Value conflicts for information security management

A business's information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.
