Hospital Staff's Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables.
ABSTRACT: Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff's adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff's ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff's perceptions on punishment concerning ISP violation; hospitals can thus propose better internal strategies to improve their staff's ISP compliance intention accordingly.
Project description: Economic theory suggests that the deterrence of deviant behavior is driven by a combination of severity and certainty of punishment. This paper presents the first controlled experiment to study a third important factor that has been mainly overlooked: the swiftness of formal sanctions. We consider two dimensions: the timing at which the uncertainty about whether one will be punished is dissolved and the timing at which the punishment is actually imposed, as well as the combination thereof. By varying these dimensions of delay systematically, we find a surprising non-monotonic relation with deterrence: either no delay (immediate resolution and immediate punishment) or maximum delay (both resolution and punishment as much as possible delayed) emerge as most effective at deterring deviant behavior and recidivism. Our results yield implications for the design of institutional policies aimed at mitigating misconduct and reducing recidivism. Supplementary information: The online version contains supplementary material available at doi:10.1007/s11166-021-09352-x.
Project description: Organizations should measure their information security performance if they wish to take the right decisions and develop it in line with their security needs. Since the measurement of information security is generally underdeveloped in practice and many organizations find the existing recommendations too complex, the paper presents a solution in the form of a 10 by 10 information security performance measurement model. The model, ISP 10×10M, is composed of ten critical success factors, 100 key performance indicators and 6 performance levels. Its content was devised on the basis of findings presented in the current research studies and standards, while its structure results from an empirical research conducted among information security professionals from Slovenia. Results of the study show that a high level of information security performance is mostly dependent on measures aimed at managing information risks, employees and information sources, while formal and environmental factors have a lesser impact. Experts believe that information security should evolve systematically, where it's recommended that beginning steps include technical, logical and physical security controls, while advanced activities should relate predominantly to strategic management activities. By applying the proposed model, organizations are able to determine the actual level of information security performance based on the weighted indexing technique. In this manner they identify the measures they ought to develop in order to improve the current situation. The ISP 10×10M is a useful tool for conducting internal system evaluations and decision-making. It may also be applied to a larger sample of organizations in order to determine the general state-of-play for research purposes.
Project description: Deterrence by punishment aims to prevent a crime; however, it is not always successful. Restrictive deterrence explains the continuous criminal activities that occur despite deterrence; offenders enact various strategies to avoid detection, which is more typical among drug offenders given that they have a high frequency of offending and exposure to punishment. This systematic review provides an in-depth understanding of restrictive deterrence of drug offenders. Two prominent themes, “restrictive deterrence strategy” and “deterrability and restrictive deterrence,” depict drug offenders' restrictive deterrence and effectively fit within the certainty–severity framework of punishment. Future studies should investigate restrictive deterrence strategies in the after-arrest context, the facilitative effect of perception of risk on strategy development, and facilitators or inhibitors affecting the diffusion of restrictive deterrence strategies.
Project description: Objective: To evaluate the effectiveness of internal auditing in hospital care focussed on improving patient safety. Design, setting and participants: A before-and-after mixed-method evaluation study was carried out in eight departments of a university medical center in the Netherlands. Intervention(s): Internal auditing and feedback focussed on improving patient safety. Main outcome measure(s): The effect of internal auditing was assessed 15 months after the audit, using linear mixed models, on the patient, professional, team and departmental levels. The measurement methods were patient record review on adverse events (AEs), surveys regarding patient experiences, safety culture and team climate, analysis of administrative hospital data (standardized mortality rate, SMR) and safety walk rounds (SWRs) to observe frontline care processes on safety. Results: The AE rate decreased from 36.1% to 31.3% and the preventable AE rate from 5.5% to 3.6%; however, the differences before and after auditing were not statistically significant. The patient-reported experience measures regarding patient safety improved slightly over time (P < 0.001). The SMR, patient safety culture and team climate remained unchanged after the internal audit. The SWRs showed that medication safety and information security were improved (P < 0.05). Conclusions: Internal auditing was associated with improved patient experiences and observed safety on wards. No effects were found on adverse outcomes, safety culture and team climate 15 months after the internal audit.
Project description: In a previous publication the authors developed a privacy and security checklist to evaluate Voice over Internet Protocol (VoIP) videoconferencing software used between patients and therapists to provide telerehabilitation (TR) therapy. In this paper, the privacy and security checklist that was previously developed is used to perform a risk analysis of the top ten VoIP videoconferencing software to determine if their policies provide answers to the privacy and security checklist. Sixty percent of the companies claimed they do not listen into video-therapy calls unless maintenance is needed. Only 50% of the companies assessed use some form of encryption, and some did not specify what type of encryption was used. Seventy percent of the companies assessed did not specify any form of auditing on their servers. Statistically significant differences across company websites were found for sharing information outside of the country (p=0.010), encryption (p=0.006), and security evaluation (p=0.005). Healthcare providers considering use of VoIP software for TR services may consider using this privacy and security checklist before deciding to incorporate a VoIP software system for TR. Other videoconferencing software that is specific for TR with strong encryption, good access controls, and hardware that meets privacy and security standards should be considered for use with TR.
Project description: The severity of pneumonia in respiratory syncytial virus (RSV) infection is strongly related to host immune response and external factors such as bacteria and environmental chemicals. We investigated the effect of inactivated Streptococcus pneumoniae (ISP) as non-pathogenic particles on the severity of pneumonia in RSV-infected mice. Mice were intranasally exposed to ISP before RSV infection. On day 5 post-infection, we examined tissues, virus titer, and infiltrated cells in the lungs. The ISP did not cause significant histopathological effects in the lungs of RSV infected mice, but reduced virus titer. It also reduced the ratio of lymphocyte infiltration into the lungs and consequently the ratio of macrophage increased. In addition, we found that ISP increased RANTES level in bronchoalveolar lavage fluid from RSV-infected mice on day 1 post-infection, but reduced type I interferon levels. Thus, ISP did not exacerbate pneumonia in RSV infection, rather, it might mildly reduce the severity. We characterize and discuss the inherent activity of ISP as non-pathogenic particles inducing the role of RANTES on the pneumonia in RSV infection.
Project description: Background: As the COVID-19 crisis endures and the virus continues to spread globally, the need for collecting epidemiological data and patient information also grows exponentially. The race against the clock to find a cure and a vaccine to the disease means researchers require storage of increasingly large and diverse types of information; for doctors following patients, recording symptoms and reactions to treatments, the need for storage flexibility is only surpassed by the necessity of storage security. The volume, variety, and variability of COVID-19 patient data requires storage in NoSQL database management systems (DBMSs). But with a multitude of existing NoSQL DBMSs, there is no straightforward way for institutions to select the most appropriate. And more importantly, they suffer from security flaws that would render them inappropriate for the storage of confidential patient data. Motivation: This paper develops an innovative solution to remedy the aforementioned shortcomings. COVID-19 patients, as well as medical professionals, could be subjected to privacy-related risks, from abuse of their data to community bullying regarding their medical condition. Thus, in addition to being appropriately stored and analyzed, their data must imperatively be highly protected against misuse. Methods: This paper begins by explaining the five most popular categories of NoSQL databases. It also introduces the most popular NoSQL DBMS types related to each one of them. Moreover, this paper presents a comparative study of the different types of NoSQL DBMS, according to their strengths and weaknesses. This paper then introduces an algorithm that would assist hospitals, and medical and scientific authorities to choose the most appropriate type for storing patients' information. This paper subsequently presents a set of functions, based on web services, offering a set of endpoints that include authentication, authorization, auditing, and encryption of information. These functions are powerful and effective, making them appropriate to store all the sensitive data related to patients. Results and contributions: This paper presents an algorithm to select the most convenient NoSQL DBMS for COVID-19 patients, medical staff, and organizations data. In addition, the paper proposes innovative security solutions that eliminate the barriers to utilizing NoSQL DBMSs to store patients' data. The proposed solutions resolve several security problems including authentication, authorization, auditing, and encryption. After implementing these security solutions, the use of NoSQL DBMSs will become a much more appropriate, safer, and affordable solution to storing and analyzing patients' data, which would contribute greatly to the medical and research effort against COVID-19. This solution can be implemented for all types of NoSQL DBMSs; implementing it would result in highly securing patients' data, and protecting them from any downsides related to data leakage.
Project description: Excessive checking is reported in non-clinical populations and is a pervasive symptom in obsessive compulsive disorder (OCD). We implemented a free-operant task in humans, previously used in rats, wherein participants can "check" to reduce uncertainty. Participants can press an observing key to ascertain which of two main keys will, if pressed, currently lead to rewards. Over a series of experiments, we found that punishment robustly increased observing in non-clinical participants and that observing persisted long after punishment was removed. Moreover, participants appeared insensitive to the initial costs of checking, and a threefold increase in the effort required to observe served to deter participants only to a limited degree. We also assessed observing in OCD patients with no known comorbidities. The patients observed more than control participants and were abnormally insensitive to the introduction of punishment. These findings support the translational value of the task, with similar behaviours in humans and rodents. This paradigm may serve as a unifying platform, promoting interaction between different approaches to analyse adaptive and maladaptive certainty seeking behaviours. Specifically, we demonstrate how seemingly disparate theoretical and empirical approaches can be reconciled synergistically to promote a combined behavioural and cognitive account of certainty seeking.
Project description: Background: Participation in on-the-land programs that encourage traditional cultural activities may improve health and well-being. The Income Security Program (ISP) - a financial incentive-based on-the-land program - for Eeyouch (Cree) hunters and trappers in Eeyou Istchee was created as a result of the 1975 James Bay and Northern Quebec Agreement to help mitigate the effects of hydroelectric development on the Cree people of northern Quebec, Canada. Beyond the ISP's financial incentives, little is known about the health measures of those who are eligible to participate in the ISP (i.e. spent ≥120 days on-the-land during the previous year). Therefore, this paper's objective was to assess the health measures of northern Quebec Cree, who were eligible for participation in the ISP. Methods: Using participant data (n = 545) compiled from the Nituuchischaayihtitaau Aschii Multi-Community Environment-and-Health Study, we assessed 13 different health measures in generalized linear models with the independent variable being the eligibility to participate in the ISP. Results: Participants in the present study who were eligible for the ISP had significantly higher levels of vigorous and moderate activity per week, and higher concentrations of omega-3 polyunsaturated fatty acids in the blood compared to those ineligible for the ISP (i.e. spent ≤119 days on-the-land during the previous year). Encouragingly, following model adjustment for age and sex, participants eligible for the ISP did not have higher blood concentrations of mercury than those who were not eligible for the ISP. Conclusions: Our results suggest that the participants eligible for participation in the ISP are likely to be healthier than those who are ineligible to participate - and are promising for on-the-land programs for Indigenous peoples beyond a financial incentive - with no apparent higher risk of increasing contaminant body burden through traditional on-the-land-activities (e.g. fish consumption).
Project description: Depression is highly prevalent in people with HIV and has consistently been associated with poor antiretroviral therapy (ART) adherence. Integrating cognitive behavioural therapy (CBT) for depression with adherence counselling using the Life-Steps approach (CBT-AD) has an emerging evidence base. The aim of this study was to test the efficacy of CBT-AD. In this three-arm randomised controlled trial in HIV-positive adults with depression, we compared CBT-AD with information and supportive psychotherapy plus adherence counselling using the Life-Steps approach (ISP-AD), and with enhanced treatment as usual (ETAU) including Life-Steps adherence counselling only. Participants were recruited from three sites in New England, USA (two hospital settings and one community health centre). Patients were randomly assigned (2:2:1) to receive CBT-AD (one Life-Steps session plus 11 weekly integrated sessions lasting up to 1 h each), ISP-AD (one Life-Steps session plus 11 weekly integrated sessions lasting up to 1 h each), or ETAU (one Life-Steps session and five assessment visits roughly every 2 weeks). Randomisation was done with allocation software, in pairs, and stratified by three variables: study site, whether or not participants had been prescribed antidepressant medication, and whether or not participants had a history of injection drug use. The primary outcome was ART adherence at the end of treatment (4 month assessment) assessed via electronic pill caps (Medication Event Monitoring System [MEMS]) with correction for pocketed doses, analysed by intention to treat. Patients were recruited from Feb 26, 2009, to June 21, 2012. Patients who were assigned to CBT-AD (94 randomly assigned, 83 completed assessment) had greater improvements in adherence (estimated difference 1·00 percentage point per visit, 95% CI 0·34 to 1·66, p=0·003) and depression (Center for Epidemiological Studies depression [CESD] score estimated difference -0·41, -0·66 to -0·16, p=0·001; Montgomery-Asberg depression rating scale [MADRS] score -4·69, -8·09 to -1·28, p=0·007; clinical global impression [CGI] score -0·66, -1·11 to -0·21, p=0·005) than did patients who had ETAU (49 assigned, 46 completed assessment) after treatment (4 months). No significant differences in adherence were noted between CBT-AD and ISP-AD (97 assigned, 87 completed assessment). No study-related adverse events were reported. Integrating evidenced-based treatment for depression with evidenced-based adherence counselling is helpful for individuals living with HIV/AIDS and depression. Future efforts should examine how to best disseminate effective psychosocial depression treatments such as CBT-AD to people living with HIV/AIDS and examine the cost-effectiveness of such approaches. National Institute of Mental Health, National Institute of Allergy and Infectious Diseases.