Introduction
Cyberattacks have reached unprecedented levels in recent years; of the ten top technology risks identified by the Institute of Internal Auditors (IIA), cybersecurity and information security rank as the top two technology risk concerns facing firms (IIA, 2015a, 2015b). The Heritage Foundation (2015) reported an average of 160 successful cyberattacks per week in 2014, more than three times the 2010 average. The costs of cyberattacks are tremendous (Ponemon Institute, 2015), averaging $15.4 million for a company operating in the USA. This figure has more than doubled since 2010, and the number of data breaches is expected to continue to increase (DiPietro, 2013). It is estimated that cybercrime could cost businesses over $2 trillion by 2019 (Juniper Research, 2015), nearly four times the estimated 2015 expense. In view of these findings, cybersecurity risk management is of paramount importance, and we can confidently assert as a generality that higher-quality cybersecurity is in the interests of firms everywhere.
Cybersecurity research has investigated behavioral aspects of technology users (Bulgurcu et al., 2013; D’Arcy et al., 2009; Johnston and Warkentin, 2010; Siponen and Vance, 2010; Spear and Barki, 2010). Researchers have also investigated security awareness (Herath and Rao, 2009; Puhakainen and Siponen, 2010; Willison and Warkentin, 2013) and market reactions to information security initiatives (Gordon et al., 2010). The relationship between the makeup of board technology committees and security breaches has been studied (Higgs et al., 2016), as have the effects of security incidents on firms and their reputations (Campbell et al., 2003; Cavusoglu et al., 2004; Goldstein et al., 2011; Wang et al., 2013). Security programs (Cavusoglu et al., 2009; Iheagwara, 2004; Kumar et al., 2008; Straub, 1990) and the optimal level of investment in security (Gordon and Loeb, 2002; Wang et al., 2008) have been studied as well. Less research has focused on information security governance (Dhillon et al., 2007; Hong et al., 2003; Mishar and Dhillon, 2006; Steinbart et al., 2016) and on the important relationship between information security management and the internal audit function (IAF) (Steinbart et al., 2014a; 2014b; 2013; 2012).
Importance of security/cybersecurity audit
Even though the...