Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act–covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.
U.S. Department of Health and Human Services Office for Civil Rights. Breach portal: notice to the secretary of HHS Breach of unsecured protected health information, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
BlumenthalDMcGrawD.Keeping personal health information safe: the importance of good data hygiene. JAMA2015; 313(14): 1424.
12.
HariedPClaybaughCDaiH.Evaluation of health information systems research in information systems research: a meta-analysis. Health Informatics J2019; 25(1):186–202.
13.
SchneiderBEhrhartMMaceyW.Organizational climate and culture. Annu Rev Psychol2013; 64: 361–388.
14.
VictorBCullenJ. A theory and measure of ethical climate in organizations. In: FrederickD (ed.) Research in corporate social performance and policy. Greenwich, CT: JAI Press, 1987, pp. 51–71.
15.
ZoharD.A group-level model of safety climate: testing the effect of group climate on microaccidents in manufacturing jobs. J Appl Psychol2000; 85(4): 587–596.
16.
McKayPAveryDMorrisM.Mean racial-ethnic differences in employee sales performance: the moderating role of diversity climate. Pers Psychol2008; 61: 349–374.
17.
SchneiderBWhiteSPaulMC.Linking service climate and customer perceptions of service quality: test of a causal model. J Appl Psychol1998; 83(2): 150–163.
18.
KuenziMSchminkeM.Assembling fragments into a lens: a review, critique, and proposed research agenda for the organizational work climate literature. J Manage2009; 48: 1075–1089.
19.
ChangSLinC.Exploring organizational culture for information security management. Ind Manage Data Syst2007; 107: 438–458.
20.
D’ArcyJGreeneG.Security culture and the employment relationship as drivers of employees’ security compliance. Inf Manag Comput Secur2014; 22: 474–489.
21.
RuighaverSMaynardSBChangS, et al. Organisational security culture: extending the end-user perspective. Comput Secur2007; 25: 56–62.
22.
Van NiekerkJVon SolmsR. Information security culture: a management perspective. Comput Secur2010; 29: 476–886.
23.
Von SolmsRVon SolmsB. From policies to culture. Comput Secur2004; 23: 275–279.
24.
VroomCVSC. Towards information security behavioural compliance. Comput Secur2004; 23: 191–198.
25.
ChanMWoonIKankanhalliA.Perceptions of information security in the workplace: linking information security climate to compliant behavior. J Inf Privacy Secur2005; 1: 18–41.
26.
GooJYimMKimD.A path to successful management of employee security compliance: an empirical study of information security climate. IEEE T Profess Commun2014; 57: 286–308.
27.
da VeigaAEloffJHP. A framework and assessment instrument for information security culture. Comput Secur2010; 29: 196–207.
28.
da VeigaAMartinsN. Improving the information security culture through monitoring and implementation actions illustrated through a case study. Comput Secur2015; 49: 162–176.
29.
da VeigaAMartinsN. Defining and identifying dominant information security cultures and subcultures. Comput Secur2017; 70: 72–94.
30.
CramWAProudfootJGD’ArcyJ.Organizational information security policies: a review and research framework. Eur J Inf Syst2017; 26: 605–641.
31.
ReichersAESchneiderB. Climate and culture: an evolution of constructs. In: SchneiderB (ed.) Organizational climate and culture. San Francisco, CA: Jossey-Bass, 1990, pp. 5–39.
32.
AshkanasyNMBroadfootLEFalkusS.Questionnaire measures of organizational culture. In: AshkanasyNMWilderomCPPetersonMF (eds) Handbook of organizational culture and climate. Thousand Oaks, CA: SAGE, 2000, pp. 131–145.
33.
ScheinEH.Organizational culture and leadership. 4th ed.San Francisco, CA: Jossey-Bass, 2010, p. 179.
34.
BruursemaK.How individual values and trait boredom interact with job characteristics and job boredom in their effects on counterproductive work behavior. Doctoral Dissertation, University of South Florida, Tampa, FL, 2007.
35.
GaterslebenBMurtaghMAbrahamseW.Values, identity and pro-environmental behavior. Contemp Soc Sci2014; 9: 374–392.
36.
ZoharDHofmannD.Organizational culture and climate. In: KozlowskiS (ed.) The Oxford handbook of organizational psychology. New York: Oxford University Press, 2012, pp. 643–666.
37.
ZoharDLuriaG.A multilevel model of safety climate: cross-level relationships between organization and group-level climates. J Appl Psychol2005; 90(4): 616–628.
38.
ZoharDLuriaG.The use of supervisory practices as leverage to improve safety behavior: a cross-level intervention model. J Safety Res2003; 34(5): 567–577.
39.
HerathTRaoHR.Protection motivation deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst2009; 18: 106–125.
40.
NealAGriffinMA.A study of the lagged relationships among safety climate, safety motivation, safety behavior, and accidents at the individual and group levels. J Appl Psychol2006; 91(4): 946–953.
41.
BeusJDhananiLMcCordMA.A meta-analysis of personality and workplace safety: addressing unanswered questions. J Appl Psychol2015; 100(2): 481–498.
42.
BeusJMPayneSCBergmanME, et al. Safety climate and injuries: an examination of theoretical and empirical relationships. J Appl Psychol2010; 95(4): 713–727.
43.
ChristianMSBradleyJCWallaceJ, et al. Workplace safety: a meta-analysis of the roles of person and situation factors. J Appl Psychol2009; 94(5): 1103–1127.
44.
ClarkeS.Safety leadership: a meta-analytic review of transformational and transactional leadership styles as antecedents of safety behaviours. J Occup Organ Psychol2013; 86: 22–49.
45.
FosterNJ.Culture sets the tone for effective cyber security. RMA J2014; 97: 1–8.
46.
BaldiMGoldS.Treat security like safety. Hydrocarb Process2014; 93: 47–50.
47.
NealAGriffinMA.Safety climate and safety at work. In: BarlingJFroneMR (eds). The psychology of workplace safety. Washington, DC: American Psychological Association, 2004, pp. 15–34.
SpectorPEJexSM.Development of four self-report measures of job stressors and strain: interpersonal conflict at work scale, organizational constraints scale, quantitative workload inventory, and physical symptoms inventory. J Occup Health Psychol1998; 3(4): 356–367.
52.
DeVellisRF.Scale development theory and applications. Thousand Oaks: CA: SAGE, 1991.
53.
LeeJHuangYHCheungJH, et al. A systematic review of the safety climate intervention literature: past trends and future directions. J Occup Health Psychol2019; 24: 66–91.
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
