Article

Health Information Management Journal
1–11
© The Author(s) 2017
Reprints and permission: sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/1833358317700255
journals.sagepub.com/home/himj

Indirect effect of management support on users’ compliance behaviour towards information security policies

Norshima Humaidi, PhD¹, Vimala Balakrishnan, PhD²

Abstract
Background: Health information systems are innovative products designed to improve the delivery of effective healthcare, but they are also vulnerable to breaches of information security, including unauthorised access, use, disclosure, disruption, modification or destruction, and duplication of passwords. Greater openness and multi-connectedness between heterogeneous stakeholders within health networks increase the security risk. Objective: The focus of this research was on the indirect effects of management support (MS) on user compliance behaviour (UCB) towards information security policies (ISPs) among health professionals in selected Malaysian public hospitals. The aim was to identify significant factors and provide a clearer understanding of the nature of compliance behaviour in the health sector environment. Method: Using a survey design and stratified random sampling method, self-administered questionnaires were distributed to 454 healthcare professionals in three hospitals. Drawing on theories of planned behaviour, perceived behavioural control (self-efficacy (SE) and MS components) and the trust factor, an information system security policies compliance model was developed to test three related constructs (MS, SE and perceived trust (PT)) and their relationship to UCB towards ISPs. Results: Results showed a 52.8% variation in UCB through significant factors. Partial least squares structural equation modelling demonstrated that all factors were significant and that MS had an indirect effect on UCB through both PT and SE among respondents to this study. Conclusion: The research model based on the theory of planned behaviour in combination with other human and organisational factors has made a useful contribution towards explaining compliance behaviour in relation to organisational ISPs, with trust being the most significant factor. In adopting a multidimensional approach to management–user interactions via multidisciplinary concepts and theories to evaluate the association between the integrated management–user values and the nature of compliance towards ISPs among selected health professionals, this study has made a unique contribution to the literature.

Keywords (MeSH)
hospital information systems; information management; information security; organisation and administration; self-efficacy; trust; motivation; organizational management; health information management; information protection; data security

¹ Universiti Teknologi MARA, Malaysia
² University of Malaya, Malaysia

Accepted for publication February 28, 2017.

Corresponding author:
Norshima Humaidi, PhD, Faculty of Business and Management, Universiti Teknologi MARA, 42300 Puncak Alam Campus, Selangor, Malaysia.
Email: norshima958@salam.uitm.edu.my

Introduction

Setbacks in information security systems are more strongly linked to human actions than physical failures (Narayana Samy et al., 2010). No matter how good the security system implemented in an organisation is, ultimately the security rating will depend on appropriate user behaviour (Rhee et al., 2009). Unacceptable user behaviour is often referred to as human error (Al-Omari et al., 2012), which can be defined as ‘a change in human performance which causes a deviation from a desired success path, which then leads to an undesired or unplanned result’ (Wood and Banks Jr, 1993: 52). Many studies have found human error to be a major issue in computer security (Akhunzada et al., 2015; Narayana Samy et al., 2010). Human error can pose a major security risk if an organisation is not capable of controlling and managing information through implementation of its information security policies (ISPs) (Ahlan et al., 2011).

Many studies have reported on information security incidents in organisations, with 80% of security failures being attributable to user behaviour, with the rate of
security failures due to user behaviour continuing to increase in spite of additional resources being invested in technology-based security solutions (Al-Omari et al., 2012). Narayana Samy et al. (2010) argued that human error is a major threat to the security of the healthcare industry. According to a report by Symantec (2013), the healthcare sector had the largest percentage of security incidents. Information security incidents in the healthcare sector were due to lack of security awareness among employees, poor security skills and poor security monitoring and enforcement, as well as inappropriate information security behaviour (Da Veiga and Martins, 2015; Safa et al., 2016). Therefore, governments and the healthcare industry management generally should consider and invest not only in the technical aspects of security systems but also in human resources.

Theoretical review

ISPs compliance behaviour
Guo (2013) defined ISP compliance behaviour as behaviour that does not violate an organisation’s ISPs and adheres to a set of core information security activities as recommended by the organisation (Padayachee, 2012). An organisation’s ISPs usually consist of several focus areas, such as password management, information handling, Internet use, email use, social network system use and incident reporting (Parsons et al., 2014). Information security compliance behaviour might have an effect on the success or failure of information security processes in organisations, especially in the healthcare industry. Thus, it is important for organisations to promote information security behaviour and constrain unacceptable information security behaviour among employees (Woodhouse, 2007). If employees’ compliance behaviour towards information security is acceptable, security incidents could be minimised and the effectiveness of ISPs increased.

Theory of planned behaviour
The theory of planned behaviour (TPB) has been used by previous researchers to explain user behaviour in information system studies (Uffen and Breitner, 2013).

TPB has been applied extensively to examine user acceptance of information systems, which is designed to predict human behaviour (Liao et al., 2007). This theory proposed by Ajzen (1985) postulates three conceptually independent determinants of intention: attitude, subjective norms (SNs) and perceived behavioural control (PBC). Ajzen (1985) defined attitude as a ‘degree to which a person has a favourable or unfavourable evaluation or appraisal of the behaviour in question’ (p. 12). Meanwhile, SNs are determined by users’ perceptions of other people’s opinions in terms of whether or not he/she should adopt appropriate behaviours (Huang and Chuang, 2007). Other people’s opinions in this context are the opinions of superiors and colleagues. However, in this study, the researchers have only highlighted superiors’ behaviour because employees’ behaviour in organisations is most often influenced by their superiors, who are also the leaders in the organisation, such as director, manager and supervisor, among others. Staff in organisations tend to do what they have been asked to do and to respect their superiors, which can have positive or negative effects (Leach, 2003). This is supported by previous findings, which have indicated that superior behaviour has the greatest impact on employees’ information security behaviour (Huang and Chuang, 2007; Ifinedo, 2012). Leaders should demonstrate positive security behaviour and encourage employees to comply with ISPs (Siponen et al., 2010). Thus, research suggests that adequate security culture can be inculcated within organisations.

Perceived behavioural control
From the perspective of TPB, PBC can be described as a user’s perceptions of his or her own ability (Huang et al., 2011), which can be heightened through education and training provided by management. According to Taylor and Todd (1995), the PBC construct has two components: self-efficacy (SE) and facilitating conditions.

Self-efficacy. SE is one of the factors thought to promote compliance behaviour towards ISPs (Bulgurcu et al., 2010). It can be developed through the ongoing acquisition of knowledge (Chan et al., 2005). The SE construct originates from social cognitive theory (Johnston and Warkentin, 2008) and determines how people feel, think and what motivates them to behave in certain ways, based on cognitive, motivational, affective, social influence and selection processes (Workman et al., 2008). The notion that SE can be enhanced through training programmes provided by management has been supported by researchers (e.g. Beas and Salanova, 2006). SE towards information security compliance behaviour involves not only the proper use of security countermeasure tools but also the security care behaviours related to computer or Internet usage.

Facilitating conditions. Facilitating conditions, the second component of PBC, relate to facilities needed to ensure that employees engage in behaviours required of them by the organisation (e.g. money, time, specialised resources) (Taylor and Todd, 1995). Education and training programmes can develop user information security awareness (Puhakainen, 2006) and enhance a user’s skills to use security tools (Koskosas et al., 2011), leading to improvement in user compliance behaviour (UCB) with ISPs. Researchers argue that it is vital for management to give full commitment and support to their employees concerning the best practices in information security behaviour and that such top-level demonstration can influence user awareness of information security.

Trust in organisations
Brady (2011) suggested that trust in the organisation’s ISPs can also improve compliance with ISPs among employees. Trust has received a variety of definitions. From the
psychological viewpoint, trust is defined as the willingness of an individual (a trustor) to accept vulnerability to the action of another individual (a trustee) (McDermott et al., 2013; Shahnawaz and Goswami, 2011), whereby an individual believes that he or she will not be taken advantage of by other individuals (Six and Sorge, 2008). Trust has also been defined as an individual’s confidence in other people’s honesty and belief (Crosby et al., 1990). Rhee (2010) classified trust as a three-dimensional construct: (a) social trust, reflected in social culture; (b) organisational trust, defined as the degree of trustfulness of an organisation (reflecting the working rules and norms of work activities in organisations); and (c) trust in others, the trust relationship between co-workers and employers. According to Tan and Lim (2009), trust in an organisation refers to an employee’s willingness to be vulnerable to their organisation’s actions, and it has been shown to be a significant factor for motivating employee commitment and increasing organisational performance (Celep and Yilmazturk, 2012; Hogler et al., 2013). This finding was supported by Utami et al. (2014), who underscored the importance for an organisation to gain the trust of employees in order to increase their commitment to work. Shahnawaz and Goswami (2011) also argued that the trust factor is important in building human relationships; in this case, the relationship between employee and employer. If employees feel they are treated well by their employer, they will work harder in return to achieve organisational goals, and their commitments to the organisation will also increase (Celep and Yilmazturk, 2012).

In information technology studies, trust has been found to be a basis of information security and privacy (Kim et al., 2008). The trust factor has been widely applied in e-commerce research, particularly for defining how users feel about security issues and their willingness to adopt these measures (Chung and Kwon, 2009). Empirical studies have also reported that trust positively affects behaviour of consumers who intend to use online transactions (Kim et al., 2010) and is a powerful predictor of information security behaviour among employees (Williams, 2008).

In the healthcare environment, health professionals must make a full commitment when dealing with health data (Brady, 2010), especially when these data can be accessed through a network that is vulnerable and poses a risk to its security (Van Deursen et al., 2013). Possible security risks include staff sharing passwords to access health data, leaving their computers without logging out, and staff emailing health data to wrong addressees, thus disclosing patient data to an unauthorised user. Potential risks exist because of lack of understanding of security concepts among health professionals, and this fosters reliance on trust within the work environment instead of trust in hospital security policies (Williams, 2009). Bearing this in mind, it is believed that trust in organisations should be embedded between employees and hospital management in the healthcare sector and that employees will be more committed to comply with ISPs implemented in the healthcare sector and security incidents can be decreased.

The current research

Although research has highlighted the importance of trust in connection with information security, the relationship between trust and compliance with ISPs has received little attention. To ensure that employees are fully committed to complying with organisational rules and policies to protect an organisation’s assets and data, it is essential that trust between employees and the organisation is maintained.

In this study, TPB, PBC constructs (SE; facilitating conditions) and perceived trust (PT) were used to develop a model for information system security policies compliance (ISSPC), to provide a detailed theory of human behaviour in respect of the ISPs in the Malaysian healthcare environment. TPB was adapted to include SE and facilitating conditions (defined as management support (MS) in this study). We focused on organisational factors such as implementing security mechanisms, information security training and ISPs implementation, while monitoring and educating employees to behave appropriately towards information security were treated as aspects of MS.

A number of previous studies have discussed behaviour towards information security in other areas such as the banking industry; however, to the best of our knowledge, these studies have not assessed the indirect effect of MS on health information systems (HIS) users’ compliance behaviour towards ISPs through SE and PT. Brady (2011) argued that trust in organisation ISPs can improve compliance behaviour among employees. However, without accurate knowledge about information security and confidence and skills in practicing information security mechanisms, employees will not be able to utilise ISPs appropriately. This research examined factors that influence UCB and the mediation effects of SE and PT in relation to MS and UCB and focused on the following specific research questions:

RQ1: What factors influence UCB towards ISPs in Malaysia’s healthcare industry?

RQ2: Do the intervening factors mediate the relationship between MS and UCB towards ISPs in Malaysia’s healthcare industry?

Hypotheses development

MS, SE and UCB
MS has been described as users’ perception towards top management’s commitment to protect information, one of the aspects in critical security components (Da Veiga and Eloff, 2010). Al-Salihy et al. (2003) referred to MS as a commitment from the management in the organisation as observed by employees. Full support from management in any organisation is essential to ensure information system security effectiveness and to enable the creation of a secure environment for information handling (Brady, 2011; Hu et al., 2012). Within the context of security, this commitment refers to documenting organisation ISPs, ensuring
that organisational policies and procedures are put into practice and providing security training and awareness programmes (Knapp et al., 2009). According to Kankanhalli et al. (2003), MS is considered as a form of guidance provided during IS security planning and implementation.

Empirical studies have also demonstrated the importance of MS. Johnston and Warkentin (2008) combined organisational and individual factors based on TPB and the technology acceptance model to determine the compliance intention behaviour of healthcare professionals in relation to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Findings showed that organisational support as well as SE played a role in healthcare professionals’ compliance intention behaviour. Brady (2011) showed that MS was a significant predictor of security behaviour of healthcare professionals in the United States towards HIPAA.

In the current study, SE was defined as an individual’s perception of his or her capability to protect information (Johnston and Warkentin, 2008). SE can be enhanced through information security awareness programmes and training that aim to introduce and provide information about the importance of an information system’s security and to increase users’ skills in using security countermeasures (Torkzadeh and Van Dyke, 2002). Users might become aware of information security threats and have good knowledge about security countermeasures, but if their skills in dealing with these threats are poor, they will be less likely to implement preventive security measures (Workman et al., 2008). Thus, management must educate employees on how to use security countermeasures properly and on why maintaining security behaviour is effective in preventing information security threats. User skill in applying security countermeasures is also believed to mediate the effect of MS on compliance behaviour towards ISPs. Thus, the following hypotheses were developed:

H1: MS has a direct effect on SE.

H1(a): MS has an indirect effect on users’ compliance behaviour towards ISPs through SE.

SE has also been shown to support the positive acquisition of skills among health professionals in dealing with compliance behaviour towards ISPs (Beas and Salanova, 2006; Chan et al., 2005). Previous studies have indicated that SE has a significant effect on an employee’s intention to comply with the organisation’s ISPs (Bulgurcu et al., 2010; Herath and Rao, 2009) and that compliant behaviour towards ISPs can be promoted by increasing SE (Chan et al., 2005). This is also supported by Pahnila et al. (2007), who found that SE was significant in explaining people’s adherence to information system security. Employees are more likely to adopt their organisation’s ISPs if they have the relevant competence and capability with regard to taking information security precautions and to implementing preventative security measures (Ifinedo, 2012). Thus, the following hypothesis was constructed:

H2: SE has a direct effect on users’ compliance behaviour towards ISPs.

MS, PT and UCB
PT refers to users’ expected confidence in the implementation of security policies through managerial support. The perception of trust among users depends on the subjective needs of the users and social constraints. If users have higher trust in the security system, they will likely use the security system consistently, which, in turn, may reduce security incidents in the organisation (Bahtiyar and Çağlayan, 2013). This is also supported by Lippert and Davis (2006) who stated that trust is an important element in the organisation as trust affects an employee’s willingness to adopt the security technology implemented in the organisation. With this in mind, it is believed that trust in organisations should be embedded between the employees and the hospital management in the healthcare industry; thus, the employees will be more committed to comply with the ISPs implemented in the healthcare industry, and security incidents can be decreased. Therefore, we form these hypotheses:

H3: MS has a direct effect on PT.

H3(a): MS has an indirect effect on users’ compliance behaviour towards ISPs through PT.

H4: PT has a direct effect on users’ compliance behaviour towards ISPs.

Method

Design of the study
This study employed a survey design in conjunction with stratified random sampling and quantitative research methods to test relationships between three constructs via a measurement model and a structural (ISSPC) model developed for the purpose of the study. Previous literature was reviewed to assist in developing the ISSPC model and for testing research hypotheses. In Malaysia, HIS are divided into three categories: total HIS (THIS), intermediate HIS (IHIS) and basic HIS (BHIS). This study focused only on public hospitals that fell into the THIS category, as these HIS are more complete than IHIS and BHIS.

Prior to commencement of the study, a hospital visit was organised, as well as a meeting between the researcher, hospital management, clinical research centre (CRC) staff and IT staff to seek further clarification regarding the rationale and status of THIS implementation in the selected hospitals. Before data collection commenced, applications for required approvals were made to the public hospitals, Institute of Health Information System and Ministry of Health (MOH). Procedures for data collection were defined as follows:

1. meeting with CRC officers to get clear instructions on conducting research in the hospitals;
2. registration of research information in National Medical Research Register System (NMRR);
3. issuance of formal letters on research application to hospitals’ management;
4. once approval letters have been received from the selected hospitals, researchers upload these letters into the NMRR system and forward the applications to the Institute for Health Systems Research and the MOH;
5. approval of applications to be subjected to ethics review;
6. CRC officers at each hospital to provide the list of respondents; and
7. researcher proceeds with the data collection.

The research model
The ISSPC model developed for use in this study consisted of three exogenous constructs (independent variables): MS, SE and PT. The MS construct was measured by means of leadership behaviour and implementation of ISPs training and education, while SE and PT were included as mediators. The endogenous construct (dependent variable) in the study was UCB towards ISPs related to their use of HIS, as shown in Figure 1.

Figure 1. ISSPC model. ISSPC: information system security policies compliance.

Sampling method, participants and data collection
Once approval was obtained from IHIS and MOH, the final questionnaires were distributed to respondents from selected local hospitals, and quantitative data were collected through a self-administered survey.

The study aimed to sample all health professionals who were end users of HIS, with participants representing a broad range of professions such as nurses, physicians, pharmacists, radiologists, health administrators and doctors. All health professionals who interacted with patients’ medical records in the hospital were eligible for selection. Because participants in the study would not be drawn from one homogeneous group of employees, stratified random sampling was used to determine the relevant sample size for each subgroup, which would ensure an adequate number of participants from each category of employees at the three selected government hospitals. The total population (number of employees in the selected groupings from these three hospitals combined) was 7760. According to Singh et al. (2006), when the overall population size is greater than 5000, a sample size of 400–500 is adequate. However, when considered in conjunction with the amount of error (which is expected to be within 5 percentage points, with 95% certainty), a sample size calculator was used to determine the required sample size (Krejcie and Morgan, 1970), which in this case was 367.

Formula to calculate the sample size needed for each hospital is as follows:

$$S = \frac{\text{size of hospital population}}{\text{total of population}} \times 367 \tag{1}$$

Formula to calculate the sample size needed from each category of employee is as follows:

$$s_1 = \frac{\text{total of employee}}{\text{size of hospital population}} \times S \tag{2}$$

A total of 900 questionnaires were distributed throughout the selected hospitals between December 2012 and April 2013, inclusive. However, only 454 valid questionnaires were returned. A further 421 questionnaires were classified as non-responses, and 25 were rejected due to missing values.

Survey instrument
The questionnaire was divided into three sections: Section A consisted of demographic questions such as age, HIS experience, sex and occupation. Section B assessed the health professional’s perceptions of MS for information security, SE and trust in relation to ISPs. Section C evaluated the attitudes of health professionals on UCB towards HIS security policies. Indicators used to measure MS were adapted from Aaron (2006); Meillier et al. (1997) and Ng et al. (2009) for information security training; and Chang et al. (2012) for ISP implementation. Items used to measure SE were adapted from Ifinedo (2012) and PT from Chung and Kwon (2009). All indicators in sections B and C were measured using a 5-point Likert-type scale, with anchors ranging from 1 (strongly disagree) to 5 (strongly agree).
Table 1. Samples of participants by occupation from each of the three selected hospitals.

                            Hospital A                  Hospital B                  Hospital C                  Target total
Health administrators       (266/2937) × 139 = 13       (175/2487) × 118 = 8        (209/2336) × 110 = 10       31
Doctors                     (699/2937) × 139 = 33       (421/2487) × 118 = 20       (492/2336) × 110 = 23       76
Support staff               (1972/2937) × 139 = 93      (1891/2487) × 118 = 90      (1635/2336) × 110 = 77      260
Total sample size needed    (2937/7760) × 367 = 139     (2487/7760) × 367 = 118     (2336/7760) × 367 = 110     367
Questionnaires distributed  300                         300                         300                         900
Responses after validation  159                         166                         129                         454
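
The allocation in equations (1) and (2), carried through to the quotas in Table 1, as an added example that is not part of the article. The staff counts come from Table 1; deriving the overall sample from the Krejcie and Morgan (1970) formula rounded up, and rounding each quota half up, are assumptions about the calculator the authors used, and all function names are illustrative.

```python
import math

# Krejcie and Morgan (1970) constants: chi-square for 1 degree of freedom at
# 95% confidence, assumed population proportion, and 5-point margin of error.
CHI_SQUARE = 3.841
PROPORTION = 0.5
MARGIN = 0.05

# Staff counts per hospital and occupation, copied from Table 1.
STAFF = {
    "A": {"Health administrators": 266, "Doctors": 699, "Support staff": 1972},
    "B": {"Health administrators": 175, "Doctors": 421, "Support staff": 1891},
    "C": {"Health administrators": 209, "Doctors": 492, "Support staff": 1635},
}


def required_sample(population):
    """Krejcie-Morgan minimum sample size; rounding up is an assumption."""
    spread = CHI_SQUARE * PROPORTION * (1 - PROPORTION)
    size = spread * population / (MARGIN ** 2 * (population - 1) + spread)
    return math.ceil(size)


def allocate(strata, sample):
    """Equations (1) and (2): split `sample` across strata by their share."""
    population = sum(strata.values())
    # Round half up (assumed); this reproduces the integers in Table 1.
    return {name: math.floor(size / population * sample + 0.5)
            for name, size in strata.items()}


def sampling_plan(staff):
    """Return (overall sample, quota per hospital, quota per occupation)."""
    hospital_sizes = {h: sum(groups.values()) for h, groups in staff.items()}
    overall = required_sample(sum(hospital_sizes.values()))
    per_hospital = allocate(hospital_sizes, overall)      # equation (1)
    per_group = {h: allocate(groups, per_hospital[h])     # equation (2)
                 for h, groups in staff.items()}
    return overall, per_hospital, per_group


def occupation_totals(per_group):
    """Sum the quotas across hospitals ("Target total" column of Table 1)."""
    totals = {}
    for groups in per_group.values():
        for name, quota in groups.items():
            totals[name] = totals.get(name, 0) + quota
    return totals


def rounding_drift(overall, per_hospital, per_group):
    """Quotas gained or lost to rounding at each level (0 means exact)."""
    drift = {"hospitals": sum(per_hospital.values()) - overall}
    for hospital, groups in per_group.items():
        drift[hospital] = sum(groups.values()) - per_hospital[hospital]
    return drift


if __name__ == "__main__":
    overall, per_hospital, per_group = sampling_plan(STAFF)
    print("overall sample:", overall)
    for hospital, quota in per_hospital.items():
        print(f"hospital {hospital}: {quota} -> {per_group[hospital]}")
    print("target totals:", occupation_totals(per_group))
    print("rounding drift:", rounding_drift(overall, per_hospital, per_group))
```

Proportional allocation with independent rounding does not always sum back to the target; `rounding_drift` makes that visible, and for these counts every level is exact.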

See Appendix 1 for a brief description of individual survey items.

Before proceeding with the survey, the content validity of the questionnaires was assessed. The questionnaire went through a translation process to minimise possible variance due to cultural and linguistic differences. A pilot study was then conducted in which questionnaires were randomly distributed to 50 respondents, who were then excluded from participating further in the study. The reliability of the pilot-study questionnaire was assessed using Cronbach’s alpha coefficient. Reliability results for each construct ranged from 0.713 to 0.917, all falling within the acceptable range described in the literature.

Data analysis
Partial least squares structural equation modelling (PLS-SEM) was applied using SmartPLS version 2.0 (Ringle et al., 2005) to test the measurement model and the structural model developed for use in this study. PLS-SEM is used to obtain determinate values for latent variables for predictive purposes and to minimise the variance of dependent variables. Thus, PLS-SEM matches the researcher’s prediction-oriented objective, which does not require normal data distribution (Christmas, 2005).

Results

Descriptive data
Demographic data relating to the participants in this study are outlined in Tables 1 and 2. Table 1 shows the number of health administrators, doctors and other support staff across each of the three selected hospitals who participated in the study, while Table 2 provides the demographic profile of all study participants.

Table 2. Demographical profile of study participants.

n = 454

Demographics               Frequency   Percentage
Sex
  Male                     97          21.40
  Female                   357         78.60
Age
  40 years                 394         86.70
  >40 years                60          13.20
Hospital
  A                        159         35.00
  B                        166         36.60
  C                        129         28.40
Position/occupation
  Doctors                  132         29.00
  Support staff            278         61.30
  Health administrators    44          9.70
HIS usage experience
  <5 years                 228         50.22
  >5 years                 226         49.77

HIS: health information systems.

Measurement model
Confirmatory factor analysis results (Table 3) showed that most indicators measuring a particular construct had loading values of more than 0.7 on their respective constructs except item code MS06 (0.696). However, the factor loading of this item was close to 0.7 and was thus considered acceptable (Hair et al., 2013). Results confirmed that the indicators were valid for their respective constructs.

As suggested by Hair et al. (2010), we examined composite reliability (CR) and average variance extracted (AVE) to assess the convergence validity, as shown in Table 4. The CRs for each construct ranged from 0.879 to 0.961, which exceeded the recommended value of 0.7. The AVE for each construct ranged from 0.591 to 0.779, which is greater than 0.5. Thus, the cut-off values ensured that at least 50% or more of the variances in the constructs could be explained by the set of indicators. The collected data had previously been verified for its reliability by calculating Cronbach’s alpha. The resulting values ranged from 0.817 to 0.957, which was deemed acceptable. Results of the measurement model showed that all the seven constructs were valid measures based on their parameter estimates and statistical significance (Hair et al., 2013).

To test discriminant validity, we examined the squared correlations between the measures of the potentially overlapping constructs. Results indicated that all diagonal values in italics were higher than the values in rows and columns, indicating adequate discriminant validity (see Table 4). Thus, we were able to demonstrate that these constructs did not overlap.

Structural model
Results showed that 22.6% of variance in SE and 28% of variance in PT were explained by the MS and that 52.8% of variance in UCB of HIS security policies was explained by SE and PT (see Figure 2).

Results also showed that MS has the most significant influence on PT (β = 0.529, t-value = 12.629), followed by

Table 3. Factor loadings and cross loadings.

Constructs/items   MS      SE      TRUST   UCB
MS01               0.762   0.311   0.386   0.427
MS02               0.708   0.324   0.399   0.373
MS03               0.763   0.348   0.469   0.483
MS04               0.786   0.333   0.393   0.402
MS05               0.744   0.330   0.403   0.394
MS06               0.696   0.242   0.420   0.298
MS07               0.789   0.293   0.395   0.321
MS08               0.773   0.351   0.494   0.406
MS09               0.782   0.359   0.376   0.402
MS10               0.797   0.395   0.421   0.400
MS11               0.779   0.358   0.375   0.369
MS12               0.752   0.499   0.394   0.405
MS13               0.816   0.443   0.491   0.446
MS14               0.764   0.358   0.390   0.402
MS15               0.766   0.377   0.363   0.418
MS16               0.792   0.388   0.332   0.380
MS17               0.791   0.432   0.373   0.441
SE01               0.365   0.810   0.238   0.311
SE02               0.471   0.812   0.295   0.329
SE03               0.261   0.771   0.315   0.346
SE04               0.400   0.819   0.332   0.350
TRUST1             0.476   0.352   0.843   0.576
TRUST2             0.446   0.285   0.882   0.595
TRUST3             0.463   0.327   0.917   0.684
TRUST4             0.482   0.332   0.886   0.636
UCB1               0.440   0.338   0.663   0.838
UCB2               0.422   0.339   0.632   0.867
UCB3               0.460   0.355   0.542   0.846
UCB4               0.457   0.386   0.563   0.859

MS: management support; SE: self-efficacy; UCB: user compliance behaviour.

Table 4. Convergence, reliability and discriminant validity.ᵃ

       AVE     CR      R²      α       MS      TRUST   SE      UCB
MS     0.591   0.961           0.957   0.769
PT     0.779   0.934   0.280   0.905   0.529   0.882
SE     0.645   0.879   0.226   0.817   0.475   0.367   0.803
UCB    0.727   0.914   0.528   0.875   0.521   0.707   0.415   0.853

MS: management support; SE: self-efficacy; UCB: user compliance behaviour; AVE: average variance extracted; CR: composite reliability; α: Cronbach’s alpha; PT: perceived trust.
ᵃ TRUST = PT.

Discussion

This study introduced an ISSPC human behaviour model, by positing the mediation effect of PT and SE within the context of security management. This particular combination of behaviours has not received much attention from scholars investigating HIS security policies compliance behaviour among Malaysian health professionals. The study has also filled a research gap between different constructs of MS and compliance behaviour. Although the role of management has been used extensively to evaluate links between employees’ behaviour and technological effectiveness in the Malaysian culture, to the best of our knowledge, none of these studies have focused specifically on the connection between MS and HIS security effectiveness through compliance behaviour. This study emphasised multiple aspects of MS (leadership behaviour, cues-to-action and information system security training) in evaluating patterns of compliance behaviour among health professionals.

The analysis revealed that MS had the most significant impact on health professionals’ trust in organisational security policies. The effect of PT on health professionals’ behaviours towards HIS security policies was also a more significant predictor than was SE, which is in line with results of previous studies (Williams, 2008). Thus, hospital management should ensure that ISPs are effectively documented and distributed to all employees. ISP documents must be easy to understand and presented in simple language in order for employees to feel confident with the security guidelines, so that they are able to practise as recommended by the Malaysia Ministry of Health. Previous literature has also suggested that communication about information security between management and employees must be effective for it to influence employees’ trust (Koskosas et al., 2011). If trust is not established among health professionals, the healthcare sector might face greater risks of security incidents. Therefore, the culture to inculcate trust in the organisation must be embedded within the organisation before implementing the ISPs.

Management in Malaysian hospitals was also found to play a role in improving the security skills of their employees, which is in line with previous studies (Madhavan and
SE (b ¼ 0.475, t-value ¼ 10.222). PT had the most signif- Phillips, 2010; Siponen et al., 2014). HIS users believed
icant influence on UCB towards ISPs related to HIS uses that information security training and awareness pro-
(b ¼ 0.641, t-value ¼ 20.268). Direct effect of SE on UCB grammes were important. They also believed that good
towards ISPs was also significant (b ¼ 0.180, t-value ¼ training and effective security awareness programmes
4.496). Therefore, all hypotheses were supported, as shown could improve their attitudes and change their behaviour
in Table 5, and RQ1 was answered. in relation to information security and enhance their skills
Bootstrapping analysis showed that the indirect effect of in using information security tools. Hospital management
MS through SE (b ¼ 0.085) and PT (b ¼ 0.339) was sig- (e.g. hospital directors) plays an important role when it
nificant, with t-values of 3.662 and 9.959, respectively. As comes to solving problems caused by human error prior
suggested by Preacher and Hayes (2004), the indirect effects to developing policies related to information security. This
95% boot confidence interval ((SE: lower limit ¼ 0.040, suggests that organisations should invest more in informa-
upper limit ¼ 0.131) and (PT: lower limit ¼ 0.273, upper tion security education and training to ensure that optimal
limit ¼ 0.406)) did not straddle a 0 in between, indicating information security behaviour in hospitals is maintained.
there was a mediation effect. Thus, RQ2 was answered and The intervening variables (PT and SE) highlighted in
we were able to conclude that the mediation effects were this study mediated the effect on the relationship between
statistically significant, as shown in Table 5. the MS and UCB towards HIS security policies. To the best
of our knowledge, the mediation effect of PT has not been covered in previous studies that have examined UCB towards HIS security policies and also included SE and the relationship between MS and UCB towards HIS security policies within the context of the Malaysian healthcare sector. Results of this study suggested that hospital managers must first recognise the importance of information security in order to create an organisational environment that is conducive to achieving security goals. In addition, hospital management must communicate regularly with employees and ensure that the hospital’s goals and career-promotion criteria are clearly identified, so employees understand and appreciate the opportunities afforded to them.

Figure 2. ISSPC model – standard path results. ISSPC: information system security policies compliance.

Table 5. Hypothesis testing.

Hypotheses   Relationship      β       Standard error   t-Value    Results
H1           MS → PT           0.529   0.042            12.629ᵃ    Accepted
H2           MS → SE           0.475   0.045            10.222ᵃ    Accepted
H3           PT → UCB          0.642   0.034            20.268ᵃ    Accepted
H4           SE → UCB          0.180   0.042            4.496ᵃ     Accepted
H1(a)        MS → PT → UCB     0.339   0.034            9.959ᵃ     Accepted
H1(b)        MS → SE → UCB     0.085   0.023            3.662ᵃ     Accepted

MS: management support; SE: self-efficacy; UCB: user compliance behaviour; PT: perceived trust.
ᵃ p < 0.01.

Limitations
The study had several limitations. The sample included health professionals and Malaysian public hospitals only. In addition, the procedure for obtaining permissions to conduct a research project in Malaysian public hospitals was extremely rigid and involved a lengthy approval process. This impacted on time available to recruit participants for the study and limited the sample size. Future studies could include larger samples of health professionals and a broader range of health institutions. Including patients in the sample would facilitate a more systematic presentation of findings and enable results to be generalised across the healthcare section. It is also possible that Malaysian health professionals have perceptions towards compliance with HIS security policies that are different from those of health professionals in other countries, and there may be other issues where Malaysian culture could be an influencing factor.
Data collected for this study were in the form of self-reports, which may have resulted in common method variance, such as social desirability and the respondent’s consistency motif (Podsakoff and Organ, 1986). Fortunately, researchers in this study were able to verify that common method variance did not influence the data, which were found to be acceptable. Unequal number of males and females in the study sample was another limitation; we encountered some difficulties in persuading more male participants to take part in the survey and prototype testing. We recommend that future research includes a greater number of male participants and employs an enhanced research technique to gather more data and explore other factors in investigating UCB towards HIS security policies.

Conclusions

The PLS path analysis revealed that all constructs in the ISSPC model affected users’ compliance behaviour toward HIS security policies either directly or indirectly. These findings can contribute to future human behaviour in information system studies and could be particularly useful to policymakers in relation to improving strategic planning in information security in organisations by emphasising management and human factor issues, especially in healthcare sectors. Most organisations invest time and resources to establish and maintain strategic plans to ensure information security but if employees are not willing to comply and exercise the appropriate information security behaviour, then their efforts will be in vain. While all combinations of TPB with human factors included in this study contributed towards an enhanced understanding of compliance behaviour in relation to organisational ISPs, trust was
shown to be the most significant factor. Future research could focus on other elements of trust in greater detail.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.

References
Aaron GA (2006) Transformational and transactional leadership: association with attitudes toward evidence-based practice. Psychiatric Services 57(8): 1162–1169.
Ahlan AR, Arshad Y and Lubis M (2011) Implication of human attitude factors toward information security awareness in Malaysia Public University. Paper presented at International Conference on Innovation and Management, 12–15 July 2011, Kuala Lumpur, Malaysia.
Ajzen I (1985) From intentions to actions: a theory of planned behavior. In: Kuhl J and Beckman J (eds), Action-Control: From Cognition to Behavior. Heidelberg: Springer, pp. 11–39.
Akhunzada A, Sookhak M, Anuar NB, et al. (2015) Man-at-the-end attacks: analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications 48: 44–57.
Al-Omari A, El-Gayar O and Deokar A (2012) Information security policy compliance: the role of information security awareness.
Al-Salihy W, Ann J and Sures R (2003) Effectiveness of information systems security in IT organizations in Malaysia. Communications, APCC 2003. In: The 9th Asia-Pacific Conference on, Vol. 2. IEEE, 2003.
Bahtiyar Ş and Çağlayan MU (2013) Trust assessment of security for e-health systems. Electronic Commerce Research and Applications 13(3): 164–177.
Beas MI and Salanova M (2006) Self-efficacy beliefs, computer training and psychological well-being among information and communication technology workers. Computers in Human Behavior 22: 1043–1058.
Brady JW (2010) An investigation of factors that affect HIPAA security compliance in academic medical centers. Unpublished 3411810, Florida: Nova Southeastern University.
Brady JW (2011) Securing health care: assessing factors that affect HIPAA security compliance in academic medical centers. Paper presented at the System Sciences (HICSS), 2011 44th Hawaii International Conference, Hawaii, 4–7 January 2011.
Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34: 523–548.
Celep C and Yilmazturk OE (2012) The relationship among organizational trust, multidimensional organizational commitment and perceived organizational support in educational organizations. Procedia – Social and Behavioral Sciences, 46: 5763–5776.
Chan M, Woon I and Kankanhalli A (2005) Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3): 18–41.
Chang AJ, Wu CY and Liu HW (2012) The effects of job satisfaction and organization commitment on information security policy adoption and compliance. Paper presented at the Management of Innovation and Technology (ICMIT), 2012 IEEE International Conference on, 11–13 June 2012.
Christmas TH (2005) Using partial least squares approach to predict factors that contribute to the impact of e-folios on pre-service teachers’ learning. PhD Dissertation. Louisiana: Louisiana State University.
Chung N and Kwon SJ (2009) Effect of trust level on mobile banking satisfaction: a multi-group analysis of information system success instruments. Behaviour & Information Technology 28(6): 549–562.
Crosby LA, Evans KA and Cowles D (1990) Relationship quality in services selling: an interpersonal influence perspective. Journal of Marketing Theory and Practice 54(3): 68–82.
Da Veiga A and Eloff JHP (2010) A framework and assessment instrument for information security culture. Computers and Security 29: 196–207.
Da Veiga A and Martins N (2015) Improving the information security culture through monitoring and implementations actions illustrated through a case study. Computers & Security 49: 162–176.
Guo KH (2013) Security-related behavior in using information systems in the workplace: a review and synthesis. Computers & Security 32: 242–251.
Hair JF, Black WC, Babin BJ, et al. (2010) Multivariate Data Analysis: A Global Perspective. Upper Saddle River: Pearson Prentice Hall.
Hair JF, Ringle CM and Sarstedt M (2013) Partial least squares structural equation modeling: rigorous applications, better results and higher acceptance. Long Range Planning 46: 1–12.
Herath T and Rao HR (2009) Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47: 154–165.
Hogler R, Henle C and Gross M (2013) Ethical behavior and regional environments: the effects of culture, values, and trust. Employee Responsibilities and Rights Journal 25: 109–121.
Hu Q, Dinev T, Hart P, et al. (2012) Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decision Sciences 43(4): 615–659.
Huang D-L, Rau P-LP, Salvendy G, et al. (2011) Factors affecting perception of information security and their impacts on IT adoption and security practices. International Journal of Human-Computer Studies 69: 870–883.
Huang E and Chuang MH (2007) Extending the theory of planned behavior as a model to explain post-merger employee behavior of IS use. Computers in Human Behavior 23: 240–257.
Ifinedo P (2012) Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Computers and Security 31: 83–95.
Johnston AC and Warkentin M (2008) Information privacy compliance in the healthcare industry. Information Management and Computer Security 16: 5–19.
Kankanhalli A, Teo H-H, Tan BCY, et al. (2003) An integrative study of information systems security effectiveness. International Journal of Information Management 23: 139–154.
Kim DJ, Ferrin DL and Rao HR (2008) A trust-based consumer decision-making model in electronic commerce: the role of trust, perceived risk, and their antecedents. Decision Support Systems 44: 544–564.
Kim C, Tao W, Shin N, et al. (2010) An empirical study of customers’ perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications 9: 84–95.
Knapp KJ, Franklin Morris R Jr, Marshall TE, et al. (2009) Information security policy: an organizational-level process model. Computers & Security 28(7): 493–508.
Koskosas I, Kakulidis K and Siomos C (2011) Examining the linkage between information security and end-user trust. International Journal of Computer Science and Information Security 9: 21–31.
Krejcie RV and Morgan DW (1970) Determining sample size for research activities. Educational and Psychological Measurement 30: 607–610.
Leach J (2003) Improving user security behaviour. Computers and Security 22: 685–692.
Liao C, Chen J-L and Yen DC (2007) Theory of planning behavior (TPB) and customer satisfaction in the continued use of e-service: an integrated model. Computers in Human Behavior 23: 2804–2822.
Lippert SK and Davis M (2006) A conceptual model integrating trust into planned change activities to enhance technology adoption behavior. Journal of Information Sciences 32: 434–448.
Madhavan P and Phillips RR (2010) Effects of computer self-efficacy and system reliability on user interaction with decision support systems. Computers in Human Behavior 26: 199–204.
Mcdermott AM, Conway E, Rousseau DM, et al. (2013) Promoting effective psychological contracts through leadership: the missing link between HR strategy and performance. Human Resource Management 52: 289–310.
Meillier LK, Lund AB and Kok G (1997) Cues to action in the process of changing lifestyle. Patient Education and Counseling 30: 37–51.
Narayana Samy G, Ahmad R and Ismail Z (2010) Security threats categories in healthcare information systems. Health Information Journal 16: 201–209.
Ng B-Y, Atreyi K and Yunjie X (2009) Studying users’ computer security behavior: a health belief perspective. Decision Support Systems 46: 815–825.
Padayachee K (2012) Taxonomy of compliant information security behavior. Computers and Security 31: 673–680.
Pahnila S, Siponen M and Mahmood A (2007) Employees’ behavior towards IS security policy compliance. System sciences, HICSS 2007. In: 40th Annual Hawaii International Conference on. IEEE, 2007.
Parsons K, Mccormac A, Butavicius M, et al. (2014) Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers and Security 42: 165–176.
Podsakoff PM and Organ DW (1986) Self-reports in organizational research: problems and prospects. Journal of Management 12: 531–544.
Preacher KJ and Hayes AF (2004) SPSS and SAS procedures for estimating indirect effects in simple mediation models. Behavior Research Methods, Instruments, & Computers 36(4): 717–731.
Puhakainen P and Ahonen R (2006) Design theory for information security awareness.
Rhee H-S, Kim C and Ryu YU (2009) Self-efficacy in information security: its influence on end users’ information security practice behavior. Computers and Security 28(8): 816–826.
Rhee YK (2010) Different effects of workers’ trust on work stress, perceived stress, stress reaction, and job satisfaction between Korean and Japanese workers. Safety and Health at Work 1: 87–97.
Ringle CM, Wende S and Will S (2005) SmartPLS 2.0 (M3) Beta [Online]. Available at: http://www.smartpls.de (accessed 20 December 2014).
Safa NS, Von Solms R and Furnell S (2016) Information security policy compliance behaviour model in organizations. Computers & Security 56: 70–82.
Shahnawaz MG and Goswami K (2011) Effect of psychological contract violation on organizational commitment, trust and turnover intention in private and public sector Indian organizations. Vision (09722629) 15: 209–217.
Singh P, Fook CY and Sidhu GK (2006) A comprehensive Guide to Writing a Research Proposal, Batu Caves, Selangor: Venton Publishing.
Siponen M, Mahmood MA and Pahnila S (2014) Employees’ adherence to information security policies: an exploratory field study. Information and Management 51: 217–224.
Siponen M, Pahnila S and Mahmood MA (2010) Compliance with information security policies: an empirical investigation. Computer 43: 64–71.
Six F and Sorge A (2008) Creating a high-trust organization: an exploration into organizational policies that stimulate interpersonal trust building. Journal of Management Studies 45: 857–884.
Symantec (2013) Internet Security Threat Report 2013 (Vol. 18).
Tan HH and Lim AKH (2009) Trust in coworkers and trust in organizations. Journal of Psychology 143: 45–66.
Taylor S and Todd P (1995) Decomposition and crossover effects in the theory of planned behavior: a study of consumer adoption intentions. International Journal of Research in Marketing 12: 137–155.
Torkzadeh G and Van Dyke TP (2002) Effects of training on Internet self-efficacy and computer user attitudes. Computers in Human Behavior 18: 479–494.
Uffen J and Breitner MH (2013) Management of technical security measures: an empirical examination of personality traits and behavioral intentions. System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.
Utami AF, Bangun YR and Lantu DC (2014) Understanding the role of emotional intelligence and trust to the relationship between organizational politics and organizational commitment. Procedia – Social and Behavioral Sciences 115: 378–386.
Van Deursen N, Buchanan WJ and Duff A (2013) Monitoring information security risks within health care. Computers & Security 37: 31–45.
Williams PAH (2008) In a ‘trusting’ environment, everyone is responsible for information security. Information Security Technical Report 13: 207–215.
Williams PAH (2009) Capturing culture in medical information security research. Methodological Innovations Online 4: 15–26.
Wood CC and Banks WW Jr (1993) Human error: an overlooked but significant information security problem. Computers and Security 12(1): 51–60.
Woodhouse S (2007) Information security: end user behavior and corporate culture. Computer and Information Technology. CIT 2007. In: 7th IEEE International Conference on. IEEE, 2007.
Workman M, Bommer WH and Straub D (2008) Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior 24: 2799–2816.

Appendix 1
Descriptive analysis of each item used to measure the independent variables and the dependent variable

Independent variables

MS: leadership behaviour


MS01: The leader always seeks for improvements related to information security policies.
MS02: The leader takes serious action on those who do not comply with information security policies.
MS03: The leader always values the adoption of practising adequate information security behaviour.
MS: information system security training and policies implementation.
MS04: The management always provides specific training on information security regularly.
MS05: The leader encourages me to attend any information security training.
MS06: The information security training organised by the management is complete.
MS07: The information security training organised by the management is effective.
MS08: The management documents information security policies efficiently, so that I can understand them easily.
MS09: Information security policies are easy to access in my organisation.
MS10: The management updates me on changes related to information security policies.
MS11: There exists a clear structure for disciplinary action in the case of non-compliance with organisation’s information security policy.
MS12: The leader thinks my job performance will improve if I adopt appropriate information security behaviour.
MS13: Information security policies in my organisation help me to understand how to behave appropriately towards matters related to information security.
MS14: Information security articles or newsletters are distributed to all employees in my organisation.
MS15: All employees in my organisation are always alerted of information security threats through messages/emails in my organisation.
MS16: All employees in my organisation will always alerted of information security policies through messages/emails.
MS17: Management organises ongoing information security campaign to increase user’s security awareness.
Self-efficacy
SE01: I have the necessary skills to recognise many types of information security violations (didn’t change password, suspicious email and didn’t update anti-virus regularly, etc.).
SE02: I have the necessary skills to protect my organisation’s data from information security violations.
SE03: I have the necessary skills to use information security tools if someone tells me what to do as I go along.
SE04: I have the necessary skills to implement the available preventive measures to avoid information security threats.
Perceived trust
TRUST1: I feel confident of my understanding of the information security policies in my organisation.
TRUST2: I feel confident when it comes to implementing information security policies in my organisation.
TRUST3: I feel confident practicing information security policies in my organisation.
TRUST4: I feel confident with the information security policies in my organisation.

Dependent variable

HIS security policies compliance behaviour


UCB1: I comply with information security policies when performing my daily works.
UCB2: I practise recommended information security behaviour as much as possible.
UCB3: I always recommend others to comply with information security policies.
UCB4: I assist others in complying with information security policies.

MS: management support; SE: self-efficacy; HIS: health information systems; UCB: user compliance behaviour.
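
The validity and mediation figures in Tables 3 to 5 can be cross-checked from the published numbers alone. The following Python check is an added example, not the authors' analysis code: it assumes the standard formulas for AVE and composite reliability, the Fornell-Larcker criterion, the product-of-coefficients indirect effect and the standardised-regression identity for R², and recomputes the reported values from the Table 3 loadings, Table 4 correlations and Table 5 path coefficients.

```python
from math import sqrt

# Own-construct loadings copied from Table 3 (the TRUST items measure PT).
LOADINGS = {
    "MS": [0.762, 0.708, 0.763, 0.786, 0.744, 0.696, 0.789, 0.773, 0.782,
           0.797, 0.779, 0.752, 0.816, 0.764, 0.766, 0.792, 0.791],
    "SE": [0.810, 0.812, 0.771, 0.819],
    "PT": [0.843, 0.882, 0.917, 0.886],
    "UCB": [0.838, 0.867, 0.846, 0.859],
}
# Inter-construct correlations (off-diagonal cells of Table 4).
CORR = {("MS", "PT"): 0.529, ("MS", "SE"): 0.475, ("PT", "SE"): 0.367,
        ("MS", "UCB"): 0.521, ("PT", "UCB"): 0.707, ("SE", "UCB"): 0.415}
# Standardised path coefficients from Table 5 (the Results text gives
# 0.641 for PT -> UCB; the table value is used here).
PATHS = {("MS", "PT"): 0.529, ("MS", "SE"): 0.475,
         ("PT", "UCB"): 0.642, ("SE", "UCB"): 0.180}
# 95% bootstrap confidence intervals of the indirect effects (Results text).
BOOT_CI = {"PT": (0.273, 0.406), "SE": (0.040, 0.131)}


def ave(loadings):
    """Average variance extracted: mean of the squared loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2))."""
    total = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return total / (total + error)


def corr(a, b):
    """Look up a correlation regardless of the order of the pair."""
    return CORR.get((a, b), CORR.get((b, a)))


def fornell_larcker_ok(construct):
    """sqrt(AVE) must exceed every correlation with another construct."""
    root = sqrt(ave(LOADINGS[construct]))
    return all(root > corr(construct, other)
               for other in LOADINGS if other != construct)


def indirect_effect(mediator):
    """Product of coefficients for MS -> mediator -> UCB."""
    return PATHS[("MS", mediator)] * PATHS[(mediator, "UCB")]


def mediation_supported(mediator):
    """Preacher-Hayes criterion: the bootstrap interval excludes zero."""
    low, high = BOOT_CI[mediator]
    return low > 0 or high < 0


def r_squared(outcome):
    """Standardised regression: R^2 = sum of beta * corr(predictor, outcome)."""
    return sum(beta * corr(src, outcome)
               for (src, dst), beta in PATHS.items() if dst == outcome)


if __name__ == "__main__":
    for name, lam in LOADINGS.items():
        print(f"{name}: AVE={ave(lam):.3f} CR={composite_reliability(lam):.3f} "
              f"sqrt(AVE)={sqrt(ave(lam)):.3f} "
              f"discriminant={fornell_larcker_ok(name)}")
    for m in ("PT", "SE"):
        print(f"MS->{m}->UCB indirect={indirect_effect(m):.3f} "
              f"mediated={mediation_supported(m)}")
    for y in ("PT", "SE", "UCB"):
        print(f"R2({y})={r_squared(y):.3f}")
```

The recomputed values agree with the tables to within rounding of the published three-decimal inputs.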
