
150 Int. J. Critical Infrastructures, Vol. 16, No. 2, 2020

Information technology governance and cybersecurity at the board level

Abdalmuttaleb M.A. Musleh Al-Sartawi
Department of Accounting and Economics,
College of Business and Finance,
Ahlia University,
P.O. Box 10878, Kingdom of Bahrain
Email: amasartawi@hotmail.com

Abstract: Security breaches are very costly in the USA, followed very closely
by the Middle East. Shareholders and investors demand that their firms mitigate
all kinds of risks, and it is the responsibility of the BOD to gain and maintain
their confidence. In view of this scenario, MENA companies need to protect
their data, while the BODs need to embed a culture of cybersecurity in the firm.
The aim of this paper is to examine the relationship between information
technology governance (ITG) and the level of cybersecurity by MENA listed
firms. The study used a checklist to collect data from a sample of 94 firms
listed in the financial stock markets of the MENA countries for the year ended
2018. The study found that there is a significant and direct relationship between
ITG and the level of a firm’s cybersecurity. This indicates the importance of
appointing board members with IT knowledge and experience. This leads to
better decisions taken by the BODs when faced with cyber-threats and
challenges. In addition, IT expertise on the BODs can be important to
understand what the Heads of IT are doing on the inside and, thus being
knowledgeable enough to challenge their actions.

Keywords: cyber risk; cybersecurity; information technology governance; ITG; board of directors; MENA countries.

Reference to this paper should be made as follows: Al-Sartawi, A.M.A.M. (2020) ‘Information technology governance and cybersecurity at the board level’, Int. J. Critical Infrastructures, Vol. 16, No. 2, pp.150–161.

Biographical notes: Abdalmuttaleb M.A. Musleh Al-Sartawi is the Chair of the Accounting and Economics Department and the Editor-in-Chief of the International Journal of Electronic Banking (IJEBank). He received his PhD in Accounting from UBFS. He has presented and published many papers in regional and international conferences and journals. He has chaired as well as served as a member in various editorial boards and technical committees in international refereed journals and conferences. He is a member of several international organisations and associations such as the European Accountants Association (EAA), the Bahrain Management Society, the Middle East Economic Association (MEEA), the International Islamic Marketing Association (IIMA), the Arab Academy for Banking and Financial Sciences, the Palestinian Accounting Association, and the Palestinian Farmers Association.

Copyright © 2020 Inderscience Enterprises Ltd.


1 Introduction

Shareholders and potential investors expect that firms mitigate all forms of risks.
However, due to the advancement of the digital age, no company is safe from a security
breach. According to Reber (2016), this is where the attention of Boards of Directors
needs to focus. Since the rise of the internet, information has become a very valuable
asset, making it easily susceptible to hacking, denial of access or theft (Gordon et al.,
2010). Additionally, Reber (2016) claims that most global events have a cybersecurity
component now. More than 50 countries around the world have officially published
strategy documents defining their stance on information security breaches, cybercrimes,
and cybersecurity readiness (Solms and Niekerk, 2013).
The International Telecommunications Union (ITU) (2008) defines cybersecurity as
the compilation of policies, procedures, security concepts, guidelines, risk management
approaches, training, best practices, assurance, and technologies that can be used to
safeguard the cyber environment and individual or organisational assets. Cybercrimes
and threats continue to evolve and become more sophisticated. Poor cybersecurity
policies lead to a disruption of business by endangering its clients’ information and
risking the exposure of its secrets to competitors and hackers. Ishiguro et al. (2006) argue
that cybersecurity breaches might have adverse effects on firm value. Investors might
hold the board accountable, as the board is ultimately responsible for the rise or fall of
its company.
As such, from a corporate governance stance, the role of the board of directors (BOD)
in managing cybersecurity has increased since the large data breaches of recent years,
making cybersecurity a central issue for governments, regulators, shareholders as
well as potential investors. Clark (2017) argued that it is fundamental that all board
members, irrespective of their technical background, participate in making sure the right
policies and procedures are in place and followed. Moreover, directors should focus on
strategy, policy, and management oversight including IT infrastructure, security training
for staff and the firms’ risk management plan.
Data breaches damage the image of a firm leading to a fall in its stock prices. A
survey by Osterman Research (2016) found that the main reason for cybersecurity being
a top priority of boards is the complexity of compliance regulations. About 33% of the
board members agreed that cybersecurity is mainly a technical issue which requires
technical experience. Another research by FTI Consulting (2016) found that cyber risks
topped the list of the main concerns which keep board members ‘up at night for the
second consecutive year’.
Another important governance issue currently faced by the modern organisation is
related to Information Technology Governance (ITG). Previous research shows that
information technology has a direct effect on corporate governance (Farhanghi et al.,
2013). According to the IT Governance Institute (ITGI) website, ITG is a subset of
corporate governance which focuses on information technology systems, and how their
performances are measured, and risks managed. McCollum (2006) claims that the
Sarbanes-Oxley Act of 2002 has alerted BODs to their firm’s need to prioritise ITG.
Therefore, due to the critical need of ITG, Huff et al. (2005) demand that an IT expert
should be appointed on the board to provide various views based on practical experience
or the background they have in the field of information technology.
Security breaches and cyber-attacks are threefold in the MENA region when
compared to developed countries. According to Mooney and Thompson (2018), security
breaches are very costly in the USA, followed closely by the Middle East. Additionally,
Mooney and Thompson (2018) show that Financial Services firms have the highest
number of data breaches when compared to other industries. In view of this scenario, this
paper aims to:
1 determine the extent of ITG by MENA financial services firms
2 investigate the relationship between the level of ITG and cybersecurity in the MENA
region.
To the researcher’s knowledge, there are negligible studies which investigate such an
issue, especially from a MENA region perspective. Thus from a theoretical perspective,
this paper aims to contribute to the literature on ITG and cybersecurity in the MENA
region. From a more practical perspective, this paper raises awareness on the importance
of cybersecurity oversight, cyber education and cyber insurance in the region. Therefore,
boards, governments and regulators can make informed decisions about cybersecurity, all
the while firms need to incorporate the issue into their board agendas.

2 Literature review

Digital infrastructures have become a major critical factor for the management and
normal functioning of firms. However, one of the biggest threats which often affect the
normal functioning of firms is cyber-attacks. Despite cyberspace offering virtually
infinite opportunities for business development, the digital dependency of the main
functions and activities of the business generates new risks and threats (Sharkov, 2016).
Security and data breaches often uncover poor governance practices and weak
management at the core of a firm and its BOD, while also affecting its revenues and
reputation (Mooney and Thompson, 2018). Hence to mitigate cyber risks, firms need to
secure their critical infrastructure, deter criminal behaviour, control content, foster
economic growth, and protect stakeholders’ interest in privacy.
Sharkov (2016) claims that the cybersecurity concept was ‘born in the nineties’ from
two complementary fields: ICT security and information security. Solms and
Van Niekerk (2013) differentiate between the often interchangeably used terms cybersecurity
and information security. They argue that while information security is the protection of
information from possible harm resulting from various threats and vulnerabilities,
cybersecurity is more than that. Cybersecurity not only includes the protection of
cyberspace itself, but also the protection of those that function in cyberspace and any of
their assets that can be reached via cyberspace.
In recent years, the reputation of several high-profile companies has suffered due to
their failure in safeguarding their clients’ data from hackers (Newbound, 2016).
This is particularly true of financial services companies, which have been more prone to
data breaches (Clark, 2017; Mooney and Thompson, 2018). These scandals mean that
cybersecurity should become a standing item on boardroom agendas. The study further argues that
BOD should ensure they understand all security measures, procedures and policies that
their firm has in place; and failure to do so could result in personal liability. Similarly,
based on the Cheng and Groysberg (2017), board members fail to make the connection
between the continuous cybersecurity lapses and their own firm’s vulnerabilities to
cyber-threats. They suggest that BOD should take corrective actions such as holding
regular discussions of cybersecurity at board meetings. In addition, managers need to
bring in outside experts to conduct briefings. This study proposes a third solution: IT
governance.
Rau (2004) defines IT governance as the way senior management interacts and
communicates with IT leaders to ensure that technology investments enable the
achievement of business strategy in an effective and efficient manner. Likewise, Li et al.
(2012) describe IT governance as leadership, organisational structures, and control
processes which ensure that the IT is able to support and expand the company and
achieve its objectives. Nolan and McFarlan (2005) regard ITG as “a vital asset that
requires intense board-security and assistance”. Therefore, as ITG increases a firm’s
responsiveness to its stakeholders, it can be applied to cybersecurity governance at board
level.
Moreover, Nolan and McFarlan (2005), and Andriole (2009) recommend that an ITG
group of expert independent directors need to be appointed to the board due to economic
and regulatory matters related to the Sarbanes-Oxley compliance and corporate
governance. Thus, these directors are required to be experts in IT, and understand the
dynamic potential of information technology in changing the business environment. This
notion is supported by the resource dependence theory that states the importance of BOD
as a resource which allows firms to reach other external resources (Ribeiro and Colauto,
2016). Despite this need for an IT expert on the board, Valentine and Stewart (2013)
found that board level willingness to reduce the gap between awareness and action is very
low or non-existent. On the other hand, in the case of the MENA region, more
specifically the UAE, Nicho and Khan (2017) found that the objectivity of ITG is
well-defined and emphasised.
In 2014, the National Association of Corporate Directors published cybersecurity
guidelines which stated that BOD “must have access to experts in cybersecurity and
include the subject on their meeting agenda”. Alan (2014) states that the board needs to
have a full understanding of IT governance issues as ITG is an essential part of corporate
governance. The study further found that board members believe that fear of retribution
might discourage the IT department from fully disclosing details of cyber breaches to top
management. Therefore, the involvement of the board in ITG is of utmost importance.
Moreover, Alan (2014) found that many boards still lack the necessary knowledge and
qualifications to oversee cybersecurity effectively and that their firms had had no plans to
prioritise training due to budgetary constraints. The study concluded that a lack of
boardroom expertise may partly explain the reluctance of some companies to give up
outdated cybersecurity goals and evolve with the ever-evolving cybercrimes and threats.
Similarly, Dramis (2015) claims that today every firm has become a technology firm with
data, marketing, compliance, logistics and finance all dependent on digital support
structures. Hence, ITG in the form of a cyber/technological committee is crucial.
This study therefore hypothesises that:
H1 There is a relationship between the level of ITG and the level of cybersecurity.

2.1 Control variables

The researcher identified several control variables that may interplay with ITG in their
hypothesised effect on the level of cybersecurity. Control variables allow a determination
of the relative importance of different aspects of control, and hence prevent the skewness
of results. The three main variables which were identified from the literature were firm
size, firm age and board size.
According to Gordon et al. (2018), it is important to control for firm size when
determining the level of cybersecurity activities and IT investments in such activities, so
as to produce more comparable results that focus on addressing the research questions.
Moreover, larger firms have more developed infrastructure and resources to implement
costly cybersecurity practices. Hence, they tend to have higher levels of cybersecurity
when compared to their smaller counterparts.
Similarly, firm age is used as a control variable to account for the varying ages of
firms in the study. Older firms have accumulated more information over the years when
compared to younger firms, and are at a higher risk of cyber-attacks and data breaches. In
addition, based on Marshall’s (1920) ‘principles of economics’, older firms are more
prone to inertia and bureaucratic tendencies that go along with age. Therefore, they might
be reluctant to make rapid adjustments to changing circumstances such as the birth of the
cyber society.
Finally, this study used board size as a control variable. A larger board has a range of
expertise to make better decisions for a firm as the CEO cannot dominate a bigger board
because the collective strength of its members is higher and can resist the irrational
decisions of a CEO (Zahra and Pearce, 1989). In the case of ITG, bigger boards might
bring higher IT skills and make it easier for the board to make informed decisions that
result in improving the level of cybersecurity.

3 Research methodology

In order to address the research questions, mainly the relationship between ITG and the
level of cybersecurity in the MENA region, the current study collected data from a
sample of 94 firms listed in the financial stock markets of the MENA for the year 2018.
To measure the level of cybersecurity, a checklist was developed (see Appendix) using a
number of different sources such as
1 the National Institute of Standards and Technology’s (NIST) cybersecurity
framework
2 the Federal Communications Commission’s cybersecurity planning guide.
When a firm check marked any item on the checklist the item received a score of 1, and 0
otherwise.
Data collection went through two phases. Phase one included collecting data from
several sources such as the firms’ official websites, strategy documents, governance or
policy documents, as well as the annual reports for the year ended December 2018.
However, as not all the information was available from the secondary sources, the
researcher sent emails soliciting the data required to complete the checklist. IT
specialists, IT security consultants, and IT security engineers were targeted, and their
emails were retrieved from the websites of the firms listed in the financial sectors. The
checklist was then sent to the targeted potential respondents at the end of January 2019.
Follow-up emails were sent, and by the end of March 2019, 94 responses were received.
Only the completed checklists were included in the study, while the rest of the firms were
discarded from the sample. Table 1 shows the distribution of the sample among the
selected MENA countries.
Table 1 Distribution of sample among countries

Country / Sector              Total   Sample   %
Bahrain
  Commercial banks               7       3    13.64
  Investment banks              10       4    18.18
  Insurance                      5       0     0
  Total sample                  22       7    31.8
UAE (Dubai)
  Banks                         13       8    23.5
  Insurance and financial       21       9    26.5
  Total sample                  34      17    50
Jordan
  Banks                         15       6     9.1
  Insurance                     20       7    10.6
  Financial services            31      12    18.2
  Total sample                  66      25    37.9
Palestine
  Financial services             7       3    12.5
  Investment                    10       3    12.5
  Insurance                      7       2     8.3
  Total sample                  24       8    33.3
Egypt
  Financials                    81      28    34.6
  Total sample                  81      28    34.6
Tunisia
  Financials                    29       9    31
  Total sample                  29       9    31
Total firms in the sample: 94 out of a total of 256 firms

To test the hypothesis, the following regression model was developed using the level of
cybersecurity as a dependent variable, and ITG as an independent variable. The study
measures the level of ITG in the MENA firms by determining the percentage of the
members of the BOD who have an IT background or experience.
Additionally, the study used firm size, board size, and firm age as control variables.
This data was extracted from the annual reports and the websites of the sample firms.
Model:

$$CySec_i = \beta_0 + \beta_1\, ITG_i + \beta_2\, L\_FSZ_i + \beta_3\, BD\_size_i + \beta_4\, AGE_i + \varepsilon_i$$

Table 2 Study variables

Code      Variable name                                  Operationalisation
Dependent variable:
CySec     Cybersecurity                                  Total scored items by the company / Total maximum scores
Independent variable:
ITG       Directors with IT background and experience %  The percentage of members who have IT background and experience to the total board size
Control variables:
L_FSZ     Firm size                                      Natural logarithm of Total Assets
BD_size   Board size                                     Number of members on the board
AGE       Firm age                                       The difference between the establishing date of the firm and the report date
εi        Error
4 Data analysis

Table 3 shows that the average level of cybersecurity among the six selected MENA
countries was 77.3 %, which is a moderate level of security. The UAE had the highest
level of cybersecurity (83.4%) among the sample countries, while Palestine had the
lowest level (69.4%). One reason for the high level of cybersecurity in the UAE is that
cybersecurity is the number one priority for firms in the UAE (Ryan, 2018). Based on the
‘Dubai Cyber Security Strategy’ (Dubai’s government website), the cybersecurity
strategy was developed to unify the efforts of government institutions and firms to make
Dubai the safest electronic city in the world.
Table 3 Level of cybersecurity among the six selected MENA countries

Country     No.   Mean    S.D.
Bahrain      7    0.798   0.152
UAE         17    0.834   0.078
Jordan      25    0.726   0.174
Palestine    8    0.694   0.190
Egypt       28    0.810   0.082
Tunisia      9    0.777   0.134
Total       94    0.773   0.146

Table 4 reports the descriptive analysis of the independent, dependent and control
variables. It shows that the maximum level of ITG was 55% with a mean of 7.6%,
indicating a low level of ITG. According to Valentine and Stewart (2013), there is a gap
between the need for ITG and reality. With regards to the level of cybersecurity, the
MENA sample countries achieved a maximum level of 92%, with an overall mean of
76.3%, which is considered a moderate level.
Table 4 Descriptive statistics of continuous variables

Variable   N    Minimum   Maximum       Mean     Std. deviation
ITG        94   0.00      0.58          0.074    0.10686
CySec      94   0.58      0.92          0.773    1.146
L_FSZ      94   93,638    214,755,236   8.2E37   4.467E3
B_size     94   5         13            8.72     1.27718
AGE        94   3         195           45.16    13.431

The descriptive statistics for the control variables show that the mean of firm size, i.e.,
total assets, was 8.2 million, with a minimum of 93,638 and a maximum of 214 million,
indicating large firms. The distribution of total assets was skewed, so the natural
logarithm was used in the regression analysis to reduce skewness and bring the
distribution of the variable nearer to normality. The average board size was 9 members,
while firm age ranged from 3 to 195 with a mean of 45.
Two main tests were used to test validity, the Shapiro-Wilk test and the Variance
Inflation Factor (VIF). Shapiro-Wilk was used to test the normal distribution. Table 5
shows that the variables of this research generally are normally distributed, except for
firm size which had a significance level of 0.000. To bring the distribution of the
variables nearer to normality, as mentioned above, natural logarithm was used in the
regression analysis to reduce skewness.
Table 5 Normality test

Shapiro-Wilk test
Statistic df Sig.
ITG 2.627 94 0.474
CySec 1.711 94 0.482
L_FSZ 2.974 94 0.003
B_size 2.538 94 0.316
AGE 1.482 94 0.228

Additionally, the VIF test was used to check the data for multicollinearity. The results as
shown in Table 6 indicate that since no VIF score exceeded 10 for any variable in the
model, and as no Tolerance score was below 0.2, it was concluded that there is no issue
of multicollinearity.
Table 6 Collinearity test

Model     Tolerance   VIF
ITG       0.896       1.116
L_FSZ     0.877       1.140
B_size    0.964       1.037
AGE       0.935       1.070
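The measurement and checks described in Sections 3 and 4 (the checklist score and variable operationalisation of Table 2, the regression model, and the tolerance/VIF screen of Table 6) carried through as an added worked example. This is not the paper's own code or data: the 94 firms, their board composition, assets, ages and checklist answers are constructed from a fixed random seed, the relation that makes checklist ticks more likely with higher ITG and larger firms is an assumption built into the generator, and the fitted numbers will not reproduce Tables 4 to 7. The regression and VIF are implemented directly with ordinary least squares so the example runs with the standard library alone.

```python
"""Worked example of the paper's measurement and regression pipeline.

Added illustration, not the study's own code or data: every firm below is
constructed from a fixed random seed, so the numbers will not match Tables 4-7.
"""
import math
import random

CHECKLIST_ITEMS = 34  # Table A1 lists 34 yes/no items


def cysec_score(checked):
    """CySec (Table 2): items the firm check-marked / maximum possible score."""
    return sum(1 for item in checked if item) / CHECKLIST_ITEMS


def itg_share(it_directors, board_size):
    """ITG (Table 2): share of board members with an IT background or experience."""
    return it_directors / board_size


def log_firm_size(total_assets):
    """L_FSZ (Table 2): natural logarithm of total assets, used to reduce skewness."""
    return math.log(total_assets)


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting; solves a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(y, xs):
    """OLS of y on the predictor columns xs (intercept added).
    Returns (coefficients [b0, b1, ...], R^2, adjusted R^2)."""
    n, p = len(y), len(xs) + 1
    X = [[1.0] + [col[i] for col in xs] for i in range(n)]
    xtx = [[sum(X[i][r] * X[i][c] for i in range(n)) for c in range(p)] for r in range(p)]
    xty = [sum(X[i][r] * y[i] for i in range(n)) for r in range(p)]
    beta = solve(xtx, xty)
    fitted = [sum(b * x for b, x in zip(beta, row)) for row in X]
    ybar = sum(y) / n
    ss_tot = sum((v - ybar) ** 2 for v in y)
    ss_res = sum((v - f) ** 2 for v, f in zip(y, fitted))
    r2 = 1 - ss_res / ss_tot
    adj_r2 = 1 - (1 - r2) * (n - 1) / (n - p)
    return beta, r2, adj_r2


def vif_table(xs):
    """Tolerance = 1 - R^2 of each predictor regressed on the others; VIF = 1 / tolerance.
    The paper's thresholds: flag VIF > 10 or tolerance < 0.2 (Table 6 check)."""
    rows = []
    for j, col in enumerate(xs):
        others = [c for i, c in enumerate(xs) if i != j]
        _, r2, _ = ols(col, others)
        tol = 1 - r2
        rows.append((tol, 1 / tol))
    return rows


def build_sample(n=94, seed=2018):
    """Constructed sample (assumption, not the paper's data): ITG is kept low, as the
    paper found, and the chance of ticking an item rises with ITG and firm size."""
    rng = random.Random(seed)
    firms = []
    for _ in range(n):
        board = rng.randint(5, 13)
        it_dirs = rng.choice([0, 0, 0, 1, 1, 2])
        assets = math.exp(rng.uniform(math.log(9.0e4), math.log(2.1e8)))
        itg, lfsz = itg_share(it_dirs, board), log_firm_size(assets)
        p = min(max(0.45 + 0.5 * itg + 0.025 * (lfsz - 11.5), 0.05), 0.98)
        checked = [rng.random() < p for _ in range(CHECKLIST_ITEMS)]
        firms.append({"itg": itg, "lfsz": lfsz, "board": board,
                      "age": rng.randint(3, 195), "checked": checked})
    return firms


def fit_model(firms):
    """CySec_i = b0 + b1 ITG_i + b2 L_FSZ_i + b3 BD_size_i + b4 AGE_i + e_i, plus the VIF check."""
    y = [cysec_score(f["checked"]) for f in firms]
    xs = [[f[k] for f in firms] for k in ("itg", "lfsz", "board", "age")]
    beta, r2, adj_r2 = ols(y, xs)
    vifs = vif_table(xs)
    return {"beta": beta, "r2": r2, "adj_r2": adj_r2, "vif": vifs,
            "collinearity_ok": all(tol >= 0.2 and vif <= 10 for tol, vif in vifs)}


if __name__ == "__main__":
    res = fit_model(build_sample())
    for name, b in zip(("const", "ITG", "L_FSZ", "BD_size", "AGE"), res["beta"]):
        print(f"{name:8s} {b: .4f}")
    print(f"R2={res['r2']:.3f} adjR2={res['adj_r2']:.3f} collinearity_ok={res['collinearity_ok']}")
```

Running the script prints the fitted coefficients, R², adjusted R² and whether the tolerance/VIF screen passes for the constructed sample. The same functions accept a real checklist (a list of 34 booleans per firm) and the firm-level figures from annual reports, which is the data-collection path the paper describes.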

Table 7 reports the findings of the regression analysis. The regression analysis indicates
that the model demonstrates the relationship between the variables in a statistically
appropriate way. According to the table, the model has an adjusted R2 of 0.174, which
shows that the model explains approximately 17.4% of the variation in the level of
cybersecurity amongst the MENA listed firms. Moreover, the probability of the F-
statistic with a significance 0.000 means that the ITG was significant in interpreting the
level of cybersecurity.
Table 7 Regression analysis

Model (CySec)   Beta     T-test   Sig.    R²      F       Sig. (F)
ITG              0.292    3.415   0.032   0.174   8.370   0.000
L_FSZ            0.342    6.692   0.018
B_size          –0.045   –0.973   0.307
AGE              0.088    1.016   0.284

The main hypothesis of the study states that there is a relationship between ITG and the
level of cybersecurity by firms listed in the MENA stock markets. Table 7 shows that
there is a significant and direct relationship between study variables. We can, therefore,
assume that the higher the level of ITG on the board, the higher the level of
cybersecurity. This is in line with many of the previous studies which state the
importance of IT literacy at the board level. As cybersecurity issues are directly related to
cybersecurity architecture, they are also a part of the IT architecture. This indicates that
board members with IT qualifications, knowledge and experience have a better
understanding of the challenges which their firms face and can hence make
well-informed decisions. Moreover, IT skills on the BOD help directors understand what
the Heads of IT are doing on the inside and make them knowledgeable enough to
challenge their actions.
With regards to the control variables, the study found a significant and positive
relationship between the level of cybersecurity and firm size. As for the rest of the control
variables, the results show no relationship between board size, age and the level of
cybersecurity.

5 Conclusions

This study was conducted to investigate the relationship between the two fundamental
Corporate Governance topics, i.e., the level of ITG and the level of cybersecurity by
MENA listed firms. To address the research questions, the researcher collected data from
a sample of 94 firms listed in the financial stock markets of the MENA countries for the
year 2018. The countries included in the sample were Bahrain, UAE, Jordan, Palestine,
Egypt and Tunisia. The findings revealed that the UAE had the highest level of
cybersecurity (83.4 %) among the sample countries, while Palestine had the lowest level
(69.4%). Moreover, the results show that there is a significant and direct relationship
between the level of ITG and the level of cybersecurity, i.e., the higher the level of ITG
on the board, the higher the level of cybersecurity. This indicates the importance of
appointing board members with IT knowledge and experience, which might lead to
informed decision-making when faced with cyber-threats and challenges.
This paper contributes a new topic to the MENA region literature by combining two
significant areas, namely ITG and cybersecurity. The study would also be of interest to
the international investment community, regulators, policy-makers and governments in
the region. In addition, this paper offers a practical contribution that could be useful to
shareholders when appointing board members or forming technological/cyber
committees. Similarly, firms should have a proactive stance and insure themselves
against security breaches, to better manage cyber threats and any resulting legal liability
from data breaches. Moreover, as recommended by Reber (2016), it is a good idea for
firms to complete risk self-assessments annually to understand their cyber environments
and have a clear picture of their risk profile. This will prepare them to mitigate their risks
as boards must first have a clear picture of their firm’s risk profile. Along similar lines,
Clark (2017) argues that, although firms cannot prevent cyber-attacks completely, they
can develop the right plans and systems to block some attacks and mitigate the risks of
others.
While cyber-threats and the awareness of cyber-security are constantly evolving in
the MENA region, this paper recommends firms to develop effective cybersecurity
programs that address current regulatory compliance requirements and prepare for
emergency cyber responses. Furthermore, to address a gap in the MENA region
literature, this paper suggests conducting a study that further investigates the relationship
between the level of cybersecurity and firm performance in the form of market value,
earnings per share or profitability.
References
Alan, C. (2014) ‘The boardroom view on cyber security’, Corporate Board, Vol. 35, No. 208,
pp.11–15.
Andriole, S.J. (2009) ‘Boards of directors and technology governance: the surprising state of the
practice’, Communications of the Association for Information Systems, Vol. 24, No. 1, p.22.
Cheng, J.Y.J. and Groysberg, B. (2017) ‘Why boards aren’t dealing with cyberthreats’, Harvard
Business Review [online] https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats
(accessed 2 April 2019).
Clark, G. (2017) The Board’s Role in Cybersecurity [online] https://business.nasdaq.com/
marketinsite/2017/The-Boards-Role-in-Cybersecurity.html (accessed 14 April 2019).
Dramis, F.A. (2015) ‘Time for a board cyber/tech committee?’, Corporate Board, Vol. 36,
No. 213, pp.1–5.
Farhanghi, A.A., Abbaspour, A. and Ghassemi, R.A. (2013) ‘The effect of information technology
on organizational structure and firm performance: an analysis of consultant engineers firms
(CEF) in Iran’, Procedia-Social and Behavioral Sciences, No. 81, pp.644–649.
FTI Consulting (2016) FTI Consulting and NYSE Governance Services Study Identifies Key Risks
and Legal Trends for Publicly Traded Companies in 2016 [online]
https://www.fticonsulting.com/about/newsroom/press-releases/fti-consulting-and-nyse-
governance-services-study-identifies-key-risks-and-legal-trends-for-publicly-traded-
companies-in-2016 (accessed 27 March 2019).
Gordon, L.A., Loeb, M.P. and Sohail, T. (2010) ‘Market value of voluntary disclosures concerning
information security’, MIS Quarterly, Vol. 34, No. 3, pp.567–594.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2018) ‘Empirical evidence on the
determinants of cybersecurity investments in private sector firms’, Journal of Information
Security, Vol. 9, No. 02, p.133.
Huff, S.L., Maher, P.M. and Munro, M.C. (2005) ‘Adding value: the case for adding IT savvy
directors to the board’, Ivey Business Journal, Vol. 70, No. 2, pp.1–5.
International Telecommunications Union (ITU) (2008) Series X: Data Networks, Open System
Communications and Security: Telecommunication Security: Overview of Cybersecurity,
ITU-TX.1205, Switzerland [online] https://www.itu.int/rec/T-REC-X.1205-200804-I
(accessed 12 May 2019).
Ishiguro, M., Tanaka, H., Matsuura, K. and Murase, I. (2006) ‘The effect of information security
incidents on corporate values in the Japanese stock market’, In International Workshop on the
Economics of Securing the Information Infrastructure (WESII).
Li, C., Peters, G.F., Richardson, V.J. and Watson, M.W. (2012) ‘The consequences of information
technology control weaknesses on management information systems: the case of
Sarbanes-Oxley internal control reports’, MIS Quarterly, Vol. 36, No. 1, pp.179–203.
Marshall, A. (1920) Principles of Economics, 8th ed., Macmillan, London.
McCollum, T. (2006) ‘Bridging the great divide’, Internal Auditor, No. 1, pp.49–53.
Mooney, A. and Thompson, J. (2018) Why the Focus is Shifting to Boards on Cyber Security?
[online] https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c (accessed 5
May 2019).
Newbound, D. (2016) ‘Why cyber security matters?’, Credit Control, Vol. 37, Nos. 3/4, pp.19–21,
3p.
Nicho, M. and Khan, S. (2017) ‘IT governance measurement tools and its application in
IT-business alignment’, Journal of International Technology and Information Management,
Vol. 26, No. 1, pp.81–111.
Nolan, R. and McFarlan, F.W. (2005) ‘Information technology and the board of directors’, Harvard
Business Review [online]
https://pdfs.semanticscholar.org/9149/ab6cb4c7fa9a3d39709f9ae75f804b0db5a4.pdf
(accessed 1 March 2019).
Osterman Research (2016) ‘What’s driving boards of directors to make cyber security a top
priority?’, Bay Dynamics [online] https://baydynamics.com/content/uploads/2016/09/
BoardSecurityOstermanReport.pdf (accessed 13 May 2019).
Rau, K.G. (2004) ‘Effective governance of IT: design objectives, roles and relationships’,
Information Systems Management, Vol. 21, No. 4, pp.35–42.
Reber, G. (2016) ‘Best practices for board cyber security oversight’, Corporate Board, Vol. 37,
No. 220, pp.10–15.
Ribeiro, F. and Colauto, R. (2016) ‘The relationship between board interlocking and income
smoothing practices’, R. Cont. Fin. – USP, São Paulo, Vol. 27, No. 70, pp.55–66.
Ryan, P. (2018) Cyber Security is ‘Number One Priority’ for Companies in the UAE [online]
https://www.thenational.ae/uae/cyber-security-is-number-one-priority-for-companies-in-the-
uae-1.780836 (accessed 2 April 2019).
Sharkov, G. (2016) ‘From cybersecurity to collaborative resiliency’, in Proceedings of the 2016
ACM Workshop on Automated Decision Making for Active Cyber Defense, pp.3–9, ACM.
Solms, R. and Van Niekerk, J. (2013) ‘From information security to cyber security’, Computers &
Security, No. 38, pp.97–102.
Valentine, E. and Stewart, G. (2013) ‘The emerging role of the board of directors in enterprise
business technology governance’, International Journal of Disclosure and Governance,
Vol. 10, No. 4, pp.346–362.
Zahra, S.A. and Pearce, J.A. (1989) ‘Boards of directors and corporate financial performance: a
review and integrative model’, Journal of Management, Vol. 15, No. 2, pp.291–334.
Appendix

Table A1 Cybersecurity level checklist

1 Cybersecurity is a precondition to work and is considered in all business decisions
2 Using firewall software
3 Cybersecurity policies are documented
4 Employees are trained on the company’s network security policies
5 Enforcing password protection policies
6 Checking backups regularly to ensure that they are functioning correctly
7 Anti-malware software installed on all devices and the network
8 Have developed an incident response plan (IRP)
9 Protocol to revoke access of terminated employees
10 Using encryption software to protect sensitive data
11 Using password-security software
12 Having cybersecurity insurance
13 There is specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum
14 Holding regular workshops and meetings on best cybersecurity practices
15 Notice-triggering information system is in place
16 There is a clear strategic plan in place for the protection of critical data and essential services
17 Have created a mobile device action plan
18 Background credentialing checks on employees are conducted before hiring them
19 Implementing network and cloud monitoring
20 Fault-tolerant architecture is in place
21 Intrusion detection and prevention systems (IDS/IPS) are in place
22 Implementing and managing access agreements with employees (non-disclosure agreements, acceptable use agreements, access agreements)
23 Third-party personnel security processes are in place
24 Assigning risk designations to organisational positions
25 Performing regular internal vulnerability audits or assessments
26 Using a spam email filter
27 Employees are able to recognise and avoid phishing
28 Creating safe-use flash drive policies
29 E-mail retention and usage policies are in place
30 Ensuring all smartphones, computers and laptops are wiped clean before disposal
31 There is an employee internet usage policy, that is, personal breaks to surf the web are limited to a reasonable amount of time and to certain types of activities
32 Executives and managers are involved in cybersecurity
33 Wi-Fi network is secured by setting up the wireless access point or router securely
34 Prioritising services based on analysis of the potential impact if the services are disrupted
