Some employees more likely to adhere to information security policies than others

October 06, 2020

Information security policies (ISP) that are not grounded in the realities of an employee's work responsibilities and priorities expose organizations to a higher risk of data breaches, according to new research from Binghamton University, State University of New York.

The study found that subcultures within an organization influence whether employees violate ISP. Based on that finding, the researchers recommend overhauling the design and implementation of ISP and working with employees to find ways to fit ISP compliance seamlessly into their day-to-day tasks.

"The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors," said Sumantra Sarkar, associate professor of management information systems in Binghamton University's School of Management. "We wanted to understand why certain employees were more likely to comply with ISP than others in an organization."

Sarkar, with a research team consisting of Anthony Vance of Temple University, Balasubramaniam Ramesh of Georgia State University, Menelaos Demestihas of Wellstar Kennestone Hospital and Daniel Thomas Wu of Emory University School of Medicine, sought to determine how subcultures influence compliance, specifically within healthcare organizations.

"Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization," said Sarkar. "Each of these groups are trained in a different way and are responsible for different tasks."

Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting - physicians, nurses and support staff.

The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.

Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.

"Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach," said Sarkar. "On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur."

Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.

Their recommendation - consult with each subculture while developing ISP.

"Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks," said Sarkar. "It is critical that we find ways to redesign ISP systems and processes in order to create less friction."

In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could unlock or lock a workstation as an employee approaches or leaves it.

Researchers also found that most employees understand the value of ISP compliance, and realize the potential cost of a data breach. However, Sarkar believes that outdated ISP compliance measures have the potential to put employees in a conflict of priorities.

"There shouldn't be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care," he said. "We need to find ways to accommodate the responsibilities of different employees within an organization."
The study, "The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context," was published in Information Systems Research.

Binghamton University
