Constructing Conceptual Model for Security Culture in Health Information Systems Security Effectiveness

  • Ahmad Bakhtiyari Shahri
  • Zuraini Ismail
  • Nor Zairah Ab. Rahim
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 206)


The security of information systems (IS) depends on many factors; however, numerous technical advances alone cannot always create a safe and secure environment. Security incidents related to patients' data in healthcare organizations continue to increase due to human behavior, which causes serious concern. This study explores security culture in Health Information Systems (HIS). The scope of this paper is confined to a literature review of existing models of security culture. A conceptual model was constructed to identify the antecedents that could influence security culture in HIS security effectiveness. We found that education and training, and communication, may contribute towards a more effective implementation of security culture for HIS users. This in-progress work will then proceed to the next phase of evaluating the proposed model.


Keywords: Security culture, Security communication, Security education and training, Health information system, Security effectiveness





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Ahmad Bakhtiyari Shahri (1)
  • Zuraini Ismail (2)
  • Nor Zairah Ab. Rahim (2)
  1. Faculty of Computer Science and Information Systems, Universiti Teknologi Malaysia, Johor Bahru, Malaysia
  2. Advanced Informatics School (AIS), Universiti Teknologi Malaysia, Kuala Lumpur, Malaysia
