Abstract
Security effectiveness based on users’ behaviors is becoming a top priority for Health Information Systems (HIS). In the first step of this study, a review of previous studies identified ‘Self-efficacy in Information Security’ (SEIS) and ‘Security Competency’ (SCMP) as important factors in transforming HIS users into the first line of defense in security. Subsequently, a conceptual model for HIS security effectiveness was proposed that takes these factors into account. This quantitative study then used structural equation modeling to examine the proposed model, based on survey data collected from a sample of 263 HIS users from eight hospitals in Iran. The results show that SEIS is one of the important factors in cultivating good end-user behaviors toward HIS security effectiveness. However, SCMP appears to be a feasible alternative for providing SEIS. This study also confirms the mediation effects of SEIS on the relationship between SCMP and HIS security effectiveness. The results of this research can be used by HIS and IT managers to implement their information security processes more effectively.
Additional information
This article is part of the Topical Collection on Education & Training.
Cite this article
Shahri, A.B., Ismail, Z. & Mohanna, S. The Impact of the Security Competency on “Self-Efficacy in Information Security” for Effective Health Information Security in Iran. J Med Syst 40, 241 (2016). https://doi.org/10.1007/s10916-016-0591-5
DOI: https://doi.org/10.1007/s10916-016-0591-5