Norshima, Humaidi (2016) An investigation of health information system security policies compliance behaviour / Norshima Humaidi. PhD thesis, University of Malaya.
Abstract
Health Information System (HIS) has a higher degree of vulnerability towards threats of information security such as unauthorized access, use, disclosure, disruption, modification or destruction and duplication of passwords. Human error is a major security threat to information system’s security and this is usually constituted by carelessness, ignorance and failure to comply with organization information security policies (ISPs). Using health professionals’ data from a quantitative survey, Partial Least Squares-Structural Equation Modelling (PLS-SEM) analysis was used to determine the factors that affect users’ compliance behaviour towards HIS security policies and HIS prototype was developed based on the significant factors. In addition, insights gained from interviews with a small sub-sample of health professionals, who were interviewed during prototype testing, were used to further examine compliance behaviour among health professionals. This study introduced a new human behaviour model, namely, Health Information System Security Policies Compliance (HISSPC) model by positing the mediation effect of factors in Health Belief Model (HBM) (Perceived Severity, Perceived Susceptibility and Perceived Benefit) and Self-Efficacy, while HIS experience as a moderating variable in the context of security management, which is largely unknown among scholars to investigate the relationship between management support and HIS security policies compliance behaviour among Malaysian health professionals. Theory of planned behavior (TPB) is adapted to measure user’s perception towards management support. Additionally, trust factor is also added in the HISSPC model to increase the understanding of human behavior in complying with HIS security policies. Exploratory factor analysis (EFA) revealed seven-factors: Management Support, Perceived Severity, Perceived Susceptibility, Perceived Benefit, Perceived Barrier, Self- iv Efficacy and Trust. Confirmatory factor analysis (CFA) testing shows that all the measurement items of each constructs were adequate in their validity individually based on their factor loading value. Moreover, each constructs are valid based on their parameter estimates and statistical significance. The quantitative research findings show that Management Support strongly influences Self-Efficacy compared to other information security awareness factors. Meanwhile, Trust was the most significant factor influencing HIS security policies compliance behaviour while Perceived Susceptibility did not appear significant. Perceived Severity, Perceived Benefit and Self-Efficacy were found to mediate the effect of Management Support on HIS security policies compliance behaviour. PLS-SEM has shown that Management Support is significant for low experience users while Perceived Susceptibility strongly influences high experience users to comply with HIS security policies. The qualitative research findings thru prototype testing found that all the factors in HISSPC model contributes to user’s compliance behaviour towards ISPs. In addition, most of the respondents are satisfied with the proposed system. This study utilizes the multidimensional approach of human-technical interactions to evaluate the relationship between the integrated social-technical values and actions of compliance towards HIS security policies among selected Malaysian health professionals. The study believes that the research findings can contribute to human behaviour in IS studies and are particularly beneficial to policy makers in improving organizations’ strategic plans in information security, especially in healthcare sectors. Most organizations spend time and resources to provide and establish strategic plans of information security; however, if employees are not willing to comply and practice information security behaviour appropriately, then these efforts are in vain.
Actions (For repository staff only : Login required)