
THE IMPACT OF REWARD, PENALTY, SECURITY TRAINING PROGRAMS,

SOCIAL PRESSURES, AND JOB SATISFACTION ON SECURITY BEHAVIORS

AMONG HEALTHCARE WORKERS: A CORRELATIONAL STUDY

by

Charles A. Ogunnoiki

SHARDUL PANDYA, PhD, Faculty Mentor and Chair


SHARON GAGNON, PhD, Committee Member

SHAWON RAHMAN, PhD, Committee Member



Todd C. Wilson, PhD, Dean,



School of Business and Technology



A Dissertation Presented in Partial Fulfillment

Of the Requirements for the Degree

Doctor of Philosophy

Capella University

July 2019




ProQuest Number: 22617155




Published by ProQuest LLC (2019). Copyright of the Dissertation is held by the Author.


© Charles A. Ogunnoiki, 2019

Abstract

Securing an organization’s data is challenged by end-user complacency towards organizational information system security. Organizations establish information systems security policies and procedures that end-users are expected to adhere to in keeping data secure. Additionally, organizations institute motivating measures intended to encourage end-users’ compliance with those policies. However, end-users fail to comply with information systems security policies and procedures, thereby causing security breaches in organizations. Likewise, motivating end-user compliance through various methods has become an accepted organizational practice. The healthcare industry, the basis for this study, is unique in terms of its stringent information security and regulatory compliance requirements. This quantitative correlational study examines the relationship between end-user compliance with established information systems security policies and procedures and the motivational factors established by health care organizations to assure such compliance. Residents of the United States working in the healthcare field whose job functions require access to sensitive information as well as the use of information technology knowledge for their day-to-day professional activities were studied. The data sample was randomly collected through SurveyMonkey from a population of healthcare employees in the United States based on specific inclusion and exclusion criteria. A Pearson r correlation coefficient was applied in the study to examine the relationship, if any, between the motivational factors of reward, penalty, security training programs (SETA), social pressures, and job satisfaction (IV) and end-user information security behavior (DV) of healthcare employees in the United States. The results indicated no correlation between any of the predictor variables and the outcome variable. In other words, healthcare employees’ information security behavior in the United States is not dependent on reward for compliance, penalty for noncompliance, security education, training, and awareness (SETA) programs, social pressures from colleagues, or job satisfaction. The findings from this study are in contrast with previous findings in this domain on the factors responsible for end-user security behavior. Implications of the findings, practitioner insight resulting from the findings, and recommendations for further research based on these findings are discussed.

Dedication

This dissertation is dedicated to my loving and supportive parents, Edward Oladipupo (Deceased) and Felicia, my sweet wife Oluwakemi, and my ever-understanding children Abayomi, Toluwalase, and Enoch. Dad, even though you are gone, the values you instilled in me forever live. You taught me the importance of education, and I can still vividly remember what you told me when I was leaving the shores of Nigeria, “remember the son of whom you are.” Up till today, that echoes in my ears, and I will forever hold on to it. Mom, a jewel of inestimable value, thanks for your ceaseless prayers, love, and care. Truly, you are a mother, and I am proud to be called your son. Through both of you, this day “I STAND TALL.”

To my wife Oluwakemi, you are genuinely a prayer warrior, and I cannot thank you enough for all your support through thick and thin. You gave me the courage not to give up when I was almost at that point, thank you … we did it. Abayomi, Toluwalase, and Enoch, I thank you all for your understanding and relentless patience. This journey would not have been possible without you all.

I also dedicate this dissertation to my siblings Tope, Yinka, Lekan, and Seun. I will forever be grateful and appreciative of their encouragement and support throughout my existence. I thank you all.


Acknowledgments

I sincerely express my gratitude to my dissertation committee mentor and chair, Dr. Shardul Pandya, whose attention and dedication to my progress and success helped to make the final quarter of this journey seamless. Dr. Shardul, you came at a time when I was frustrated and ready to throw in the towel, and you picked me up. You gave me hope and faith that the end of the journey was nearer than I anticipated. Those words gave me the needed strength to continue and complete the journey. Thank you. I also extend my profound gratitude to my committee members, Dr. Sharon Gagnon and Dr. Shawon Rahman, for their guidance through the research process.

I will always appreciate the unwavering support of Dr. Jonathan Gehrz, who provided significant assistance towards the end of this program. I sincerely appreciate all your help.

Once again, thank you all.


Table of Contents

Acknowledgments
List of Tables
List of Figures
CHAPTER 1. INTRODUCTION
Background of the Problem
Statement of the Problem
Purpose of the Study
Significance of the Study
Research Questions
Definition of Terms
Research Design
Assumptions and Limitations
Assumptions
Limitations
Organization of the Remainder of the Study
CHAPTER 2. LITERATURE REVIEW
Introduction
Methods of Searching
Theoretical Orientation for the Study
Review of the Literature
General Deterrence Theory (GDT)
Prevailing State of Information Security Threats in Organizations
Information Computer Security-related Behaviors in the Healthcare Industry
Classification of End-Users Security Behaviors in the Health Care Industry
Motivations for Security Behavior
Security Education, Training, and Awareness (SETA) Program
Job Satisfaction
Penalty (Punishment)
Social Pressures
Reward
Summary
CHAPTER 3. METHODOLOGY
Research Questions and Hypotheses
Research Design and Methodology
Target Population and Sample
Population
Sample
Power Analysis
Procedures
Participant Selection
Protection of Participants
Data Collection
Data Analysis
Pilot Study
Instruments
Validity and Reliability of the Instrument
Ethical Considerations
Summary
CHAPTER 4. RESULTS
Background
Data Collection and Analysis
Pilot Study Analysis
Description of the Sample
Hypothesis Testing
Summary
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS
Summary of the Results
Discussion of the Results
Conclusions Based on the Results
Limitations
Implications for Practice
Recommendations for Further Research
Conclusion
REFERENCES
APPENDIX A. RESEARCH INSTRUMENT
Demographics Questions
APPENDIX B. RESEARCH INSTRUMENT
Security Questions


List of Tables

Table 1. Types and Measure of Variables
Table 2. Source of Instrument
Table 3. Demographic Characteristics of the Pilot Study Respondents
Table 4. Correlation Matrix for Pilot Study Results
Table 5. Reliability Statistics for Overall Construct
Table 6. Reliability Statistics for Each Construct
Table 7. Demographic Characteristics of the Study Participants
Table 8. Geographical Distribution of the Study Participants
Table 9. Distribution of Reward Responses
Table 10. Distribution of Severity of Penalty Responses
Table 11. Distribution of Certainty of Detection Responses
Table 12. Distribution of Security Education, Training and Awareness Program Responses
Table 13. Distribution of Normative Belief Responses
Table 14. Distribution of Peer Behavior Responses
Table 15. Distribution of Job Satisfaction Responses
Table 16. Distribution of End-User Security Behavior Responses
Table 17. Bivariate Correlation of Reward and End-User Security Behaviors
Table 18. Bivariate Correlation of PunSev and End-User Security Behaviors
Table 19. Bivariate Correlation of DetCert and End-User Security Behaviors
Table 20. Bivariate Correlation of SETA and End-User Security Behaviors
Table 21. Bivariate Correlation of NormBel and End-User Security Behaviors
Table 22. Bivariate Correlation of PeerBeh and End-User Security Behaviors
Table 23. Bivariate Correlation of JobS and End-User Security Behaviors
Table 24. Summary of Hypothesis Testing

List of Figures

Figure 1. Conceptual Framework of the Study
Figure 2. Two-Factor Taxonomy of End-User Security Behaviors
Figure 3. Scatterplot Diagram of Reward and End-User Security Behaviors
Figure 4. Scatterplot Diagram of PunSev and End-User Security Behaviors
Figure 5. Scatterplot Diagram of DetCert and End-User Security Behaviors
Figure 6. Scatterplot Diagram of SETA and End-User Security Behaviors
Figure 7. Scatterplot Diagram of NormBel and End-User Security Behaviors
Figure 8. Scatterplot Diagram of PeerBeh and End-User Security Behaviors
Figure 9. Scatterplot Diagram of JobS and End-User Security Behaviors
Figure 10. Revised Conceptual Model

CHAPTER 1. INTRODUCTION

Information systems (IS), including computer and Internet-based information systems, play a critical and increasingly significant role in business operations by creating competitive advantage, providing capabilities to improve business efficiency, and being useful in the rapidly changing marketplace. Organizations are operating locally and globally through an organized combination of computer-based information resources that includes end-users, hardware, software, communications networks, data resources, and policies and procedures. Employees and business partners expend great resources on IT (Öğütçü, Testik, & Chouseinoglou, 2016; Tarafdar, D’Arcy, Turel, & Gupta, 2015) to store, retrieve, transform, and disseminate information quickly and flawlessly through this information resource (Rodriguez, Busco, & Flores, 2015; Gwynne, 2017).


However, organizational reliance on information systems (IS) has led to an increase in breaches and compromising of confidential organizational information. Traditionally, organizations rely on logical controls. Firewalls for perimeter defense, intrusion detection systems (IDS), and comprehensive monitoring systems to protect organizational information assets from security threats are examples of such controls (Bulgurcu, Cavusoglu, & Benbasat, 2010; Posey, Roberts, & Lowry, 2015). Although the controls can improve information security, there has been an increase in information security breaches due to end-user non-compliance with security measures (Cavusoglu, Cavusoglu, Son, & Benbasat, 2015; Öğütçü et al., 2016). In other words, the controls are not sufficient in providing adequate protection for organizational IS assets. For this reason, there has been a shift in paradigm in the approach towards protecting organizational information assets (Vance, Siponen, & Pahnila, 2012; Posey, Roberts, & Lowry, 2015; Safa et al., 2015; Öğütçü et al., 2016).

According to Ifinedo (2014), organizational end-users are at the forefront of information security. A practical approach to safeguarding organizational information assets requires organizations to pay attention to their end-users’ information security behaviors. Due to the increased understanding of the critical role of end-users in IS security, there is a significant increase in investment in the development of information security policies and procedures. These policies and procedures assist in shaping end-users’ security behavior towards making a deliberate decision to adhere to organizational security measures. However, cases of security breaches due to internal threats continue to rise even with the development of information security policies, since end-users often do not readily adhere to organizational information security policies and procedures (Siponen, Mahmood, & Pahnila, 2014; Moody, Siponen, & Pahnila, 2018).

The effectiveness of IS security in organizations is dependent on how much end-users comply with organizational information security policies (Greene & D’Arcy, 2010; Ifinedo, 2014; Siponen et al., 2014; Safa, Von Solms, & Furnell, 2016). Öğütçü et al. (2016) also expressed that end-users’ noncompliant information security behavior leads to an information asset vulnerability that could be exploited to cause potential security breaches in an organization. Information security breaches lead to potential financial losses for organizations, in addition to significantly affecting the organization’s reputation (Safa & Ismail, 2013). Therefore, it is critical to understand the factors that motivate end-users to develop conscious security behaviors leading to policy and procedure compliance. In this research, an integrative model based on reward, penalty, security training programs, social pressures, and job satisfaction was developed to predict end-user security behavior within organizations.

Background of the Problem

The growth in information technology and its adoption by organizations for business improvement initiatives are posing security challenges (Ifinedo, 2012). Annually, between two and three percent of financial losses in organizations is due to security breaches (Veiga & Eloff, 2010). Thus, organizations allocate a significant amount in their budget for hardware and software security infrastructure. Öğütçü et al. (2016) noted that IT infrastructures (firewalls, intrusion detection systems, intrusion prevention systems, routers, software, etc.) are one of the practical means of combating security threats in an organization. “Despite the significant investment” (Öğütçü et al., 2016, p. 84) in security infrastructure, however, security breaches continue to pose significant problems (Ifinedo, 2014; Ngoqo & Flowerday, 2015).

While technologies are essential for securing and maintaining an organization’s information assets, technologies alone are not enough. It is necessary to focus on the end-users’ role as well. End-users, either intentionally or unintentionally, are responsible for many of the reported security incidents and breaches (Safa, Von Solms, & Furnell, 2016; Soltanmohammadi, Asadi, & Ithnin, 2013).

Organizations employ mechanisms to address end-user behavior, such as focusing on molding or influencing security behaviors. These mechanisms involve the design and development of information security policies and procedures that serve as guidelines highlighting the roles and responsibilities of end-users towards the use of a company information system resource (Ifinedo, 2014; Moody et al., 2018).

However, the outcomes of implementing various security policies and procedures can be counterproductive; as has been reported, cases of end-user non-compliance with information security policies continue to rise, leading to security breaches in organizations (Siponen et al., 2014; Ngoqo & Flowerday, 2015; Yoon, Hwang, & Kim, 2012; Lebek, Uffen, Breitner, Neumann, & Hohler, 2014). To encourage end-user information security compliance, organizations introduce various security awareness programs targeted explicitly at motivating and enhancing security awareness behavior among end-users (Chen, Ramamurthy, & Wen, 2015; Kim & Homan, 2012). Although these awareness programs sound promising, some research studies reveal a contrary result due to their lack of proper implementation strategy (Haeussinger & Kranz, 2013).

Hence, this research study is significant, as it investigates and identifies factors that influence end-user security behaviors, which may facilitate the development of strategies for promoting appropriate security behavior. The research problem focuses on identifying ways to motivate end-users’ compliance behavior by examining the significance of reward, penalty, security training programs (SETA), social pressures, and job satisfaction on end-users’ information security behavior. To limit the scope of the study, the research will focus on the United States healthcare industry. The rationales for narrowing the study to this industry are established within the body of this thesis.

Statement of the Problem

The previous research literature on end-user information security behavior establishes the importance of information security policies (ISP) in protecting company systems (Chen, Ramamurthy, & Wen, 2015; Ifinedo, 2012; Sommestad, Hallberg, Lundholm, & Bengtsson, 2014). In addition, we are aware that achieving the benefit of ISP depends solely on end-users’ adherence to these rules (Padayachee, 2012; Siponen et al., 2014). However, we do not know how to motivate end-users to adopt security-conscious behavior by adhering to ISP (Padayachee, 2012). Therefore, the problem statement will focus on identifying the factors that motivate the end-users to adopt security-conscious behavior.

Previous research on end-user information security behavior has established that information security policy (ISP) is required to protect an organization’s information system and other proprietary data (Chen, Ramamurthy, & Wen, 2015; Ifinedo, 2012; Sommestad, Hallberg, Lundholm, & Bengtsson, 2014). Additionally, we are aware that achieving the benefit of ISP depends solely on end-users’ adherence to these policies (Padayachee, 2012; Siponen et al., 2014). Therefore, end-users need to be motivated to adhere to the policies and procedures (Padayachee, 2012; Safa, Von Solms, & Furnell, 2016). Different motivation factors have been presented and established by various organizations (Acuna, 2016; Al-Mukahal & Alshare, 2015). However, we do not know the extent to which motivational factors predict end-user information security behaviors in the United States.

Purpose of the Study

The purpose of this quantitative, non-experimental, and correlational research is to examine the correlation of end-user security behaviors in adhering to security policy. The focus of the study is also on determining the degree to which these factors predict end-user security behaviors.

To limit the scope of the study within the confines of a doctoral dissertation, the researcher will draw participants from the healthcare industry in the United States. In this industry, employees who are privy to sensitive information are subject to security control measures. These employees usually handle large volumes of confidential personally identifiable information (PII) and are expected to uphold standards of integrity to protect the confidentiality, integrity, and availability (CIA) of such data (Renaud & Goucher, 2012). Additionally, (a) the healthcare industry is well known for its stringent security measures (Hovav & D’Arcy, 2012; Burke & Weill, 2018); and (b) the end-user security issues faced within this industry are on par with other similar industries—such as finance and banking—where end-users within a working environment are responsible for maintaining and protecting customer-centric sensitive information (Cheng, Li, Li, Holm, & Zhai, 2013; Bélanger, Collignon, Enget, & Negangard, 2017; Burke & Weill, 2018).

Information security is an organizational issue and an end-user problem that requires the attention of management or business decision makers. According to Safa et al. (2016), the organizational approach to securing valuable information assets should focus on end-user behaviors, mainly since the security of valuable assets depends on the end-users’ security behavior. Safa et al. (2016) further posit that end-users’ behavior may stem from how individuals feel about their job conditions, leading to job satisfaction, a reward for compliance, punishments for noncompliance, social pressures from peers and the environment, and security training programs for awareness.

In this context, this research (a) identifies the influence of end-users’ perception of reward, penalty, security training programs, social pressures, and job satisfaction on information security behavior in the US healthcare industry, and (b) determines the degree to which these factors predict end-user security behaviors among end-users in the healthcare industry. Understanding these factors will provide insight into management and decision-making processes within the industry when developing techniques that will directly impact end-users’ behavior in adhering to information system security policies.

Healthcare organizations rely on information technology for the transmission and administration of information as well as serving as a secure depository of information to gain competitive advantage and to survive in a global marketplace. Thus, ensuring confidentiality, integrity, and availability of the data is essential (Posey et al., 2015). The outcomes of this study can provide healthcare organizations and business decision makers with information needed to develop and design effective security policies, programs, and procedures that align with end-users’ perceptions and needs. Also, the advancement of knowledge relating to the healthcare industry end-users’ information security behavior is significant due to the disruptive nature of information technology when negatively used (Bélanger et al., 2017).


In summary, this study examines factors influencing the end-users’ information security behaviors in the healthcare industry, vis-à-vis their adherence to organizational information security policies and procedures. The healthcare industry was identified to limit the scope of this doctoral dissertation because, as an industry, it is not fundamentally different from other industries faced with end-user information system security-related issues. The focus of the study is to identify the best combination of reward, penalty, security education, training and awareness programs (SETA), social pressures, and job satisfaction as predictors of end-users’ security behavior in a healthcare organization. Finally, the result of this study can equip healthcare organizations with strategies that better align end-users’ information security behavior with business information security policies and procedures.

Significance of the Study

This research study is of interest to academic scholars in the field of Information Systems Security, practicing managers in the field of information systems security in the US Healthcare Industry, and decision makers in various organizations where end-user computer security behavior must align with their business operations. Research work on end-user security behavior and factors responsible for end-users’ acceptance of information security policies are increasingly popular research topics in the field of IS and IT (Siponen, Mahmood, & Pahnila, 2014; Teh, Ahmed, & D’Arcy, 2015; Safa, Von Solms, & Furnell, 2016), which lends significance to this study. Besides, the success of any information security policy is dependent on end-users’ security behaviors (Furnell & Rajendran, 2012; Yoon & Kim, 2013).

The outcome of this study will provide practitioners with a suggestion for the design and

consistent delivery of effective information security education and awareness program, which

could provide values for organizations on how to better protect their valuable information assets

through information security compliance. This study will analyze the motivational factors such

as reward, penalty, security training programs, social pressures, and job satisfaction that may
have an impact on end-users’ information security behavior and the relevance that end-users’

information security behavior has on the success of protecting patient health care records in the
healthcare industry.

In recent years, the study of end-user information security behavior has garnered

increasing academic and practitioners’ attention. To better understand this phenomenon,

researchers have drawn upon theories from different disciplines—such as criminology, social

psychology, and organizational behavior—to model various theoretical viewpoints (Lebek,

Uffen, Breitner, Neumann, & Hohler, 2014) explaining factors leading to end-users' security

behavior. Examples of such research literature documented in this domain include, but are not

limited to, Bulgurcu et al. (2010), D’Arcy et al. (2009), Herath & Rao (2009), Ifinedo (2012),

Yoon et al. (2012), and Nasir & Arshah (2018). Although this exhibits the interdisciplinary

nature of information security, according to Abraham (2011), “it detracts in providing a holistic

view of end-user information security behavior” (p. 1). The reason as highlighted by the same

author is that this literature tends to study end-user security behavior from a micro perspective,

with emphasis on individual factors only. Supporting this argument, Lebek et al. (2014) claim

that constructs adopted in information security research are mainly from the theory of planned

behavior (TPB), theory of reasoned action (TRA), general deterrence theory (GDT), protection

motivation theory (PMT), and the technology acceptance model (TAM). Also, these studies only

highlight individual factors leading to end-user compliance/non-compliance behaviors. However,

less attention has been accorded to examining other motivational factors that may influence end-

user security behavior (Lebek et al., 2014), especially environmental and interpersonal factors,

which this study embraces by studying the impact of reward; penalty; security education,

training, and awareness programs; social pressures; and job satisfaction on end-users’

information security behavior.

A large amount of research in this domain has examined (D’Arcy et al., 2009) end-user

behavior towards information security in other disciplines, such as the banking industry, IT

organizations, and schools (e.g., Bulgurcu et al., 2010; D’Arcy et al., 2009; Herath & Rao, 2009;

Ifinedo, 2012; Yoon et al., 2012). However, research on behavior towards

information security with healthcare employees as the population is lacking (Bauer, Bernroider,
& Chudzikowski, 2017). The healthcare industry is unique in that personnel employed in the

industry are required to adhere to HIPAA compliance regulations, but the individuals with access

to sensitive information are themselves experts in their respective fields, such as medicine, and

have a professional interest in delivering the best in their respective crafts but are not focused

on ensuring HIPAA compliance (Al-Mukahal & Alshare, 2015; Bauer, Bernroider, &

Chudzikowski, 2017). Thus, Information Security professionals employed in the healthcare

industry will benefit from the findings of this study.

This research effort addresses security training programs, penalties, job satisfaction,

reward, and social pressures as motivational factors that could help business managers/owners

design strategies for motivating end-users to exhibit security-conscious behavior leading to

information security policy compliance. Also, the findings of this study may provide the field of

Information Systems and the Organizational Behavior body of knowledge with empirical data for

future research.

Furthermore, the outcomes of this study can advance the understanding of end-user

security behaviors by expanding on the work of Herath and Rao (2009a), by examining the

relationship between the independent variables (reward, penalty, security training programs,

social pressures, and job satisfaction) and the dependent variable (end-user information security

behaviors) in the US Healthcare industry. The understanding of this relationship can help shed

light across organizations within and outside the US Healthcare industry, including the IS body

of knowledge at large to develop more effective enforcement policy strategies.

Research Questions

Omnibus Research Question

To what extent do the motivational factors of reward, penalty, security education,

training and awareness (SETA) programs, social pressures, and job satisfaction predict end-user

information security behaviors among healthcare employees in the United States?


Research questions
ResQ1. To what extent does reward predict end-user security behavior among healthcare

employees in the United States?



ResQ2. To what extent does penalty predict end-user security behaviors among

healthcare employees in the United States?



ResQ3. To what extent do security education, training and awareness (SETA) programs

predict end-user security among healthcare employees in the United States?

ResQ4. To what extent do social pressures predict end-user security behaviors among

healthcare employees in the United States?

ResQ5. To what extent does job satisfaction predict end-user security behaviors among

healthcare employees in the United States?

Definition of Terms

Availability: This means that authorized individuals are granted timely and uninterrupted

access to the system (Whitman & Mattord, 2014).

Compliance: This is the act of conforming to or adhering to rules and regulations

specified in the organization’s information security policies and procedures.

Confidentiality: This offers a high level of assurance that information is only disclosed,

exposed or available to authorized individuals and systems. It ensures that authorized subjects

are granted the rights and privilege to objects based on a need to know (Whitman & Mattord,

2012).

Data Breach: An occurrence in which sensitive and confidential data are accessed or

compromised. The data may have been viewed or stolen either intentionally or unintentionally

by individuals who are authorized or unauthorized to do so.

End-Users: End-users are individuals who use information technology systems and

applications to perform their work.

End-Users’ information security behavior: “A set of core information security activities


that have to be adhered to by end-users, to maintain information security as defined by

information security policies” (Padayachee, 2012, p. 673). Examples of some types of


information security behaviors are creating secure passwords, following data backup

conventions, following email policies, scanning activity, and protecting access to electronic files

among others (Shropshire, Warkentin, & Sharma, 2015).

Information security: This concept has been broadly described as the management and

protection of an individual’s or a company’s information data or data assets (Cheng et al., 2013).

Information security behaviors: Hayden (2009) explained that no single accepted

definition of information security behavior exists; nonetheless, some definitions of information

security behavior have been offered in the literature. Definitions of information security

behaviors include, but are not limited to, password selection, data backup procedures, file access,

information sharing, and scanning activity (Shropshire et al., 2015). These behaviors also include

setting accounts to private, adding strangers as friends on social media sites, using friend service,

and using profile trackers (Henson, Reyns, & Fisher 2009). Also, writing down and sharing

passwords (Herath & Rao, 2009b), applying security patches and updates (Whitty, 2015),

unauthorized file sharing, device sharing (Hayden, 2009), and protection of laptops and external

storage devices, such as pen sticks, are other examples of information security behaviors

(Veltsos, 2012).

Information security awareness: Security awareness occurs when a user understands the

security policies, procedures, and practices and can apply them in the absence of guidance when

a potential security issue occurs.

Information security education training: This process instructs users about their

responsibility to uphold the organization’s information system and security policies, procedures,

and practices.

Information Security Policy: An IS policy specifies employee roles and responsibilities

to protect information resources (Bulgurcu et al., 2010).

Integrity: The nature of information that retains its veracity and can only be modified by
authorized subjects (Whitman & Mattord, 2014).

Job Satisfaction: This is an attitude exhibited by individuals towards their jobs based on
their perceptions or their overall sense of well-being at work (Greene & D’Arcy, 2010; Aydogdu

& Asikgil, 2011).



Penalties: The deterrence theory of penalties/punishment can be traced to the early works

of classical philosophers such as Thomas Hobbes (1588–1678), Cesare Beccaria (1738–1794),



and Jeremy Bentham (1748–1832). The theory relies on three individual components: severity,

certainty, and celerity. The more severe a punishment, the more likely that a rationally

calculating human being will desist from criminal acts. To prevent crime, therefore, criminal law

must emphasize penalties to encourage citizens to obey the law. For this study, penalties are

investigated by two mechanisms, namely, perceived severity of the punishment / penalty and

perceived certainty of detection.

Reward: This is the incentive or compensation received for complying with security

policies and procedures. According to Welschen, Todorova, and Mills (2013), this is a direct

incentive from performing an activity. The incentives come in the forms of wages,

compensation, bonuses, and praises, given to end-users for maintaining a certain level of

compliance behavior within the context of their job function.

Security Education, Training and Awareness (SETA) program: Improving

organizational information security by increasing end-users’ knowledge and awareness of

potential security risks, policies, and responsibilities. Furthermore, the program is aimed at

providing employees with the skills necessary to comply with organizational information

security procedures (Haeussinger & Kranz, 2013).

Social Pressure: This is exerting an influence on another individual’s behavior (Hanna,

Crittenden & Crittenden, 2013). According to Herath and Rao (2009a), the two sources of social

pressures that could influence end-user information security behavior are normative beliefs and

peer behavior. The normative beliefs refer to the anticipated social pressures to perform the

behavior in question (Ajzen, 1991). Peer behavior refers to adopting the other individuals’
behavior based on conversation and observation (Herath & Rao, 2009a), with the belief that the

behavior seems sensible and acceptable (Cheng et al., 2013). For this study, peer behavior
describes co-peers’ information security compliance or non-compliance behaviors.

Threat: An object, subject, or any other entity that is pervasive and has the potential to

disrupt or cause an undesirable outcome for an organization’s information assets (Whitman &

Mattord, 2014).

Vulnerability: An identified weakness or loophole in a controlled environment, which

can be exploited, thereby rendering the system ineffective and insecure (Whitman & Mattord,

2012).

Research Design

This research adopted a quantitative, non-experimental, correlational, and cross-sectional

survey design that utilizes objective methodologies for determining research questions, population

and sampling, data collection, the method of analysis, and understanding and interpretation of the

results. This research design was appropriate based on the post-positivist orientation of the

researcher, that the world is objective (Creswell, 2009; Salkind, 2010), and thereby seek out facts


Reproduced with permission of copyright owner. Further reproduction prohibited without permission.
