Information security policies in the UK healthcare sector: a critical evaluation

All organisations must take active steps to maintain the security and integrity of their information resources, and nowhere is this more critical than in hospitals, where information accuracy and patient confidentiality are paramount. Of all the tools at the information security manager's disposal, none is more widely valued and used than the information security policy. Much research therefore concentrates on the way in which information security policies contribute to protecting systems from internal and external threats. Such work is legitimate and important, but it rarely explores alternative views of security and of the policies that govern it. Against this backdrop, this paper seeks to provide novel insights into the role and purpose of information security policies by reviewing them through a critical theoretical lens. It presents the results of a critical discourse analysis that looked for evidence of ideology and hegemony within a sample of information security policies from the UK's National Health Service. The findings support the contention that describing information security policies from a critical perspective yields better insights into existing problems than most mainstream work. The paper concludes by discussing the implications of the findings and avenues for future research.
