Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government

IF 8.7 2区管理学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Strategic Information Systems Pub Date : 2022-03-01 DOI:10.1016/j.jsis.2022.101707

Min-Seok Pang , Hüseyin Tanriverdi

{"title":"Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government","authors":"Min-Seok Pang , Hüseyin Tanriverdi","doi":"10.1016/j.jsis.2022.101707","DOIUrl":null,"url":null,"abstract":"<div><p>Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.</p></div>","PeriodicalId":50037,"journal":{"name":"Journal of Strategic Information Systems","volume":"31 1","pages":"Article 101707"},"PeriodicalIF":8.7000,"publicationDate":"2022-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Strategic Information Systems","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0963868722000038","RegionNum":2,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 7

Abstract

Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.

查看原文本刊更多论文

IT现代化和云迁移在降低组织网络安全风险中的战略作用:以美国联邦政府为例

许多组织在几十年前的遗留IT系统上运行其核心业务操作。一些安全专家认为，遗留的IT系统显著增加了安全风险，因为它们不是为解决当代网络安全风险而设计的。其他人则反驳说，遗留系统可能是“安全的”，并认为由于缺乏足够的系统文档，潜在的攻击者很难发现和利用安全漏洞。这两种观点都缺乏经验证据。常规活动理论(RAT)认为，组织的监管对于减少安全事件至关重要。然而，RAT并没有很好地解释组织如何防范遗留IT系统的安全风险。我们的理论是，组织可以通过在内部现代化其遗留IT系统或将其外包给云供应商来增强其监护。使用来自美国联邦机构的数据集，我们发现拥有更多遗留IT系统的机构比拥有更现代IT系统的机构经历更频繁的安全事件。用于IT现代化的IT预算比例每增加1%，安全事件数量就会减少5.6%。此外，将遗留系统迁移到云与安全事件的数量呈负相关。研究结果通过扩展RAT来解释为什么“古老的安全”论点是无效的，以及组织如何通过现代化和迁移到云来降低遗留IT系统的安全风险，从而推进了战略信息系统的文献。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Strategic Information Systems 工程技术-计算机：信息系统

CiteScore

17.40

自引率

4.30%

发文量

审稿时长

>12 weeks

期刊介绍： The Journal of Strategic Information Systems focuses on the strategic management, business and organizational issues associated with the introduction and utilization of information systems, and considers these issues in a global context. The emphasis is on the incorporation of IT into organizations'' strategic thinking, strategy alignment, organizational arrangements and management of change issues.