Scott R. Boss

If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.

What do systems users have to fear? using fear appeals to engender threats and fear that motivate protective security behaviors

Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been discovering ways to motivate individuals to engage in more secure behaviors. Over time, the protection motivation theory (PMT) has become a leading theoretical foundation used in ISec research to help motivate individuals to change their security-related behaviors to protect themselves and their organizations. Our careful review of the foundation for PMT identified four opportunities for improving ISec PMT research. First, extant ISec studies do not use the full nomology of PMT constructs. Second, only one study uses fear-appeal manipulations, even though these are a core element of PMT. Third, virtually no ISec study models or measures fear. Fourth, whereas these studies have made excellent progress in predicting security intentions, none of them have addressed actual security behaviors. This article describes the theoretical foundation of these four opportunities for improvement. We tested the nomology of PMT, including manipulated fear appeals, in two different ISec contexts that model the modern theoretical treatment of PMT more closely than do extant ISec studies. The first data collection was a longitudinal study in the context of data backups. The second study was a short-term cross-sectional study in the context of anti-malware software. Our new model demonstrated better results and stronger fit than the existing models and confirms the efficacy of the four potential improvements we identified.

Factors associated with IT audits by the internal audit function

Responses from a large sample of 1029 chief audit executives (CAEs) from Australia, Canada, New Zealand, the UK/Ireland, and the US are used to estimate the proportion of time spent by the internal audit functions (IAFs) on information technology (IT) audits. The sample is also used to investigate explanatory and control variables that are associated with the extent of IT audits by the IAFs. The results show that the proportion of the IAF time spent on IT audits was only 7.97% in 2003, 10.61% in 2006, and was projected to be 13.40% in 2009, indicating an approximately 1% increase per year. Multivariate regression indicates that four variables; the certified information system auditor (CISA) certification, IAF age, training, and the number of organizational employees are significantly and positively associated with IT audits by the IAFs. Other common certifications such as CIA, CPA, and CMA are not positively associated with the proportion of IT audits. Also, while CAE experience, education level, and the country of residence did not affect the results, an IS/CS (information system/computer science) was significant and positive in two of the four models tested. Implications for additional research and practice are discussed.

Handoff processes, information quality and patient safety: A trans‐disciplinary literature review

Purpose – Key findings from recent and relevant studies on patient safety and clinical handoffs are summarized and analyzed. After briefly reviewing process management and accounting control theory, the aim of this paper is to discuss how these latter two disciplines can be combined to further improve patient safety in handoffs.Design/methodology/approach – A literature review on studies of patient safety, clinical processes and clinical handoffs was conducted in leading medical, quality, and information systems journals.Findings – This paper issues a call for research using a trans‐disciplinary methodology to shed new light on information quality issues in clinical handoff processes, which in turn should improve patient safety.Research limitations/implications – The literature review employed systematic, heuristic, iterative and practical criteria for identifying and selecting papers, trading off completeness for multi‐disciplinarity. No prior empirical patient safety studies combined process management ...

The Dark Side of Online Knowledge Sharing (Retracted)

ABSTRACT : Given the growing trend of electronic networks of practice and the growing propensity of individuals to rely on the Internet for problem solving, we examine whether programmers in a hypothetical situation would be likely to disclose confidential information through an online forum in attempt to solve a programming problem. We hypothesize and find in a survey of 187 programmers that online forum commitment and trust lead to greater online forum participation, which in turn predicts a higher likelihood of confidential information disclosure. We also find that programmers with greater awareness of security policies exhibit a lower likelihood of deciding to risk disclosing confidential information. The study contributes to extant literature by raising and exploring the potentially negative, dark side of knowledge sharing through electronic networks of practice.

Medication errors, handoff processes and information quality: A community hospital case study

Purpose – The purpose of this paper is to examine how clinical handoffs affect clinical information quality (IQ) and medication administration quality.Design/methodology/approach – A case study was conducted in a US hospital. The authors applied a business process management (BPM) perspective to analyze an end‐to‐end medication administration process and related handoffs, and accounting control theory (ACT) to examine the impact of handoffs on IQ and medication errors.Findings – The study reveals how handoffs can lead to medication errors (by passing information that is not complete, accurate, timely or valid) and can help reduce errors (by preventing, detecting and correcting information quality flaws or prior clinical mistakes).Research limitations/implications – The paper reports on one case study on one hospital unit. Future studies can investigate the impact of clinical IQ on patient safety across the multitude of health information technologies (e.g. computerized provider order entry (CPOE), electro...

Asymmetry in Identification of Multiplicity Errors in Conceptual Models of Business Processes

ABSTRACT Business rules can be represented by multiplicities in a Unified Modeling Language (UML) class diagram. Diagrams containing erroneous multiplicities may be implemented as an inefficient/ineffective database. System validators must be able to validate such diagrams, including multiplicities, to prevent the implementation of design errors. Prior research reveals conflicting evidence regarding the expected accuracy in validating minimum multiplicities, indicating a need for additional research to further our understanding. Ontology research claims that multiplicities that depict optional participation are ambiguous and lead to poorer understanding and accuracy compared to multiplicities that depict mandatory participation. However, other research has reported better accuracy validating multiplicities that depict optional participation compared to mandatory participation. We conducted an experiment to help resolve this apparent contradiction, and to explore whether any asymmetry exists in accuracy fo...

Handoffs and Medication Errors: A Community Hospital Case Study

In hospitals, a handoff occurs when responsibility for care of a patient is transferred to another caregiver, along with information about the patients condition, treatment plans, and orders. Prior studies report that flawed handoffs contribute to adverse events, but few studies have closely analyzed this from an information processing perspective. We report on a case study of medication administration processes and related information quality issues associated with handoffs in one hospital. Applying an interdisciplinary lens (informed by prior work on health care quality, process management, and accounting information systems) this case study reveals evidence that handoffs both contribute to process and data flaws and can help reveal and correct prior errors. Our findings highlight the importance of designing clinical systems and processes that systematically prevent threats to the validity, accuracy, completeness, and timeliness of clinical data and that use handoffs to detect and correct these four types of errors.