Juhee Kwon

Proactive versus reactive security investments in the healthcare sector

This study identifies the effects of security investments that arise from previous failures or external regulatory pressure. Building on organizational learning theory, the study focuses on the healthcare sector where legislation mandates breach disclosure and detailed data on security investments are available. Using a Cox proportional hazard model, we demonstrate that proactive security investments are associated with lower security failure rates. Coupling that result with the economics of breach disclosure, we also show that proactive investments are more cost effective in healthcare security than reactive investments. Our results further indicate that this effect is amplified at the state level, supporting the argument that security investments create positive externalities. We also find that external pressure decreases the effect of proactive investments on security performance. This implies that proactive investments, voluntarily made, have more impact than those involuntarily made. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions.

The Association between Top Management Involvement and Compensation and Information Security Breaches

ABSTRACT:  This paper examines how an information technology (IT) executives position in a top management team and how his/her compensation are associated with the likelihood of information security breaches. Using a sample drawn from multiple sources in the period from 2003 to 2008, we show that an IT executives involvement in the top management team is negatively related to the possibility of information security breaches. We also find that the amount of behavior-based (i.e., salary) compensation and the pay differences of outcome-based (i.e., bonuses, stock awards, and stock options) compensation between IT and non-IT executives are negatively associated with the likelihood of information security breaches. Our findings shed light on how an IT executives status in the top management team and the composition of his/her compensation can be related to a firms IT governance mechanisms.

Health-Care Security Strategies for Data Protection and Regulatory Compliance

This study identifies how security performance and compliance influence each other and how security resources contribute to two security outcomes: data protection and regulatory compliance. Using simultaneous equation models and data from 243 hospitals, we find that the effects of security resources vary for data breaches and perceived compliance and that security operational maturity plays an important role in the outcomes. In operationally mature organizations, breach occurrences hurt compliance, but, surprisingly, compliance does not affect actual security. In operationally immature organizations, breach occurrences do not affect compliance, whereas compliance significantly improves actual security. The results imply that operationally mature organizations are more likely to be motivated by actual security than compliance, whereas operationally immature organizations are more likely to be motivated by compliance than actual security. Our findings provide policy insights on effective security programs in complex health-care environments.

Protecting Patient Data-The Economic Perspective of Healthcare Security

Despite the ambiguities of healthcare security costs and benefits, market mechanisms can nudge healthcare organizations toward effective proactive and voluntary security actions. However, the effectiveness of market mechanisms suffers from the economic forces of the imperfect US healthcare market. Thus, market-driven investments must be supplemented with regulator intervention across all types of healthcare organizations. However, such regulatory intervention should focus on reinforcing the economic impact of information security rather than simply trying to force specific behavior.

Healthcare Security Strategies for Regulatory Compliance and Data Security

Regulatory compliance and data security are important objectives for IT managers. Building on the resource-based view, this study examines the impact of IT security resources, functional capabilities, and managerial capabilities on regulatory compliance and data security. Using binomial and multinomial log it models, we analyze data from 250 healthcare organizations. The results show that IT security resources are positively associated with compliance and data security. Within functional capabilities, prevention capabilities improve both compliance and data security, and complement IT security resources. Functional audit capabilities are also associated with improved compliance but result in increased breaches, likely because such auditing helps organizations find, disclose and fix breach-related problems. Managerial capabilities (i.e., top management support, expertise, and data coordination) influence compliance more than data security. Our findings provide policy insight on effective security programs that harness IT resources, functional capabilities, and managerial capabilities.