Evaluating Information Security Effectiveness with Health Professionals
This paper outlines an alternative view on the information security discipline. We argue that information security is, in general, viewed from a technological and means-end oriented perspective. Our approach can be seen as an initial attempt to approach information security in a broader, more holistic, sense. For this purpose, we approach information security from a health professional’s perspective. An instrument, The Information Security Employee’s Evaluation (ISEE), is presented to evaluate and discuss information security with health professionals. The ISEE instrument consists of seven dimensions: priority, responsibility, incident handling, functionality, communication, supervision and training and education. The ISEE instrument can be used to better understand health professional’s perception, needs and problems when dealing with information security in practice. Following the design science approach, the ISEE instrument was validated within a focus group of security experts and pilot tested as workshops across five hospital departments in two medical centers. Although the ISEE instrument has by no means the comprehensiveness of existing security standards, we do argue that the instrument can provide valuable insights for both practitioners and research communities.
KeywordsInformation security Evaluation Human perspective
Unable to display preview. Download preview PDF.
- 6.Gollman, D.: Computer Security, 1st edn. John Wiley & Sons (1999)Google Scholar
- 8.Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Quarterly 28(1), 75–105 (2004)Google Scholar
- 9.International Organization for Standardization. Information technology – security techniques – code of practice for information security management. Technical Report ISO/IEC 27002:2005 (2005)Google Scholar
- 10.Kraemer, S., Carayon, P.: Computer and information security culture: Findings from two studies. In: Human factors and the Ergonomics Environment, pp. 1483–1487. Human Factors and the Ergonomics Society, Orlando (2005)Google Scholar
- 12.OECD: Guidelines for the security of information systems and networks: Towards a culture of security. Technical report, Organization for Economic Cooperation and Development, Paris (2002)Google Scholar
- 13.Parker, D., Hudson, P.T.: HSE: Understanding your culture. Shell International Exploration and Production EP 2001 - 5124 (2001)Google Scholar
- 14.Pope, C., Mays, N., Kitzinger, J. (eds.): Qualitative research in health care, chapter Focus Groups, 3rd edn., pp. 21–31. Blackwell Publishing, Oxford (2006)Google Scholar
- 15.Reason, J.: The identification of latent organizational failures in complex systems. In: Wise, J.A., Hopkin, V.D., Stager, P. (eds.) Verification and Identification of Complex Systems: Human Factor Issues, pp. 223–237. Springer, New York (1993)Google Scholar
- 18.Stamp, M.: Information security: principles and practice, 2nd edn. John Wiley & Sons, Hoboken (2006)Google Scholar
- 19.University of Manchester and National Patient Safety Agency: Manchester Patient Safety Framework MaPSaF, http://www.nrls.npsa.nhs.uk
- 20.Westrum, R.: Cultures with requisite imagination. In: Wise, J.A., Hopkin, V.D., Stager, P. (eds.) Verification and Validation in Complex Man-machine Systems, pp. 401–416. Springer, New York (1993)Google Scholar