Information Security Officers Perceptions of How to Implement Successful Information Security Programs in Health Sciences Center Environments
The purpose of this study was to explore the perceptions and experiences of information security officers about the factors they perceive affect the implementation of information security programs within health science centers. Of specific interest was how these programs are implemented in order to remediate risk to the institution as well as to comply with federal mandates. The study sought to identify the experiences, perceptions, and processes information security officers used to establish an information security program that ensures compliance in their organizations. The study was conducted through a social constructivist lens as a qualitative, collective case study and included information security personnel from accredited health science centers in Texas as participants. The conceptual framework for this study was a values-based approach that examines value conflicts between employees and information security officers. Data sources included semi-structured interviews, regulatory documents and AV materials, field notes, and the researcher's reflexive journal. Analysis included coding and theme identification through comparative analysis, followed by an evaluation of the interpretations to reach determinations and report the findings. The findings pertained to the perceptions information security officers held when they implemented an information security program; the most recurring theme was the use of security awareness and education for end users. Information security officers emphasized the importance of awareness and discussed how a lack of education and awareness caused end user non-compliance at their institutions.
Implications for higher education were as follows: 1) emphasis on education and awareness as the most robust strategy did not result in a paradigm shift if the motivations of end users were not considered; therefore, non-compliance will continue and the institution will fall back on strict compensating controls, perpetuating the perception of information security as a roadblock; 2) credential theft in higher education persists and can lead to costly data breaches that cyber insurance may not be able to resolve; 3) institutions that prioritize technical controls over qualitative understanding run the risk of being unable to prevent cyber attacks from threat actors that are becoming more proficient in their methods. Recommendations for higher education are: 1) higher education and information security personnel need better working relationships and risk management partnerships; 2) information security should improve program assessments to include qualitative measurements; 3) information security should develop multi-modal awareness that goes beyond traditional methods; 4) information security should incorporate more proactive efforts to keep up with frameworks instead of maturing the program only through external audits and assessments. Future research should be conducted in three areas. First, conduct a qualitative collective case study to explore the rationale behind end users' security compliance. Next, information security officers should work to understand how the pandemic restructured the information security landscape. Last, there needs to be a better understanding of the impacts of innovations such as artificial intelligence, and of the corresponding governance, within a higher education environment.