Authors: Min-Seok Pang, Hüseyin Tanriverdi
Journal: Journal of Strategic Information Systems, 31(1), Article 101707 (JCR Q1, Computer Science, Information Systems; impact factor 8.7)
Published: 2022-03-01 (Journal Article)
DOI: 10.1016/j.jsis.2022.101707
URL: https://www.sciencedirect.com/science/article/pii/S0963868722000038
Citation count: 7
Platform: Semanticscholar
Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government
Many organizations run their core business operations on decades-old legacy IT systems. Some security professionals argue that legacy IT systems significantly increase security risks because they are not designed to address contemporary cybersecurity risks. Others counter that the legacy systems might be “secure by antiquity” and argue that due to lack of adequate documentation on the systems, it is very difficult for potential attackers to discover and exploit security vulnerabilities. There is a shortage of empirical evidence on either argument. Routine activity theory (RAT) argues that an organization’s guardianship is critical for reducing security incidents. However, RAT does not well explain how organizations might guard against security risks of legacy IT systems. We theorize that organizations can enhance their guardianship by either modernizing their legacy IT systems in-house or by outsourcing them to cloud vendors. With datasets from the U.S. federal agencies, we find that agencies that have more legacy IT systems experience more frequent security incidents than others with more modern IT systems. A 1%-point increase in the proportion of IT budgets spent on IT modernization is associated with a 5.6% decrease in the number of security incidents. Furthermore, migration of the legacy systems to the cloud is negatively associated with the number of security incidents. The findings advance the literature on strategic information systems by extending RAT to explain why the “security by antiquity” argument is not valid and how organizations can reduce the security risks of legacy IT systems through modernization and migration to the cloud.
About the journal:
The Journal of Strategic Information Systems focuses on the strategic management, business and organizational issues associated with the introduction and utilization of information systems, and considers these issues in a global context. The emphasis is on the incorporation of IT into organizations' strategic thinking, strategy alignment, organizational arrangements and management of change issues.