Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor
American Journal of Operations Management and Information Systems
Volume 5, Issue 2, June 2020, Pages: 25-28
Received: Jun. 24, 2020; Accepted: Jul. 8, 2020; Published: Jul. 28, 2020
Sweden De Matas, Office of Research Oversight, Department of Veterans Affairs, Washington DC, United States
Brendan Keegan, Office of Research Oversight, Department of Veterans Affairs, Washington DC, United States
This retrospective case report aimed to evaluate the impact of information security compliance in research programs across a large federal healthcare organization. The authors sought to discern whether the methodologies employed for promoting and ensuring compliance delivered the expected benefits and produced a more informed basis for employee decision-making. Data collected from compliance report assessments conducted at 103 federal research programs were reviewed and analyzed by clustering them into three primary groupings (procedural, technological and behavioral). While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, and the highest rates of noncompliance were identified in the behavioral category and observed across all areas of analysis. This signifies the need for a more comprehensive approach to information security oversight and compliance strategies, with specific consideration of those factors that impact human behavior.
Sweden De Matas, Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor, American Journal of Operations Management and Information Systems. Vol. 5, No. 2, 2020, pp. 25-28.