2, 2020
Abstract: Security breaches are very costly in the USA, and the Middle East follows
closely behind. Shareholders and investors demand that their firms mitigate all
kinds of risks, and it is the responsibility of the board of directors (BOD) to gain
and maintain their confidence. In view of this scenario, MENA companies need to
protect their data, while their BODs need to embed a culture of cybersecurity in the
firm. The aim of this paper is to examine the relationship between information
technology governance (ITG) and the level of cybersecurity of MENA listed firms.
The study used a checklist to collect data from a sample of 94 firms listed in the
financial stock markets of the MENA countries for the year ended 2018. The study
found a significant and direct (positive) relationship between ITG and the level of a
firm's cybersecurity. This indicates the importance of appointing board members
with IT knowledge and experience, which leads to better decisions by the BOD when
faced with cyber-threats and challenges. In addition, IT expertise on the BOD is
important for understanding what the Heads of IT are doing on the inside and, thus,
for being knowledgeable enough to challenge their actions.
1 Introduction
Shareholders and potential investors expect that firms mitigate all forms of risks.
However, due to the advancement of the digital age, no company is safe from a security
breach. According to Reber (2016), this is where the attention of Boards of Directors
needs to focus. Since the rise of the internet, information has become a very valuable
asset, making it easily susceptible to hacking, denial of access or theft (Gordon et al.,
2010). Additionally, Reber (2016) claims that most global events now have a
cybersecurity component. More than 50 countries around the world have officially
published strategy documents defining their stance on information security breaches,
cybercrime and cybersecurity readiness (Solms and Van Niekerk, 2013).
The International Telecommunications Union (ITU) (2008) defines cybersecurity as
the compilation of policies, procedures, security concepts, guidelines, risk management
approaches, training, best practices, assurance, and technologies that can be used to
safeguard the cyber environment and individual or organisational assets. Cybercrimes
and threats continue to evolve and become more sophisticated. Poor cybersecurity
policies lead to a disruption of business by endangering its clients’ information and
risking the exposure of its secrets to competitors and hackers. Ishiguro et al. (2006)
argue that cybersecurity breaches might have adverse effects on firm value. Investors
might hold the board accountable, as the board is ultimately responsible for the rise
or fall of the company.
As such, from a corporate governance stance, the role of the board of directors (BOD)
in overseeing cybersecurity has grown since the large data breaches of recent years,
making cybersecurity a central issue for governments, regulators, shareholders and
potential investors. Clark (2017) argued that it is fundamental that all board
members, irrespective of their technical background, participate in making sure the right
policies and procedures are in place and followed. Moreover, directors should focus on
strategy, policy, and management oversight including IT infrastructure, security training
for staff and the firms’ risk management plan.
Data breaches damage the image of a firm and can lead to a fall in its stock price. A
survey by Osterman Research (2016) found that the main reason for cybersecurity being
a top priority of boards is the complexity of compliance regulations. About 33% of the
board members agreed that cybersecurity is mainly a technical issue which requires
technical experience. Another study, by FTI Consulting (2016), found that cyber risks
topped the list of the main concerns which keep board members 'up at night for the
second consecutive year'.
Another important governance issue currently faced by the modern organisation is
related to Information Technology Governance (ITG). Previous research shows that
information technology has a direct effect on corporate governance (Farhanghi et al.,
2013). According to the IT Governance Institute (ITGI) website, ITG is a subset of
corporate governance which focuses on information technology systems, and how their
performance is measured and their risks managed. McCollum (2006) claims that the
Sarbanes-Oxley Act of 2002 has alerted BODs to their firms' need to prioritise ITG.
Therefore, given the critical need for ITG, Huff et al. (2005) argue that an IT expert
should be appointed to the board to contribute views grounded in practical experience
or a professional background in information technology.
Security breaches and cyber-attacks are threefold in the MENA region when
compared to developed countries. According to Mooney and Thompson (2018), security
152 A.M.A.M. Al-Sartawi
breaches are very costly in the USA, followed closely by the Middle East. Additionally,
Mooney and Thompson (2018) show that Financial Services firms have the highest
number of data breaches when compared to other industries. In view of this scenario, this
paper aims to:
1 determine the extent of ITG by MENA financial services firms
2 investigate the relationship between the level of ITG and cybersecurity in the MENA
region.
To the researcher's knowledge, very few studies investigate this issue, especially
from a MENA region perspective. Thus, from a theoretical perspective, this paper aims
to contribute to the literature on ITG and cybersecurity in the MENA region. From a
more practical perspective, this paper raises awareness of the importance of
cybersecurity oversight, cyber education and cyber insurance in the region, so that
boards, governments and regulators can make informed decisions about cybersecurity,
while firms incorporate the issue into their board agendas.
2 Literature review
Digital infrastructures have become a critical factor in the management and normal
functioning of firms. However, one of the biggest threats to the normal functioning of
firms is cyber-attacks. Although cyberspace offers virtually infinite opportunities for
business development, the digital dependency of the main functions and activities of
the business generates new risks and threats (Sharkov, 2016).
Security and data breaches often uncover poor governance practices and weak
management at the core of a firm and its BOD, while also affecting its revenues and
reputation (Mooney and Thompson, 2018). Hence to mitigate cyber risks, firms need to
secure their critical infrastructure, deter criminal behaviour, control content, foster
economic growth, and protect stakeholders’ interest in privacy.
Sharkov (2016) claims that the cybersecurity concept was ‘born in the nineties’ from
two complementary fields: ICT security and information security. Solms and
Van Niekerk (2013) differentiate between the often interchangeably used terms
cybersecurity and information security. They argue that while information security is
the protection of
information from possible harm resulting from various threats and vulnerabilities,
cybersecurity is more than that. Cybersecurity not only includes the protection of
cyberspace itself, but also the protection of those that function in cyberspace and any of
their assets that can be reached via cyberspace.
In recent years, the reputation of several high-profile companies has suffered due to
their failure to safeguard their clients' data from hackers (Newbound, 2016). This
applies particularly to financial services companies, which have been more prone to
data breaches (Clark, 2017; Mooney and Thompson, 2018). These scandals mean that
cybersecurity should become a standing item on boardroom agendas. That study further
argues that the BOD should ensure they understand all security measures, procedures
and policies that their firm has in place, and that failure to do so could result in
personal liability. Similarly, according to Cheng and Groysberg (2017), board members
fail to make the connection between the continuous cybersecurity lapses and their own
firm's vulnerability to cyber-threats. They suggest that BODs should take corrective
actions such as holding
Information technology governance and cybersecurity at the board level 153
of results. The three main variables which were identified from the literature were firm
size, firm age and board size.
According to Gordon et al. (2018), it is important to control for firm size when
determining the level of cybersecurity activities and IT investments in such activities, so
as to produce more comparable results that focus on addressing the research questions.
Moreover, larger firms have more developed infrastructure and resources to implement
costly cybersecurity practices. Hence, they tend to have higher levels of cybersecurity
when compared to their smaller counterparts.
Similarly, firm age is used as a control variable to account for the varying ages of
firms in the study. Older firms have accumulated more information over the years than
younger firms and are therefore at a higher risk of cyber-attacks and data breaches. In
addition, based on Marshall's (1920) 'Principles of Economics', older firms are more
prone to the inertia and bureaucratic tendencies that go along with age. Therefore, they
might be reluctant to make rapid adjustments to changing circumstances such as the
birth of the cyber society.
Finally, this study used board size as a control variable. A larger board has a range of
expertise to make better decisions for a firm as the CEO cannot dominate a bigger board
because the collective strength of its members is higher and can resist the irrational
decisions of a CEO (Zahra and Pearce, 1989). In the case of ITG, bigger boards might
bring higher IT skills and make it easier for the board to make informed decisions that
result in improving the level of cybersecurity.
3 Research methodology
In order to address the research questions, mainly the relationship between ITG and the
level of cybersecurity in the MENA region, the current study collected data from a
sample of 94 firms listed in the financial stock markets of the MENA region for the year
2018.
To measure the level of cybersecurity, a checklist was developed (see Appendix) using a
number of different sources such as
1 the National Institute of Standards and Technology’s (NIST) cybersecurity
framework
2 the Federal Communications Commission’s cybersecurity planning guide.
When a firm met an item on the checklist, that item received a score of 1, and 0
otherwise; the level of cybersecurity is the resulting total expressed as a percentage of
all checklist items.
Data collection went through two phases. Phase one included collecting data from
several sources such as the firms’ official websites, strategy documents, governance or
policy documents, as well as the annual reports for the year ended December 2018.
However, as not all the information was available from the secondary sources, the
researcher sent emails soliciting the data required to complete the checklist. IT
specialists, IT security consultants, and IT security engineers were targeted, and their
emails were retrieved from the websites of the firms listed in the financial sectors. The
checklist was then sent to the targeted potential respondents at the end of January 2019.
Follow-up emails were sent, and by the end of March 2019, 94 responses had been
received. Only completed checklists were included in the study; the remaining firms
were dropped from the sample. Table 1 shows the distribution of the sample among the
selected MENA countries.
To test the hypothesis, the following regression model was developed using the level of
cybersecurity as a dependent variable, and ITG as an independent variable. The study
measures the level of ITG in the MENA firms by determining the percentage of the
members of the BOD who have an IT background or experience.
Additionally, the study used firm size, board size, and firm age as control variables.
This data was extracted from the annual reports and the websites of the sample firms.
Model:

$$\mathit{CySec}_i = \beta_0 + \beta_1\,\mathit{ITG}_i + \beta_2\,\mathit{L\_FSZ}_i + \beta_3\,\mathit{BD\_size}_i + \beta_4\,\mathit{AGE}_i + \varepsilon_i$$

where $\mathit{CySec}_i$ is the level of cybersecurity of firm $i$, $\mathit{ITG}_i$ the percentage of its board members with an IT background, $\mathit{L\_FSZ}_i$ the natural logarithm of its total assets, $\mathit{BD\_size}_i$ its board size, $\mathit{AGE}_i$ its age in years and $\varepsilon_i$ the error term.
Table 2 Study variables
4 Data analysis
Table 3 shows that the average level of cybersecurity among the six selected MENA
countries was 77.3%, which is a moderate level of security. The UAE had the highest
level of cybersecurity (83.4%) among the sample countries, while Palestine had the
lowest level (69.4%). One reason for the high level of cybersecurity in the UAE is that
cybersecurity is the number one priority for firms in the UAE (Ryan, 2018). Based on the
‘Dubai Cyber Security Strategy’ (Dubai’s government website), the cybersecurity
strategy was developed to unify the efforts of government institutions and firms to make
Dubai the safest electronic city in the world.
Table 3 Level of cybersecurity among the six selected MENA countries
Table 4 reports the descriptive statistics of the independent, dependent and control
variables. It shows that the maximum level of ITG was 55%, with a mean of 7.6%,
indicating a low level of ITG. According to Valentine and Stewart (2013), there is a gap
between the need for ITG and the reality. With regard to the level of cybersecurity, the
MENA sample countries achieved a maximum level of 92%, with an overall mean of
76.3%, which is considered a moderate level.
Table 4 Descriptive statistics
The descriptive statistics for the control variables show that the mean of firm size, i.e.,
total assets, was 8.2 million, with a minimum of 93,638 and a maximum of 214 million,
indicating large firms. The distribution of total assets was skewed, so its natural
logarithm was used in the regression analysis to reduce skewness and bring the
distribution of the variable nearer to normality. The average board size was 9 members,
while firm age ranged from 3 to 195 years with a mean of 45.
Two diagnostic tests were applied: the Shapiro-Wilk test for normality and the Variance
Inflation Factor (VIF) for multicollinearity. Table 5 shows that the variables of this
research are generally normally distributed, except for firm size, which had a
significance level of 0.000. To bring the distribution of this variable nearer to
normality, as mentioned above, its natural logarithm was used in the regression
analysis to reduce skewness.
Table 5 Normality test (Shapiro-Wilk)

Variable   Statistic   df   Sig.
ITG        2.627       94   0.474
CySec      1.711       94   0.482
L_FSZ      2.974       94   0.003
B_size     2.538       94   0.316
AGE        1.482       94   0.228
Additionally, the VIF test was used to check the data for multicollinearity. The results as
shown in Table 6 indicate that since no VIF score exceeded 10 for any variable in the
model, and as no Tolerance score was below 0.2, it was concluded that there is no issue
of multicollinearity.
Table 6 Collinearity statistics

Variable   Tolerance   VIF
ITG        0.896       1.116
L_FSZ      0.877       1.140
B_size     0.964       1.037
AGE        0.935       1.070
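As an added illustration of the scoring rule in Section 3 (one point per checklist item met, expressed as a proportion) and of the Tolerance/VIF check reported in Table 6, the following is example code written for this edit, not the paper's own code or data. The checklist items, the firms and every figure in it are constructed for the illustration; it uses only the Python standard library and fits each auxiliary regression with ordinary least squares via the normal equations.

```python
"""Checklist scoring and the Tolerance/VIF collinearity check used in the paper.
Added illustration with constructed data; the real checklist is in the Appendix."""
import math
from typing import Dict, List, Sequence

# Constructed checklist items, in the spirit of the NIST CSF / FCC planning-guide
# categories the paper cites (not the paper's actual checklist).
CHECKLIST: Sequence[str] = (
    "cyber_risk_on_board_agenda", "head_of_it_security_appointed",
    "incident_response_plan", "staff_security_training", "cyber_insurance",
    "annual_risk_self_assessment", "mfa_for_privileged_access", "backups_tested",
)


def cysec_score(answers: Dict[str, bool], items: Sequence[str] = CHECKLIST) -> float:
    """Level of cybersecurity: 1 per checklist item met, 0 otherwise, as a
    proportion of all items (the paper reports this as a percentage)."""
    if not items:
        raise ValueError("empty checklist")
    return sum(1 for item in items if answers.get(item, False)) / len(items)


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan solution of a x = b with partial pivoting (small systems)."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular design matrix: perfectly collinear regressors")
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def ols(X: List[List[float]], y: List[float]) -> List[float]:
    """OLS coefficients, intercept first, from the normal equations X'X b = X'y."""
    Xa = [[1.0] + list(row) for row in X]
    k = len(Xa[0])
    xtx = [[sum(r[i] * r[j] for r in Xa) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(Xa, y)) for i in range(k)]
    return _solve(xtx, xty)


def r_squared(X: List[List[float]], y: List[float]) -> float:
    """Coefficient of determination of the OLS fit of y on X."""
    beta = ols(X, y)
    fitted = [beta[0] + sum(b * v for b, v in zip(beta[1:], row)) for row in X]
    ybar = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    return 1.0 - ss_res / ss_tot if ss_tot > 0 else 0.0


def vif_table(columns: Dict[str, List[float]]) -> Dict[str, Dict[str, float]]:
    """Tolerance = 1 - R^2 from regressing each regressor on all the others;
    VIF = 1 / Tolerance. This is what Table 6 reports per variable."""
    names = list(columns)
    n = len(columns[names[0]])
    table = {}
    for name in names:
        others = [o for o in names if o != name]
        X = [[columns[o][i] for o in others] for i in range(n)]
        tol = max(0.0, 1.0 - r_squared(X, columns[name]))
        table[name] = {"tolerance": tol, "vif": 1.0 / tol if tol > 1e-12 else math.inf}
    return table


def collinearity_ok(table: Dict[str, Dict[str, float]],
                    vif_max: float = 10.0, tol_min: float = 0.2) -> bool:
    """The paper's rule of thumb: no VIF above 10 and no Tolerance below 0.2."""
    return all(v["vif"] <= vif_max and v["tolerance"] >= tol_min for v in table.values())


if __name__ == "__main__":
    # Constructed firm records: ITG = share of directors with an IT background,
    # assets in the same unit throughout, B_size = board size, AGE = years.
    firms = [
        {"ITG": 0.00, "assets": 1.2e6, "B_size": 7, "AGE": 12},
        {"ITG": 0.11, "assets": 9.5e6, "B_size": 9, "AGE": 45},
        {"ITG": 0.25, "assets": 3.1e7, "B_size": 8, "AGE": 30},
        {"ITG": 0.09, "assets": 4.0e5, "B_size": 11, "AGE": 60},
        {"ITG": 0.33, "assets": 2.1e8, "B_size": 10, "AGE": 8},
        {"ITG": 0.00, "assets": 2.0e6, "B_size": 6, "AGE": 95},
    ]
    cols = {"ITG": [f["ITG"] for f in firms],
            "L_FSZ": [math.log(f["assets"]) for f in firms],   # ln(total assets)
            "B_size": [float(f["B_size"]) for f in firms],
            "AGE": [float(f["AGE"]) for f in firms]}
    table = vif_table(cols)
    for name, v in table.items():
        print(f"{name:7s} Tolerance={v['tolerance']:.3f} VIF={v['vif']:.3f}")
    print("multicollinearity concern:", not collinearity_ok(table))
```

The auxiliary regressions use the same log-transformed firm size as the paper's model; a regressor that is an exact linear combination of the others comes out with Tolerance 0 and an infinite VIF, which is the case the rule of thumb is meant to catch before the main regression is interpreted.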
Table 7 reports the findings of the regression analysis. The model has an adjusted R²
of 0.174, i.e., it explains approximately 17.4% of the variation in the level of
cybersecurity amongst the MENA listed firms. The F-statistic is significant (p = 0.000),
so the regressors jointly explain a significant share of that variation; the
contribution of ITG itself is read from its coefficient in Table 7 and is discussed
below.
Table 7 Regression analysis
The main hypothesis of the study states that there is a relationship between ITG and the
level of cybersecurity of firms listed in the MENA stock markets. Table 7 shows a
significant and direct (positive) relationship between the study variables. We can,
therefore, infer that the higher the level of ITG on the board, the higher the level of
cybersecurity. This is in line with many previous studies which stress the importance
of IT literacy at the board level. Because cybersecurity architecture is part of the
firm's wider IT architecture, cybersecurity issues are IT issues as well. Board members
with IT qualifications, knowledge and experience therefore have a better understanding
of the challenges their firms face and can make well-informed decisions. Moreover, IT
skills on the BOD are important for understanding what the Heads of IT are doing on the
inside and, thus, for being knowledgeable enough to challenge their actions.
With regard to the control variables, the study found a significant and positive
relationship between the level of cybersecurity and firm size. For the remaining
control variables, the results show no relationship between board size or firm age and
the level of cybersecurity.
5 Conclusions
This study was conducted to investigate the relationship between the two fundamental
Corporate Governance topics, i.e., the level of ITG and the level of cybersecurity by
MENA listed firms. To address the research questions, the researcher collected data from
a sample of 94 firms listed in the financial stock markets of the MENA countries for the
year 2018. The countries included in the sample were Bahrain, UAE, Jordan, Palestine,
Egypt and Tunisia. The findings revealed that the UAE had the highest level of
cybersecurity (83.4%) among the sample countries, while Palestine had the lowest level
(69.4%). Moreover, the results show that there is a significant and direct relationship
between the level of ITG and the level of cybersecurity, i.e., the higher the level of ITG
on the board, the higher the level of cybersecurity. This indicates the importance of
appointing board members with IT knowledge and experience, which might lead to
informed decision-making when faced with cyber-threats and challenges.
This paper contributes a new topic to the MENA region literature by combining two
significant areas, namely ITG and cybersecurity. The study would also be of interest to
the international investment community, regulators, policy-makers and governments in
the region. In addition, this paper offers a practical contribution that could be useful to
shareholders when appointing board members or forming technological/cyber
committees. Similarly, firms should take a proactive stance and insure themselves
against security breaches, to better manage cyber threats and any legal liability
resulting from data breaches. Moreover, as recommended by Reber (2016), firms should
complete risk self-assessments annually to understand their cyber environments: a board
must first have a clear picture of the firm's risk profile before it can mitigate those
risks. Along similar lines,
Clark (2017) argues that, although firms cannot prevent cyber-attacks completely, they
can develop the right plans and systems to block some attacks and mitigate the risks of
others.
While cyber-threats and awareness of cybersecurity are constantly evolving in the
MENA region, this paper recommends that firms develop effective cybersecurity
programmes that address current regulatory compliance requirements and prepare for
emergency cyber response. Furthermore, to address a gap in the MENA region
literature, this paper suggests conducting a study that further investigates the relationship
between the level of cybersecurity and firm performance in the form of market value,
earnings per share or profitability.
References
Alan, C. (2014) ‘The boardroom view on cyber security’, Corporate Board, Vol. 35, No. 208,
pp.11–15.
Andriole, S.J. (2009) ‘Boards of directors and technology governance: the surprising state of the
practice’, Communications of the Association for Information Systems, Vol. 24, No. 1, p.22.
Cheng, J.Y.J. and Groysberg, B. (2017) ‘Why boards aren’t dealing with cyberthreats’, Harvard
Business Review [online] https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats
(accessed 2 April 2019).
Clark, G. (2017) The Board’s Role in Cybersecurity [online] https://business.nasdaq.com/
marketinsite/2017/The-Boards-Role-in-Cybersecurity.html (accessed 14 April 2019).
Dramis, F.A. (2015) ‘Time for a board cyber/tech committee?’, Corporate Board, Vol. 36,
No. 213, pp.1–5.
Farhanghi, A.A., Abbaspour, A. and Ghassemi, R.A. (2013) 'The effect of information technology
on organizational structure and firm performance: an analysis of consultant engineers firms
(CEF) in Iran', Procedia-Social and Behavioral Sciences, Vol. 81, pp.644–649.
FTI Consulting (2016) FTI Consulting and NYSE Governance Services Study Identifies Key Risks
and Legal Trends for Publicly Traded Companies in 2016 [online]
https://www.fticonsulting.com/about/newsroom/press-releases/fti-consulting-and-nyse-
governance-services-study-identifies-key-risks-and-legal-trends-for-publicly-traded-
companies-in-2016 (accessed 27 March 2019).
Gordon, L.A., Loeb, M.P. and Sohail, T. (2010) ‘Market value of voluntary disclosures concerning
information security’, MIS Quarterly, Vol. 34, No. 3, pp.567–594.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2018) 'Empirical evidence on the
determinants of cybersecurity investments in private sector firms', Journal of Information
Security, Vol. 9, No. 2, p.133.
Huff, S.L., Maher, P.M. and Munro, M.C. (2005) ‘Adding value: the case for adding IT savvy
directors to the board’, Ivey Business Journal, Vol. 70, No. 2, pp.1–5.
International Telecommunications Union (ITU) (2008) Series X: Data Networks, Open System
Communications and Security: Telecommunication Security: Overview of Cybersecurity,
ITU-TX.1205, Switzerland [online] https://www.itu.int/rec/T-REC-X.1205-200804-I
(accessed 12 May 2019).
Ishiguro, M., Tanaka, H., Matsuura, K. and Murase, I. (2006) ‘The effect of information security
incidents on corporate values in the Japanese stock market’, In International Workshop on the
Economics of Securing the Information Infrastructure (WESII).
Li, C., Peters, G.F., Richardson, V.J. and Watson, M.W. (2012) ‘The consequences of information
technology control weaknesses on management information systems: the case of
Sarbanes-Oxley internal control reports’, MIS Quarterly, Vol. 36, No. 1, pp.179–203.
Marshall, A. (1920) Principles of Economics, 8th ed., Macmillan, London.
McCollum, T. (2006) ‘Bridging the great divide’, Internal Auditor, No. 1, pp.49–53.
Mooney, A. and Thompson, J. (2018) Why the Focus is Shifting to Boards on Cyber Security?
[online] https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c (accessed 5
May 2019).
Newbound, D. (2016) 'Why cyber security matters?', Credit Control, Vol. 37, Nos. 3/4, pp.19–21.
Nicho, M. and Khan, S. (2017) ‘IT governance measurement tools and its application in
IT-business alignment’, Journal of International Technology and Information Management,
Vol. 26, No. 1, pp.81–111.
Nolan, R. and McFarlan, F.W. (2005) ‘Information technology and the board of directors’, Harvard
Business Review [online]
https://pdfs.semanticscholar.org/9149/ab6cb4c7fa9a3d39709f9ae75f804b0db5a4.pdf
(accessed 1 March 2019).
Osterman Research (2016) ‘What’s driving boards of directors to make cyber security a top
priority?’, Bay Dynamics [online] https://baydynamics.com/content/uploads/2016/09/
BoardSecurityOstermanReport.pdf (accessed 13 May 2019).
Rau, K.G. (2004) ‘Effective governance of IT: design objectives, roles and relationships’,
Information Systems Management, Vol. 21, No. 4, pp.35–42.
Reber, G. (2016) ‘Best practices for board cyber security oversight’, Corporate Board, Vol. 37,
No. 220, pp.10–15.
Ribeiro, F. and Colauto, R. (2016) ‘The relationship between board interlocking and income
smoothing practices’, R. Cont. Fin. – USP, São Paulo, Vol. 27, No. 70, pp.55–66.
Ryan, P. (2018) Cyber Security is 'Number One Priority' for Companies in the UAE [online]
https://www.thenational.ae/uae/cyber-security-is-number-one-priority-for-companies-in-the-
uae-1.780836 (accessed 2 April 2019).
Sharkov, G. (2016) ‘From cybersecurity to collaborative resiliency’, in Proceedings of the 2016
ACM Workshop on Automated Decision Making for Active Cyber Defense, pp.3–9, ACM.
Solms, R. and Van Niekerk, J. (2013) 'From information security to cyber security', Computers &
Security, Vol. 38, pp.97–102.
Valentine, E. and Stewart, G. (2013) ‘The emerging role of the board of directors in enterprise
business technology governance’, International Journal of Disclosure and Governance,
Vol. 10, No. 4, pp.346–362.
Zahra, S.A. and Pearce, J.A. (1989) ‘Boards of directors and corporate financial performance: a
review and integrative model’, Journal of Management, Vol. 15, No. 2, pp.291–334.
Appendix