A solid cybersecurity governance structure (inclusive of cyberrisk management) should entail clear accountability for cybersecurity and unequivocal authority for cyber decision making within an organization. It is useful to view cybersecurity governance through the prism of one of the most recognized normative models of governance and risk management: the Three Lines Model (formerly the Three Lines of Defense Model). The Three Lines of Defense Model established a layered approach to management: The first line is the frontline IT function accountable for the implementation of security controls; the second line is in charge of risk management policies, monitoring the first line’s controls and ensuring compliance (internally and externally); and the third line is the independent assurance and advice on the quality of overall cyberrisk governance provided by the internal audit function.
One of the criticisms of the traditional Three Lines of Defense Model was its focus on the defense side of cyberrisk management. It did not explicitly recognize the role of executive management and the board of directors in cyber governance, despite numerous high-profile legal disputes specifically targeting top-level leaders. In 2020, the updated and extended Three Lines Model was proposed with a view to addressing those flaws and explicitly acknowledging the role of the upper two layers.[1] The revised model effectively entails five lines of accountability: Executive management is the fourth line, in charge of managing the organization and allocating resources to cyberrisk management (in alignment with enterprise risk management [ERM]); and the board is the fifth line, in charge of endorsing an organization’s risk appetite and overseeing whether executive management’s actions align with risk tolerance.
While involving actors at all levels of the organizational hierarchy is a recurring theme, the model stands out as the benchmark for governance best practices. It provides an effective approach to summarizing the comprehensive organizational involvement recommended by both professional organizations and academics.
Based on observations of organizational practices, many enterprises have not adopted either the original Three Lines of Defense or the updated Three Lines Model. In a study by the Association of Chartered Certified Accountants (ACCA) and the Chartered Accountants Australia and New Zealand (CA ANZ), more than 60 percent of organizations placed the accountability for cybersecurity within the IT function.[2] Furthermore, only one-third of the large organizations surveyed considered cyberrisk management a responsibility of the C-suite. To help governance specialists and consultants understand how rigorously organizations should adopt the model and what model best suits their needs, a field research study addressing this question was recently conducted.[3]
The Research
The field research was conducted by researchers at the University of Queensland (Brisbane, Australia) during 2021-2022. The purpose of the study was to investigate the governance configurations that organizations adopt for managing cybersecurity and why it matters whether organizations adopt the updated Three Lines Model. A further aim was to identify the factors that impact the adoption of simple or complex governance configurations. The researchers examined the adoption of the Three Lines Model by considering how well the organizations defined and segregated the lines of accountability, the roles within those lines, and how engaged cybersecurity governance professionals in the participating organizations were. The research involved five multibillion-dollar organizations operating in different sectors, all of which faced significant exposure to cyberrisk. In each organization interviews were conducted with three to five key senior individuals who held responsibilities for delivering, managing, assuring and overseeing cyberrisk management, from the first line to the board members. The researchers conducted 24 semistructured interviews that followed a common theme while tailoring the questions to participants’ roles and responsibilities (figure 1).
Status Quo
The study shows that many organizations have only recently recognized the importance of well-defined and transparent structures in cybersecurity governance and risk management. Although boards and executive managers indicated greater familiarity with different accountability lines, they were not inclined to strictly follow the updated Three Lines Model. The model has been promoted mostly by external consultants who seem to have a key influence on the adopted governance configuration.
The researchers examined how organizations consciously strike a balance between what is an efficient model (given their size, exposure and risk appetite) and what makes their adopted governance model legitimate (i.e., perceived as corresponding to established practice).
Segregation and Organization of Roles
Except for the bank, none of the organizations segregated the implementation of controls from their monitoring. The responsibilities typical of the first and second lines were often divided among multiple individuals, functions and units, resulting in a granular and entangled structure. In many cases, the second line’s responsibility for monitoring controls and providing assurance was combined with operational tasks, resulting in a close integration of roles and functions. A partial explanation for this approach is that most organizations aim to deliver a holistic cybercapability efficiently and effectively. This approach leads them to avoid segregating the first two lines, often driven by the hyperdynamic nature of the cyber environment that brings frequent changes in cyberrisk management positions and expands the role of cybersecurity within organizations. Consequently, governance structures, accountability lines and reporting are often adjusted on the fly.
As a cybersecurity team manager explained during one interview, “Level one, level two, level three is probably a formula too slow to respond. That structure going up the chain—by the time it gets to someone who actually knows what they are doing, the opportunity is gone.”
A chief information security officer (CISO) made a similar observation in an interview, noting that “the Three Lines Model taxonomy does not suit cybersecurity. It does not provide sufficient categories to be able to measure results correctly and ensure that you have got the right remediation processes based on the category to drive a particular outcome. So, we are currently trying to align industry standard cybersecurity taxonomy with group risk.”
Furthermore, as a chief information officer (CIO) pointed out in an interview, the dynamic and swiftly evolving circumstances necessitated a prompt redefinition of roles: “When we set out on this journey, we set it out such that we were going to have a number of roles. Three years later, we have got totally different roles because the nature of the threat has changed, and where that threat is from, and what is required to face it. It is dynamic.”
Internal Audit
Although organizations are increasingly aware of the importance of maintaining the independence of the internal audit function, professionals in the first two lines at times perceive internal audit’s role as relatively marginal in cybersecurity governance. This perception is mainly due to the extensive scope of cyberrisk management and the limited timeliness of the work conducted by internal audit. Because internal auditors typically review components of cyberrisk management annually, following a long-term audit schedule, audit cycles can last three to five years. This approach seems to hinder internal audit’s capacity to provide a comprehensive and timely assessment of the effectiveness of cyberrisk management. Given the rapidly evolving cybersecurity landscape, extended audit cycles may not align with the urgency required to address emerging threats and vulnerabilities effectively. This limitation impacts internal audit’s ability to deliver real-time insights and assurance to organizational stakeholders on the state of cyberrisk management effectiveness.
In terms of segregation of roles, although the first and second lines collaborate actively, the independence of internal auditors comes at the expense of their perceived relevance. In the research, internal auditors themselves acknowledged that cyberrisk management was not yet fully developed, which led to some critical tasks being duplicated and carried out separately by both the second and third lines. An example is conducting separate and disparate assessments of cyberrisk.
External Assurance Providers
At the same time, significant stakeholders in cybersecurity governance are external assurance providers. As one risk manager noted in an interview, “We hire external consultants. It is very difficult to benchmark performance against the industry because people do not share the data. … When an attack has occurred in the industry, we ask ourselves, ‘How does it apply to us?’”
External providers offer several advantages that complement the role of internal audit or the CISO. They possess valuable insights into the practices of other organizations within the same industry, thus providing a broader understanding of effective cybersecurity strategies and responses to common challenges. This cross-industry knowledge enables external providers to offer valuable benchmarking and best practice advice that enhances an organization’s cyberrisk management efforts.
Organizational structures and rapid environmental changes also influenced the perspectives of executive managers and board members interviewed. They placed less importance on the disclosure of material noncompliance with internally set systems and focused more on understanding emerging threats and industry developments to ensure their organization was staying ahead. This viewpoint highlights the value of external assurance providers, who possess knowledge of approaches used by other organizations in the industry.
Although the researchers’ interviewees acknowledged that technical controls were bottom-up driven, they maintained that governance, risk and compliance (GRC) functions needed to be orchestrated top-down.
Top Executives and Boards
The participating organizations recognized the importance of executives’ engagement in cyberrisk management; however, their understanding of cybersecurity was often at a high level, and they relied heavily on CIOs, CISOs and security specialists for detailed reports.
The researchers saw the bottom-up reporting approach as limiting the proactive involvement of executive management.
The study’s findings also indicate that boards have not fully embraced their role and accountability as the fifth line in cyber governance. Rather than constructively challenging cyberreports and providing independent views, boards were often passive recipients of such reports. To move beyond a token, box-ticking approach, boards need to acquire competencies and experience in the cyber, digital and IT areas to establish themselves as an independent line of accountability. Recently, regulatory bodies such as the US Securities and Exchange Commission have recognized the need for improved board involvement.[4]
Disparities in information and competency levels between cybersecurity specialists on one side and executive management and boards on the other were evident in cyberrisk management reporting. CISO and CIO interviewees indicated that they received minimal guidance from the top and that only high-level requirements were set. Aware of the knowledge imbalance, they often followed a management-by-exception approach, escalating issues to the board only when necessary to avoid too-frequent alarms. Boards’ primary concerns relating to cybersecurity were comparing investment levels to peers and identifying emerging threats. The informal power derived from competency and information asymmetry often led to disproportionate reliance on a single individual in cyberrisk management.
Strengthening All Lines of Accountability in Cybersecurity Governance
Despite the relatively small sample utilized, the researchers confidently concluded that explicit adoption of the five lines of accountability in cyberrisk governance was uncommon. Organizations appeared to pursue two main objectives when making decisions about their cyber governance configuration: adhering to best practices and efficiently mitigating cyberrisk. When faced with uncertainty about the optimal approach to cyberrisk management and governance, one of the primary reasons they adopted a specific cybersecurity governance approach was to establish legitimacy. This is crucial, as illegitimate governance practices may lead to additional cyberrisk, such as litigation and damage to reputation. Further, the organizations often deviated from the Three Lines Model to achieve a more efficient configuration obtained by blending the first two lines. Lack of engagement is also a sign of nonadoption or ostensible adoption of the five lines (i.e., the expanded model including engagement by senior executives and the board). That was observed particularly for the fourth and fifth lines. Some recommendations for organizations that want to bolster cyber governance accountability include:
- Evaluate adoption of the five lines of accountability—Organizations should assess the extent to which adopting the five lines of accountability is appropriate in their specific context. This assessment needs to balance the legitimacy of their cybersecurity governance and maximize the efficiency and effectiveness of their cyberrisk management. In other words, cyber governance needs to be proportionate to an organization’s exposure, risk appetite, complexity and size, and it needs to align with regulatory requirements.
- Consider segregation of lines—Although the Three Lines Model offers greater flexibility in configuring the lines, enabling more cooperative and integrated structures in comparison to the traditional Three Lines of Defense Model, it also places a stronger emphasis on the responsibilities of the relevant governance actors.
- Establish agility and efficiency as key drivers in configuring cybersecurity governance—In some cases, blending the first two lines might be more suitable because segregating them could slow down response times and lead to disproportionate costs relative to size. Cooperation between the second and third lines has consistently been found to increase the effectiveness of cyberrisk management.[5] Co-sourcing or outsourcing certain tasks, such as scanning the environment and identifying emerging threats, can also be strategic as a means of effectively sense-checking emergent dangers.
- Clarify accountability roles—To avoid duplication of tasks or gaps in the assurance function, it is essential to clarify accountability roles among different lines. Clear delineation of responsibilities ensures effective and efficient management of cyberrisk. For example, an assessment of cyberrisk can be jointly performed by the second and third lines, but an assurance plan that sets out who does what needs to be implemented.
- Increase engagement of executive management—Greater engagement by the fourth line of executive management would ensure buy-in from the roles in charge of resource allocation. Academic research robustly indicates that top leadership support increases the effectiveness of cyberrisk management.[6] Executive management can ensure that other roles are involved ad hoc in cyberrisk management—for example, risk managers, accountants, lawyers and salespeople may have a role in cyberrisk assessment.
- Enhance professionalization of the boards—Strengthening the fifth line of accountability can lead to more holistic cyberrisk management and governance.[7] From offering training to increase cyberawareness to creating specialized certifications for board members, stronger accountability measures can improve boards’ engagement and oversight when dealing with cybersecurity matters.
Overall, implementing these recommendations will help organizations optimize their cyber governance, enhance cyberrisk management practices and establish a robust framework to address emerging cyberthreats effectively.
Conclusion
This study highlights a significant gap in the adoption of the five lines of accountability in cyberrisk governance. Many organizations prioritize legitimacy and efficiency, often deviating from standard models by not using all five lines or by merging the first two lines for greater efficiency.
Organizations should assess the fit of the five lines based on specific organizational context. In some cases, merging lines can boost response times and cost-effectiveness. In addition, organizations should ensure distinct responsibilities in roles to avoid overlaps and gaps, increase involvement from executive management for better resource allocation and support, and enhance the fifth line (boards) through training and communication for holistic management.
Although the landscape of cyberrisk is complex, a balanced and agile approach to governance can equip organizations to effectively tackle emerging cyberthreats.
Endnotes
1 The Institute of Internal Auditors (IIA), The IIA’s Three Lines Model, USA, July 2020, http://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf
2 Association of Chartered Certified Accountants (ACCA), Certified Accountants Australia and New Zealand (CA ANZ), Macquarie Group Limited, Optus, Cyber and the CFO, UK, May 2019, http://www.charteredaccountantsanz.com/-/media/a82de353ba15474ead28028e53b5b416.ashx
3 Slapničar, S.; M. Axelsen; I. Bongiovanni; D. Stockdale; “A Pathway Model to Five Lines of Accountability in Cybersecurity Governance,” International Journal of Accounting Information Systems, vol. 51, December 2023, http://doi.org/10.1016/j.accinf.2023.100642
4 US Securities and Exchange Commission, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” 26 July 2023, http://www.sec.gov/news/press-release/2023-139
5 Steinbart, P.; R. Raschke; G. Gal; W. Dilla; “The Influence of a Good Relationship Between the Internal Audit and Information Security Functions on Information Security Outcomes,” Accounting, Organizations and Society, vol. 71, November 2018, http://doi.org/10.1016/j.aos.2018.04.005
6 Haislip, J.; G. Peters; V. Richardson; “The Effect of Auditor IT Expertise on Internal Controls,” International Journal of Accounting Information Systems, vol. 20, April 2016, http://doi.org/10.1016/j.accinf.2016.01.001; Slapničar, S.; T. Vuko; M. Čular; M. Drašček; “Effectiveness of Cybersecurity Audit,” International Journal of Accounting Information Systems, vol. 44, March 2022, http://doi.org/10.1016/j.accinf.2021.100548; Smith, T.; A. Tadesse; N. Vincent; “The Impact of CIO Characteristics on Data Breaches,” International Journal of Accounting Information Systems, vol. 43, December 2021, http://doi.org/10.1016/j.accinf.2021.100532; Vincent, N.; J. Higgs; R. Pinsker; “Board and Management-Level Factors Affecting the Maturity of IT Risk Management Practices,” Journal of Information Systems, vol. 33, iss. 3, 1 September 2019, http://doi.org/10.2308/isys-52229
7 Gale, M.; I. Bongiovanni; S. Slapničar; “Governing Cybersecurity From the Boardroom: Challenges, Drivers, and Ways Ahead,” Computers & Security, vol. 121, October 2022, http://doi.org/10.1016/j.cose.2022.102840
Ivano Bongiovanni, Ph.D.
Is a lecturer on information security governance, leadership and policy at the University of Queensland Business School (Brisbane, Australia). Bongiovanni is a researcher, consultant, author and speaker with a background in risk and security whose work focuses on the managerial and business implications of cybersecurity. He is a graduate of the Australian Institute of Company Directors. His most recent publications include Women in Cyber: Exploring the Barriers, Redesigning the Profession, “Designing a Financial Quantification Model for Cyber Risk: A Case Study in a Bank,” and “Governing Cybersecurity From the Boardroom: Challenges, Drivers, and Ways Ahead.”
Sergeja Slapničar, Ph.D., CPA
Is associate professor of accounting at the University of Queensland Business School (Brisbane, Australia). She researches accountability, performance measurement, cybersecurity risk management, assurance and governance. She is on the editorial board of the Journal of Management Control, the Journal of Accounting and Organizational Change and Behavioral Research in Accounting. She has extensive board experience, serving as a nonexecutive director in public-listed companies and Slovenian government agencies. Slapničar has trained more than 1,000 executive and nonexecutive directors in accounting, finance and cybersecurity risk management for various professional bodies, including ISACA. She also serves on the education committee of the Institute of Internal Auditors Australia.
Micheal Axelsen, Ph.D., CPA
Is a senior lecturer (business information systems) and deputy director of teaching and learning (commerce) at the UQ Business School, University of Queensland (Brisbane, Australia). He is an experienced information systems professional and accountant with 15 years of experience in business consulting, including the evaluation of IS projects, IS audit, and IT management and governance. His published research areas include the use of intelligent decision aids, information systems audit and IT governance. Axelsen chaired the IT and Management Centre of Excellence for CPA Australia. He is also a platinum-level member of ISACA.
David Stockdale, Ph.D.
Is the chief information security officer at the University of Queensland (Brisbane, Australia). He has had a career spanning 40 years, working in electronics engineering, astrophysics, IT infrastructure and cybersecurity. Over the last seven years in his joint position as Director of AusCERT, he has been instrumental in further building the services that the second-oldest CERT in the world offers to its community of members. Within cybersecurity, he is an advocate for people, people, people, processes and technology, believing that along with good cybersecurity governance and emerging technologies, people are the main source of strength needed to address increasing cyberthreats.