Article

Information security climate and the assessment of information security risk among healthcare employees

Abstract

Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act-covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.

... Pullin [45], Sedlack [55] Apply a holistic, integrated approach to improve staff awareness, competence, and mitigation of threats Gordon et al [56] Implement cybersecurity training programs and cybersecurity awareness campaigns NHS Digital [57] Apply the NCSC's e Board Toolkit to raise board-level security awareness Alzahrani [58] Provide comprehensive employee training and education to enable the identification and assessment of risks Kessler et al [59] Implement a positive organizational climate to influence people's behavior ...
... However, there is not enough work on training programs tailored to the pandemic such as COVID-19-themed social engineering, although the world is realizing the importance of raising the awareness of COVID-19-related cyberattacks [58]. Existing research shows that positive organizational climate can influence people's behavior [59]. ...
... Moreover, a positive and empowering culture is also required (eg, by sharing the rate of people who did not click on phishing-negative emails during a training campaign). Experience can be borrowed from the organizational climate literature to positively influence people's behavior [59]. ...
Article
Background: Coronavirus disease (COVID19) has challenged the resilience of the healthcare information system (HIS), which has affected the ability to achieve the global sustainable goal of health and wellbeing. This research is motivated by the recent cyber-attacks that have happened to the hospitals, pharmaceutical companies, the US Department of Health and Human Services, the World Health Organization (WHO) and its partners, etc. Objective: The aim of this review was to identify the key cyber security challenges, cyber security solutions adopted by the health sector and the areas to be improved in order to counteract the heightened cyber-attacks such as phishing campaigns and ransomware attacks which have been adapted to exploit vulnerabilities in technology and people introduced through changes to working practices dealing with the current COVID19 pandemic. Methods: A scoping review was conducted through the searches of two major scientific databases (PubMed and Scopus) using the terms "(covid or healthcare) and cybersecurity". Reports, news articles, industrial white papers were also included only when they are related directly to previously published work, or they were the only available sources at the moment of manuscript preparation. Only articles in English in the last decade were included, i.e. 2011-2020, in order to focus on the current issues, challenges and solutions. Results: This scoping review identified 9 main challenges in cyber security, 11 key solutions that the healthcare organisations adopted to address these challenges, and 4 key areas that require to be strengthened in terms of the cyber security capacity in health sector. We also found that the most prominent and significant methods of cyber-attacks happened during COVID19 are related to phishing, ransomware, distributed denial of service attack and malware. 
Conclusions: This scoping review identified the most prominent and significant methods of cyber-attacks that impacted the health sector initially during the COVID 19 pandemic, the cyber security challenges, solutions as well as the areas that require further efforts in the community. This provides useful insights to the health sector to address their cybersecurity issues during the COVID 19 pandemic as well as other epidemics or pandemics that may materialise in the future.
... This access can be used as a fraudulent way by hackers to access information in the databases [17]. In addition to technology, hackers can also take advantage of staff loopholes and carelessness to collect data [19]. ...
... As highlighted by some papers, the solutions to improve cyber-risk management are the continuous training of employees [19], the use of performing technologies, the continuous process improvement [49], the implementation of risk management activities [48], the use of proactive and reactive risk assessment tools [52], and the stipulation of insurance policies to protect any damage to stakeholders and the health facilities [71]. The device defense systems (antimalware, security patches, and software) must be updated constantly. ...
... to explain criminal behavior reliant on computing and the online domain with particular characteristics and motivations such as being young, male, autistic and motivated by challenge [92] 1.2 to explain like most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures, but to external hackers, too [19] 1.1 to empirically test a proposed conceptual model, using integrated concepts from the Theory of Planned Behavior, the Information Security Policy Compliance Theory, and the aggregated Revealed Causal Map of EMR Resistance [36] 1.3 ...
Article
Full-text available
The current world challenges include issues such as infectious disease pandemics, environmental health risks, food safety, and crime prevention. Through this article, a special emphasis is given to one of the main challenges in the healthcare sector during the COVID-19 pandemic, the cyber risk. Since the beginning of the Covid-19 pandemic, the World Health Organization has detected a dramatic increase in the number of cyber-attacks. For instance, in Italy the COVID-19 emergency has heavily affected cybersecurity; from January to April 2020, the total of attacks, accidents, and violations of privacy to the detriment of companies and individuals has doubled. Using a systematic and rigorous approach, this paper aims to analyze the literature on the cyber risk in the healthcare sector to understand the real knowledge on this topic. The findings highlight the poor attention of the scientific community on this topic, except in the United States. The literature lacks research contributions to support cyber risk management in subject areas such as Business, Management and Accounting; Social Science; and Mathematics. This research outlines the need to empirically investigate the cyber risk, giving a practical solution to health facilities.
Preprint
Full-text available
The current world challenges include issues such as infectious disease pandemics, environmental health risks, food safety, and crime prevention. Through this article, a special emphasis is given to one of the main challenges in the healthcare sector during the COVID-19 pandemic, the cyber risk. Since the beginning of the Covid-19 pandemic, the World Health Organization has detected a dramatic increase in the number of cyber-attacks. For instance, in Italy the COVID-19 emergency has heavily affected cybersecurity; from January to April 2020, the total of attacks, accidents, and violations of privacy to the detriment of companies and individuals has doubled. Using a systematic and rigorous approach, this paper aims to analyze the literature on the cyber risk in the healthcare sector to understand the real knowledge on this topic. The findings highlight the poor attention of the scientific community on this topic, except in the United States. The literature lacks research contributions to support cyber risk management in subject areas such as Business, Management and Accounting; Social Science; and Mathematics. This research outlines the need to empirically investigate the cyber risk, giving a practical solution to health facilities.
Keywords: cyber risk; cyber-attack; cybersecurity; computer security; COVID-19; coronavirus; information technology risk; risk management; risk assessment; health facilities; healthcare sector; systematic literature review; insurance
... However, ISP alone is not enough for ensuring the security of any organization. An organization must implement an effective information security policy compliance (ISPC) framework [11,12]. ...
... Researchers have shown a growing interest in creating an ISPC framework for organizations like those in the health sector [21]. Most of the studies were conducted in developed countries [11,22,23,24]. Simultaneously, only a few of those studies were conducted in the context of developing countries like Malaysia. ...
... Organizations' management plays a vital role in strengthening the climate related to ISPC [28,33]. The organizational climate (OC) is defined in the literature as a multi-dimensional construct that consists of multiple properties [11,28] and can affect the attitude of employees [34]. An effective organizational climate substantially affects employees' motivation to enhance an organization's policy compliance [35,36]. ...
Article
Full-text available
The advancement of information communication technology in healthcare institutions has increased information security breaches. Scholars and industry practitioners have reported that most security breaches are due to negligence towards organizational information security policy compliance (ISPC) by healthcare employees such as nurses. There is, however, a lack of understanding of the factors that ensure ISPC among nurses, especially in developing countries such as Malaysia. This paper develops and examines a research framework that draws upon the factors of organizational climate of information security (OCIS) and social bond theory to enhance ISPC among nurses. A questionnaire was adopted in which responses were obtained from 241 nurses employed in 30 hospitals in Malaysia. The findings from the study demonstrated that the ISPC among nurses is enhanced through OCIS factors. The influence on ISPC was even more significant when examined by the mediating effect of the social bond. It implies that influential OCIS factors reinforce social bonds among nurses and eventually increase the ISPC. For information security practitioners, the study findings emphasize the prevalence of socio-active information security culture in healthcare organizations to enhance ISP compliance among nurses.
... [15,16]. Data protection breaches in healthcare result from a lack of data protection competence and from weaknesses in data protection behavior, supervision, and security skills [17][18][19]. ...
... Data protection competence and the realization of information security behavior do not depend solely on the training an individual has completed; the operating environment and targeted guidance have a significant effect on how data protection is realized. Based on previous studies, research on data protection competence in healthcare has focused on examining the work environment and individuals' internal incentives, and on identifying the factors that contribute to data protection violations [17][18][19]. This study reinforced the view of the multidimensionality of data protection competence and of the national and international research gap on the topic. Research on the data protection competence of healthcare personnel has so far been limited to examining only one area at a time, without forming a multidimensional overall picture. ...
Article
Full-text available
Research on the data protection competence of healthcare personnel has so far been limited to examining only one area at a time, without forming a multidimensional overall picture. In healthcare, data protection competence is realized as data protection behavior. Data protection competence manifests as the ability to handle personal data well. At the core of data protection competence are properly implemented good information management, correctly processed personal data, and managed information resources. By ensuring data protection competence and the correct implementation of working practices, the worst data protection risks can be avoided and the operations of organizations and employees made more efficient. The purpose of this study is to describe how the dimensions of learning theory manifest in the data protection and information security competence of prison healthcare professionals. The study draws on a cross-sectional survey on data protection competence conducted among the entire staff of the prison healthcare service. The results of the study are described using the dimensions of Knud Illeris's theory of learning. The importance of data protection and information security competence is heightened in prison healthcare, because there the processing of patient and personal data is governed not only by healthcare legislation but also by the act on the prison healthcare unit, which defines exceptions concerning the disclosure of patient information. The results of the study reflect the multidimensionality of healthcare personnel's data protection competence. Data protection competence and the realization of information security behavior in healthcare do not depend solely on the training an individual has completed; the operating environment and targeted guidance have a significant effect on how data protection is realized. Based on previous studies, research on data protection competence in healthcare has focused on examining the work environment and individuals' internal incentives, and on identifying the factors that contribute to data protection violations.
This study supports the view of the multidimensionality of data protection competence and of the national and international research gap on the topic.
... According to Rafter (2020) in a report for Norton, a global company providing cyber security solutions to homeowners and businesses, employees are on the frontlines of InfoSec; however, they are the weakest links in InfoSec efforts (Gratian et al., 2017; Vroom & von Solms, 2004). Employees indulge in risk-taking behavior that presents a significant threat to InfoSec systems and controls when they exhibit poor information security behavior by not complying with the organization's policies and procedures (Ifinedo, 2014; Kessler et al., 2019); however, consistently, employees overestimated the probability that they could fall victim to InfoSec breaches (Herath & Rao, 2009). Lahcen et al. (2020) postulated, "People's biases and behaviors influence the interactions with software and technology…" (p. ...
... Since firms collect copious amounts of sensitive industry and customer data, it behooves organizational leaders to protect this information; yet, incredibly, organizations focus most of their security control efforts on external solutions even though longstanding evidence has shown that the behaviors of organizational insiders account for most data breaches (Choi et al., 2019; Colwill, 2009; Jeong et al., 2019; Uffen, Guhr, & Breitner, 2012); indeed, employees' noncompliance with internal InfoSec measures as well as deliberate acts of revenge and sabotage account for most security breaches (Peikari & Banazdeh, 2019). Forms of employee noncompliance are rooted in human behaviors, which include seemingly benign acts such as treating information security measures lightly, to more egregious behaviors that can include committing deliberately malicious acts against the organization (Besnard & Arief, 2004; Colwill, 2009; Shepherd & Kline, 2012; Shropshire et al., 2015; Kessler et al., 2019). ...
Article
Full-text available
The Big Five Factors Model (FFM) of personality traits theory was tested for its ability to explain employee information security behavior (EISB), when age, measured by generational cohort (GCOHORT), moderated the relationship between the independent variables (IVs) extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and the dependent variable (DV), employees' information security behavior (EISB), which is measured by file protection behavior (FPB). Three age groups defined GCOHORT: 52–70 years old (1946–1964, Baby Boomers), 36–51 years old (1965–1980, Generation X), and 18–35 years old (1981–1998, Millennial). Results of hierarchical multiple regression analyses revealed statistically significant relationships between overall personality traits, four individual factors of personality traits, and the DV (p < .05). However, contrary to expectations, GCOHORT did not moderate the relationship between any of the main IVs and the DV (p > .05). Recommendations for future research are offered.
... Motivated by this, we conducted our study based on the Malaysian healthcare context. Additionally, most of the designed frameworks for Malaysian healthcare organizations suffer from a lack of new technology adoption in healthcare sectors [25,26]. ...
... This study further suggests that economic qualities with an expectation of profitability had a substantial influence on BD preparedness. This corroborates [25] results. In other words, it was found that utilizing intention to adopt BD increases the expectation of higher profits more than when utilizing current BD and that this data influences the readiness of new technologies for healthcare preparation and intention to use. ...
Article
Full-text available
Big data is rapidly being seen as a new frontier for improving organizational performance. However, it is still in its early phases of implementation in developing countries' healthcare organizations. As data-driven insights become critical competitive advantages, it is critical to ascertain which elements influence an organization's decision to adopt big data. The aim of this study is to propose and empirically test a theoretical framework based on Technology-Organization-Environment (TOE) factors to identify the level of readiness for big data adoption in developing countries' healthcare organizations. The framework was empirically tested with 302 Malaysian healthcare employees. Structural equation modeling was used to analyze the collected data. The results of the study demonstrated that technology, organization, and environment factors can significantly contribute towards Big Data adoption in healthcare organizations. However, complexity of technology factors has shown less support to the notion. For technology practitioners this study showed how to enhance big data adoption in healthcare organizations through TOE factors.
... Additionally, we considered the intention to be the adoption of actions to protect oneself from threats [17]. Subfactors related to threat appraisal include intrinsic rewards, extrinsic rewards, severity, and vulnerability, according to the results of prior studies [5,12,18,19,20,21,22,23,24], leading to the following hypothesis: Hypothesis 1 (H1). The threat appraisal of HIS by nurses will affect their intentions. ...
... Behavior is an act of protecting oneself [17]. Threat appraisal and coping appraisal result in the protection of motivation and changes in behavior through the process of intention, according to the results of prior studies linking these factors to HIS behavior [12,22,23,24,28,29,30], leading to the following hypothesis: Hypothesis 3 (H3). The threat appraisal of HIS by nurses will affect their behavior. ...
Article
Full-text available
Background: Healthcare information includes sensitive data and, as such, must be secure; however, the risk of healthcare information leakage is increasing. Nurses manage healthcare information in hospitals; however, previous studies have either been conducted on medical workers from various other occupations or have not synthesized various factors. The purpose of this study was to create and prove a model of nurses' healthcare information security (HIS). The hypothetical model used in this study was constructed on the basis of the protection motivation theory (PMT) proposed by Rogers. Methods: A total of 252 questionnaires scored using a five-point Likert scale were analyzed, incorporating data from nurses who had been working for more than one month in general hospitals with more than 300 beds in South Korea. The survey was conducted over a total of 30 days, from 1 to 30 September 2019. Results: The results showed that coping appraisal significantly influences HIS intentions (estimate = -1.477, p < 0.01), whereas HIS intentions significantly influence HIS behavior (estimate = 0.515, p < 0.001). A moderating effect on the association between coping appraisal and HIS intentions was found in the group of nurses who had been working for <5 years (estimate = -1.820, p < 0.05). Moreover, a moderating effect on the association between HIS intentions and HIS behavior was found in the group of nurses who had been working for <5 years (estimate = 0.600, p < 0.001). Conclusion: The results of this study can be used to develop a management plan to strengthen nurses' HIS behavior and can be used by nursing managers as a basis for developing education programs.
... S. R. Kessler et al. provided a survey on information security climate in healthcare sector. Authors categorized the professional of healthcare into four categories and conducted a survey for assessing the information security status in healthcare organizations [23]. The paper provides a path for researchers through its validated results. ...
Article
Full-text available
Growing concern about healthcare information security in the wake of alarmingly rising cyber-attacks is being given symmetrical priority by current researchers and cyber security experts. Intruders are penetrating symmetrical mechanisms of healthcare information security continuously. In the same league, the paper presents an overview on the current situation of healthcare information and presents a layered model of healthcare information management in organizations. The paper also evaluates the various factors that have a key contribution in healthcare information security breaches through a hybrid fuzzy-based symmetrical methodology of AHP-TOPSIS. Furthermore, for assessing the effect of the calculated results, the authors have tested the results on local hospital software of Varanasi. Tested results of the factors are validated through the comparison and sensitivity analysis in this study. Tabulated results of the proposed study propose a symmetrical mechanism as the most conversant technique which can be employed by the experts and researchers for preparing security guidelines and strategies.
... All items were assessed along a 5-point Likert-type scale with 1 indicating "strongly disagree" and 5 indicating "strongly agree." The measures of perceived severity, perceived vulnerability and response efficacy were adapted from Li et al. [15] and Ifenido [8]. The measures of information security climate and information security training were respectively adopted from Kessler et al. [21] and D'Arcy et al. [13]. ISSP compliance is adopted from Arcy & Teh (2019)'s measure with a four-item scale [22]. ...
Article
Full-text available
It is widely agreed that information systems security policy (ISSP) compliance plays a pivotal role in safeguarding organizational information security. This study empirically investigated organizational and individual factors in predicting employees' ISSP compliance. Using survey data from 525 civil servants in China, results showed that organizational information security training and information security climate were significantly related to employees' ISSP compliance. Specifically, information security climate had a stronger effect on ISSP compliance than information security training. Furthermore, it was found that employees' perceived severity, perceived vulnerability and response efficacy were positively related to employees' ISSP compliance. We discussed the key implications of our findings for managers and researchers.
... For example, the end-user framework proposed in this manuscript (Fig. 1) is in many ways akin to Neal and Griffin's (2004) safety model that has obtained strong empirical support. Authors of information security climate instruments have noted the similarities between workplace safety and information security, and have in fact adapted safety scales into information security measures (Chan et al., 2005;Kessler, Pindek, Kleinman, Andel, & Spector, 2019). Conversely, occupational safety research can benefit from prior work conducted in the security realm. ...
Article
Full-text available
Cybersecurity is an ever-present problem for organizations, but organizational science has barely begun to enter the arena of cybersecurity research. As a result, the “human factor” in cybersecurity research is much less studied than its technological counterpart. The current manuscript serves as an introduction and invitation to cybersecurity research by organizational scientists. We define cybersecurity, provide definitions of key cybersecurity constructs relevant to employee behavior, illuminate the unique opportunities available to organizational scientists in the cybersecurity arena (e.g., publication venues that reach new audiences, novel sources of external funding), and provide overall conceptual frameworks of the antecedents of employees’ cybersecurity behavior. In so doing, we emphasize both end-users of cybersecurity in organizations and employees focused specifically on cybersecurity work. We provide an expansive agenda for future organizational science research on cybersecurity—and we describe the benefits such research can provide not only to cybersecurity but also to basic research in organizational science itself. We end by providing a list of potential objections to the proposed research along with our responses to these objections. It is our hope that the current manuscript will catalyze research at the interface of organizational science and cybersecurity.
... Although additional security functions such as passwords and record tracking are available for PHRs, in comparison with traditional paper records, storing PHRs in cloud servers causes patients to lose their control over their personal healthcare data. Moreover, cloud systems involve many threats to information privacy, such as the lack of strict and careful verification of user identity, insecure user interface for verification and authorization, abuse of cloud computing for illegal activities, malicious internal employees of cloud service providers, problems related to shared environments, data theft, and service theft [11]. However, HIPAA has not provided favorable legal restrictions on these threats. ...
Article
Full-text available
Personal health records (PHRs) have been developed into a type of patient-centered health information exchange model in recent years. It provides users powerful saving, reading, and sharing of medical data. Considering the fullness of current Cloud construction, complicated combination of hospital staff, differences of prioritization between hospital staff and patients, and varied levels of privacy regulation of people in groups or individuals, the difficulty of security exchange and information sharing will increase. Therefore, there is a need for a flexible and efficient group-oriented cryptosystem. We proposed a bilinear pairing-based group-oriented cryptosystem to overcome the above situations. This proposal has the following advantages: (I) The cryptosystem can simultaneously realize four decryption strategies, enabling receivers to designate appropriate decryptors according to the content of plaintext. (II) All group members need only one private key, which can be used for decryption regardless of the decryption modes. Therefore, errors resulting from the misuse of keys can be avoided, and the difficulty of key management can be reduced. (III) The system is required to disclose only six parameters, thus decreasing spatial complexity. (IV) Regardless of the encryption and decryption modes, receivers must perform encryption only one time, and the length of the ciphertext comprises only four parameters. Thus, the proposed cryptosystem computing (including environment setting and the processes of encryption and decryption) is highly efficient, with easy key management, low spatial complexity, and a small amount of ciphertext being transmitted.
... Therefore, organizational climate approaches have been employed to highlight social aspects of the work environment, making certain characteristics more salient to employees, thus cueing a change toward desired behaviors. A successful example is the induction of information security climate in medical facilities [1]. Similarly, having a good patient safety culture can reduce medical errors, improve patient prognosis and reduce the length of hospital stay and related medical expenses [2]. ...
Article
Full-text available
Patient safety is the core goal of medical institutions. The present study focuses on the patient safety culture and staff well-being amid the COVID-19 pandemic. In a large metropolitan hospital group, 337 employees who had participated in the quality improvement interventions completed an anonymous questionnaire of patient safety culture and personal well-being. The multiple regression analyses indicated that managerial role, seniority, female gender and direct contact with a patient were significantly related to the positive attitude on overall or certain dimensions of safety culture. Multivariate analysis also found that dimensions of teamwork climate, safety climate, job satisfaction and stress recognition as patient safety culture predicted staff exhaustion. Finally, compared with the available institutional historic data in 2018, the COVID group scored higher on the working condition dimension of patient safety culture, but lower on the stress recognition dimension. The COVID group also scored higher on exhaustion. In the post-pandemic era, there seems to be an improvement on certain aspects of the patient safety culture among hospital staff, and the improvement is more prevalent for managers. However, exhaustion is also a poignant problem for all employees. These findings can inform hospital decision-makers in planning and implementing future improvements of patient safety culture and promoting employee well-being and resilience. Our findings also reveal directions for future research.
... In recent years, security assessment research has mainly focused on artificial intelligence [9], medical subjects [10,11], infrastructure [12], power systems [13], coal mining [14], chemicals [15], etc. The industrial field focuses on assessing the system's functional safety or the static information security assessment for the design, and its security status is easily observed [16,17]. ...
Article
Full-text available
Industrial control systems (ICS) are applied in many fields. Due to the development of cloud computing, artificial intelligence, and big data analysis inducing more cyberattacks, ICS always suffers from the risks. If the risks occur during system operations, corporate capital is endangered. It is crucial to assess the security of ICS dynamically. This paper proposes a dynamic assessment framework for industrial control system security (DAF-ICSS) based on machine learning and takes an industrial robot system as an example. The framework conducts security assessment from qualitative and quantitative perspectives, combining three assessment phases: static identification, dynamic monitoring, and security assessment. During the evaluation, we propose a weighted Hidden Markov Model (W-HMM) to dynamically establish the system’s security model with the algorithm of Baum–Welch. To verify the effectiveness of DAF-ICSS, we have compared it with two assessment methods to assess industrial robot security. The comparison result shows that the proposed DAF-ICSS can provide a more accurate assessment. The assessment reflects the system’s security state in a timely and intuitive manner. In addition, it can be used to analyze the security impact caused by the unknown types of ICS attacks since it infers the security state based on the explicit state of the system.
... Theoretically, our results align with extant research linking organizational climate with on-the-job behaviors [28][29][30] . However, by additionally demonstrating the impact of workplace COVID-19 climate on non-work sickness presenteeism, our study suggests an important linkage between workplace practices and public health. ...
Article
Full-text available
Objective: To test the role of workplace COVID-19 climate in shaping employee attitudes toward the CDC prevention guidelines and subsequent levels of work and non-work sickness presenteeism. Methods: Three waves of anonymous survey data were collected in October and December 2020 and February 2021. Participants were 304 employed adults in the U.S., of whom half were working onsite. Results: Time 1 workplace COVID-19 climate was positively associated with Time 2 employee attitudes towards the CDC prevention guidelines, which in turn predicted Time 3 levels of non-work and work sickness presenteeism. Conclusions: The workplace can shape employee attitudes toward the CDC COVID-19 prevention guidelines and their work and non-work sickness presenteeism, thus highlighting the important role companies have in reducing community spread of the novel coronavirus in work and non-work settings.
... Poor data and information security setup may hinder the establishment of sound infrastructure in the university libraries which may influence the effectiveness of mass digitisation projects and usefulness of access to the intellectual assets of the country. Concerns around protecting intellectual assets are widely noted by most recent studies not only in universities ( Bongiovanni, Renaud & Cairns, 2020 ), but in other fields of study such as healthcare ( Kessler, Pindek, Kleinman, Andel & Spector, 2020 ), local government authorities ( Ali, Shrestha, Chatfield & Murray, 2020 ), and small and medium enterprise (SME) sector ( Ozkan, Yigit, Spruit, Wondolleck & Verónica, 2020 ). ...
Article
Full-text available
Ever since the increased use of the internet in higher education, libraries have started mass digitisation programs to make their intellectual resources available on the World Wide Web. From the year 2000 onward, Pakistani universities’ libraries have been active in these mass digitisation projects. The purpose of this paper is to examine the data and information security measures taken by university libraries to safeguard the intellectual assets of their respective organisations. Researchers adopted a quantitative approach to conduct this study. Data were collected from 190 professional librarians around the country. The findings of the study revealed that the majority of libraries are lagging in standardised measures to secure digital resources. It is hoped that the present study will help in suggesting appropriate standards of data and information security within universities’ libraries. Results can also be replicated in other developing countries to investigate data and information security in libraries.
... A literature review [25] concluded that a research gap regarding IS in a health care context necessitates further studies to determine what creates an ISC in organizations. Recent studies compared IS climates among four categories of health care professionals [26], but they did not conduct the comparison at an institutional level. This research aims to fill the gap in the empirical research concerning IS cultures in a health care context. ...
Article
Full-text available
Background Health information security (IS) breaches are increasing with the use of information technology for health care services, and a strong security culture is important for driving employees’ information asset protection behavior. Objective This study aimed to analyze differences in information security cultures (ISCs) across health care providers based on factors drawn from the ISC model. Methods We used twelve factors to measure the ISCs of health care providers. This research applied a survey method with the Kruskal–Wallis H Test and the Mann–Whitney U Test as data analysis techniques. We collected the data through a questionnaire distributed to 470 employees of health care facilities (i.e. hospitals, community health centers, and primary care clinics) in Indonesia. Results The results revealed the differences between health care provider types for 9 of the 12 security culture factors. Top management support, change management, and knowledge were the differentiating factors between all types of health care providers. Organizational culture and security compliance only differed in primary care clinics. Meanwhile, security behavior, soft issues and workplace independence, information security policies, training, and awareness only differed in hospitals. Conclusion The results indicated that each type of health care provider required different approaches to develop an ISC considering the above factors. They provided insight for top management to design suitable programs for cultivating ISCs in their institutions.
Article
Full-text available
Citation: Nifakos, S.; Chandramouli, K.; Nikolaou, C.K.; Papachristou, P.; Koch, S.; Panaousis, E.; Bonacina, S. Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review.
Article
Full-text available
Usability is key to achieving quality in software products. Client applications with a high usability score might affect power consumption when they are run on a PC. For this reason, energy savings become critical in green software systems. In this paper the relationship between the usability evaluations of the GUIs and the power consumption measurements of the main components of a PC was analysed. A set of 5 web-based personal health records (PHRs) was selected as a case study. The usability assessment was performed by an expert, employing the 14 principles of design by Alan Dix as heuristics. They were scored on a Likert scale after performing a collection of common tasks in the PHRs. At the same time, equipment to measure the energy consumption of the hard disk drive, graphics card, processor, monitor and power supply was used. Spearman’s index was studied for the correlations between the usability assessments and the power consumption measurements. As a result, some weak relationships were found. A total of 5 usability heuristics were observed to potentially influence energy consumption when they were considered in the implementation of the PHRs. These heuristics were the following: consistency, task migratability, observability, recoverability and responsiveness. Based on the results, the usability principles of design cannot always be related to lower energy consumption. Future research should focus on the tradeoffs between usability and power consumption of client applications when they are used on a computer.
Article
Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce? Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior. Results A total of 453/700 (64%) responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude. Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.
Article
Background A national ransomware attack on the Irish Health Service Executive left the Healthcare system bereft of access to IT systems, electronic patient records, and the national imaging system. Widespread disruption to internal and external referral pathways, and both trauma and elective Orthopaedic services occurred as a result. The purpose of this paper is to discuss the challenges faced by Regional trauma units and adjustments made to overcome these. Methods Issues occurring as a result of the IT cybersecurity attack were discussed at regional level. Local and specialist centre adaptations were collated to identify effective modifications to established practice in the wake of the IT attack. Results The main areas affecting Orthopaedic regional practice were identified, including internal referrals, interhospital referrals to both regional and specialist centres, outpatient clinics, and elective practice. Strategies to overcome these were collated and shared between regional centres, including the use of secure messaging systems to safely transmit relevant clinical information between services, use of radiological hard copies, and integration of imaging resources to the outpatient department to expedite clinical review. Conclusion The national cyberattack necessitated rapid adaptations to overcome the challenges faced as a result of reduced clinical and radiological access. While the recent cyberattack highlights the vulnerability of electronic systems, and the need for vigilance including staff training on cybersecurity, changes implemented by regional centres also illustrate the potential for further development and expansion of current clinical practices.
Article
Information is a vital asset needed by many organizations to function effectively. However, this asset can easily be compromised; thus its protection is crucial to the efficacy of an organization. A common information security breach used is social engineering. Social engineering is the use of manipulative and deceptive techniques against the inherent nature of human beings to access sensitive and confidential information to achieve an illicit action or omission of action. Through a qualitative inquiry, this article investigated the perceptions of employees concerning social engineering in the workplace to extract practical lessons from local businesses located in Gauteng Province, South Africa. The findings confirm that human beings should be at the forefront of defense against social engineering attacks and advocate for a multi-inter-trans-disciplinary social engineering protection model to practically assist organizations in developing a healthy and effective information security culture.
Article
Full-text available
Objective of the study: Statistics show a worrisome picture of challenges to be overcome by cybersecurity in the healthcare sector. Data evidence that the healthcare industry experiences four data breaches per week in the United States alone, making it the sector most often affected by digital security breaches. Thus, the current article aims to investigate risk management focusing on identifying requirements and best practices for healthcare data security systems. Methodology/approach: It is based on a systematic literature review. Studies on state-of-the-art data security systems were collected and interpreted through content analysis. Assertive keywords, source-selection criteria, interpretation of selected articles, and database analysis were used to form the investigated sample and to represent the broad applications of this study’s objective. Originality/Relevance: The current study contributes to define a set of minimum requirements and best practices that can be adopted to manage data security risks in the healthcare sector and medical devices. Main results: Results have pointed out that there is no fully effective way to prevent all violations by cybercriminals; however, cybersecurity must be part of management processes adopted by different organizations. Theoretical/methodological contributions: It is found that cybersecurity has a great importance for the healthcare sector, the information generated is rich in content and that cybersecurity is neglected in the sector, that is not able to deal with the reality of cyber threats in the industry 4.0 context. Social/management contributions: By the good risk management practices and the adoption of minimum security items, institutions can ensure that managers can prepare and respond efficiently to cyber risks.
Article
Full-text available
When considering an information security culture in an organisation, researchers have to consider the possibility of several information security subcultures that could be present in the organisation. This means that different geographical, ethnic or age groups of employees could have different assumptions, values and beliefs about the protection of information, resulting in unique information security subcultures. This research sets out to understand how dominant information security cultures and subcultures develop and how they can be influenced positively over time through targeted interventions. An empirical case study was conducted using a survey approach with a validated information security culture questionnaire to illustrate how to identify dominant information security cultures and subcultures. The survey was conducted at four intervals in the same organisation over a number of years to identify potential information security subcultures and to monitor the change, if targeted interventions for each are implemented. Using t-tests and ANOVA tests, a number of information security subcultures were identified, mostly evident across the organisation's office locations (which are separated geographically), as well as between employees that worked in the IT division compared to those who did not. The data indicates that the dominant information security culture and subcultures improved over time to a more positive information security culture after the implementation of targeted interventions. This illustrates how the identification and targeting of information security subcultures with customised interventions can influence the information security culture positively. By using information security interventions, organisations can target their high-risk subcultures and monitor the change over time through continuous assessment, thereby minimising the risk to information protection from a human perspective.
Article
Full-text available
Although there have been several attempts to address the conceptual ambiguities in the literature discussing organizational climate, organizational culture, and their interrelationship, there remains much confusion and a general lack of clarity about what these two constructs represent, as well as how they may interrelate. In order to provide some clarity, we provide a comprehensive review of both constructs and conclude with a model describing how organizational climate can be viewed as a bottom-up (i.e., flowing from employee perceptions) indicator of the underlying core values and assumptions that form the organization's culture. Recommendations for researchers seeking to investigate organizational climate and culture, as well as suggestions for future research, are discussed throughout the chapter.
Article
Full-text available
The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet.
Article
Full-text available
The importance of understanding and promoting pro-environmental behaviour among individual consumers in modern Western Societies is generally accepted. Attitudes and attitude change are often examined to help reach this goal. But although attitudes are relatively good predictors of behaviour and are relatively easy to change they only help explain specific behaviours. More stable individual factors such as values and identities may affect a wider range of behaviours. In particular factors which are important to the self are likely to influence behaviour across contexts and situations. This paper examines the role of values and identities in explaining individual pro-environmental behaviours. Secondary analyses were conducted on data from three studies on UK residents, with a total of 2694 participants. Values and identities were good predictors of pro-environmental behaviour in each study and identities explain pro-environmental behaviours over and above specific attitudes. The link between values and behaviours was fully mediated by identities in two studies and partially mediated in one study supporting the idea that identities may be broader concepts which incorporate values. The findings lend support for the concept of identity campaigning to promote sustainable behaviour. Moreover, it suggests fruitful future research directions which should explore the development and maintenance of identities.
Article
Full-text available
Work climates exert an important influence on organizations and the people who work in them. For more than half a century, scholars have sought to understand their antecedents and consequences. However, in recent years, this literature has become fragmented and somewhat adrift. This article attempts to remedy this by reviewing existing research related to organizational work climates and providing a review and critique of the current state of knowledge. Furthermore, the authors seek to assemble the individual pieces into a unified lens capable of identifying overarching themes and challenges facing researchers. Finally, the authors turn this lens to the future, so as to provide a clearer view of some promising avenues for research opportunities and potential for reintegrating the field.
Article
Full-text available
SEM has potential advantages over linear regression models that make SEM a priori the methods of choice in analyzing path diagrams when these involve latent variables with multiple indicators. What SEM does is to integrate the measurements and the hypothesized causal paths into a simultaneous assessment. SEM can analyze many stages of independent and dependent variables, including, in the case of CBSEM, the error terms, into one unified model. This one unified measurement and structural model is then estimated, either together as in CBSEM or iteratively as in PLS, and the results are presented as one unified model in which the path estimates of both the measurement and the structural models are presented as a whole. CBSEM, in contrast, addresses the problem of measurement error by explicitly modeling measurement error variance/covariance structures and relying on a factor analytic measurement model.
Article
Full-text available
The purpose of this study was to examine relationships among individual values, trait boredom, job boredom, job characteristics, and CWB. Job boredom and trait boredom were expected to be positively related to CWB. Individual values and job characteristics were expected to moderate the relationship between boredom and different types of CWB. Completed online questionnaires were received from 211 participants, and 112 co-worker matches also submitted online surveys. The Schwartz Value Survey, Job Descriptive Index, Job Boredom Scale, and Boredom Proneness Scale were used to assess independent variables. The Counterproductive Work Behavior Checklist measured the dependent variable. Results were analyzed using correlation and moderated regression. Both trait boredom and job boredom showed large significant correlations with all forms of CWB. Additionally, co-worker reported job boredom showed significant correlations with some forms of CWB. Values showed small and mostly non-significant relationships with CWB and no moderating effects on the boredom/CWB relationship. Job characteristics showed relationships with some forms of CWB but did not interact with boredom in its effects on CWB. In general, moderating effects were not found in the relationships among boredom, values, job characteristics, and CWB. Theoretical and practical implications are discussed.
Article
Full-text available
Organizational climate and organizational culture theory and research are reviewed. The article is first framed with definitions of the constructs, and preliminary thoughts on their interrelationships are noted. Organizational climate is briefly defined as the meanings people attach to interrelated bundles of experiences they have at work. Organizational culture is briefly defined as the basic assumptions about the world and the values that guide life in organizations. A brief history of climate research is presented, followed by the major accomplishments in research on the topic with regard to levels issues, the foci of climate research, and studies of climate strength. A brief overview of the more recent study of organizational culture is then introduced, followed by samples of important thinking and research on the roles of leadership and national culture in understanding organizational culture and performance and culture as a moderator variable in research in organizational behavior. The final section of the article proposes an integration of climate and culture thinking and research and concludes with practical implications for the management of effective contemporary organizations. Throughout, recommendations are made for additional thinking and research. Expected final online publication date for the Annual Review of Psychology Volume 64 is November 30, 2012. Please see http://www.annualreviews.org/catalog/pubdates.aspx for revised estimates.
Article
Full-text available
Using data from a sample of 6,130 workers employed in 743 stores of a large, U.S. retail organization, this study assessed whether diversity climate moderated mean racial-ethnic differences in employee sales performance. Findings indicated Whites exhibited significantly higher sales performance than Hispanics but not Blacks, as moderated by diversity climate. As hypothesized, racial-ethnic disparities disfavoring Blacks and Hispanics were largest in stores with less supportive diversity climates and smallest in stores with highly pro-diversity climates. Financial analysis of these interactions revealed sizable increments in sales per hour in response to effective diversity management, with strong organizational bottom-line implications. Limitations of the study and future research needs are noted.
Article
Full-text available
Purpose – This paper aims to examine the influence of organization culture on the effectiveness of implementing information security management (ISM). Design/methodology/approach – Based on a literature review, a model of the relationship between organizational culture and ISM was formulated, and both organizational culture characteristics and ISM effectiveness were measured empirically to investigate how various organizational culture traits influenced ISM principles, by administrating questionnaires to respondents in organizations with significant use of information systems. Findings – Four regression models were derived to quantify the impacts of organizational culture traits on the effectiveness of implementing ISM. Whilst the control-oriented organizational culture traits, effectiveness and consistency, have strong effect on the ISM principles of confidentiality, integrity, availability and accountability, the flexibility-oriented organizational culture traits, cooperativeness and innovativeness, are not significantly associated with the ISM principles with one exception that cooperativeness is negatively related to confidentiality. Research limitations/implications – The sample is limited to the organizational factors in Taiwan. It is suggested to replicate this study in other countries to reconfirm the result before adopting its general implications. Owing to the highly intrusive nature of ISM surveys, a cautious approach with rapport and trust is a key success factor in conducting empirical studies on ISM. Practical implications – A culture conducive to information security practice is extremely important for organizations since the human dimension of information security cannot totally be solved by technical and management measures. For understanding and improving the organization behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM. 
Originality/value – A research model was proposed to study the impacts of organizational factors on ISM, after a broad survey on related researches. The validated model and its corresponding study results can be referenced by enterprise managers and decision makers to make favorable tactics for achieving their goals of ISM – mitigating information security risks.
Article
Full-text available
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.
Article
Full-text available
This article attempts to investigate the various types of threats that exist in healthcare information systems (HIS). A study has been carried out in one of the government-supported hospitals in Malaysia. The hospital has been equipped with a Total Hospital Information System (THIS). The data collected were from three different departments, namely the Information Technology Department (ITD), the Medical Record Department (MRD), and the X-Ray Department, using in-depth structured interviews. The study identified 22 types of threats according to major threat categories based on ISO/IEC 27002 (ISO 27799:2008). The results show that the most critical threat for the THIS is power failure followed by acts of human error or failure and other technological factors. This research holds significant value in terms of providing a complete taxonomy of threat categories in HIS and also an important component in the risk analysis stage.
Article
Full-text available
Our purpose in this study was to meta-analytically address several theoretical and empirical issues regarding the relationships between safety climate and injuries. First, we distinguished between extant safety climate-->injury and injury-->safety climate relationships for both organizational and psychological safety climates. Second, we examined several potential moderators of these relationships. Meta-analyses revealed that injuries were more predictive of organizational safety climate than safety climate was predictive of injuries. Additionally, the injury-->safety climate relationship was stronger for organizational climate than for psychological climate. Moderator analyses revealed that the degree of content contamination in safety climate measures inflated effects, whereas measurement deficiency attenuated effects. Additionally, moderator analyses showed that as the time period over which injuries were assessed lengthened, the safety climate-->injury relationship was attenuated. Supplemental meta-analyses of specific safety climate dimensions also revealed that perceived management commitment to safety is the most robust predictor of occupational injuries. Contrary to expectations, the operationalization of injuries did not meaningfully moderate safety climate-injury relationships. Implications and recommendations for future research and practice are discussed.
Article
Full-text available
Recent conceptual and methodological advances in behavioral safety research afford an opportunity to integrate past and recent research findings. Building on theoretical models of worker performance and work climate, this study quantitatively integrates the safety literature by meta-analytically examining person- and situation-based antecedents of safety performance behaviors and safety outcomes (i.e., accidents and injuries). As anticipated, safety knowledge and safety motivation were most strongly related to safety performance behaviors, closely followed by psychological safety climate and group safety climate. With regard to accidents and injuries, however, group safety climate had the strongest association. In addition, tests of a meta-analytic path model provided support for the theoretical model that guided this overall investigation. The implications of these findings for advancing the study and management of workplace safety are discussed.
Article
Full-text available
A set of foundation issues that support employee work and service quality is conceptualized as a necessary but not sufficient cause of a climate for service, which in turn is proposed to be reflected in customer experiences. Climate for service rests on the foundation issues, but in addition it requires policies and practices that focus attention directly on service quality. Data were collected at multiple points in time from employees and customers of 134 branches of a bank and analyzed via structural equation modeling. Results indicated that the model in which the foundation issues yielded a climate for service, and climate for service in turn led to customer perceptions of service quality, fit the data well. However, subsequent cross-lagged analyses revealed the presence of a reciprocal effect for climate and customer perceptions. Implications of these results for theory and research are offered.
Article
Full-text available
Organizational climates have been investigated separately at organization and subunit levels. This article tests a multilevel model of safety climate, covering both levels of analysis. Results indicate that organization-level and group-level climates are globally aligned, and the effect of organization climate on safety behavior is fully mediated by group climate level. However, the data also revealed meaningful group-level variation in a single organization, attributable to supervisory discretion in implementing formal procedures associated with competing demands like safety versus productivity. Variables that limit supervisory discretion (i.e., organization climate strength and procedural formalization) reduce both between-groups climate variation and within-group variability (i.e., increased group climate strength), although effect sizes were smaller than those associated with cross-level climate relationships. Implications for climate theory are discussed.
Article
Full-text available
The authors measured perceptions of safety climate, motivation, and behavior at 2 time points and linked them to prior and subsequent levels of accidents over a 5-year period. A series of analyses examined the effects of top-down and bottom-up processes operating simultaneously over time. In terms of top-down effects, average levels of safety climate within groups at 1 point in time predicted subsequent changes in individual safety motivation. Individual safety motivation, in turn, was associated with subsequent changes in self-reported safety behavior. In terms of bottom-up effects, improvements in the average level of safety behavior within groups were associated with a subsequent reduction in accidents at the group level. The results contribute to an understanding of the factors influencing workplace safety and the levels and lags at which these effects operate.
Article
Safety climate represents the meaningfulness of safety and how safety is valued in an organization. The contributions of safety climate to organizational safety have been well documented. There is a dearth of empirical research, however, on specific safety climate interventions and their effectiveness. The present study aims at examining the trend of safety climate interventions and offering compiled information for designing and implementing evidence-based safety climate interventions. Our literature search yielded 384 titles that were inspected by three examiners. Using a stepwise process that allowed for assessment of interobserver agreement, 19 full articles were selected and reviewed. Results showed that 10 out of the 19 articles (52.6%) were based on a quasi-experimental pre- and postintervention design, whereas 42.1% (n = 8) studies were based on a mixed-design approach (including both between- and within-subject design). All interventions in these 19 studies involved either safety-/health-related communication or education/training. Improvement of safety leadership was also a common component of safety climate interventions. According to the socio-technical systems classification of intervention strategies, all studies were categorized as interventions focusing on improving organizational and managerial structure as well as the personnel subsystem; four of them also aimed at improving technological aspects of work, and five of them aimed at improving the physical work subsystem. In general, a vast majority of the studies (89.5%, n = 17) showed a statistically significant improvement in safety climate across their organizations postintervention.
Article
A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.
Article
Given the importance of the health-care industry and the promise of health information systems, researchers are encouraged to build on the shoulders of giants as the saying goes. The health information systems field has a unique opportunity to learn from and extend the work that has already been done by the highly correlated information systems field. As a result, this research article presents a past, present and future meta-analysis of health information systems research in information systems journals over the 2000–2015 time period. Our analysis reviewed 126 articles on a variety of topics related to health information systems research published in the “Senior Scholars” list of the top eight ranked information systems academic journals. Across the selected information systems academic journals, our findings compare research methodologies applied, health information systems topic areas investigated and research trends. Interesting results emerge in the range and evolution of health information systems research and opportunities for health information systems researchers and practitioners to consider moving forward.
Article
A large number of information security breaches in the workplace result from employees’ failure to comply with organizational information security guidelines. Recent surveys report that 78% of computer attacks appear in the form of viruses embedded in email attachments. Employees who open e-mail attachments from unknown sources risk infecting their own computers as well as other computers sharing the same network. Therefore, more attention needs to be paid to learning why non-compliant behavior takes place so that appropriate measures for curbing the occurrence of such behavior can be found. With such motivation in mind, this study examines the effects of social contextual factors on employees’ compliance with organizational security policies. The research model is developed based on concepts adapted from safety climate literature that has been used to explain the safe behavior of employees in organizations. Data was collected from a sample of 140 employees from two large IT intensive organizations using a 28-item survey instrument and analyzed using structured equation modeling. Management practices, supervisory practices, and coworker’s socialization were found to be positively related to employees’ perception of information security climate in the organization. Perception of security climate and self-efficacy had positive impacts on compliant behavior. Implications of this study for research and practice are discussed.
Article
The personal health information of patients in the United States is not safe, and it needs to be. The vulnerability of health data is clear from the research letter by Liu and colleagues¹ in this issue of JAMA. Organizations for which the management of health information is regulated under the Health Insurance Portability and Accountability Act (HIPAA), which are so-called covered entities, must promptly report data breaches affecting more than 500 individuals to the US Department of Health and Human Services. Examining these reports for 2010 through 2013, the authors found 949 events affecting 29.1 million records, with increasing numbers of breaches over time. Two-thirds of data breaches involved electronic data, almost three-fifths theft, and nearly 10% (in 2013) hacking.
Article
Research problem: Although organizations have been exerting a significant effort to leverage policies and procedures to improve information security, their impact and effectiveness is under scrutiny as employees' compliance with information security procedures remains problematic. Research questions: (1) What is the role of information security climate (ISC) in cultivating individual's compliance with security policy? (2) Do individual affective and normative states mediate the effect of ISC to increase security policy compliance intention while thwarting employees' security avoidance? Literature review: Drawing upon Griffin and Neal's safety climate model, which states the effect of safety climate on individual safety behaviors that lead to specific performance outcomes, we develop an ISC model to empirically examine the efficacy of security climate in governing employee's policy compliance. The literature suggests that there could be practical reasons for employees not to observe the security policies and procedures. These go beyond the simple lack of use or negligence, and include rationalizing security violation, particularly in light of the fact that they are under pressure to get something done without delays in daily work. To empirically address such employee behavior, we employed the term, security avoidance in this study - an employee's deliberate intention to avoid security policies or procedures in daily work despite the need and opportunity to do so. Methodology: We surveyed IT users in South Korea about individuals' perception about various organizational/managerial information security practices in the work environment. Results and discussion: The results from 581 participants strongly support the fundamental proposition that the information security climate has a significant positive impact on employee's conformity with the security policy.
The study also reveals that the security climate nurtures the employee's affective and cognitive states - through affective commitment and normative commitment. These, in turn, mediate the influence of security climate on employee policy compliance by facilitating rule adherence among employees while, at the same time, inspiring self-adjusted behaviors to neutralize their deliberate intents of negligence. Overall, the findings support our view that the creation of strong security climate is the adequate alternative to a sanction-based deterrence to employees' security policy compliance, which limits the presence of security avoidance. The implications to theory are the multidimensional nature of ISC construct and its linkage to a systematic view of individual level information security activities. The implications to practice are the ISC's favorable role of discouraging employee's security avoidance while inducing the security policy compliance intention at the same time, given the limit of sanctions.
Purpose – The purpose of this paper is to examine the influence of security-related and employment relationship factors on employees’ security compliance decisions. A major challenge for organizations is encouraging employee compliance with security policies, procedures and guidelines. Specifically, we predict that security culture, job satisfaction and perceived organizational support have a positive effect on employees’ security compliance intentions. Design/methodology/approach – This study used a survey approach for data collection. Data were collected using two online surveys that were administered at separate points in time. Findings – Our results provide empirical support for security culture as a driver of employees’ security compliance in the workplace. Another finding is that an employee’s feeling of job satisfaction influences his/her security compliance intention, although this relationship appears to be contingent on the employee’s position, tenure and industry. Surprisingly, we also found a negative relationship between perceived organizational support and security compliance intention. Originality/value – Our results provide one of the few empirical validations of security culture, and we recognize its multidimensional nature as conceptualized through top management commitment to security (TMCS), security communication and computer monitoring. We also extend security compliance research by considering the influence of employment relationship factors drawn from the organizational behavior literature.
Article
The purpose of this meta-analysis was to address unanswered questions regarding the associations between personality and workplace safety by (a) clarifying the magnitude and meaning of these associations with both broad and facet-level personality traits, (b) delineating how personality is associated with workplace safety, and (c) testing the relative importance of personality in comparison to perceptions of the social context of safety (i.e., safety climate) in predicting safety-related behavior. Our results revealed that whereas agreeableness and conscientiousness were negatively associated with unsafe behaviors, extraversion and neuroticism were positively associated with them. Of these traits, agreeableness accounted for the largest proportion of explained variance in safety-related behavior and openness to experience was unrelated. At the facet level, sensation seeking, altruism, anger, and impulsiveness were all meaningfully associated with safety-related behavior, though sensation seeking was the only facet that demonstrated a stronger relationship than its parent trait (i.e., extraversion). In addition, meta-analytic path modeling supported the theoretical expectation that personality’s associations with accidents are mediated by safety-related behavior. Finally, although safety climate perceptions accounted for the majority of explained variance in safety-related behavior, personality traits (i.e., agreeableness, conscientiousness, neuroticism) still accounted for a unique and substantive proportion of the explained variance. Taken together, these results substantiate the value of considering personality traits as key correlates of workplace safety.
Article
A theoretical model of safety leadership, which incorporated both transformational and active transactional leadership styles, was tested using meta‐analytic path analysis. The final model showed that transformational leadership had a positive association with both perceived safety climate and safety participation, with perceived safety climate partially mediating the effect of leadership on safety participation. Active transactional leadership had a positive association with perceived safety climate, safety participation and safety compliance. The effect of leadership on safety compliance was partially mediated by perceived safety climate and the effect on safety participation fully mediated by perceived safety climate. The findings suggest that active transactional leadership is important in ensuring compliance with rules and regulations, whereas transformational leadership is primarily associated with encouraging employee participation in safety. Therefore, in line with the augmentation hypothesis of leadership, a combination of both transformational and transactional styles appeared to be most beneficial for safety. Avenues for further research and practical implications in terms of leadership training and development are discussed.
Practitioner Points
  • Developed and tested a model of safety leadership, which shows that both transformational and active transactional leadership styles are important aspects of effective safety leadership.
  • Study has implications for practitioners who are involved with the design of leadership training and development programmes, as such programmes should be tailored to focus on a range of leader behaviours that encompass active transactional as well as transformational style.
  • Findings suggest that leadership styles have a differential effect on safety compliance and safety participation – thus, training and development programmes should make specific links between leader behaviours and their subsequent influence on employee behaviour.
Article
Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on human cooperated behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economical sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economical sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.
Article
The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how they relate specifically to security culture based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end-users perspective.
Article
Auditing has always played an important role in the business environment. With the introduction of information technology and the resulting security challenges that organizations face daily, it has become essential to ensure the security of the organization's information and other valuable assets. However, one aspect that auditing does not cover effectively is that of the behaviour of the employee, which is so crucial to any organization's security. The objective of this paper is to explore the potential problems concerning the attempt to audit the behaviour of the employee. It will be demonstrated that it is extremely difficult to audit human behaviour and so an alternative method to behavioural auditing needs to be found, where policing the employee is not necessary, but instead a softer, more informal approach is used to change the culture to a more information security conscious one.
Article
An organisation's approach to information security should focus on employee behaviour, as the organisation's success or failure effectively depends on the things that its employees do or fail to do. An information security-aware culture will minimise risks to information assets and specifically reduce the risk of employee misbehaviour and harmful interaction with information assets. Organisations require guidance in establishing an information security-aware or implementing an acceptable information security culture. They need to measure and report on the state of information security culture in the organisation. Various approaches exist to address the threats that employee behaviour could pose. However, these approaches do not focus specifically on the interaction between the behaviour of an employee and the culture in an organisation. Organisations therefore have need of a comprehensive framework to cultivate a security-aware culture. The objective of this paper is to propose a framework to cultivate an information security culture within an organisation and to illustrate how to use it. An empirical study is performed to aid in validating the proposed Information Security Culture Framework.
Article
Management normally sets company vision, rules and regulations through policies. These policies should provide guidance to employees and partners as to how they should act and behave to be in line with management's wishes. These policies need to be structured and organized effectively to cater for business and technological dynamics and advances. Having defined a series of company policies does not ensure that all employees will necessarily obey these policies. Ideally these policies must manifest in some company culture to ensure appropriate behaviour. This can only be achieved through a proper education process. This paper addresses exactly the process of integrating policies, education and culture.
Article
Contents: What culture is and does -- The dimensions of culture -- How to study and interpret culture -- The role of leadership in building culture -- The evolution of culture and leadership -- Learning cultures and learning leaders
Article
Despite the widespread use of self-report measures of both job-related stressors and strains, relatively few carefully developed scales for which validity data exist are available. In this article, we discuss 3 job stressor scales (Interpersonal Conflict at Work Scale, Organizational Constraints Scale, and Quantitative Workload Inventory) and 1 job strain scale (Physical Symptoms Inventory). Using meta-analysis, we combined the results of 18 studies to provide estimates of relations between our scales and other variables. Data showed moderate convergent validity for the 3 job stressor scales, suggesting some objectivity to these self-reports. Norms for each scale are provided. The scales can be found at http://shell.cas.usf.edu/~pspector/scalepage.html
Article
This article presents and tests a group-level model of safety climate to supplement the available organization-level model. Climate perceptions in this case are related to supervisory safety practices rather than to company policies and procedures. The study included 53 work groups in a single manufacturing company. Safety climate perceptions, measured with a newly developed scale, revealed both within-group homogeneity and between-groups variation. Predictive validity was measured with a new outcome measure, microaccidents, that refers to behavior-dependent on-the-job minor injuries requiring medical attention. Climate perceptions significantly predicted microaccident records during the 5-month recording period that followed climate measurement, when the effects of group- and individual-level risk factors were controlled. The study establishes an empirical link between safety climate perceptions and objective injury data.
Article
The paper presents three intervention studies designed to modify supervisory monitoring and rewarding of subordinates' safety performance. Line supervisors received weekly feedback concerning the frequency of their safety-oriented interactions with subordinates, and used this to self-monitor progress toward designated improvement goals. Managers higher up in the organizational hierarchy received the same information, coupled with synchronous data concerning the frequency of workers' safety behaviors, and highlighting co-variation of supervisory action and workers' behavior. In all the companies involved, supervisory safety-oriented interaction increased significantly, resulting in significant changes in workers' safety behavior and safety climate scores. Continued improvement during the post-intervention period suggests the inclusion of workers' safety behavior as in-role supervisory responsibility. Applied and theoretical implications are discussed.
Scannell K and Chon G. Cyber security: attack of the health hackers, 2015, https://www.ft.com/content/f3cbda3e-a027-11e5-8613-08e211ea5317
Ponemon Institute, LLC. Cost of data breach study: global analysis, 2014, https://centurybizsolutions.net/wp-content/uploads/2014/12/IBM.pdf
Reichers AE and Schneider B. Climate and culture: an evolution of constructs. In: Schneider B (ed.) Organizational climate and culture. San Francisco, CA: Jossey-Bass, 1990, pp. 5-39.
Baldi M and Gold S. Treat security like safety. Hydrocarb Process 2014; 93: 47-50.
Doyle K. Health data breaches on the rise, 2015, https://www.reuters.com/article/us-health-data-security/health-data-breaches-on-the-rise-idUSKCN1M524J
Ponemon Institute, LLC. Sixth annual benchmark study on privacy & security of healthcare data, 2016, https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf
Kolbasuk McGee M. "Wall of shame" hits new milestone for health data breaches. Data Breach Today, 2017, https://www.databreachtoday.com/wall-shame-hits-new-milestone-for-health-data-breaches-a-10184
Ashkanasy NM, Broadfoot LE and Falkus S. Questionnaire measures of organizational culture. In: Ashkanasy NM, Wilderom CP and Peterson MF (eds) Handbook of organizational culture and climate. Thousand Oaks, CA: SAGE, 2000, pp. 131-145.