IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v31y2020i4p1240-1259.html
   My bibliography  Save this article

The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context

Author

Listed:
  • Sumantra Sarkar

    (School of Management, Binghamton University, State University of New York, Binghamton, New York 13902)

  • Anthony Vance

    (Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122)

  • Balasubramaniam Ramesh

    (Robinson College of Business, Georgia State University, Atlanta, Georgia 30303)

  • Menelaos Demestihas

    (Wellstar Kennestone Hospital, Marietta, Georgia 30060)

  • Daniel Thomas Wu

    (Emergency Medicine, Emory University Hospital, Emory University School of Medicine, Atlanta, Georgia 30303)

Abstract

In recent years, we have witnessed substantial increases in the frequency, scope, and cost of data breaches. Accordingly, information security researchers have sought to understand why employees comply with or violate information security policies (ISPs) designed to prevent security incidents. Research suggests that compliance is not uniform but rather depends on contextual and individual factors, such as national culture. Scholars have long recognized that organizational subculture may be equally influential. A key example is professional subcultures, within which members typically share similar education, training, values, and identity. Research shows that behavior can vary widely across professional subcultures, and thus a single approach to promoting ISP compliance may not be equally effective across these subcultures. However, it is presently unclear how subculture influences ISP compliance. To address this need, we adopt a mixed-methods design to examine differences in ISP violation behavior among different professional subcultures in a healthcare organization. We first conducted an exploratory qualitative study to identify different attitudes toward ISP violations among three prominent professional healthcare groups: physicians, nurses, and support staff. Then, using a combination of qualitative interviews, observational fieldwork, and a quantitative survey, we explored how professional group membership moderates (1) the influence of perceptions of sanctions on intentions to violate the ISP and (2) the effect of intentions to violate on actual ISP violation behaviors. Our findings highlight the substantial effect of professional subculture on ISP violations in organizations and provide insights for researchers and managers that may be used to improve overall ISP compliance.

Suggested Citation

  • Sumantra Sarkar & Anthony Vance & Balasubramaniam Ramesh & Menelaos Demestihas & Daniel Thomas Wu, 2020. "The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context," Information Systems Research, INFORMS, vol. 31(4), pages 1240-1259, December.
    • Handle: RePEc:inm:orisre:v:31:y:2020:i:4:p:1240-1259
    DOI: 10.1287/isre.2020.0941
    as

    Download full text from publisher

    File URL: https://doi.org/10.1287/isre.2020.0941
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2020.0941?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Saonee Sarker & Manju Ahuja & Suprateek Sarker, 2018. "Work–Life Conflict of Globally Distributed Software Development Personnel: An Empirical Investigation Using Border Theory," Information Systems Research, INFORMS, vol. 29(1), pages 103-126, March.
    2. Abernethy, Margaret A. & Vagnoni, Emidia, 2004. "Power, organization design and managerial behaviour," Accounting, Organizations and Society, Elsevier, vol. 29(3-4), pages 207-225.
    3. Geert Hofstede, 1998. "Identifying Organizational Subcultures: An Empirical Approach," Journal of Management Studies, Wiley Blackwell, vol. 35(1), pages 1-12, January.
    4. Stephen R. Barley, 1990. "Images of Imaging: Notes on Doing Longitudinal Field Work," Organization Science, INFORMS, vol. 1(3), pages 220-247, August.
    5. Weber, James, 1992. "Scenarios in Business Ethics Research: Review, Critical Assessment, and Recommendations," Business Ethics Quarterly, Cambridge University Press, vol. 2(2), pages 137-160, April.
    6. John Mingers, 2001. "Combining IS Research Methods: Towards a Pluralist Methodology," Information Systems Research, INFORMS, vol. 12(3), pages 240-259, September.
    7. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    8. Trevino, Linda Klebe, 1992. "Experimental Approaches to Studying Ethical-Unethical Behavior in Organizations," Business Ethics Quarterly, Cambridge University Press, vol. 2(2), pages 121-136, April.
    9. Paul S. Adler & Seok-Woo Kwon & Charles Heckscher, 2008. "Perspective---Professional Work: The Emergence of Collaborative Community," Organization Science, INFORMS, vol. 19(2), pages 359-376, April.
    10. Marie-Claude Boudreau & Daniel Robey, 2005. "Enacting Integrated Information Technology: A Human Agency Perspective," Organization Science, INFORMS, vol. 16(1), pages 3-18, February.
    11. Roopa Raman & Anandhi Bharadwaj, 2012. "Power Differentials and Performative Deviation Paths in Practice Transfer: The Case of Evidence-Based Medicine," Organization Science, INFORMS, vol. 23(6), pages 1593-1621, December.
    12. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    13. Saonee Sarker & Suprateek Sarker, 2009. "Exploring Agility in Distributed Information Systems Development Teams: An Interpretive Study in an Offshoring Context," Information Systems Research, INFORMS, vol. 20(3), pages 440-461, September.
    14. Schouten, John W & McAlexander, James H, 1995. "Subcultures of Consumptions: An Ethnography of the New Bikers," Journal of Consumer Research, Journal of Consumer Research Inc., vol. 22(1), pages 43-61, June.
    15. Chatterjee, Subimal & Gao, Xiang & Sarkar, Sumantra & Uzmanoglu, Cihan, 2019. "Reacting to the scope of a data breach: The differential role of fear and anger," Journal of Business Research, Elsevier, vol. 101(C), pages 183-193.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Zhou, Cheng & Chang, Qian, 2024. "Informational or emotional? Exploring the relative effects of chatbots’ self-recovery strategies on consumer satisfaction," Journal of Retailing and Consumer Services, Elsevier, vol. 78(C).
    2. Yang, Chaofan & Sun, Yongqiang & Shen, Xiao-Liang, 2022. "Beyond anger: A neutralization perspective of customer revenge," Journal of Business Research, Elsevier, vol. 146(C), pages 363-374.
    3. Uddin, Mohammad Rajib & Akter, Shahriar & Lee, Wai Jin Thomas, 2024. "Developing a data breach protection capability framework in retailing," International Journal of Production Economics, Elsevier, vol. 271(C).
    4. Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Yajiong Xue & Huigang Liang & Liansheng Wu, 2011. "Punishment, Justice, and Compliance in Mandatory IT Settings," Information Systems Research, INFORMS, vol. 22(2), pages 400-414, June.
    2. Li, Yuanxiang John & Hoffman, Elizabeth, 2023. "Designing an incentive mechanism for information security policy compliance: An experiment," Journal of Economic Behavior & Organization, Elsevier, vol. 212(C), pages 138-159.
    3. V. S. Prakash Attili & Saji K. Mathew & Vijayan Sugumaran, 2022. "Information Privacy Assimilation in IT Organizations," Information Systems Frontiers, Springer, vol. 24(5), pages 1497-1513, October.
    4. A. J. Burns & Clay Posey & James F. Courtney & Tom L. Roberts & Prabhashi Nanayakkara, 2017. "Organizational information security as a complex adaptive system: insights from three agent-based models," Information Systems Frontiers, Springer, vol. 19(3), pages 509-524, June.
    5. Silva, Leiser & Hsu, Carol & Backhouse, James & McDonnell, Aidan, 2016. "Resistance and power in a security certification scheme: the case of c:cure," LSE Research Online Documents on Economics 68348, London School of Economics and Political Science, LSE Library.
    6. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    7. Jack Shih-Chieh Hsu & Sheng-Pao Shih & Yu Wen Hung & Paul Benjamin Lowry, 2015. "The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness," Information Systems Research, INFORMS, vol. 26(2), pages 282-300, June.
    8. Mengmeng Song & Joseph Ugrin & Man Li & Jinnan Wu & Shanshan Guo & Wenpei Zhang, 2021. "Do Deterrence Mechanisms Reduce Cyberloafing When It Is an Observed Workplace Norm? A Moderated Mediation Model," IJERPH, MDPI, vol. 18(13), pages 1-16, June.
    9. A. J. Burns & Clay Posey & James F. Courtney & Tom L. Roberts & Prabhashi Nanayakkara, 0. "Organizational information security as a complex adaptive system: insights from three agent-based models," Information Systems Frontiers, Springer, vol. 0, pages 1-16.
    10. Verena Wolf & Christian Bartelheimer & Daniel Beverungen, 2020. "Workarounds as Generative Mechanisms for Restructuring and Redesigning Organizations - Insights from a Multiple Case Study," Working Papers Dissertations 68, Paderborn University, Faculty of Business Administration and Economics.
    11. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    12. Eun Hee Park & Jongwoo Kim & Lynn Wiles, 2023. "The role of collectivism and moderating effect of IT proficiency on intention to disclose protected health information," Information Technology and Management, Springer, vol. 24(2), pages 177-193, June.
    13. Huigang Liang & Yajiong Xue & Liansheng Wu, 2013. "Ensuring Employees' IT Compliance: Carrot or Stick?," Information Systems Research, INFORMS, vol. 24(2), pages 279-294, June.
    14. Deanna House, 2012. "Factors that Inhibit Globally Distributed Software Development Teams," International Journal of Business and Social Research, MIR Center for Socio-Economic Research, vol. 2(6), pages 135-153, November.
    15. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    16. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    17. Öbrand, Lars & Holmström, Jonny & Newman, Mike, 2018. "Navigating Rumsfeld's quadrants: A performative perspective on IT risk management," Technology in Society, Elsevier, vol. 53(C), pages 1-8.
    18. Patricia L. Moravec & Antino Kim & Alan R. Dennis, 2020. "Appealing to Sense and Sensibility: System 1 and System 2 Interventions for Fake News on Social Media," Information Systems Research, INFORMS, vol. 31(3), pages 987-1006, September.
    19. Jeffrey D. Wall & Prashant Palvia & John D’Arcy, 2022. "Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios," Information Systems Frontiers, Springer, vol. 24(2), pages 637-658, April.
    20. Eunkyung Kweon & Hansol Lee & Sangmi Chai & Kyeongwon Yoo, 2021. "The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence," Information Systems Frontiers, Springer, vol. 23(2), pages 361-373, April.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:31:y:2020:i:4:p:1240-1259. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.