New research from Binghamton University holds that information security policies that aren’t based on the realities of an employee’s work responsibilities can expose an organization to a higher risk for data breaches.
The researchers wanted to understand why some employees are more likely than others to violate information security policies, because employee noncompliance is an important factor in data breaches, according to Sumantra Sarkar, one of the researchers and a professor at the university’s school of management.
The researchers sought to determine how subcultures influence compliance with information security policies, specifically within healthcare organizations.
Sarkar noted that physicians are more concerned about the immediate care of patients than the possible risk of a data breach, so they were more likely to leave a workstation unlocked, in violation of policy. Support staff, by contrast, were more likely to lock a workstation before leaving, because they thought they would be more likely to experience grave consequences, such as punishment or firing, in the event of a breach.
The researchers recommend consulting each of an organization’s subcultures while developing information security policies and finding ways to accommodate the responsibilities of different employees within an organization.
The study, “The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context,” was published in Information Systems Research.