information security to external vendors faces a lower chance of a cybersecurity breach than a university that operates its own IT security, is supported. The results in column 2 (the outcome equation of the treatment regression) suggest that when a university changes from operating its IT security in house to outsourcing, the probability of suffering a security breach is reduced by 0.265, that is, 26.5 percentage points. This exceeds the unconditional breach rate of 5.67%, so the coefficient is better read as the direction and significance of the corrected effect than as a literal change in probability; the PSM and IPW estimates reported below are considerably smaller. Consistent with our expectation, in the first-stage selection equations (columns 1 and 3), a higher local IT labor supply is significantly associated with a reduced propensity to outsource IT security, and higher local IT labor wages are associated with an increased propensity to outsource. These results show that the two measures of the local IT labor market are relevant selection variables. A Wald test of ρ rejects the null hypothesis of no correlation between the errors of the selection equation and those of the outcome equation (p=0.009 in the main-effects model and p=0.078 in the interaction model), indicating that the Outsourced Security variable indeed suffers from self-selection and therefore needs to be corrected. In addition, the main effect of centralized IT governance (column 2) and the moderating effect of IT complexity (column 4) in the treatment-regression models are very similar to those in the FD linear probability models (columns 5 and 6 of Table 3), which lends further support to Hypothesis 1 and Hypothesis 2.
9 We also address the endogeneity of the interaction term IT Centralization × IT Complexity. We use the interactions of IT Complexity with the two IVs, Multi-campus Organization × IT Complexity and Average Distance × IT Complexity, as additional instruments, and find consistent support for Hypothesis 2.
Table 6. Endogenous Treatment Regression Models for Outsourced Security
Columns (1)-(2): Treatreg, main effects; (3)-(4): Treatreg, interaction. Standard errors in parentheses; "--" marks a variable not entering that equation.
Variable | (1) Selection eq. | (2) Outcome eq. | (3) Selection eq. | (4) Outcome eq.
Outsourced Security | -- | -0.265*** (0.069) | -- | -0.305** (0.126)
IT Centralization | -3.531*** (0.931) | -0.167* (0.091) | -12.864** (6.465) | 0.467* (0.248)
IT Complexity | 0.664 (0.812) | -0.061 (0.058) | -8.465 (6.024) | 0.611** (0.278)
IT Centr. X IT Comp. | -- | -- | 15.843 (10.813) | -1.052** (0.431)
IT Labor Supply | -0.054*** (0.019) | -- | -0.048** (0.020) | --
IT Labor Wage | 0.072*** (0.025) | -- | 0.063** (0.030) | --
Constant | -10.200*** (3.126) | -0.048 (0.218) | -3.748 (5.164) | -0.456* (0.255)
Year fixed effects | Yes | Yes | Yes | Yes
N | 700 | 700 | 700 | 700
Wald test of ρ = 0 (p-value) | 0.009 | | 0.078 |
Notes: All regressions include the control variables: Data Centers; Programs; Schools; Students; Faculty; IT Staff; IT Expense; Research Grants; State Cybercrimes; NCAA; and Multi-institutional Collaboration. We also include a set of categorical variables as controls: Carnegie Classification, Locale Code, Calendar System, and Intrusion Prevention Policies. Robust standard errors clustered by university are in parentheses. 587 observations were dropped because IT labor supply and wage data were not available for them. * p < .1, ** p < .05, *** p < .01
Finally, we evaluate Hypothesis 3 with two alternative identification strategies that correct for self-selection: estimating the treatment effect of IT security outsourcing from observational data by propensity-score matching (PSM)10 and by inverse-probability weighting (IPW).11 The PSM method imputes the missing potential outcome of each subject with an average of the outcomes of similar subjects that received the other treatment level, where similarity is measured by the estimated treatment probabilities, the propensity scores. The average treatment effect (ATE) is the average over subjects of the difference between the observed and the imputed potential outcome (Abadie and Imbens 2006). The IPW method instead uses estimated probability weights to correct for the missing-data problem that arises because each subject is observed under only one of the potential outcomes. IPW estimators are computed in two steps: first, the parameters of the treatment model are estimated and the inverse-probability weights are computed from them; second, the weights are used to compute weighted averages of the outcomes for each treatment level, and the contrast of these weighted averages estimates the ATE (Cattaneo 2010). Consistent with Hypothesis 3, we find that a change from operating IT security in house to outsourcing reduces the likelihood of a cybersecurity breach by 7 percentage points (p<0.01 for both estimators), and the two treatment-effect estimates are of very similar magnitude. Both PSM and IPW assume that selection into outsourcing depends only on observed covariates, unlike the treatment-regression model, which allows the selection and outcome errors to be correlated. Overall, the various selection models show that failing to account for the self-selection of IT security outsourcing is likely to result in incorrect statistical inferences.
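The two estimators just described are short enough to show end to end. The block below is an added example, not the paper's code or its data: it builds a constructed 16-school sample in which one observed confounder (a high-wage local IT labor market, x = 1) pushes schools toward outsourcing and is also associated with breaches, fits the propensity model by a hand-written logistic regression, and computes the naive difference in breach rates, the IPW (Horvitz-Thompson) ATE and a nearest-neighbour PSM ATE. The propensity model, the sample and the single-covariate design are assumptions for illustration; the paper's estimates use its full covariate set and a statistical package.

```python
"""Added example (not the paper's code): inverse-probability weighting (IPW)
and propensity-score matching (PSM) estimates of the effect of outsourcing
security on breaches, on a constructed toy sample.
Each unit is (x, treated, breach): x = 1 for a high-wage local IT labor
market, treated = 1 if security is outsourced, breach = 1 if breached."""
import math
from typing import List, Sequence

# Constructed sample.  Low-wage schools rarely outsource and are rarely
# breached; high-wage schools mostly outsource, and the two that keep security
# in house are both breached.  Selection on x masks part of the true effect.
SAMPLE = (
    [(0, 1, 0)] * 2 + [(0, 0, 1)] + [(0, 0, 0)] * 5 +
    [(1, 1, 1)] + [(1, 1, 0)] * 5 + [(1, 0, 1)] * 2
)


def fit_logit(features: Sequence[Sequence[float]], labels: Sequence[int],
              lr: float = 0.05, steps: int = 5000) -> List[float]:
    """Maximum-likelihood logistic regression (intercept added here) by plain
    gradient ascent on the log-likelihood; adequate for a toy sample."""
    rows = [[1.0, *f] for f in features]
    w = [0.0] * len(rows[0])
    for _ in range(steps):
        grad = [0.0] * len(w)
        for r, y in zip(rows, labels):
            p = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, r))))
            for j, xj in enumerate(r):
                grad[j] += (y - p) * xj
        w = [wi + lr * g for wi, g in zip(w, grad)]
    return w


def propensity_scores(sample) -> List[float]:
    """e_i = P(treated | x_i) from the fitted treatment model."""
    w = fit_logit([[x] for x, _, _ in sample], [t for _, t, _ in sample])
    return [1.0 / (1.0 + math.exp(-(w[0] + w[1] * x))) for x, _, _ in sample]


def naive_difference(sample) -> float:
    """Breach rate of outsourcers minus that of in-house schools, ignoring
    who selects into outsourcing."""
    t = [y for _, d, y in sample if d == 1]
    c = [y for _, d, y in sample if d == 0]
    return sum(t) / len(t) - sum(c) / len(c)


def ipw_ate(sample, scores=None) -> float:
    """Horvitz-Thompson IPW: treated outcomes weighted by 1/e, control
    outcomes by 1/(1-e); the contrast of the weighted means is the ATE."""
    e = scores or propensity_scores(sample)
    n = len(sample)
    y1 = sum(y / ei for (_, d, y), ei in zip(sample, e) if d == 1) / n
    y0 = sum(y / (1 - ei) for (_, d, y), ei in zip(sample, e) if d == 0) / n
    return y1 - y0


def psm_ate(sample, scores=None, tol: float = 1e-9) -> float:
    """Nearest-neighbour matching on the propensity score, with replacement.
    Each unit's missing potential outcome is the mean outcome of the
    opposite-treatment units with the closest score (ties all included);
    the ATE averages observed-minus-imputed differences over all units."""
    e = scores or propensity_scores(sample)
    total = 0.0
    for (_, d, y), ei in zip(sample, e):
        pool = [(abs(ej - ei), yj) for (_, dj, yj), ej in zip(sample, e) if dj != d]
        best = min(dist for dist, _ in pool)
        matched = [yj for dist, yj in pool if dist - best <= tol]
        counterfactual = sum(matched) / len(matched)
        total += (y - counterfactual) if d == 1 else (counterfactual - y)
    return total / len(sample)


if __name__ == "__main__":
    e = propensity_scores(SAMPLE)
    print("naive difference:", naive_difference(SAMPLE))
    print("IPW ATE:", round(ipw_ate(SAMPLE, e), 4))
    print("PSM ATE:", round(psm_ate(SAMPLE, e), 4))
```

With a single binary covariate the logistic model is saturated, so the fitted propensity scores are the within-group outsourcing rates (0.25 for x = 0, 0.75 for x = 1) and both estimators reduce to a stratified comparison: the naive difference in breach rates is -0.25, while IPW and PSM both recover -0.5, the average of the within-stratum effects (-1/6 and -5/6). That is the direction of the bias the text describes: schools in markets that push them toward outsourcing are also the ones more exposed, so the raw comparison understates the benefit.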
Conclusions
In this study we examine the information security implications of strategic IT decisions using a sample of 505 universities. We focus on two important decisions regarding the deployment of IT: the degree to which IT decision making is centralized, and the outsourcing of information security management to managed security service providers (MSSPs). Our results suggest that centralized IT governance in a university is associated with fewer cybersecurity breaches, and that the effect is much stronger when the university has a more complex IT environment. We also find that, after correcting for self-selection bias, outsourcing information security leads to a lower probability of encountering cybersecurity breaches.
This research provides several insights for information security management practices. For example, in a
university where a central IT office holds the responsibility for the campus-wide infrastructure, the central
group often enjoys the benefits of specialization and economies of scale, and therefore can afford to dedicate
significant resources and IT staff members to information security. A centralized IT group can also establish
universal security standards and protocols throughout the campus, and enforce user compliance. In
addition, a central IT group is more efficient in system integration and coordination among various
departments, and is likely to be more responsive to security concerns. However, it should not be ignored
that decentralized IT governance has significant implications for shaping IT agility (Tiwana and Konsynski
2010) and accommodating idiosyncratic business unit needs (Xue et al. 2011). Therefore, a hybrid approach
which combines centralized infrastructure governance (including security) and decentralized application
governance, as proposed by Tiwana and Kim (2015), may be a sensible choice.
Our research contributes to the literature on information security management in a number of ways. First,
we focus on how strategic IT decisions and policies impact information security, beyond the usual
operational decisions such as software patching (August and Tunca 2008; Cavusoglu et al. 2008), intrusion
detection and prevention (Cavusoglu et al. 2005; D'Arcy et al. 2009), or information security contracting
(Cezar et al. 2013; Lee et al. 2013). The results of our study suggest that information security should enter
the calculus when management makes strategic IT decisions, and it needs to be considered alongside other
factors such as flexibility (Duncan 1995), agility (Weill et al. 2002) and efficiency (Banker et al. 1990). This
will invariably introduce subtle tradeoffs in information systems planning and sometimes lead to delicate
compromises, for example, sacrificing the flexibility of information systems for the benefits of enforcing
standardized security protocols. Our research provides empirical justifications for making such tradeoffs.
Second, cybersecurity is ranked as the most important concern of IT leaders and was the third largest IT investment in organizations in 2015 (Kappelman et al. 2016). However, there is a lack of empirical results quantifying the effects of IT governance structure on security breaches. By studying the outcome of information security management, we provide benchmark data that may aid management in making information security sourcing decisions. Prior research has highlighted a number of difficulties associated with security outsourcing, such as moral hazard (Lee et al. 2013) and incentive alignment (Cezar et al. 2013). Our results show that despite these difficulties, universities that opt for security outsourcing on average outperform those that operate information security in house, which supports a policy of outsourcing to obtain access to skilled labor and to gain the benefits of information sharing. The difficulties associated with outsourcing can likely be mitigated by a number of mechanisms, such as reputation and repeated interactions (Dellarocas 2005) or careful contract design (Lee et al. 2013).
While this study is restricted to higher education institutions, these findings may also be of interest to
private-sector firms that face a constant threat of cybersecurity breaches. IT strategic decision making in
the corporate world shares many similarities with that in the public sector, and a variety of security
breaches have become an unfortunate byproduct of the benefits technology has brought to firms, oftentimes
with devastating consequences. Senior management as well as the CIO should consider security risk
mitigation a major component of IT governance and invest sufficient resources to protect their organizations
from attacks, and empirical evidence is sorely needed to provide guidance in the process. We call for further
empirical research on information security management in corporate settings.
References
Abadie, A., and Imbens, G. W. 2006. "Large Sample Properties of Matching Estimators for Average Treatment Effects," Econometrica (74:1), pp. 235-267.
Adebayo, A. O. 2012. "A Foundation for Breach Data Analysis," Journal of Information Engineering and Applications (2:4), pp. 17-23.
Allen, J., Gabbard, D., May, C., Hayes, E., and Sledge, C. 2003. "Outsourcing Managed Security Services," Carnegie Mellon Software Engineering Institute.
Anand, K. S., and Mendelson, H. 1997. "Information and Organization for Horizontal Multimarket Coordination," Management Science (43:12), pp. 1609-1627.
Anderson, R., and Moore, T. 2006. "The Economics of Information Security," Science (314:5799), pp. 610-613.
Angrist, J. D., and Pischke, J.-S. 2008. Mostly Harmless Econometrics: An Empiricist's Companion. Princeton University Press.
Arora, A., Krishnan, R., Telang, R., and Yang, Y. 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research (21:1), pp. 115-132.
August, T., and Tunca, T. I. 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research (19:1), pp. 48-70.
Baltagi, B. 2008. Econometric Analysis of Panel Data. John Wiley & Sons.
Banker, R. D., Kauffman, R. J., and Morey, R. C. 1990. "Measuring Gains in Operational Efficiency from Information Technology: A Study of the Positran Deployment at Hardee's Inc," Journal of Management Information Systems (7:2), pp. 29-54.
Baum, C. F., Schaffer, M. E., and Stillman, S. 2007. "Enhanced Routines for Instrumental Variables/GMM Estimation and Testing," Stata Journal (7:4), pp. 465-506.
Blau, P. M. 1977. Inequality and Heterogeneity: A Primitive Theory of Social Structure. Free Press, New York.
Braa, J., Hanseth, O., Heywood, A., Mohammed, W., and Shaw, V. 2007. "Developing Health Information Systems in Developing Countries: The Flexible Standards Strategy," MIS Quarterly (31:2), pp. 381-402.
Brown, C. V. 1997. "Examining the Emergence of Hybrid IS Governance Solutions: Evidence from a Single Case Site," Information Systems Research (8:1), pp. 69-94.
Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness," MIS Quarterly (34:3), pp. 523-548.
Cattaneo, M. D. 2010. "Efficient Semiparametric Estimation of Multi-Valued Treatment Effects under Ignorability," Journal of Econometrics (155:2), pp. 138-154.
Cavusoglu, H., Cavusoglu, H., and Zhang, J. 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science (54:4), pp. 657-670.
Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004. "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers," International Journal of Electronic Commerce (9:1), pp. 70-104.
Cavusoglu, H., Mishra, B., and Raghunathan, S. 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research (16:1), pp. 28-46.
Cezar, A., Cavusoglu, H., and Raghunathan, S. 2013. "Outsourcing Information Security: Contracting Issues and Security Implications," Management Science (60:3), pp. 638-657.
Chen, P.-Y., Kataria, G., and Krishnan, R. 2011. "Correlated Failures, Diversification, and Information Security Risk Management," MIS Quarterly (35:2), pp. 397-422.
D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research (20:1), pp. 79-98.
Dellarocas, C. 2005. "Reputation Mechanism Design in Online Trading Environments with Pure Moral Hazard," Information Systems Research (16:2), pp. 209-230.
DeSanctis, G., and Jackson, B. M. 1994. "Coordination of Information Technology Management: Team-Based Structures and Computer-Based Communication Systems," Journal of Management Information Systems (10:4), pp. 85-110.
Ding, W., Yurcik, W., and Yin, X. 2005. "Outsourcing Internet Security: Economic Analysis of Incentives for Managed Security Service Providers," in Internet and Network Economics. Springer, pp. 947-958.
Doherty, N. F., and Fulford, H. 2006. "Aligning the Information Security Policy with the Strategic Information Systems Plan," Computers & Security (25:1), pp. 55-63.
Dong, S., Xu, S. X., and Zhu, K. X. 2009. "Research Note—Information Technology in Supply Chains: The Value of IT-Enabled Resources under Competition," Information Systems Research (20:1), pp. 18-32.
Duncan, N. B. 1995. "Capturing Flexibility of Information Technology Infrastructure: A Study of Resource Characteristics and Their Measure," Journal of Management Information Systems (12:2), pp. 37-57.
Eden, L., and Miller, S. R. 2004. "Distance Matters: Liability of Foreignness, Institutional Distance and Ownership Strategy," in Theories of the Multinational Enterprise: Diversity, Complexity and Relevance. Emerald Group Publishing Limited, pp. 187-221.
Gal-Or, E., and Ghose, A. 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research (16:2), pp. 186-208.
Gopal, A., Sivaramakrishnan, K., Krishnan, M. S., and Mukhopadhyay, T. 2003. "Contracts in Offshore Software Development: An Empirical Analysis," Management Science (49:12), pp. 1671-1683.
Gordon, L. A., Loeb, M. P., and Lucyshyn, W. 2003. "Sharing Information on Computer Systems Security: An Economic Analysis," Journal of Accounting and Public Policy (22:6), pp. 461-485.
Greene, W. H. 2003. Econometric Analysis (5th ed.). Prentice Hall, Upper Saddle River, NJ.
Gupta, A., and Zhdanov, D. 2012. "Growth and Sustainability of Managed Security Services Networks: An Economic Perspective," MIS Quarterly (36:4), pp. 1109-1130.
Hasselbring, W. 2000. "Information System Integration," Communications of the ACM (43:6), pp. 32-38.
Heckman, J. J. 1976. "The Common Structure of Statistical Models of Truncation, Sample Selection and Limited Dependent Variables and a Simple Estimator for Such Models," in Annals of Economic and Social Measurement, Volume 5, Number 4. NBER, pp. 475-492.
Holmstrom, B., and Milgrom, P. 1991. "Multitask Principal-Agent Analyses: Incentive Contracts, Asset Ownership, and Job Design," Journal of Law, Economics, & Organization (7:sp), pp. 24-52.
Jensen, M. C., and Meckling, W. H. 1995. "Specific and General Knowledge, and Organizational Structure," Journal of Applied Corporate Finance (8:2), pp. 4-18.
Jensen, M. C., and Meckling, W. H. 1992. "Specific and General Knowledge and Organizational Structure," in Contract Economics, L. Werin and H. Wijkander (eds.). Blackwell, Oxford, pp. 251-274.
Johnston, A. C., and Hale, R. 2009. "Improved Security through Information Security Governance," Communications of the ACM (52:1), pp. 126-129.
Kappelman, L., McLean, E., Johnson, V., and Torres, R. 2016. "The 2015 SIM IT Issues and Trends Study," MIS Quarterly Executive (15:1).
Karyda, M., Kiountouzis, E., and Kokolakis, S. 2005. "Information Systems Security Policies: A Contextual Perspective," Computers & Security (24:3), pp. 246-260.
Lacity, M. C., Khan, S. A., and Willcocks, L. P. 2009. "A Review of the IT Outsourcing Literature: Insights for Practice," The Journal of Strategic Information Systems (18:3), pp. 130-146.
Lee, C. H., Geng, X., and Raghunathan, S. 2013. "Contracting Information Security in the Presence of Double Moral Hazard," Information Systems Research (24:2), pp. 295-311.
Maddala, G. S. 1983. Limited-Dependent and Qualitative Variables in Econometrics. Cambridge University Press.
McKeen, J. D., Guimaraes, T., and Wetherbe, J. C. 1994. "The Relationship between User Participation and User Satisfaction: An Investigation of Four Contingency Factors," MIS Quarterly (18:4), pp. 427-451.
Meyer, M. H., and Curley, K. F. 1991. "An Applied Framework for Classifying the Complexity of Knowledge-Based Systems," MIS Quarterly (15:4), pp. 455-472.
Miller, A. R., and Tucker, C. 2009. "Privacy Protection and Technology Diffusion: The Case of Electronic Medical Records," Management Science (55:7), pp. 1077-1093.
Moulton, R. 2003. "Applying Information Security Governance," Computers & Security (22:7), p. 580.
Nault, B. R. 1998. "Information Technology and Organization Design: Locating Decisions and Information," Management Science (44:10), pp. 1321-1335.
Peltier, T. R. 2016. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.
Pulkkinen, M., Naumenko, A., and Luostarinen, K. 2007. "Managing Information Security in a Business Network of Machinery Maintenance Services Business – Enterprise Architecture as a Coordination Tool," Journal of Systems and Software (80:10), pp. 1607-1620.
Ransbotham, S., and Mitra, S. 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research (20:1), pp. 121-139.
Rowe, B. R. 2008. "Will Outsourcing IT Security Lead to a Higher Social Level of Security?," in Sixth Workshop on the Economics of Information Security. Pittsburgh, PA.
Sambamurthy, V., and Zmud, R. W. 1999. "Arrangements for Information Technology Governance: A Theory of Multiple Contingencies," MIS Quarterly (23:2), pp. 261-290.
Spears, J. L., and Barki, H. 2010. "User Participation in Information Systems Security Risk Management," MIS Quarterly (34:3), pp. 503-522.
Staiger, D., and Stock, J. H. 1997. "Instrumental Variables Regression with Weak Instruments," Econometrica (65:3), p. 557.
Stock, J. H., and Yogo, M. 2005. "Testing for Weak Instruments in Linear IV Regression," in Identification and Inference for Econometric Models: Essays in Honor of Thomas J. Rothenberg, D. W. K. Andrews and J. H. Stock (eds.). Cambridge University Press, Ch. 5.
Straub, D. W., and Welke, R. J. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly (22:4), pp. 441-469.
Tallon, P. P., Ramirez, R. V., and Short, J. E. 2013. "The Information Artifact in IT Governance: Toward a Theory of Information Governance," Journal of Management Information Systems (30:3), pp. 141-178.
Tiwana, A., and Kim, S. K. 2015. "Discriminating IT Governance," Information Systems Research (26:4), pp. 656-674.
Tiwana, A., and Konsynski, B. 2010. "Complementarities between Organizational IT Architecture and Governance Structure," Information Systems Research (21:2), pp. 288-304.
Weill, P., and Ross, J. 2005. "A Matrixed Approach to Designing IT Governance," MIT Sloan Management Review (46:2), p. 26.
Weill, P., and Ross, J. W. 2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business Press.
Weill, P., Subramani, M., and Broadbent, M. 2002. "Building IT Infrastructure for Strategic Agility," MIT Sloan Management Review (44:1), p. 57.
Wilkin, C. L. 2010. "A Review of IT Governance: A Taxonomy to Inform Accounting Information Systems," Journal of Information Systems (24:2), p. 107.
Wooldridge, J. M. 2002. Econometric Analysis of Cross Section and Panel Data. The MIT Press.
Wu, S. P.-J., Straub, D. W., and Liang, T.-P. 2015. "How Information Technology Governance Mechanisms and Strategic Alignment Influence Organizational Performance: Insights from a Matched Survey of Business and IT Managers," MIS Quarterly (39:2), pp. 497-518.
Xue, L., Ray, G., and Gu, B. 2011. "Environmental Uncertainty and IT Infrastructure Governance: A Curvilinear Relationship," Information Systems Research (22:2), pp. 389-399.
Young, R. F., and Windsor, J. 2010. "Empirical Evaluation of Information Security Planning and Integration," Communications of the Association for Information Systems (26:1), p. 13.