Informing cybersecurity strategic commitment through top management perceptions: The role of institutional pressures

Abstract

Given the financial consequences of security breaches, security risk management has gained more attention in board rooms and garnered more involvement from top management. We undertake a study to understand the top managers’ role in cybersecurity strategy, specifically with cyberinsurance. This study draws from institutional and upper echelons theories to explain how top managers’ values and perceptions mediate the impact of external institutional pressures on the commitment to use cyberinsurance as a risk management strategy. We empirically test proposed hypotheses using data collected from executive-level managers of various firms and perform semi-structured interviews of six case sites as post hoc analysis. The results suggest that institutional pressures positively affect top managers’ perceptions of job security, breach risk, financial risk, transaction cost, and regulatory oversight. In turn, these perceptions influence their commitment to cyberinsurance. We find that values and perceptions of personal relevance have a significant impact on their strategic decisions. The findings emphasize the critical role that top management plays in mediating the influence of institutional pressures on cybersecurity strategy. Implications for research and practice, along with limitations and future directions, are discussed.