Impact of Security Management Activities on Corporate Performance

1. Introduction

In 2024, an information security incident occurred that was considered the worst telecommunications hack in US history. The hacker group “Salt Typhoon,” believed to be linked to the Chinese government, breached several US telecommunications companies, including AT&T, Verizon, and T-Mobile. The hack included communications from the presidential campaign teams of Donald Trump and Kamala Harris, which ultimately became a national issue.

The private sector was no exception. In February 2024, Change Healthcare, a medical billing and insurance processing company, suffered a ransomware attack by the Russian hacker group ALPHV/BlackCat. This incident resulted in the leak of patient data for more than 100 million people. The leaked information included not only patient contact information but also financial and health information, forcing the company to pay a ransom of $22 million [2]. These security incidents have caused severe economic losses and significant national and societal reper-cussions. Consequently, security management strategies have become essential components of national institutions and corporate strategies [3]. Moreover, they are increasingly seen as sources of external competitiveness for organizations [4].

This study aims to integrate diverse academic and practical insights. It considers corporate security management activities as innovative elements of technology management and also offers recommendations for public institutions and corporations from a managerial perspective [6]. Additionally, it seeks to objectively verify the role of security management activities using real-world data. Specifically, this study examines whether these activities serve merely as passive risk management measures or as proactive strategic elements. It also explores their direct impact on corporate performance metrics, such as actual sales revenue [7].

With the efforts of international organizations and governments, the information security management system (ISMS) has become a widely adopted information security management tool. Government authorities actively recommend its implementation in most public institutions and corporations. This study also examines the role of ISMS in the relationship between security management activities and corporate performance [8,9].

Previous studies on information security have primarily focused on the inherent objectives of information protection. This focus has resulted in a limited measurement of direct correlations with corporate performance. Consequently, intuitive explanatory power regarding corporate outcomes has been insufficient [10]. However, this study accepts prior research suggesting that information security as a form of institutional regulation and managerial constraint can lead to innovative activities essential for corporate survival [11,12]. This study empirically verifies whether corporate security management activities serve as innovative managerial elements.

We utilized information security disclosure data from 545 sample companies available on a government portal, along with financial data collected by financial institutions. The sample includes companies with assets of over 300 billion won, categorized by industrial classification codes reported to the National Statistical Office.

Chapter 2 systematically reviews the literature on security management activities. Chapter 3 describes the research methods, including data collection and analysis techniques. Chapter 4 presents the research results, verifying the multiple regression analysis of independent variables with the simultaneous input of control variables. It also examines the interaction effects of the moderator variables for each independent variable. Chapter 5 discusses the research findings based on the interpretation of the results, and Chapter 6 summarizes the significance and limitations, offering implications for future research.

2. Literature Review and Hypothesis Setting

2.1. Security Management Activities

Information security refers to measures that protect an organization’s important structured or unstructured information from unauthorized access, leakage, use, or alteration. Although the official term used in the current national legal framework is “information protection,” businesses commonly use various terms such as “information security” or “IT security” [5].

In this study, we use the terms “information security” and “security management activities” from a management perspective. In other words, it involves developing and delivering products and services essential to business management through an understanding of IT. Simultaneously, this approach proactively prevents hidden security vulnerabilities and improves operational efficiency. Ultimately, it can be defined as part of a management strategy to gain a competitive advantage in the market. Recent cases of Chinese companies growing rapidly due to the leakage of important technical information from South Korea and Japan have been reported. These cases have highlighted the importance of security management activities [5].

Companies must implement security management strategies. Certain management resources must be invested to achieve efficient information security goals that align with management objectives [5,10,37]. This study defines information security activities that do not involve financial costs as non-financial security management activities. Financial security management activities involve financial costs.

2.2. Non-Financial Security Management Activities

2.2.1. Internal Security Management Activities and Corporate Performance

Managers carry out several security management activities internally, either due to legal obligation or corporate initiative, to ensure information security.

First, annual information security education is mandated for all organization members under Article 28 of the Personal Information Protection Act. Training requirements include six hours for CISOs, three for other executives, nine for IT staff, and at least six for other employees. The results must be reported to the Korean Internet and Security Agency (Ministry of Science and ICT).

Second, regular and ad hoc security audits and other self-inspection activities are conducted by executives, such as the CEO or CISO. These activities serve as the basis for recognition as a self-regulated security company by government authorities, such as the Financial Supervisory Service. From the company's perspective, this provides an opportunity to maintain internal security management while enhancing its external image as a security-conscious company.

Third, the activities of the Information Security Committee include reviewing and deciding on major security management actions. These actions involve the introduction of IT security equipment and disciplinary measures for security violations. This serves as the basis for external auditors to assess a company's security management level during ISMS certification or major audits.

These provide non-financial benefits, such as an enhanced external reputation, and offer managers valuable insights into internal security management through the Information Security Committee. This is a proactive security management activity that enables the swift resolution of security vulnerabilities and control of future risks through rapid decision-making [24].

Previous studies have supported the positive impact of internal security management activities on corporate performance. Son (2015) argued that managerial, technical, and physical security activities lower costs, improve the external image, and support management goals [10]. Shin (2021) found that security training and internal processes promote innovation and enhance the performance of manufacturing firms [67]. Furthermore, Jeon (2020) and Jang (2020) demonstrated that various security incidents that occur when internal security management activities break down can cause significant damage to corporate performance [17,18].

Ultimately, internal security management activities are expected to have a positive impact on corporate performance. Therefore, this study proposes the following hypothesis:

Hypothesis 1:

Internal security management activities have a positive impact on corporate performance.

2.2.2. External Security Management Activities and Corporate Performance

Companies may participate in external information security-related activities per the national security policies. These external activities include initiatives such as the Integrated Security Support Program for Critical Information and Communications Infrastructure. Another example is the Cyber Threat Information Analysis and Sharing System. Additionally, security threat response simulation exercises are hosted by agencies such as the Ministry of the Interior and Safety and the National Intelligence Service.

These activities go beyond mere participation in events or joining safety networks to prevent accidents. Collaborating with external security experts helps companies gain security insights and drive digital innovation [25]. Previous studies have reported that such external factors can lead to internal innovation and improved corporate performance [26,27].

Oh et al. (2024) explained that external factors can drive internal innovation linked to corporate performance. Similarly, Donaldson (2003) highlighted the innovative impact of external environmental conditions on organizations. Participation in external security activities helps institutions and companies demonstrate their IT security readiness. This, in turn, enhances the credibility of national security policy initiatives.

Thus, it is valuable to examine whether participation in external security management activities is driven by managerial intentions. It is also important to assess whether participation serves as an innovation factor that enhances corporate performance. Accordingly, this study proposes the following hypotheses:

Hypothesis 2:

External security management activities have a positive impact on corporate performance.

2.2.3. CISO's Work Independence and Corporate Performance

Under Article 45-3, Paragraph 3 of the Information and Communications Network Act, a CISO cannot perform other executive roles under certain conditions. In the case of financial institutions, specific regulations apply if total assets exceed 10 trillion won and the number of employees exceeds 1,000. According to the Electronic Financial Supervision Regulations, the CISO cannot hold the position of CIO in such cases.

A CISO is responsible for protecting IT systems and critical data from internal and external threats. However, if they are involved in developing and operating these systems, they may prioritize the interests of the CEO or shareholders over security. This could harm the interests of customers, business partners, and other stakeholders.

However, this may not apply to SMEs with agile cultures or to those unable to appoint a separate CISO due to their organizational characteristics. Some companies may expect greater operational efficiency if the CISO serves as a CIO or works within other technical departments. This efficiency may outweigh the security benefits of maintaining CISO’s operational independence [13,23].

Examining differences in CISO operations as innovation factors influencing performance is supported by prior studies on organizational structure innovation [26,27,28]. This implies that changes in the internal organizational structure during the process of adapting to situational changes can enhance organizational efficiency and productivity.

Thus, the status and role of the CISO are becoming increasingly important [30]. Security management outcomes achieved through independent operations can positively impact corporate performance through organizational efficiency and an enhanced external image [10,28,30].

For small and medium-sized ventures, combining the CISO and CIO roles is often necessary due to limited resources. Technology-focused companies may also prefer this structure, based on their organizational characteristics. It is important to assess whether this approach effectively drives organizational innovation from a managerial perspective [30,41]. Therefore, this study proposes the following hypotheses:

Hypothesis 3:

Having the CISO perform duties independently will have a positive impact on corporate performance.

Hypothesis 4:

Having the CISO also serve as CIO will have a positive impact on corporate performance.

2.3. Financial Security Management Activities

2.3.1. IT Investment Activities and Corporate Performance

Despite the IT Productivity Paradox [31], many researchers consider IT infrastructure an important innovation resource and strategic factor in corporate management [32,33]. The average IT investment ratio in Korea is 2%, which varies by industry: 1.5% in agriculture, 2.2% in manufacturing and finance, and 5.9% in information and communications, with some telecommunications firms exceeding 10% [34,35].

The digital business environment stimulates investment in the information technology (IT) sector, making it a strategic priority for companies. After the 2011 Nonghyup hacking incident, the government advised financial firms to allocate at least 5% of their staff to IT roles and invest 7% of their IT budgets in information security. [29].

Considering industry and company characteristics, investment ratios may differ depending on IT informatization requirements. However, given that 70% of the annual IT budget is allocated to personnel costs, an investment ratio of 3–5% of a company’s revenue is appropriate [36,37,38]. Ultimately, government regulations and market competition continue to drive IT demand [20,37], supporting corporate growth [19,42]. Thus, the following research hypothesis is established:

Hypothesis 5:

A higher investment ratio in the IT information technology sector will have a positive effect on corporate performance.

2.3.2. Information Security Sector Investment Activities and Corporate Performance

The information security sector faces emerging IT threats such as quantum computing, cloud growth, and artificial intelligence (AI), which require ongoing security upgrades that often overlap with those of broader IT system investments. [39,40]. Ultimately, managers must ensure that the IT and security departments work together through integrated IT governance to achieve business goals [39].

Previous studies suggest that adopting IT security technologies is an innovation that positively influences corporate performance [22,43,82]. Research shows that investments in information security can boost corporate performance, reflecting growing expectations for new technology adoption [82].

However, the investment ratio between the two sectors may vary depending on the business environment, and managers may make strategic choices appropriate to the situation. Managers make important decisions from a security management perspective [81]. Managers may decide to focus on investments in the information security sector, such as the introduction of security technology, and allocate relatively more resources.

This decision is based on the expectation that the anticipated benefits of information security investments outweigh the temporary costs incurred. Therefore, this study proposes the following hypothesis:

Hypothesis 6:

A higher proportion of investment in the information security sector will have a positive effect on corporate performance.

2.4. ISMS (Information Security Management System) Certification System

2.4.1. System Description

The British Standards Institution (BSI) introduced the ISMS concept through ISO (International Organization for Standardization) /IEC (International Electrotechnical Commission) 27001 in 2005. Since then, public institutions and companies have adopted certification as an international standard for systematic information security management [21,44,45,46].

In Korea, it was introduced in 2011, and the personal information protection sector was integrated in 2018, establishing the ISMS-P (Information Security Management System-Personal) certification system [45,46,47].

Notably, ISMS certification is used not only by private companies but also by public national institutions. For Critical Information Infrastructure Protection (CIIP), agencies such as the National Intelligence Service and the Ministry of Science and ICT apply a security-level management system. This evaluation system requires that the ISMS certification be operated and maintained for at least one year. Key areas include administration, broadcasting and communications, finance, energy, construction and transportation, social welfare, and insurance networks [47,48].

2.4.2. The Significance of the ISMS Certification System in Relation to Internal and External Security Management Activities and Corporate Performance

The ISMS certification system serves as an objective tool for measuring the outcomes of security-management activities. It allows the evaluation of both non-financial and financial security management activities based on management commitment. This assessment evaluates the effectiveness of these activities. It also examines their alignment with the company’s management objectives, such as management systems, information handling, IT system protection, and customer protection.

Identifying the role of information security management tools in linking internal and external security activities to corporate performance is crucial. This understanding can help companies focus on their management resources more effectively. [49,50,51].

Therefore, this study examines whether ISMS certification serves as a significant moderating variable. This study investigates the interaction effects between internal and external security management activities and corporate performance. Based on this, the following hypothesis is proposed:

Research Hypothesis 7-1

Obtaining or maintaining ISMS (P) and ISO/IEC certification will strengthen the positive effect of internal security management activities on corporate performance.

Research Hypothesis 7-2

Obtaining or maintaining ISMS (P) and ISO/IEC certification systems will strengthen the positive effect of external security management activities on corporate performance.

2.4.3. The Significance of ISMS Certification Systems in Relation to CISO Work Independence and Corporate Performance

The CISO uses the ISMS tool to assess security levels and advise top management, who can then address vulnerabilities and align security policies with business goals [17,28,45]. The ISMS objectively measures security levels and enhances efficiency, regardless of whether the CISO operates independently or concurrently serves as CIO or another executive [46]. If an organization aims to enhance its business performance by integrating its CIO role while ensuring security management, a careful strategy is required. In such cases, adopting an ISMS certification system can be an effective information security management tool [30,49].

Previous studies show that a CISO’s independence or dual role with the CIO can positively impact performance depending on company traits and strategies [13,28,30]. Therefore, it is important to examine the interaction between ISMS certification and CISO’s operational independence. This study sets the following research hypotheses based on variations in CISO operational structures:

Research Hypothesis 7-3

The acquisition or maintenance of ISMS(P) and ISO/IEC certification systems will strengthen the positive effects on corporate performance when the CISO performs duties independently without concurrent roles in other executive organizations.

Research Hypothesis 7-4

Obtaining or maintaining ISMS(P) and ISO/IEC certification will strengthen the positive effect on corporate performance when the CISO concurrently serves as the CIO, overseeing the IT organization.

2.4.4. The Significance of ISMS Certification in Relation to the Proportion of Investment in IT and Information Security and Corporate Performance

It has become difficult for companies to supply products and services without relying on IT. Depending on the company's characteristics or strategy, investments in security equipment or personnel may need to be increased. A representative industry is the financial sector [29].

Security equipment, personnel, and new technologies are part of IT systems and are closely tied to customer-facing products and services. Therefore, investment in both areas is essential to maintain corporate performance [19,32]. Technology adoption and IT system competitiveness for agile market responses are the key drivers of corporate competitiveness [33,80,82].

Competitiveness is linked directly to corporate performance. Production activities that use IT platforms are not limited to the IT industry. IT platforms serve as important management tools even in traditional manufacturing and other non-IT industries. They are essential not only for customer-facing activities but also for internal management [38].

From a security management perspective, the following key questions arise: Should continuous investment in the broader IT sector be prioritized? Alternatively, should concentrated investments in the information security sector take precedence?

Therefore, it is important to examine how an ISMS influences the impact of investment in these areas on corporate performance. Thus, the following research hypotheses are established:

Research Hypothesis 7-5

ISMS(P), obtaining or maintaining ISO/IEC certification will strengthen the positive effect on corporate performance as the investment ratio in the IT information technology sector increases.

Research Hypothesis 7-6

ISMS(P), obtaining or maintaining ISO/IEC certification will strengthen the positive effect on corporate performance as the investment ratio in the information security sector increases.

3. Materials and Methods

3.1. Research Model

This study aims to examine the relationship between corporate security management activities and corporate performance, as illustrated in Figure 1. It also aims to examine the moderating effect of information security management tools, such as the ISMS. Six independent variables and four control variables were defined to reflect differences in the general characteristics of the research sample. Additionally, two dependent variables—sales and operating profit—were identified to measure corporate performance.

3.2. Variables

This study measured the impact of corporate security management activities on corporate performance, focusing on managers. Unlike previous studies, this study identifies both non-financial and financial information security activities within managerial decision-making processes. Research variables were defined for this study based on previous studies. Table 1 lists the contents of the independent variables.

Table 2 presents the moderating and dependent variables to be tested, along with the independent and control variables, all of which were included simultaneously. Moderating variables, such as ISMS(P) and ISO/IEC certification status, are dummy variables. The control variables, reflecting general company characteristics, are dummy variables, similar to the independent variables. By contrast, the dependent variables, sales and operating profit, are continuous variables.

3.3. Analysis Method

In the first stage of the research analysis, a multiple regression analysis was conducted on the independent and control variables. In this study, the two dependent variables were analyzed separately, and the significance of the results was assessed. In other words, changes in sales (a growth indicator) and operating profit (a profitability indicator) were compared from the perspective of security management strategies.

Multiple regression analysis helps identify the relative magnitude and direction of each independent variable's influence on the dependent variable. It also reveals the interactions between the independent variables. This approach facilitates the analysis of complex and realistic research problems.

In particular, it is effective in confirming the pure influence of the main independent variable when the control variables that require control are included. For this purpose, IBM SPSS ver 30.0 was utilized [60,61,62].

In the second stage of the analysis, the presence or absence of an ISMS certification system was defined as a moderating variable. This study examined how the interaction between each independent variable and the moderating variable affected the dependent variables. As in multiple regression analysis, both dependent variables were verified using the same control variables for each independent variable. For this purpose, we used the Process macro ver 4.2 (Model 1) proposed by Hayes (2013) [16,63].

The statistical significance of the estimated regression coefficients was evaluated by considering the characteristics of the sample companies and the research objectives. Bootstrapping was conducted 5,000 times with a significant level set at 0.1. The 90% confidence intervals (LLCI and ULCI) were checked to determine whether they included zero.

3.4. Data Collection

Data on the sample companies were obtained from the “Information Security Disclosure Status” section of the Information Security Disclosure Comprehensive Portal (isds.kisa.or.kr). This portal is operated by the Korean Internet and Security Agency under the Ministry of Science and ICT. The dataset targeted 545 companies that disclosed their information between 2022 and 2024. The financial data for each company were obtained from the statistical data of the Samsung Securities Research Center.

One general characteristic of the sample companies is the “mandatory/voluntary” disclosure classification under an information security disclosure system. According to Article 13 of the Act on the Promotion of the Information Security Industry, companies that meet certain criteria are subject to mandatory reporting. These criteria include business sector, company revenue, and number of users. Such companies are required to report to the Korean Internet and Security Agency, a government-affiliated body.

By contrast, voluntary disclosure is available to all businesses that operate through information and communication networks. However, both mandatory and voluntary reporters must submit reports to the disclosure portal by June 30 of each year. Thus, the information security disclosure systems have a regulatory nature. This provides evidence that the research data obtained are objective and credible.

First, frequency analysis was conducted to understand the general characteristics of the research sample. The four variables representing the general characteristics of the research participants were disclosure type(voluntary or mandatory), industry type, IT industry status, and asset size. Table 3 lists the characteristics of the 545 companies in the research sample.

By confirming the general characteristics of the research participants, we found differences in the ratios between the variables. Therefore, we dummy-coded these variables and used them as control variables in the regression analysis. We also performed descriptive statistical analyses of the independent, moderator, and dependent variables. First, we calculated the frequencies and ratios of the independent variables and moderator variables, which were categorical variables, and the results of the analysis are shown in Table 4.

Next, we calculated the mean and standard deviation of the dependent variable, which was continuous. We then analyzed the skewness and kurtosis to assess whether the assumption of normality was satisfied. The assumption was considered met when the absolute value of skewness was less than 2 and the absolute value of kurtosis was less than 7, indicating that the data approximated a normal distribution [52]. The detailed analysis results are presented in Table 5.

The results of checking the skewness and kurtosis of sales and operating income, which measured as dependent variables, indicated that the normality assumption was not met. Therefore, in the actual research analysis, the data were transformed using a natural logarithm (ln). After applying a natural logarithm transformation, the skewness of sales and operating profits ranges from 0.013 to 0.194, satisfying the criterion of less than 2. The kurtosis ranged from 0.876 to 1.851, meeting the criterion of less than 7, thereby fulfilling the assumption of a normal data distribution [52].

Among the performance measurement indicators for corporate management, sales revenue is a widely used growth indicator. Sales revenue analysis is used to evaluate growth potential, innovation capacity, and the effectiveness of support policies of industries and companies [53,54,55]. Additionally, operating profit was used as an indicator to assess the quality of corporate growth, specifically profitability and sales revenue.

It is calculated by subtracting general administrative expenses, such as sales and labor costs, from the gross profit generated during the fiscal year. Operating profit is considered to be the performance metric most faithful to a company's fundamental business objectives [56]. It is widely used to measure performance in core areas of business management, such as R&D outcomes and financial analysis [57,58,59]. In this study, revenue and operating profit are used as dependent variables to verify the impact of security management activities on corporate performance.

4. Results

4.1. Verification Results of Research Hypotheses H1–H6

Table 6 presents the results of multiple regression analysis of sales revenue. First, in the analysis of the control variables related to a company's general characteristics, differences in autonomy/obligation, IT industry classification, and asset size were statistically significant. The analysis shows that companies with mandatory information security disclosure and those with larger asset sizes exhibit a positive (+) effect on sales revenue.

Among the independent variables, both internal and external security management activities had a statistically significant positive (+) effect. The other variables exhibited negative (-) effects. However, the results of the CISO + CIO dual role and IT investment ratio were also statistically significant, indicating research relevance despite the direction of the effect. Although the positive (+) effects were not confirmed, the observed negative (-) effects were statistically significant.

Based on the verification of the research hypotheses regarding sales revenue, H1 and H2 were accepted, while H3 through H6 were rejected.

Table 7 presents the results of the multiple regression analysis of the operating profit. Unlike with sales, the effect of the control variables was not statistically significant for IT industry classification. However, similar to the sales results, autonomy/obligation and asset size showed statistically significant correlations. Mandatory disclosure and larger asset size had a positive effect on operating profit, consistent with the sales findings.

The analysis of independent variables revealed that all were either statistically insignificant or showed effects contrary to the research hypotheses. However, similar to the sales analysis, the CISO + CIO dual role and IT investment ratio had statistically negative effects, contrary to the research hypotheses. These contrary effects differences were statistically significant.

These findings diverge from the conventional expectations, as was also observed in the sales results. This suggests that managers should adopt flexible security strategies tailored to their company’s characteristics and market conditions.

The results of the hypothesis testing for operating profit showed that H1 through H6 were rejected.

4.2. Results of the Moderating Effect Analysis for Research Hypothesis H7

4.2.1. Analysis of the Moderating Effects of ISMS (P) and ISO/IEC Certification Status on the Relationship Between Security Management Activities and Sales Revenue

Table 8 presents the results of the moderating effect analysis of the ISMS (P) and ISO/IEC certification system ownership on the relationship between security management activities and sales revenue. Unlike the previous multiple regression analysis, the independent variables were analyzed individually along with the control variables. Therefore, the findings for the same research variables varied slightly due to changes in the analytical model.

For the control variables, the same results were observed as those in the multiple regression analysis. The differences in autonomy/obligation, IT industry sector, and asset size are statistically significant for all six independent variables. Mandatory information security disclosure and larger asset size had a positive effect on sales revenue. In contrast, a negative effect was observed in the IT industry.

First, the F-test and R-squared (R²) values were examined to confirm the model fit for each independent variable. All six independent variables were statistically significant at the .001 level, with appropriate explanatory power. In particular, the R-squared (R²) statistic for the IT sector investment ratio is the highest at .708. All six regression models were statistically significant.

Individual regression coefficients were used to test the hypotheses based on the validated regression models. Internal security management activities (B = .312) had a statistically significant positive (+) effect at a .05 significance level. Companies that implement internal security management are expected to have higher sales than those that do not.

However, the interaction term with the moderating variable was not statistically significant. Therefore, the presence or absence of ISMS (P) and ISO/IEC certification does not moderate this relationship.

External security management activities are not statistically significant. In other words, they are expected to be unrelated to the sales revenue. Furthermore, the interaction term was also not statistically significant, confirming the absence of a moderating effect.

CISO’s sole responsibility was not statistically significant, but the interaction term with the moderator variable (B = .373) was statistically significant at the .05 level. In Hayes' (2017) process macro-analysis, the moderating effect in the research model is acknowledged if the effect of the interaction model is acknowledged [77,78,79]. In other words, the CISO alone is not a significant factor in influencing sales revenue. However, possessing ISMS(P) and ISO/IEC certifications is expected to have a reinforcing effect that positively moderates this relationship.

Further analysis is needed to understand how the interaction term, which was statistically significant, manifests itself. Therefore, the participants were divided into certified and non-certified groups. Significance was re-confirmed using a 90% confidence interval (LLCI, ULCI) from 5,000 bootstrapping iterations. Table 9 presents the results of the analysis.

The results showed that the effect of the CISO’s sole performance on sales revenue was relatively higher in companies that held ISMS (P) and ISO/IEC (B = .177) than in those that did not (B = -.196). However, the regression coefficients for all groups were not statistically significant because 0 was included in the 90% confidence interval of the bootstrapping method.

In other words, the moderating variable strengthens the relationship between the independent and dependent variables. However, because the influence of the independent variable was not significant, the effect could not be interpreted clearly [63,79]. Figure 2 presents the results of the analysis.

The CISO + CIO dual responsibility was not statistically significant. In other words, the dual roles of the CISO + CIO and sales revenue are expected to be unrelated. However, the interaction term (B=-0.468) was statistically significant at the .05 level. That is, the dual role of the CISO + CIO is not a variable that significantly affects sales revenue. However, the presence or absence of an ISMS(P) and ISO/IEC certification was found to have reinforcing effects in the same direction (negative).

Additionally, to confirm the significance of the interaction term, the sample group was divided based on the possession of certification systems. Bootstrapping was then performed 5,000 times to verify significance using a 90% confidence interval (LLCI, ULCI). Table 10 presents the results of this analysis.

The results show that companies with ISMS (P) and ISO/IEC (B = -0.548) had a greater relative impact than companies without them (B = -0.080). Furthermore, the regression coefficient of the group holding ISMS(P) and ISO/IEC was statistically significant, as it did not include zero within the 90% confidence interval of bootstrapping. Thus, the moderating variable strengthens the negative relationship between the independent and dependent variables. Although the directionality differs from the research hypotheses, it is significant. Figure 3 illustrates the results.

The proportion of investment in the IT sector (B = -2.340) had a statistically significant negative effect at the 0.001 level. Companies with an IT sector investment ratio of 3% or more relative to sales were expected to have lower sales than those with a lower ratio. Notably, the interaction term (B=1.364) was statistically significant at the .001 level.

In other words, the IT investment ratio had a significantly negative impact on sales. However, the presence or absence of ISMS(P) and ISO/IEC certification moderated this effect, reversing the relationship in a positive direction. Additionally, to confirm the significance of interaction term, the sample was divided, and 5,000 bootstrap resamples were conducted to generate 90% confidence intervals (LLCI and ULCI). Table 11 presents the results of this analysis.

The results showed that companies with ISMS (P) and ISO/IEC certification (B = -0.975) experienced a less negative effect than companies without such certifications (B = -2.340). Additionally, the regression coefficients of the two groups were statistically significant because the bootstrapping 90% confidence interval did not include 0. This indicates that the moderating variable had a positive (+) effect on mitigating the relationship between the independent and dependent variables. Figure 4 illustrates the results.

The investment ratio in the information security sector, however, was not statistically significant. In other words, it did not appear to be related to sales. The interaction term is not statistically significant, confirming the absence of a moderating effect.

The results of the hypothesis testing for the moderating effect on sales showed that H7-3 and H7-5 were accepted, while H7-1, 2, 4, and 6 were rejected.

4.2.2. Analysis of the Moderating Effect of ISMS (P) and ISO/IEC Certification Status on the Relationship Between Security Management Activities and Operating Profit

Table 12 presents the results of the analysis of the moderating effects of ISMS (P) and ISO/IEC certification status on the relationship between security management activities and operating profits. The analysis was conducted in the same manner as for sales revenue.

The control variables yielded different results compared to the analysis of sales revenue. The statistical significance of the differences in autonomy/obligation and asset size remained the same. However, among the independent variables, only the IT investment ratio was not statistically significant. This specifically relates to whether the company belongs to the IT industry.

However, as in the sales revenue analysis, all independent variables show a positive (+) effect on operating profit as the information security disclosure method becomes more mandatory and asset size increases. Similar to the sales results, this indicates a consistent positive trend. However, no correlation was found between the operating profits across different industries.

The F-test and R-squared (R²) values for all six independent variables were significant at the .001 level, confirming a good model fit and explanatory power. All six regression models were statistically significant. Hypothesis testing was performed by interpreting the individual regression coefficients based on the validated regression models.

Among the interaction terms between the six independent and moderator variables, only the IT sector investment ratio was statistically significant (B = 1.292, P < .01). The independent variable effect (B = -2.129) was also found to have a significant negative impact at the .001 significance level. This result is similar to the sales revenue findings. In other words, companies with an IT investment ratio of 3% or more relative to sales revenue are expected to have lower sales revenue than those without such an investment ratio.

However, it was confirmed that ISMS (P) and ISO/IEC certifications have a moderating effect that reverses this relationship to have a positive (+) effect on operating profit. Additionally, the significance of the interaction term was confirmed by dividing the sample group and conducting 5,000 bootstrapping runs to obtain 90% confidence intervals (LLCI and ULCI). Table 13 presents the results of this analysis.

Companies with ISMS(P) and ISO/IEC certification (B = -0.837) showed a relatively lower impact than companies without such certifications (B = -2.129). In addition, because the regression coefficients of the two groups did not include zero within the 90% confidence interval of bootstrapping, the results were statistically significant. In other words, the moderating variable had a positive (+) effect on mitigating the relationship between the independent and dependent variables. Figure 5 illustrates these results.

Among the moderating effects on operating profit, only H7-5 was accepted, whereas H7-1, 2, 3, 4, and 6 were rejected.

4.3. Summary Table of Research Hypothesis Verification Results

Table 14 summarizes the results of the verified research hypotheses. In the multiple regression analysis of sales, H1 and H2 were accepted. However, H4 and H5 were rejected because they showed results contrary to those of the research hypotheses, although both were statistically significant.

In the multiple regression analysis of operating profits, all research hypotheses were rejected. However, similar to sales revenue, H4 and H5 show results that are opposite to those of the research hypotheses, although they are also statistically significant.

In the moderating effect analysis of the ISMS (P) and ISO/IEC certification status on sales, H7-3 and H7-5 were adopted. However, H4 and the interaction term with the CISO + CIO dual role were rejected because they showed the opposite direction of the research hypothesis, but they were statistically significant.

In the moderating effect analysis of ISMS (P) and ISO/IEC certification status on operating profits, H7-5 was adopted.

5. Discussion

This study yielded five meaningful points for discussion.

First, although sales and operating profits share commonalities as dependent variables for verifying corporate performance, they are not identical. They produced different results in terms of independent and moderating variables and responses. This indicates that managers should adopt flexible strategic decisions when seeking to achieve management goals through security management activities.

Specifically, H1 (internal security management activities) and H2 (external security management activities) were adopted for sales, but were not supported for operating profits. This suggests that internal and external security management activities incur costs related to information security, which may negatively impact operating profits. However, the positive benefits gained from these activities, such as improved work efficiency and an enhanced external image, are relatively greater. As a result, the overall effect may be favorable for corporate performance.

Seo (2015) argues that corporate security activities can overcome cost issues arising from investment in management resources and improve operational efficiency and market competitiveness, ultimately increasing corporate profits [5]. Thus, corporate security activities should be accepted as part of an active management strategy.

Shin (2021) also confirmed that security activities in the manufacturing industry can lead to improved management performance by improving business processes in the production process [67]. Therefore, instead of focusing on the loss of management resources due to increased costs in the management sector caused by internal and external security management activities, a different perspective is required. It is important to consider that the benefits of corporate performance may also be greater.

Second, the perception that security management activities lead only to unnecessary investments in information security or increased management costs should be discarded. These activities should not be viewed as obstacles to management. Instead, they should be accepted as essential elements of management innovation.

Specifically, we did not confirm whether H7-3, the sole responsibility of the CISO, had any impact on sales. However, the interaction with information security management tools was found to have a statistically significant positive effect. This suggests a moderating role of these tools in enhancing relationships. This can be accepted as an example of how strict security management activities can act as innovation factors.

In addition, in a multiple regression analysis of the control variables, companies obligated to disclose information security showed a statistically significant positive effect on corporate performance. This is in comparison with companies that voluntarily disclose. These results further support this hypothesis.

Furthermore, Byun (2019) stated that personal information protection activities regulated by legal systems can enhance the competitiveness of IT companies [11]. Jung (2007) argued that government regulations paradoxically stimulate technological innovation in companies [12]. This demonstrates that information security, although regulated, has broader implications. It can also act as an innovative element that enhances corporate competitiveness through the improved operational efficiency resulting from regulatory compliance.

Third, in a growth-oriented management structure requiring significant strategic investment in IT, short-term financial performance may not fully reflect the benefits of security management activities. It is important to recognize that such benefits may take time to materialize. The results of multiple regression analysis of the control variables support this view. They showed that the positive effect on corporate performance is more pronounced in manufacturing industries and companies with larger asset sizes, whereas the negative effect is more noticeable in the IT industry.

Additionally, in the multiple regression analysis of the independent variables, H4 (when the CISO and CIO are combined) and H5 (when the investment ratio in the IT sector increases) also show a significant negative impact. In other words, management activities such as combining the CIO’s role with IT system operations or increasing direct investment levels in the IT sector have a negative impact on financial performance.

Contrary to the findings of this study, Alharbi and Gregg (2022) and Mithas and Rust (2016) state that increased investment in IT has a positive impact on corporate performance. Of course, these studies did not simply emphasize investment in IT. They emphasized the importance of harmony with IT security investments [80] and alignment with corporate management strategies [14].

However, even after setting aside the ongoing IT debate since Robert Solow's (1987) IT Productivity Paradox [31], the issue remains relevant. Managers' choices regarding the proportion of their investment in the IT sector should be flexible. These decisions must account for corporate characteristics and the business environment.

Lee, Shin, and Lee (2022) also revealed in their study on the introduction of 4th industrial revolution technologies and corporate productivity that the outcomes vary among companies. They note that the results of introducing new technologies such as IT may appear with a time lag [19].

Additionally, Winarno, Tjahjadi and Irwanto (2021), as well as Park, Koo, Ham and Lee (2006), presented similar findings. They showed that financial returns on resources invested in IT informationization and other growth foundations require a certain amount of time. These results partially support the findings of the present study.

Fourth, information security management tools, such as ISMS, should be flexibly considered for adoption by companies with a future growth-oriented management structure. Specifically, in the moderation effect analysis of ISMS(P) and ISO/IEC certification status on sales revenue, the adoption of information security management tools had a notable impact. The strategic use of tools such as the ISMS significantly strengthened the negative effect of H7-4 (CISO+CIO dual-role operation). This also mitigates the negative effect of H7-5 (IT investment ratio), shifting it in a positive direction.

Notably, the moderating effect of mitigating the negative impact of the proportion of IT investment on the IT department was also confirmed. Based on these findings, two security management strategies are proposed.

First, for small and medium-sized venture companies or technology-based firms, where R&D is a core management strategy, having a CISO + CIO dual role may be unavoidable. In such business environments, the timing of adopting information security management tools, such as an ISMS, should be flexibly applied based on the company’s situation. For example, when small-scale, R&D-focused IT-based technology companies need to launch products or services quickly, strict adoption of tools such as an ISMS may not be suitable. In such cases, these tools may hinder competitiveness in fast-paced environments.

Research on the effects of the CISO’s dual roles and the mutual effects between the CISO and the ISMS is an important area of interest in information security. Choi and Kim (2024) measured the correlation between the CISO’s dual roles and the adoption of information security management tools, such as ISMS [30]. Additionally, Ciekanowski et al. (2024) explored how the CISO's role within the organization affects ISMS. They concluded that the CISO's strategic operations help prevent cybersecurity incidents and secure sustainable competitive advantages [28].

However, this analysis has limitations when proposing security management strategies tailored to corporate characteristics. It is also difficult to use these findings as a basis for determining the timing of ISMS implementation or identifying the appropriate target group of companies.

The next proposed security management strategy is that, in a corporate environment where continuous investment in IT is required, the adoption of information security management tools, such as ISMS, should be actively considered. Even if continuous investment in IT results in short-term negative effects on external growth and adds to ongoing management burdens, these challenges should not discourage action. It is still advisable for managers to consistently implement security management activities. This includes the adoption of ISMS and other information security management tools.

This is particularly effective for large companies with sufficient financial capacity to withstand short-term financial burden. This is supported by the results of the multiple regression analysis on the control variables, which showed that the larger the asset size, the more significant the positive impact on sales and operating profits.

In particular, Ilmudeen and Bao (2018) [15] empirically demonstrated the full mediating effect of IT resource management capabilities on corporate performance. This finding indirectly supports the results of this study. This reinforces the moderating effect of information security management tools such as ISMS, which incorporate managerial elements related to IT resources [15].

Finally, this reflects the research results showing that the proportion of investment in information security is unrelated to corporate performance. New investments in information security technology or security equipment are expected to be integrated into IT information systems as subordinate components. Due to the technical characteristics of IT, these investments are often patched together, resulting in concurrent investments. This is because they coexist within the IT Governance environment, making it difficult to discern their individual effectiveness [39,80].

In a study by Shariffuddin and Mohamed (2020), which effectively explained the importance of IT Governance, it was confirmed that investments in IT and information security sectors cannot be separated [39]. Many previous studies have recognized the introduction of new security equipment or security technology as an element of innovation. They expect technological innovation to improve corporate performance [82].

However, it is now expected that this will be interpreted differently. Owing to changes in the IT environment, the IT sector cannot be separated from the information security sector.

6. Conclusions

This study verifies whether the security management activities implemented by managers in business practices affect the financial performance of companies, such as sales. In particular, this study confirms the moderating effect of information security management tools, such as the ISMS. It contributes academically by proposing practical policies and indirectly demonstrating that security management activities are elements of innovation.

6.1. Practical Implications

First, it can raise managers' awareness of the increased business risks posed by security incidents such as IT hacking and information leaks. Heightened awareness is crucial for proactive risk management. In addition, it can provide a decision-making guide for strategic security management activities tailored to each company’s characteristics and business environment.

Second, it provides a basis for reevaluating the role and strategic position of the CISO. This is important to realize the positive business benefits of security management activities. These benefits include improved operational efficiency and enhanced external trust.

Third, it can help raise awareness that the adoption and maintenance of information security management tools, such as ISMS, are necessary from a strategic management perspective.

6.2. Academic Implications

First, research on information security should not be limited to the prevention of cybersecurity incidents at the national or corporate levels. Managers should be accepted as essential elements of innovation, moving beyond the traditional concept of information security. Ultimately, this should be expanded to the concept of security management and incorporated into technology management.

Second, starting with this study, we can expect that research variables related to security management will continue to be developed, leading to the emergence of various follow-up studies.

6.3. Limitations of the Study and Future Research Directions

First, the latent variables influencing the relationship between corporate security management activities and financial performance are not clearly defined. This study mainly focused on an objective analysis. Consequently, there was insufficient consideration of the exploratory and qualitative components.

Second, while this study focused on a cross-sectional empirical analysis of its research objectives, measuring the longitudinal changes in each research variable could yield more robust results. In particular, observing IT investments over the long term could enrich the connections with prior studies.

Third, further subdivision of the sample companies is necessary to address the diverse research objectives more effectively. This allows for a more detailed and targeted analysis. In particular, securing additional research samples from small and medium-sized venture companies would be valuable. This would enable meaningful exploration of the security management activities of early stage firms with less than 300 billion KRW in revenue, which was not the focus of this study.