The COVID-19 pandemic impact on Information Security Policy compliance in regional healthcare. : An empirical study

Fält, Melker, Minierski, Bartlomiej

January 2022

Information Security (InfoSec) is a broad term used to describe the study of how to protect sensitive data from unauthorized access, modification, or deletion. InfoSec is commonly used within companies and organisations to facilitate the secure use of digital systems, taking its shape in the form of technical solutions as well as rules and guidelines defined in a so-called Information Security Policy (ISP). Subsequently, ISPs, which aim to mitigate the risks posed by the generally agreed upon weakest link, the human factor, is considered a crucial asset to maintaining security. The outbreak of the COVID-19 pandemic further solidifying its worth as an increase in attacks targeting humans, especially within the healthcare sector, can be seen. Research directed at ISPs is a much debated area which scientists from many different fields of study continuously lend their efforts. However, to the best of the authors' knowledge no recent studies can been seen that examines ISP Compliance (ISPC), with a focus on InfoSec awareness, from a Swedish regional healthcare employees’ perspective. Hence, this study seeks to provide an insight into this area, with the outbreak of the COVID-19 pandemic in mind. The research is based on a web-questionnaire survey created using information gained throughout several interviews with people working in the field of InfoSec. It seeks to examine healthcare employees' InfoSec awareness following the COVID-19 pandemic outbreak with regard  teleworking. It can be seen from the results that healthcare sector employees' were well aware of the InfoSec risks related to the changing work conditions following the outbreak of the COVID-19 pandemic.

Computer Science

Information Security Policy

Information Security Policy compliance

COVID-19 pandemic

Healthcare

Computer Sciences

Datavetenskap (datalogi)

The Impact of Awareness of Being Monitored on Internet Usage Policy Compliance: An Agency and Stewardship View

Summers, Nirmalee

14 August 2015

Internet usage has become a norm in most organizations where organizations have started monitoring employee, Internet usage, e-mail communications, social network usage and etc. With the increased Internet usage, Internet misuse by employees has increased the potential for security vulnerabilities for these organizations. Organizations have established various security countermeasures such as sanctions, incentives, and Internet usage policies in order to prevent Internet misuse and protect the organizational information assets. However, it is important for organizations to understand whether these Internet usage polices are effective in mitigating the threats towards Internet misuse. Therefore, this dissertation investigates the impact of different countermeasures such as sanctions, incentives and awareness of being monitored on Internet usage policy compliance. Furthermore, it investigates the impact of organizational stewardship culture consisting of collectivism and low power distance, on Internet usage policy compliance behavior. A research model was developed to test the influence of penalties (sanction severity, sanction certainty, sanction celerity), incentives, collectivism and power distance on Internet usage policy compliance intention. Furthermore, it investigates the impact of awareness of being monitored which has not received much attention from information security researchers. In order to test the hypothesized relationships in the research model, data was collected utilizing an online survey through an online survey panel provider, Amazon Mechanical Turk. The findings indicate that, sanction certainty, awareness of being monitored, collectivism and power distance have a significant influence on Internet usage policy compliance intention of the sample population. Additionally, when employees are aware that they are being monitored, it increases the effectiveness of sanction severity and celerity. This dissertation makes several contributions to research and practitioners. It contributes to research by investigating the impact of two contrasting theories where agency theory assumes that employees are motivated through extrinsic factors whereas stewardship theory assumes that they are motivated through intrinsic means (organizational stewardship culture). It contributes to practitioners as well by highlighting the importance of controls such as computer monitoring, swift punishments in protecting organizational assets. As the results suggest, apart from the controls, organizational stewardship culture can play an important role in mitigating some of these threats as well.

Information Security Policy Compliance

Internet Usage Policy Compliance

Sanction Celerity

Agency Theory

Stewardship Theory

Deterrence Theory

Sanction Severity

Sanction Certainty

Assessing information security compliant behaviour using the self-determination theory

Gangire, Yotamu

02 1900

Information security research shows that employees are a source of some of the security incidents in the organisation. This often results from failure to comply with the Information Security Policies (ISPs). The question is, therefore, how to improve information security behaviour of employees so that it complies with the ISPs. This study aims to contribute to the understanding of information security behaviour, especially how it can be improved, from an intrinsic motivation perspective. A review of the literature suggested that research in information security behaviour is still predominantly based on the extrinsic perspective, while the intrinsic perspective has not received as much attention. This resulted in the study being carried out from the perspective of the self-determination theory (SDT) since this theory has also not received as much attention in the study of information security behaviour. The study then proposed an information security compliant behaviour conceptual model based on the self-determination theory, (ISCBMSDT). Based on this model, a questionnaire, the ISCBMSDT questionnaire, was developed using the Human Aspects of Information Security Questionnaire and SDT. Using this questionnaire, a survey (n = 263) was carried out at a South African university and responses were received from the academic, administrative and operational staff. The following statistical analysis of the data was carried out: exploratory factor analysis, reliability analysis, analysis of variance (ANOVA), independent samples test (t-tests) and Pearson correlation analysis. The responses to the survey questions suggest that autonomy questions received positive perception followed by competence questions and relatedness questions. The correlation analysis results show the existence of a statistically significant relationship between competence and autonomy factors. Also, a partial significant relationship between autonomy and relatedness factors as well as between competence and relatedness factors was observed. The exploratory factor analysis that was performed on the questionnaire produced 11 factors. Cronbach alpha was then computed for the eleven factors and all were found to be above 0.7, thus suggesting that the questionnaire is valid and reliable. The results of the research study also suggest that competence and autonomy could be more important than relatedness in directing information security behaviour among employees. / School of Computing / M. Tech. (Information Technology)

Information security policies (ISP)

Information security policy compliance

Self-determination theory

Intrinsic motivation

005.80711

Information policy -- South Africa