Proactive vs. Reactive Security Investments in the Healthcare Sector

Building on organizational learning theory, we seek to identify the performance effects of security investments that arise from previous failures or external regulatory pressure. This study focuses on the healthcare sector where legislation mandates breach disclosure and detailed data on security investments are available. Using a Cox proportional hazard model, we demonstrate that proactive security investments are associated with lower security failure rates than reactive investments. Further, the results show that external pressure improves the security performance of healthcare organizations. However, external pressure decreases the positive effect of proactive investments on security performance. This implies that proactive investments, voluntarily made, have the greatest impact on security performance. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions. The implications for proactive and reactive learning with external regulatory pressure can likely be generalized to other industries.
