This retrospective case report aimed to evaluate the impact of information security compliance in research programs across a large federal healthcare organization. The authors sought to discern whether the methodologies employed for promoting and ensuring compliance delivered the expected benefits and produced a more informed basis for employee decision-making. Data collected from compliance report assessments conducted at 103 federal research programs were reviewed and analyzed by clustering into three primary groupings (procedural, technological and behavioral). While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, and the highest rates of noncompliance were identified in the behavioral category and observed across all areas of analysis, signifying the need for a more comprehensive approach to information security oversight and compliance strategies, with specific consideration of the factors that influence human behavior.
Published in: American Journal of Operations Management and Information Systems (Volume 5, Issue 2)
DOI: 10.11648/j.ajomis.20200502.12
Page(s): 25-28
Creative Commons: This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.
Copyright: Copyright © The Author(s), 2020. Published by Science Publishing Group
Keywords: Information Security, Research, Behavior, Compliance, Risk, Policy, Oversight
APA Style
Sweden De Matas, Brendan Keegan. (2020). Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor. American Journal of Operations Management and Information Systems, 5(2), 25-28. https://doi.org/10.11648/j.ajomis.20200502.12
ACS Style
Sweden De Matas; Brendan Keegan. Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor. Am. J. Oper. Manag. Inf. Syst. 2020, 5(2), 25-28. doi: 10.11648/j.ajomis.20200502.12
AMA Style
Sweden De Matas, Brendan Keegan. Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor. Am J Oper Manag Inf Syst. 2020;5(2):25-28. doi: 10.11648/j.ajomis.20200502.12
BibTeX
@article{10.11648/j.ajomis.20200502.12,
  author   = {Sweden De Matas and Brendan Keegan},
  title    = {Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor},
  journal  = {American Journal of Operations Management and Information Systems},
  volume   = {5},
  number   = {2},
  pages    = {25-28},
  doi      = {10.11648/j.ajomis.20200502.12},
  url      = {https://doi.org/10.11648/j.ajomis.20200502.12},
  eprint   = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajomis.20200502.12},
  abstract = {This retrospective case report aimed to evaluate the impact of information security compliance in research programs across a large federal healthcare organization. The authors sought to discern whether the methodologies employed for promoting and ensuring compliance delivered the expected benefits and produced a more informed basis for employee decision-making. Data collected from compliance report assessments conducted at 103 federal research programs were reviewed and analyzed by clustering into three primary groupings (procedural, technological and behavioral). While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, and the highest rates of noncompliance were identified in the behavioral category and observed across all areas of analysis, signifying the need for a more comprehensive approach to information security oversight and compliance strategies, with specific consideration of the factors that influence human behavior.},
  year     = {2020}
}
RIS
TY - JOUR
T1 - Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor
AU - Sweden De Matas
AU - Brendan Keegan
Y1 - 2020/07/28
PY - 2020
N1 - https://doi.org/10.11648/j.ajomis.20200502.12
DO - 10.11648/j.ajomis.20200502.12
T2 - American Journal of Operations Management and Information Systems
JF - American Journal of Operations Management and Information Systems
JO - American Journal of Operations Management and Information Systems
SP - 25
EP - 28
PB - Science Publishing Group
SN - 2578-8310
UR - https://doi.org/10.11648/j.ajomis.20200502.12
AB - This retrospective case report aimed to evaluate the impact of information security compliance in research programs across a large federal healthcare organization. The authors sought to discern whether the methodologies employed for promoting and ensuring compliance delivered the expected benefits and produced a more informed basis for employee decision-making. Data collected from compliance report assessments conducted at 103 federal research programs were reviewed and analyzed by clustering into three primary groupings (procedural, technological and behavioral). While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, and the highest rates of noncompliance were identified in the behavioral category and observed across all areas of analysis, signifying the need for a more comprehensive approach to information security oversight and compliance strategies, with specific consideration of the factors that influence human behavior.
VL - 5
IS - 2
ER -