{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T19:07:52Z","timestamp":1783105672666,"version":"3.54.6"},"reference-count":110,"publisher":"MIS Quarterly","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,3,1]]},"abstract":"<jats:p>Data breaches can severely damage a firm\u2019s reputation and its customers\u2019 confidence. Firms must therefore continuously invest in security measures to prevent such breaches. However, the effectiveness of security investment has been questioned by both practitioners and academics. We illustrate the bidirectional dynamic relationship between information technology (IT) investment and data breaches moderated by threat and countermeasure security awareness using an eight-year panel of 311 U.S.-listed firms to provide empirical evidence that threat awareness broadens firms\u2019 scope for addressing data-breach issues by investing more in IT than in security. Countermeasure awareness equips firms with sufficient knowledge and experience to ensure effective implementation of IT, which provides more comprehensive protection than security investment alone. Our results suggest that firms should evolve beyond the reactive mindset of solely upgrading security and begin nurturing both threat awareness and countermeasure awareness to address the underlying IT system issues that are the cause of data breaches.<\/jats:p>","DOI":"10.25300\/misq\/2022\/15713","type":"journal-article","created":{"date-parts":[[2023,5,4]],"date-time":"2023-05-04T16:58:03Z","timestamp":1683219483000},"page":"317-342","source":"Crossref","is-referenced-by-count":54,"title":["Where is IT in Information Security? The Interrelationship among IT Investment, Security Awareness, and Data Breaches"],"prefix":"10.25300","volume":"47","author":[{"given":"Wilson Weixun","family":"Li","sequence":"first","affiliation":[{"name":"Deakin Business School, Deakin University Burwood, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alvin Chung Man","family":"Leung","sequence":"additional","affiliation":[{"name":"Department of Information Systems, College of Business, City University of Hong Kong Kowloon, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wei Thoo","family":"Yue","sequence":"additional","affiliation":[{"name":"Department of Information Systems, College of Business, City University of Hong Kong Kowloon, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"10933","published-online":{"date-parts":[[2023,3,1]]},"reference":[{"key":"2025082212292029500_b1-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.102030","article-title":"Information security governance challenges and critical success factors: Systematic review","volume":"99","author":"AlGhamdi","year":"2020","journal-title":"Computers & Security"},{"issue":"3","key":"2025082212292029500_b2-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"893","DOI":"10.25300\/MISQ\/2017\/41.3.10","article-title":"When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches","volume":"41","author":"Angst","year":"2017","journal-title":"MIS Quarterly"},{"issue":"5","key":"2025082212292029500_b3-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"763","DOI":"10.1287\/orsc.1070.0306","article-title":"IT assets, organizational capabilities, and firm performance: How resource allocations and organizational differences explain performance variation","volume":"18","author":"Aral","year":"2007","journal-title":"Organization Science"},{"issue":"2","key":"2025082212292029500_b4-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"277","DOI":"10.2307\/2297968","article-title":"Some tests of specification for panel data: Monte Carlo evidence and an application to employment equations","volume":"58","author":"Arellano","year":"1991","journal-title":"Review of Economic Studies"},{"issue":"2","key":"2025082212292029500_b5-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"73","DOI":"10.2753\/MIS0742-1222240204","article-title":"Proximity and information technology outsourcing: How local are IT services markets?","volume":"24","author":"Arora","year":"2007","journal-title":"Journal of Management Information Systems"},{"key":"2025082212292029500_b6-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-2068-9_1","volume-title":"Cybersecurity lexicon","author":"Ayala","year":"2016"},{"issue":"4","key":"2025082212292029500_b7-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"628","DOI":"10.2307\/1924522","article-title":"The Canadian-US exchange rate: Evidence from a vector autoregression","volume":"68","author":"Backus","year":"1986","journal-title":"The Review of Economics and Statistics"},{"issue":"59","key":"2025082212292029500_b8-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1016\/j.cose.2016.02.007","article-title":"Information system security commitment: A study of external influences on senior management","volume":"100","author":"Barton","year":"2016","journal-title":"Computers & Security"},{"key":"2025082212292029500_b9-11_rn_10_25300_misq_2022_15713","article-title":"Information security control decision theory: Management reasoning in threes","author":"Baskerville","year":"2009"},{"issue":"59","key":"2025082212292029500_b10-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1016\/j.cose.2016.02.007","article-title":"Information system security commitment: A study of external influences on senior management","volume":"100","author":"Barton","year":"2016","journal-title":"Computers & Security"},{"issue":"6","key":"2025082212292029500_b11-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"508","DOI":"10.1016\/j.jaccpubpol.2018.10.003","article-title":"Cybersecurity awareness and market valuations","volume":"37","author":"Berkman","year":"2018","journal-title":"Journal of Accounting and Public Policy"},{"issue":"2","key":"2025082212292029500_b12-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"151","DOI":"10.1057\/ejis.2009.8","article-title":"If someone is watching, \u2019\u2019ll do what \u2019\u2019m asked: Mandatoriness, control, and information security","volume":"18","author":"Boss","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"3","key":"2025082212292029500_b13-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"499","DOI":"10.1287\/isre.1120.0468","article-title":"An empirical examination of the antecedents and consequences of contribution patterns in crowd-funded markets","volume":"24","author":"Burtch","year":"2013","journal-title":"Information Systems Research"},{"issue":"3","key":"2025082212292029500_b14-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"865","DOI":"10.2307\/41703484","article-title":"A knowledge-based model of radical innovation in small software firms","volume":"36","author":"Carlo","year":"2012","journal-title":"MIS Quarterly"},{"issue":"4","key":"2025082212292029500_b15-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"651","DOI":"10.1016\/j.dss.2010.08.017","article-title":"Firms\u2019 information security investment decisions: Stock market evidence of investor\u2019\u2019 behavior","volume":"50","author":"Chai","year":"2011","journal-title":"Decision Support Systems"},{"issue":"3","key":"2025082212292029500_b16-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"345","DOI":"10.1108\/02635570610653498","article-title":"Organizational factors to the effectiveness of implementing information security management","volume":"106","author":"Chang","year":"2006","journal-title":"Industrial Management & Data Systems"},{"issue":"4","key":"2025082212292029500_b17-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1043","DOI":"10.2307\/41703497","article-title":"Information technology outsourcing, knowledge transfer, and firm productivity: An empirical analysis","volume":"36","author":"Chang","year":"2012","journal-title":"MIS Quarterly"},{"issue":"3","key":"2025082212292029500_b18-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1287\/isre.2015.0582","article-title":"IT-enabled broadcasting in social media: An empirical study of artists\u2019 activities and music sales","volume":"26","author":"Chen","year":"2015","journal-title":"Information Systems Research"},{"issue":"2","key":"2025082212292029500_b19-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"387","DOI":"10.2307\/23044049","article-title":"Correlated failures, diversification, and information security risk management","volume":"35","author":"Chen","year":"2011","journal-title":"MIS Quarterly"},{"issue":"1","key":"2025082212292029500_b20-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1287\/isre.2015.0608","article-title":"Cloud computing spot pricing dynamics: Latency and limits to arbitrage","volume":"27","author":"Cheng","year":"2016","journal-title":"Information Systems Research"},{"issue":"2","key":"2025082212292029500_b21-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"250","DOI":"10.1080\/17517575.2015.1041060","article-title":"Assimilation of enterprise technology upgrades: A factor-based study","volume":"11","author":"Claybaugh","year":"2017","journal-title":"Enterprise Information Systems"},{"key":"2025082212292029500_b22-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1057\/jit.2014.35","article-title":"Strategic IT alignment: Twenty-five years on","volume":"30","author":"Coltman","year":"2015","journal-title":"Journal of Information Technology"},{"issue":"4","key":"2025082212292029500_b23-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"521","DOI":"10.1111\/isj.12319","article-title":"When enough is enough: Investigating the antecedents and consequences of information security fatigue","volume":"31","author":"Cram","year":"2019","journal-title":"Information Systems Journal"},{"issue":"1","key":"2025082212292029500_b24-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach","volume":"20","author":"\u2019\u2019Arcy","year":"2009","journal-title":"Information Systems Research"},{"issue":"3","key":"2025082212292029500_b25-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"219","DOI":"10.1287\/isre.9.3.219","article-title":"Firm characteristics and investments in information technology: Scale and scope effects","volume":"9","author":"Dewan","year":"1998","journal-title":"Information Systems Research"},{"issue":"1","key":"2025082212292029500_b26-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"101","DOI":"10.25300\/MISQ\/2014\/38.1.05","article-title":"Social media, traditional media, and music sales","volume":"38","author":"Dewan","year":"2014","journal-title":"MIS Quarterly"},{"issue":"366a","key":"2025082212292029500_b27-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"427","DOI":"10.1080\/01621459.1979.10482531","article-title":"Distribution of the estimators for autoregressive time series with a unit root","volume":"74","author":"Dickey","year":"1979","journal-title":"Journal of the American Statistical Association"},{"key":"2025082212292029500_b28-11_rn_10_25300_misq_2022_15713","unstructured":"DiPietro, B.\n           (2018). Speed of tech change a threat to cybersecurity. The Wall Street Journal. https:\/\/blogs.wsj.com\/riskandcompliance\/2015\/03\/17\/speed-of-technological-change-is-a-threat-to-cybersecurity\/"},{"key":"2025082212292029500_b29-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"243","DOI":"10.1016\/S2212-5671(15)01106-5","article-title":"Information security: Risk, governance and implementation setback","volume":"28","author":"Fazlida","year":"2015","journal-title":"Procedia Economics and Finance"},{"issue":"5","key":"2025082212292029500_b30-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"410","DOI":"10.1108\/IMCS-07-2013-0053","article-title":"Current challenges in information security risk management","volume":"22","author":"Fenz","year":"2014","journal-title":"Information Management & Computer Security"},{"issue":"4","key":"2025082212292029500_b31-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"641","DOI":"10.1287\/mnsc.1040.0343","article-title":"The corporate digital divide: Determinants of internet adoption","volume":"51","author":"Forman","year":"2005","journal-title":"Management Science"},{"key":"2025082212292029500_b32-11_rn_10_25300_misq_2022_15713","unstructured":"Gelbstein, E.\n           (2016). IS audit basics: Auditing IS\/IT risk management, Part 1. ISACA Journal, 2, 1-3. https:\/\/www.isaca.org\/resources\/isaca-journal\/issues\/2016\/volume-2\/is-audit-basics-auditing-isit-risk-management-part-1"},{"key":"2025082212292029500_b33-11_rn_10_25300_misq_2022_15713","unstructured":"Gelbstein, E.\n           (2017). IS Audit basics: Preparing for auditing new risk. ISACA Journal, 1, 8-11. https:\/\/www.isaca.org\/resources\/isaca-journal\/issues\/2017\/volume-1\/is-audit-basics-preparing-for-auditing-new-risk-part-2"},{"key":"2025082212292029500_b34-11_rn_10_25300_misq_2022_15713","unstructured":"Glavach, D.\n           (2017). In\u2008IT Ops, separate security teams should be a thing of the past. TechBeacon. https:\/\/techbeacon.com\/it-ops-separate-security-teams-should-be-thing-past"},{"issue":"6","key":"2025082212292029500_b35-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1325","DOI":"10.1007\/s10796-018-9836-9","article-title":"Levels of EMR adoption in US hospitals: An empirical examination of absorptive capacity, institutional pressures, top management beliefs, and participation","volume":"21","author":"Gopalakrishna-Remani","year":"2019","journal-title":"Information Systems Frontiers"},{"issue":"4","key":"2025082212292029500_b36-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","author":"Gordon","year":"2002","journal-title":"ACM Transactions on Information and System Security"},{"issue":"5","key":"2025082212292029500_b37-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1016\/j.jaccpubpol.2006.07.005","article-title":"The impact of the sarbanes-Oxley Act on the corporate disclosures of information security activities","volume":"25","author":"Gordon","year":"2006","journal-title":"Journal of Accounting and Public Policy"},{"issue":"3","key":"2025082212292029500_b38-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"567","DOI":"10.2307\/25750692","article-title":"Market value of voluntary disclosures concerning information security","volume":"34","author":"Gordon","year":"2010","journal-title":"MIS Quarterly"},{"issue":"3","key":"2025082212292029500_b39-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"424","DOI":"10.2307\/1912791","article-title":"Investigating causal relations by econometric models and cross-spectral methods","volume":"3","author":"Granger","year":"1969","journal-title":"Econometrica: Journal of the Econometric Society"},{"key":"2025082212292029500_b40-11_rn_10_25300_misq_2022_15713","unstructured":"Greenberg, P.\n           (2013). Right to know: December 2008. State Legislatures Magazine. https:\/\/www.ncsl.org\/research\/telecommunications-and-information-technology\/sl-magazine-right-to-know.aspx"},{"issue":"2","key":"2025082212292029500_b41-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"683","DOI":"10.1080\/07421222.2018.1451962","article-title":"The role of corporate reputation and crisis response strategies in data breach management","volume":"35","author":"Gwebu","year":"2018","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"2025082212292029500_b42-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1080\/10580530.2015.1117842","article-title":"Impact of users\u2019 security awareness on desktop security behavior: A protection motivation theory perspective","volume":"33","author":"Hanus","year":"2016","journal-title":"Information Systems Management"},{"issue":"2","key":"2025082212292029500_b43-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"A9","DOI":"10.2308\/CIIA-2020-034","article-title":"Academic research on the role of corporate governance and IT expertise in addressing cybersecurity breaches: Implications for practice, policy and research","volume":"15","author":"Hartmann","year":"2021","journal-title":"Current Issues in Auditing"},{"issue":"6","key":"2025082212292029500_b44-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1285","DOI":"10.1007\/s10796-019-09959-1","article-title":"Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments","volume":"21","author":"Heidt","year":"2019","journal-title":"Information Systems Frontiers"},{"issue":"2","key":"2025082212292029500_b45-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1145\/3400043.3400046","article-title":"Organizational adoption of information security solutions: An integrative lens based on innovation adoption and the technology-organization-environment framework","volume":"51","author":"Herath","year":"2020","journal-title":"The Data Base for Advances in Information Systems"},{"issue":"6","key":"2025082212292029500_b46-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1002\/smr.238","article-title":"Emergent maintenance of ERP: new roles and relationships","volume":"13","author":"Hirt","year":"2001","journal-title":"Journal of Software Maintenance and Evolution: Research and Practice"},{"issue":"3","key":"2025082212292029500_b47-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1109\/MSP.2010.55","article-title":"Toward risk assessment of large-impact and rare events","volume":"8","author":"Hole","year":"2010","journal-title":"IEEE Security & Privacy"},{"issue":"3","key":"2025082212292029500_b48-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"918","DOI":"10.1287\/isre.1110.0393","article-title":"Institutional influences on information systems security innovations","volume":"23","author":"Hsu","year":"2012","journal-title":"Information Systems Research"},{"issue":"2","key":"2025082212292029500_b49-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"140","DOI":"10.1057\/ejis.2009.7","article-title":"Frame misalignment: Interpreting the implementation of information systems security certification in an organization","volume":"18","author":"Hsu","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"4","key":"2025082212292029500_b50-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"377","DOI":"10.1108\/MAJ-07-2017-1595","article-title":"Factors associated with security\/cybersecurity audit by internal audit function","volume":"33","author":"Islam","year":"2018","journal-title":"Managerial Auditing Journal"},{"issue":"5","key":"2025082212292029500_b51-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"681","DOI":"10.1016\/j.im.2018.11.003","article-title":"Information security breaches and it security investments: Impacts on competitors","volume":"56","author":"Jeong","year":"2019","journal-title":"Information & Management"},{"issue":"3","key":"2025082212292029500_b52-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1109\/MSP.2007.59","article-title":"Embedding information security into the organization","volume":"5","author":"Johnson","year":"2007","journal-title":"IEEE Security & Privacy"},{"issue":"2","key":"2025082212292029500_b53-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/s10796-007-9030-y","article-title":"Enterprise architecture analysis with extended influence diagrams","volume":"9","author":"Johnson","year":"2007","journal-title":"Information Systems Frontiers"},{"issue":"1","key":"2025082212292029500_b54-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1145\/1435417.1435446","article-title":"Improved security through information security governance","volume":"52","author":"Johnston","year":"2009","journal-title":"Communications of the ACM"},{"issue":"4","key":"2025082212292029500_b55-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"360","DOI":"10.1108\/MAJ-02-2018-1804","article-title":"Cyber security assurance process from the internal audit perspective","volume":"33","author":"Kahyaoglu","year":"2018","journal-title":"Managerial Auditing Journal"},{"key":"2025082212292029500_b56-11_rn_10_25300_misq_2022_15713","unstructured":"Kark, K., Penn, J., & Dill, A. (2009). 2008 CISO priorities: The right objectives but the wrong focus. Forrester Research. https:\/\/www.mag-securs.com\/mag\/IMG\/pdf\/Forrester_2008_CISO_Priorities_The_right_Objectives_But_The_Wrong_Focus.pdf"},{"issue":"3","key":"2025082212292029500_b57-11_rn_10_25300_misq_2022_15713","first-page":"163","article-title":"Effective information security requires a balance of social and technology factors","volume":"9","author":"Kayworth","year":"2010","journal-title":"MIS Quarterly Executive"},{"issue":"2","key":"2025082212292029500_b58-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"299","DOI":"10.2307\/3250940","article-title":"A cross-cultural study on escalation of commitment behavior in software projects","volume":"24","author":"Keil","year":"2000","journal-title":"MIS Quarterly"},{"issue":"2","key":"2025082212292029500_b59-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1080\/07421222.2015.1063293","article-title":"Understanding members\u2019 active participation in online question-and-answer communities: A theory and empirical analysis","volume":"32","author":"Khansa","year":"2015","journal-title":"Journal of Management Information Systems"},{"issue":"2","key":"2025082212292029500_b60-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"347","DOI":"10.25300\/MISQ\/2019\/13758","article-title":"The \u201cexperts\u201d in the crowd: The role of experienced investors in a crowdfunding market","volume":"43","author":"Kim","year":"2018","journal-title":"MIS Quarterly"},{"issue":"1","key":"2025082212292029500_b61-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"133","DOI":"10.25300\/MISQ\/2016\/40.1.06","article-title":"When does repository kms use lift performance? The role of alternative knowledge sources and task environments","volume":"40","author":"Kim","year":"2016","journal-title":"MIS Quarterly"},{"issue":"7","key":"2025082212292029500_b62-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"509","DOI":"10.1016\/j.cose.2009.04.006","article-title":"Human and organizational factors in computer and information security: pathways to vulnerabilities","volume":"28","author":"Kraemer","year":"2009","journal-title":"Computers & Security"},{"issue":"2","key":"2025082212292029500_b63-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"451","DOI":"10.25300\/MISQ\/2014\/38.2.06","article-title":"Proactive versus reactive security investments in the healthcare sector","volume":"38","author":"Kwon","year":"2014","journal-title":"MIS Quarterly"},{"issue":"4","key":"2025082212292029500_b64-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1043","DOI":"10.25300\/MISQ\/2018\/13580","article-title":"Meaningful healthcare security: Does meaningful-use attestation improve information security performance?","volume":"42","author":"Kwon","year":"2018","journal-title":"MIS Quarterly"},{"issue":"1","key":"2025082212292029500_b65-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"219","DOI":"10.2308\/isys-50339","article-title":"The association between top management involvement and compensation and information security breaches","volume":"27","author":"Kwon","year":"2012","journal-title":"Journal of Information Systems"},{"issue":"1","key":"2025082212292029500_b66-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"101","DOI":"10.2308\/isys-18-071","article-title":"Cybersecurity breaches and the role of information technology governance in audit committee charters","volume":"35","author":"Lankton","year":"2021","journal-title":"Journal of Information Systems"},{"issue":"2","key":"2025082212292029500_b67-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1057\/ejis.2009.11","article-title":"Threat or coping appraisal: determinants of SMB executives\u2019 decision to adopt anti-malware software","volume":"18","author":"Lee","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"2025082212292029500_b68-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"151","DOI":"10.2308\/ajpt-52593","article-title":"Are external auditors concerned about cyber incidents? Evidence from audit fees","volume":"39","author":"Li","year":"2020","journal-title":"Auditing: A Journal of Practice and Theory"},{"issue":"1","key":"2025082212292029500_b69-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1080\/07421222.2021.1870390","article-title":"The roles of IT strategies and security investments in reducing organizational security breaches","volume":"38","author":"Li","year":"2021","journal-title":"Journal of Management Information Systems"},{"issue":"4","key":"2025082212292029500_b70-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"448","DOI":"10.1080\/17517575.2019.1605000","article-title":"Dying of a hundred good symptoms: Why good security can still fail-a literature review and analysis","volume":"15","author":"Loft","year":"2021","journal-title":"Enterprise Information Systems"},{"key":"2025082212292029500_b71-11_rn_10_25300_misq_2022_15713","unstructured":"Lovejoy, K.\n           (2020). How to manage cyber risk with a security by design approach. EY Global. https:\/\/www.ey.com\/en_gl\/consulting\/how-to-manage-cyber-risk-with-a-security-by-design-approach"},{"issue":"1","key":"2025082212292029500_b72-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1080\/07421222.2003.11045840","article-title":"A multidimensional commitment model of volitional systems adoption and usage behavior","volume":"22","author":"Malhotra","year":"2005","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"2025082212292029500_b73-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1145\/1066404.589459","article-title":"The essence of information assurance and its implications for the ADA community","volume":"23","author":"McEvilley","year":"2002","journal-title":"ACM SIGADA ADA Letters"},{"issue":"4","key":"2025082212292029500_b74-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1188","DOI":"10.1080\/07421222.2018.1523605","article-title":"Effect of \u201cfollowing\u201d on contributions to open source communities","volume":"35","author":"Moqri","year":"2018","journal-title":"Journal of Management Information Systems"},{"key":"2025082212292029500_b75-11_rn_10_25300_misq_2022_15713","unstructured":"Morgan, S.\n           (2015). Is poor software development the biggest cyber threat? CSO Online. https:\/\/www.csoonline.com\/article\/2978858\/application-security\/is-poor-software-development-the-biggest-cyber-threat.html"},{"issue":"1","key":"2025082212292029500_b76-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1016\/j.im.2014.10.009","article-title":"A system dynamics model for information security management","volume":"52","author":"Nazareth","year":"2015","journal-title":"Information & Management"},{"key":"2025082212292029500_b77-11_rn_10_25300_misq_2022_15713","article-title":"On the benefits of senior executives\u2019 information security awareness","author":"Olt","year":"2019"},{"issue":"1","key":"2025082212292029500_b78-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1080\/08874417.2019.1703225","article-title":"BYOD policy compliance: Risks and strategies in organizations","volume":"62","author":"Palanisamy","year":"2022","journal-title":"Journal of Computer Information Systems"},{"issue":"1","key":"2025082212292029500_b79-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2022.101707","article-title":"Strategic roles of IT modernization and cloud migration in reducing cybersecurity risks of organizations: The case of U.S. federal government","volume":"31","author":"Pang","year":"2022","journal-title":"The Journal of Strategic Information Systems"},{"issue":"2","key":"2025082212292029500_b80-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1093\/biomet\/75.2.335","article-title":"Testing for a unit root in time series regression","volume":"75","author":"Phillips","year":"1988","journal-title":"Biometrika"},{"issue":"5","key":"2025082212292029500_b81-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"551","DOI":"10.1016\/j.im.2014.03.009","article-title":"Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders","volume":"51","author":"Posey","year":"2014","journal-title":"Information & Management"},{"issue":"2","key":"2025082212292029500_b82-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1287\/orsc.12.2.117.10115","article-title":"The assimilation of knowledge platforms in organizations: an empirical investigation","volume":"12","author":"Purvis","year":"2001","journal-title":"Organization Science"},{"issue":"1","key":"2025082212292029500_b83-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1287\/isre.1080.0174","article-title":"Choice and chance: A conceptual model of paths to information security compromise","volume":"20","author":"Ransbotham","year":"2009","journal-title":"Information Systems Research"},{"issue":"2","key":"2025082212292029500_b84-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1109\/TEM.2005.844925","article-title":"Organizational assimilation of complex technologies: An empirical study of component-based software development","volume":"52","author":"Ravichandran","year":"2005","journal-title":"IEEE Transactions on Engineering Management"},{"issue":"1","key":"2025082212292029500_b85-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1016\/j.cose.2006.10.008","article-title":"Organisational security culture: extending the end-user perspective","volume":"26","author":"Ruighaver","year":"2007","journal-title":"Computers & Security"},{"issue":"4","key":"2025082212292029500_b86-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1240","DOI":"10.1287\/isre.2020.0941","article-title":"The influence of professional subculture on information security policy violations: A field study in a healthcare context","volume":"31","author":"Sarkar","year":"2020","journal-title":"Information Systems Research"},{"issue":"2","key":"2025082212292029500_b87-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1287\/stsc.2020.0106","article-title":"Learning from digital failures? The effectiveness of firms\u2019 divestiture and management turnover responses to data breaches","volume":"5","author":"Say","year":"2020","journal-title":"Strategy Science"},{"key":"2025082212292029500_b88-11_rn_10_25300_misq_2022_15713","volume-title":"Research methods for business: A skill building approach","author":"Sekaran","year":"2003"},{"issue":"2","key":"2025082212292029500_b89-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"314","DOI":"10.1080\/07421222.2015.1063315","article-title":"Estimating the contextual risk of data breach: an empirical approach","volume":"32","author":"Sen","year":"2015","journal-title":"Journal of Management Information Systems"},{"issue":"8","key":"2025082212292029500_b90-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"1023","DOI":"10.1016\/j.im.2017.02.007","article-title":"A new perspective on neutralization and deterrence: predicting shadow IT usage","volume":"54","author":"Silic","year":"2017","journal-title":"Information & Management"},{"issue":"1","key":"2025082212292029500_b91-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1080\/07421222.2019.1705512","article-title":"Using design-science based gamification to improve organizational security training and compliance","volume":"37","author":"Silic","year":"2020","journal-title":"Journal of Management Information Systems"},{"issue":"3","key":"2025082212292029500_b92-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1016\/S0378-7206(03)00023-5","article-title":"A taxonomy of players and activities across the ERP project life cycle","volume":"41","author":"Somers","year":"2004","journal-title":"Information & Management"},{"key":"2025082212292029500_b93-11_rn_10_25300_misq_2022_15713","article-title":"The role of top managers\u2019 it security awareness in organizational IT security management","author":"Sonnenschein","year":"2017"},{"issue":"2","key":"2025082212292029500_b94-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1016\/j.ijinfomgt.2015.11.009","article-title":"Information security management needs more holistic approach: A literature review","volume":"36","author":"Soomro","year":"2016","journal-title":"International Journal of Information Management"},{"issue":"3","key":"2025082212292029500_b95-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"503","DOI":"10.2307\/25750689","article-title":"User participation in information systems security risk management","volume":"34","author":"Spears","year":"2010","journal-title":"MIS Quarterly"},{"issue":"1","key":"2025082212292029500_b96-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"204","DOI":"10.1287\/isre.2018.0798","article-title":"Performance consequences of information technology investments: Implications of emphasizing new or current information technologies","volume":"30","author":"Steelman","year":"2019","journal-title":"Information Systems Research"},{"issue":"C","key":"2025082212292029500_b97-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1016\/j.aos.2018.04.005","article-title":"The influence of a good relationship between the internal audit and information security functions on information security outcomes","volume":"71","author":"Steinbart","year":"2018","journal-title":"Accounting, Organizations and Society"},{"issue":"4","key":"2025082212292029500_b98-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"441","DOI":"10.2307\/249551","article-title":"Coping with systems risk: Security planning models for management decision making","volume":"22","author":"Straub","year":"1998","journal-title":"MIS Quarterly"},{"issue":"4","key":"2025082212292029500_b99-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"109","DOI":"10.2753\/MIS0742-1222220405","article-title":"An information systems security risk assessment model under the Dempster-Shafer theory of belief functions","volume":"22","author":"Sun","year":"2006","journal-title":"Journal of Management Information Systems"},{"issue":"2","key":"2025082212292029500_b100-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1287\/isre.2014.0519","article-title":"Using personal communication technologies for commercial communications: A cross-country investigation of email and SMS","volume":"25","author":"Tan","year":"2014","journal-title":"Information Systems Research"},{"key":"2025082212292029500_b101-11_rn_10_25300_misq_2022_15713","article-title":"Data breaches in multihospital systems: antecedents and mitigation mechanisms","author":"Tanriverdi","year":"2020"},{"issue":"2","key":"2025082212292029500_b102-11_rn_10_25300_misq_2022_15713","article-title":"The dark side of information technology","volume":"56","author":"Tarafdar","year":"2015","journal-title":"MIT Sloan Management Review"},{"key":"2025082212292029500_b103-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1016\/j.cose.2018.08.007","article-title":"The impact of security awareness on information technology professionals\u2019 behavior","volume":"79","author":"Torten","year":"2018","journal-title":"Computers & Security"},{"issue":"4","key":"2025082212292029500_b104-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: A management perspective","volume":"29","author":"van Niekerk","year":"2010","journal-title":"Computers & Security"},{"issue":"4","key":"2025082212292029500_b105-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"566","DOI":"10.1002\/smj.2115","article-title":"Surviving bear hugs: Firm capability, large partner alliances, and growth","volume":"35","author":"Vandaie","year":"2014","journal-title":"Strategic Management Journal"},{"issue":"1","key":"2025082212292029500_b106-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1287\/isre.1070.0143","article-title":"A value-at-risk approach to information security investment","volume":"19","author":"Wang","year":"2008","journal-title":"Information Systems Research"},{"issue":"1","key":"2025082212292029500_b107-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"91","DOI":"10.25300\/MISQ\/2015\/39.1.05","article-title":"Insider Threats in a financial institution: Analysis of attack-proneness of information systems applications","volume":"39","author":"Wang","year":"2015","journal-title":"MIS Quarterly"},{"issue":"2","key":"2025082212292029500_b108-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1287\/isre.1120.0437","article-title":"The association between the disclosure and the realization of information security risk factors","volume":"24","author":"Wang","year":"2013","journal-title":"Information Systems Research"},{"key":"2025082212292029500_b109-11_rn_10_25300_misq_2022_15713","article-title":"Does cybersecurity slow down digitization? A quasi-experiment of security breach notification laws","author":"Zhang","year":"2019"},{"issue":"3","key":"2025082212292029500_b110-11_rn_10_25300_misq_2022_15713","doi-asserted-by":"publisher","first-page":"668","DOI":"10.1080\/07421222.2020.1790185","article-title":"Understanding security vulnerability awareness, firm incentives, and ICT development in Pan-Asia","volume":"37","author":"Zhuang","year":"2020","journal-title":"Journal of Management Information Systems"}],"container-title":["MIS Quarterly"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/misq.umn.edu\/misq\/article-pdf\/47\/1\/317\/8679\/11_rn_10_25300_misq_2022_15713.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/misq.umn.edu\/misq\/article-pdf\/47\/1\/317\/8679\/11_rn_10_25300_misq_2022_15713.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T16:29:32Z","timestamp":1755880172000},"score":1,"resource":{"primary":{"URL":"https:\/\/misq.umn.edu\/misq\/article\/47\/1\/317\/2201\/Where-is-IT-in-Information-Security-The"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,1]]},"references-count":110,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,3,1]]},"published-print":{"date-parts":[[2023,3,1]]}},"URL":"https:\/\/doi.org\/10.25300\/misq\/2022\/15713","relation":{},"ISSN":["0276-7783","2162-9730"],"issn-type":[{"value":"0276-7783","type":"print"},{"value":"2162-9730","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,1]]}}}