Indirect effect of management support on users’ compliance behaviour towards information security policies

Humaidi, Norshima; Balakrishnan, Vimala

doi:10.1177/1833358317700255

Cited by 32 publications

(37 citation statements)

References 64 publications

(86 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Similar vulnerabilities in hospitals are also observed in other countries [13][14][15][16]. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by health care IT security professionals [17,18].…”

Section: Introductionmentioning

confidence: 60%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Jalali

Kaiser

2018

SSRN Journal

View full text Add to dashboard Cite

show abstract

Section: Introductionmentioning

confidence: 60%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Jalali

Kaiser

2018

SSRN Journal

View full text Add to dashboard Cite

show abstract

“…Similar vulnerabilities in hospitals are also observed in other countries [13][14][15][16]. Specifically, pressure from the board of directors appears to be essential in creating substantive cyber-resiliency, as research shows that hospital management support is essential for user compliance with information security policies, which in turn are written by healthcare IT security professionals [17,18].…”

Section: Introductionmentioning

confidence: 67%

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Jalali¹,

Kaiser²

2018

Preprint

View full text Add to dashboard Cite

Background: Cybersecurity incidents are a growing threat to the healthcare industry in general and hospitals in particular. The healthcare industry has lagged behind other industries in protecting its main stakeholder (i.e., patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done, because hospitals are extraordinarily technology-saturated, complex organizations with high endpoint complexity, internal politics, and regulatory pressures. Objective: The purpose of this study was to develop a systematic and organizational perspective for studying: 1) the dynamics of cybersecurity capability development at hospitals; and 2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the U.S. Methods: We conducted interviews with hospital CIOs, CISOs, and healthcare cybersecurity experts, analyzed the interview data, and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then use simulation analysis to examine how changes to variables within the model affect the likelihood of successful cyberattacks across both individual hospitals and a system of hospitals. Results: From the interviews, we discover several key variables that hospitals use to reduce the likelihood of cyber-criminal activity, including internal stakeholder alignment, pressures to improve cybersecurity capabilities, and endpoint complexity. Our simulation results show that the variable with the most dramatic impact on reducing cyber-attack at hospitals is endpoint complexity, followed by internal stakeholder alignment. While resource availability was important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated against by setting a high target level of cybersecurity. Furthermore, high variabilities in resource availability and endpoint complexity across a system of hospitals made the whole system more vulnerable to cyber-attacks. Conclusions: In order to enhance cybersecurity capabilities at hospitals, the main focus of CIOs and CISOs should be on reducing endpoint complexity and improving internal stakeholder alignment. In a large system of hospitals, if variabilities in endpoint complexity and resource availability are reduced, then the whole system is made less vulnerable. This provides some support to decisions made by smaller hospitals to outsource information security functions to larger organizations, and suggests that policies should raise the target floor of capabilities to a point that reduces the variability across the entire healthcare system. This study assists health care leaders to better understand the range of outcomes resulting from strategic decisions of cybersecurity capability development, so that they can better reduce the vulnerabilities that hospitals have today.

show abstract

“…40 Health care leaders and managers should also recognize the importance of information security and foster an environment that is conducive to achieving protecting the data of the organization, including patient information. 41 Future work should investigate the alignment of the information security programs at healthcare facilities and the existing national strategies, policies, regulations, and frameworks. 42 This alignment should also include the training of relevant stakeholders at every level, both inside and outside the healthcare system (e.g., insurance companies, law enforcement agencies, etc.).…”

Section: Recommendationsmentioning

confidence: 99%

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

et al. 2021

View full text Add to dashboard Cite

Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce? Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior. Results A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude. Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.

show abstract

Indirect effect of management support on users’ compliance behaviour towards information security policies

Cited by 32 publications

References 64 publications

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Cybersecurity in Hospitals: A Systematic, Organizational Perspective (Preprint)

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

Contact Info

Product

Resources

About