Description

Speaker: John D’Arcy, Professor in the Department of Accounting and Management Information Systems, Lerner College of Business and Economics, University of Delaware

Abstract:  As cybersecurity becomes a critical board-level concern, public companies increasingly appoint Chief Information Officers (CIOs) from other firms to their boards to enhance organizational learning. Drawing on the board interlock literature, we examine two pathways through which such appointments influence a firm’s cybersecurity learning: (a) the receiver pathway, where a firm appoints a CIO from another company and gains external cybersecurity expertise; and (b) the sender pathway, where a firm’s own CIO serves on an outside board and potentially brings back valuable insights. We consider the conditions that enable or constrain learning in each pathway and how these affect a firm’s data breach risk. Leveraging a panel dataset of 17,227 CIO-firm-year-level observations (2005–2022), we find that sender firms—those whose CIOs serve on external boards—experience a significant increase in breach probability. In contrast, receiver firms—those appointing outside CIOs—see a significant decrease in breach probability. Further mechanism analyses show that these outcomes are shaped by heterogeneity in the cybersecurity practices of both sender and receiver firms. Sender firms face increased breach risk when the receiver firm lacks strong cybersecurity emphasis or has a breach history. This risk is mitigated if the sender firm has a Chief Information Security Officer (CISO) on its top management team. Receiver firms benefit when the sender firm emphasizes cybersecurity, but also when it has had a past breach. This latter finding diverges from typical contagion effects in the interlock literature, suggesting that negative cybersecurity events may serve as valuable learning opportunities. We attribute these asymmetric effects to the CIO’s unique role in interlocks. Unlike other executives, CIOs often act as deeply engaged educators and hands-on problem solvers in cybersecurity on the boards they join. 
Their focus on knowledge dissemination over acquisition, alongside their ongoing operational responsibilities within their home firm, appears to negate potential sender-side learning benefits. Our findings inform firms on their decisions about recruiting outside CIOs to their boards, permitting internal CIOs to join external boards, and guide policymakers aiming to strengthen cybersecurity expertise on corporate boards.

Biography: John D’Arcy is a Professor in the Department of Accounting and Management Information Systems, Lerner College of Business and Economics, University of Delaware. He is also a SWUFE-University of Delaware Joint Educational Institute (JEI) Research Fellow.

D’Arcy teaches undergraduate and graduate courses in cybersecurity and technology risk management. His research focuses on various aspects of cybersecurity management, including behavioral factors and firm-level causes and consequences of IT security failures, such as data breaches. Journals in which his research appears include MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, and MIT Sloan Management Review, among others. His work and opinions have been cited by numerous popular press outlets, including ABC News, Business Week, The Wall Street Journal, and USA Today.

D’Arcy is currently a Senior Editor for MIS Quarterly. He was previously an Associate Editor for MIS Quarterly (2017-2021), Journal of the Association for Information Systems (2019-2023), and Decision Sciences (2014-2018). He received the Outstanding Associate Editor award from MIS Quarterly (2019) and Reviewer of the Year awards from both MIS Quarterly (2015) and Information Systems Research (2019). He also received the Outstanding PhD Alumni Award (2023) from the Fox School of Business, Temple University and is an Association for Information Systems (AIS) Distinguished Member – Cum Laude.

D'Arcy holds a Bachelor of Science in Finance and Business Logistics from Penn State University, a Master of Business Administration from LaSalle University, and a PhD in Business Administration (with a concentration in Management Information Systems) from Temple University. Prior to joining academia, he was employed by Ford Motor Company as a cost accountant and financial systems analyst.

Asymmetric Learning Effects of Chief Information Officer (CIO) Outside Board Appointments: Cybersecurity Implications for Sender and Receiver Firms

Start Date & Time

February 25, 2026 01:00 PM - 02:00 PM


Location

Virtual

Category:

Campus Events Students
