
13 Value conflicts for information security management

Summary
Through longitudinal case studies at two health care facilities, the authors investigated the tension between information security policies and information security practice. Policy is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated; practice, by contrast, assumes that multiple forms of rationality are employed in organizational actions at the same time, creating potential value conflicts. The problem observed was that the advance and growing complexity of networking technologies brought with them the potential for cyber attacks and security breaches.
Purpose of paper
The authors proposed the creation of new conceptual and practical tools for managing the tension between information security policies (put forth by organizations) and the daily practice of information use (by employees). The ultimate goal was to produce a new value-based compliance model for information security management.
Methodology
The authors started from a control-based compliance model, which treats human attitudes and behavior patterns as something that can be regulated and controlled, and tested how well it holds up against real-world practice. From this they mapped areas of conflict relating to the goals and values underlying security practice in a hospital setting. By showing examples of where practitioners chose not to comply with policies and regulations, thereby choosing health care values over information security values, the researchers contributed a new view on the management of information security.
Assumptions
Values, defined as prioritized concepts or beliefs about end states or behaviors that transcend specific situations, are a foundational concept for organizational research. In past research, the authors noted, end users were seen as "people problems" rather than as a source of information to be drawn from. This attitude, it was argued, needs to change, because health care professionals need timely access to accurate patient information. Too much security limits immediate access to the sensitive information that health care professionals need.
Practitioners base their actions on different value rationalities when complying or not complying with information security guidelines. Studies found that university employees anchor their personal use of the work computer in the academic freedom value system. The underlying problem is who should have access to the data.
Focus of research
The study focused on interviewing health care staff. Questions included how staff accessed the system and how the retrieved information was used. Responses were verified by the researchers' own observations and by photographs of processes completed by staff. The analysis ended with comparisons between actual and prescribed Information Security Actions (ISAs) at each clinic, which identified the value conflicts at that specific clinic.

Results
It was learned that most ISAs were not followed. For example, the rule "Do not borrow passwords" was violated: some passwords were written on the wall, which was seen as the result of a system that required too many passwords to be memorized. Health care professionals did not log off, so other users did not have to log on, leading to potential security breaches and an invasion of patient privacy.
The overabundance of information also led to health care professionals not reading all the documentation required in the treatment of patients. This led to information not being secured and even being left on desks. Staff based their use on efficiency and immediacy, and many found paper notes more effective than computer-maintained records.
Conclusions
Information security management is often built on a top-down approach, where information security managers develop security measures (i.e., administrative routines or technical controls) based on international standards such as the ISO 27000 series (ISO/IEC, 2005), without sufficient consideration for daily work practice. As a solution, the authors suggested that the identification of value conflicts can be used as a strategic tool and as an opportunity to reflect on and improve health care practice.
A better understanding of the rationality behind users' actions would help in designing and implementing different security controls. Successful compliance research needs to move from the current, rather limited focus on the expected use and misuse of information systems to a focus on actual use and misuse.
