Inexpert Supervision: Field Evidence on Boards' Oversight of Cybersecurity.
Saved in:
| Authors: | Lowry, Michelle R.1 (AUTHOR) michellel@vt.edu, Vance, Anthony2 (AUTHOR) anthony@vance.name, Vance, Marshall D.1 (AUTHOR) mdvance@vt.edu |
|---|---|
| Source: | Management Science (INFORMS). Feb2026, Vol. 72 Issue 2, p783-804. 22p. |
| Subject Terms: | *Boards of directors, *Supervision, *Corporate directors, *Corporate governance, *Data protection, *Expertise, *Information assurance |
| Abstract: | We conduct a field study of boards' emerging responsibility to oversee cybersecurity risk, a setting in which few directors have expertise. We find that, although nonexpert directors may genuinely seek to provide diligent oversight, without expertise their efforts lack substance and therefore are mostly symbolic, even when they perform the same oversight activities as expert directors. We also explore why boards do not prioritize the appointment of cybersecurity experts and show that nonexpert directors do not perceive that their efforts are symbolic and insufficient. In contrast, expert directors perceive keenly the deficiency of their nonexpert counterparts and argue for the need for more cybersecurity experts on boards, and this viewpoint is shared by cybersecurity executives and consultants who support the board. Thus, we contribute to our understanding of when boards are likely to provide substantive versus symbolic oversight and inform the debate on the merits of board-level cybersecurity expertise. This paper was accepted by Ranjani Krishnan, accounting. Funding: This work was supported by a Security, Privacy, & Trust grant from the Pamplin College of Business and the Commonwealth Cyber Initiative of Virginia. Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2023.04147. [ABSTRACT FROM AUTHOR] |
| Database: | Entrepreneurial Studies Source |
|
Full text is not displayed to guests.
Login for full access.
|
|
| Abstract: | We conduct a field study of boards' emerging responsibility to oversee cybersecurity risk, a setting in which few directors have expertise. We find that, although nonexpert directors may genuinely seek to provide diligent oversight, without expertise their efforts lack substance and therefore are mostly symbolic, even when they perform the same oversight activities as expert directors. We also explore why boards do not prioritize the appointment of cybersecurity experts and show that nonexpert directors do not perceive that their efforts are symbolic and insufficient. In contrast, expert directors perceive keenly the deficiency of their nonexpert counterparts and argue for the need for more cybersecurity experts on boards, and this viewpoint is shared by cybersecurity executives and consultants who support the board. Thus, we contribute to our understanding of when boards are likely to provide substantive versus symbolic oversight and inform the debate on the merits of board-level cybersecurity expertise. This paper was accepted by Ranjani Krishnan, accounting. Funding: This work was supported by a Security, Privacy, & Trust grant from the Pamplin College of Business and the Commonwealth Cyber Initiative of Virginia. Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2023.04147. [ABSTRACT FROM AUTHOR] |
|---|---|
| ISSN: | 00251909 |
| DOI: | 10.1287/mnsc.2023.04147 |