An Organizational Learning Perspective on Proactive vs. Reactive investment in Information Security

We present an empirical analysis of security investment in the healthcare sector to explore the impact of learning effects on breach performance. Employing organizational learning theory, we seek to identify how different types of security investment affect subsequent security failures. Our analysis is based on data from 2,386 healthcare organizations and benefits from data that have been gathered in a comparable manner across organizations and time. Using a Cox proportional hazard model for survival analysis, we find that proactive security investments are associated with longer intervals before subsequent breaches than reactive investments. Further, we find that external regulatory pressure can stimulate organizational learning and change. However, the interaction between external pressure and proactive investment reduces the positive effects of the investment. This implies that proactive investments, voluntarily made, have the greatest impact on security performance. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions. The implications for proactive and reactive learning with external regulatory pressure can be generalized to other industries.
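The abstract names its method only in passing: a Cox proportional hazards model on the time between a security investment and the next breach, with proactive versus reactive investment as a covariate. The following added example (not code or data from the paper) shows what that analysis looks like on a small constructed sample: a Kaplan-Meier median time-to-next-breach for each investment type, and a one-covariate Cox fit by Newton-Raphson on the partial likelihood. The sixteen observations, the `proactive` indicator and the censoring flags are all constructed; a hazard ratio below 1 for `proactive = 1` corresponds to the paper's finding of longer intervals before a subsequent breach.

```python
"""Time-to-next-breach analysis on constructed data: Kaplan-Meier per group
and a one-covariate Cox proportional hazards fit (Newton-Raphson on the
partial likelihood). All numbers below are constructed for illustration."""
import math
from fractions import Fraction

# Constructed sample (not the paper's data): months from an investment until
# the next reported breach; event = 1 means a breach was observed, 0 means
# right-censored (no further breach before the observation window closed).
# proactive = 1 marks an investment made before any breach, 0 a reactive one.
SAMPLE = [
    # (months, event, proactive)
    (3, 1, 0), (5, 1, 0), (7, 1, 0), (9, 1, 0),
    (12, 1, 0), (14, 1, 0), (18, 0, 0), (20, 1, 0),
    (8, 1, 1), (11, 1, 1), (15, 1, 1), (19, 1, 1),
    (22, 0, 1), (24, 1, 1), (26, 0, 1), (30, 0, 1),
]


def kaplan_meier(records):
    """Return [(t, S(t))], the survival curve stepping down at each event time.
    Exact rationals avoid rounding noise when comparing S(t) with 1/2."""
    event_times = sorted({t for t, e, _ in records if e == 1})
    s = Fraction(1)
    curve = []
    for t in event_times:
        at_risk = sum(1 for r, _, _ in records if r >= t)
        events = sum(1 for r, e, _ in records if r == t and e == 1)
        s *= Fraction(at_risk - events, at_risk)
        curve.append((t, s))
    return curve


def median_survival(records):
    """Smallest event time at which S(t) <= 1/2, or None if never reached."""
    for t, s in kaplan_meier(records):
        if s <= Fraction(1, 2):
            return t
    return None


def partial_score(records, beta):
    """Score (first derivative) and observed information (minus the second
    derivative) of the Cox log partial likelihood at log hazard ratio beta.
    The constructed times are distinct, so no tie correction is needed."""
    score, info = 0.0, 0.0
    for t_i, e_i, x_i in records:
        if e_i != 1:
            continue                       # censored rows shape risk sets only
        risk = [(x, math.exp(beta * x)) for t, _, x in records if t >= t_i]
        s0 = sum(w for _, w in risk)
        s1 = sum(x * w for x, w in risk)
        s2 = sum(x * x * w for x, w in risk)
        mean = s1 / s0
        score += x_i - mean
        info += s2 / s0 - mean ** 2
    return score, info


def cox_fit(records, tol=1e-10, max_iter=50):
    """Newton-Raphson for the log hazard ratio of the proactive indicator."""
    beta = 0.0
    for _ in range(max_iter):
        score, info = partial_score(records, beta)
        step = score / info
        beta += step
        if abs(step) < tol:
            break
    return beta


def summarize(records):
    """Per-group median time to next breach plus the Cox hazard ratio."""
    beta = cox_fit(records)
    return {
        "median_months_reactive": median_survival([r for r in records if r[2] == 0]),
        "median_months_proactive": median_survival([r for r in records if r[2] == 1]),
        "log_hazard_ratio": beta,
        "hazard_ratio": math.exp(beta),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The hazard ratio is the multiplicative change in the instantaneous breach rate for proactive relative to reactive investors; the Kaplan-Meier medians give the same story in months, which is often the easier figure to put in front of management. The paper's actual model would add the regulatory-pressure term and its interaction with proactive investment as further covariates, which extends `partial_score` to a vector of coefficients.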
