Integration of Information Systems and Cybersecurity Countermeasures: An Exposure to Risk Perspective

This paper investigates the relationship between Information Systems (IS) integration and the use of cybersecurity countermeasures using an adapted exposure to risk perspective which considers both the probability of a risk through vulnerability points theory and the impact of the risk if it occurs. Based on an econometric analysis of a survey sample of 9,721 French firms, the study finds that higher degrees of system integration entail higher degrees of cybersecurity usage. Whereas previously it was thought that systems integration reduces the number of vulnerabilities and thus the need for cybersecurity countermeasures, we find that the more the system is integrated, the greater the use of self-protective cybersecurity countermeasures. We theorize that this finding comes from the elimination of many uncontrollable vulnerabilities and the presence of fewer, but controllable, vulnerability points. This finding holds both for internal and external integration but is stronger in the latter case. Moreover, results show that internal dynamism is positively correlated with cybersecurity countermeasures. Our reasoning applies to cybersecurity in terms of self-protective security measures but not necessarily to risk-transfer security measures.