Inexpert Supervision: Field Evidence on Boards' Oversight of Cybersecurity.

Saved in:
Bibliographic Details
Authors: Lowry, Michelle R.1 (AUTHOR) michellel@vt.edu, Vance, Anthony2 (AUTHOR) anthony@vance.name, Vance, Marshall D.1 (AUTHOR) mdvance@vt.edu
Source: Management Science (INFORMS). Feb2026, Vol. 72 Issue 2, p783-804. 22p.
Subject Terms: *Boards of directors, *Supervision, *Corporate directors, *Corporate governance, *Data protection, *Expertise, *Information assurance
Abstract: We conduct a field study of boards' emerging responsibility to oversee cybersecurity risk, a setting in which few directors have expertise. We find that, although nonexpert directors may genuinely seek to provide diligent oversight, without expertise their efforts lack substance and therefore are mostly symbolic, even when they perform the same oversight activities as expert directors. We also explore why boards do not prioritize the appointment of cybersecurity experts and show that nonexpert directors do not perceive that their efforts are symbolic and insufficient. In contrast, expert directors perceive keenly the deficiency of their nonexpert counterparts and argue for the need for more cybersecurity experts on boards, and this viewpoint is shared by cybersecurity executives and consultants who support the board. Thus, we contribute to our understanding of when boards are likely to provide substantive versus symbolic oversight and inform the debate on the merits of board-level cybersecurity expertise. This paper was accepted by Ranjani Krishnan, accounting. Funding: This work was supported by a Security, Privacy, & Trust grant from the Pamplin College of Business and the Commonwealth Cyber Initiative of Virginia. Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2023.04147. [ABSTRACT FROM AUTHOR]
Database: Entrepreneurial Studies Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: ent
DbLabel: Entrepreneurial Studies Source
An: 191433159
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Lowry%2C+Michelle+R%2E%22">Lowry, Michelle R.</searchLink><relatesTo>1</relatesTo> (AUTHOR)<i> michellel@vt.edu</i><br /><searchLink fieldCode="AR" term="%22Vance%2C+Anthony%22">Vance, Anthony</searchLink><relatesTo>2</relatesTo> (AUTHOR)<i> anthony@vance.name</i><br /><searchLink fieldCode="AR" term="%22Vance%2C+Marshall+D%2E%22">Vance, Marshall D.</searchLink><relatesTo>1</relatesTo> (AUTHOR)<i> mdvance@vt.edu</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22Management+Science+%28INFORMS%29%22">Management Science (INFORMS)</searchLink>. Feb2026, Vol. 72 Issue 2, p783-804. 22p.
– Name: Subject
  Label: Subject Terms
  Group: Su
  Data: *<searchLink fieldCode="DE" term="%22Boards+of+directors%22">Boards of directors</searchLink><br />*<searchLink fieldCode="DE" term="%22Supervision%22">Supervision</searchLink><br />*<searchLink fieldCode="DE" term="%22Corporate+directors%22">Corporate directors</searchLink><br />*<searchLink fieldCode="DE" term="%22Corporate+governance%22">Corporate governance</searchLink><br />*<searchLink fieldCode="DE" term="%22Data+protection%22">Data protection</searchLink><br />*<searchLink fieldCode="DE" term="%22Expertise%22">Expertise</searchLink><br />*<searchLink fieldCode="DE" term="%22Information+assurance%22">Information assurance</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: We conduct a field study of boards' emerging responsibility to oversee cybersecurity risk, a setting in which few directors have expertise. We find that, although nonexpert directors may genuinely seek to provide diligent oversight, without expertise their efforts lack substance and therefore are mostly symbolic, even when they perform the same oversight activities as expert directors. We also explore why boards do not prioritize the appointment of cybersecurity experts and show that nonexpert directors do not perceive that their efforts are symbolic and insufficient. In contrast, expert directors perceive keenly the deficiency of their nonexpert counterparts and argue for the need for more cybersecurity experts on boards, and this viewpoint is shared by cybersecurity executives and consultants who support the board. Thus, we contribute to our understanding of when boards are likely to provide substantive versus symbolic oversight and inform the debate on the merits of board-level cybersecurity expertise. This paper was accepted by Ranjani Krishnan, accounting. Funding: This work was supported by a Security, Privacy, & Trust grant from the Pamplin College of Business and the Commonwealth Cyber Initiative of Virginia. Supplemental Material: The online appendix is available at https://doi.org/10.1287/mnsc.2023.04147. [ABSTRACT FROM AUTHOR]
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=ent&AN=191433159
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1287/mnsc.2023.04147
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 22
        StartPage: 783
    Subjects:
      – SubjectFull: Boards of directors
        Type: general
      – SubjectFull: Supervision
        Type: general
      – SubjectFull: Corporate directors
        Type: general
      – SubjectFull: Corporate governance
        Type: general
      – SubjectFull: Data protection
        Type: general
      – SubjectFull: Expertise
        Type: general
      – SubjectFull: Information assurance
        Type: general
    Titles:
      – TitleFull: Inexpert Supervision: Field Evidence on Boards' Oversight of Cybersecurity.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Lowry, Michelle R.
      – PersonEntity:
          Name:
            NameFull: Vance, Anthony
      – PersonEntity:
          Name:
            NameFull: Vance, Marshall D.
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 02
              Text: Feb2026
              Type: published
              Y: 2026
          Identifiers:
            – Type: issn-print
              Value: 00251909
          Numbering:
            – Type: volume
              Value: 72
            – Type: issue
              Value: 2
          Titles:
            – TitleFull: Management Science (INFORMS)
              Type: main
ResultId 1