Abstract

Background: Health information systems are innovative products designed to improve the delivery of effective healthcare, but they are also vulnerable to breaches of information security, including unauthorised access, use, disclosure, disruption, modification or destruction, and duplication of passwords. Greater openness and multi-connectedness between heterogeneous stakeholders within health networks increase the security risk.

Objective: The focus of this research was on the indirect effects of management support (MS) on user compliance behaviour (UCB) towards information security policies (ISPs) among health professionals in selected Malaysian public hospitals. The aim was to identify significant factors and provide a clearer understanding of the nature of compliance behaviour in the health sector environment.

Method: Using a survey design and stratified random sampling method, self-administered questionnaires were distributed to 454 healthcare professionals in three hospitals. Drawing on theories of planned behaviour, perceived behavioural control (self-efficacy (SE) and MS components) and the trust factor, an information system security policies compliance model was developed to test three related constructs (MS, SE and perceived trust (PT)) and their relationship to UCB towards ISPs.

Results: Results showed a 52.8% variation in UCB through significant factors. Partial least squares structural equation modelling demonstrated that all factors were significant and that MS had an indirect effect on UCB through both PT and SE among respondents to this study.

Conclusion: The research model based on the theory of planned behaviour in combination with other human and organisational factors has made a useful contribution towards explaining compliance behaviour in relation to organisational ISPs, with trust being the most significant factor. In adopting a multidimensional approach to management–user interactions via multidisciplinary concepts and theories to evaluate the association between the integrated management–user values and the nature of compliance towards ISPs among selected health professionals, this study has made a unique contribution to the literature.

Keywords (MeSH)
hospital information systems; information management; information security; organisation and administration; self-efficacy; trust; motivation; organizational management; health information management; information protection; data security

security failures due to user behaviour continuing to increase in spite of additional resources being invested in technology-based security solutions (Al-Omari et al., 2012). Narayana Samy et al. (2010) argued that human error is a major threat to the security of the healthcare industry. According to a report by Symantec (2013), the healthcare sector had the largest percentage of security incidents. Information security incidents in the healthcare sector were due to lack of security awareness among employees, poor security skills and poor security monitoring and enforcement, as well as inappropriate information security behaviour (Da Veiga and Martins, 2015; Safa et al., 2016). Therefore, governments and the healthcare industry management generally should consider and invest not only in the technical aspects of security systems but also in human resources.

Theoretical review

ISPs compliance behaviour

Guo (2013) defined ISP compliance behaviour as behaviour that does not violate an organisation’s ISPs and adheres to a set of core information security activities as recommended by the organisation (Padayachee, 2012). An organisation’s ISPs usually consist of several focus areas, such as password management, information handling, Internet use, email use, social network system use and incident reporting (Parsons et al., 2014). Information security compliance behaviour might have an effect on the success or failure of information security processes in organisations, especially in the healthcare industry. Thus, it is important for organisations to promote information security behaviour and constrain unacceptable information security behaviour among employees (Woodhouse, 2007). If employees’ compliance behaviour towards information security is acceptable, security incidents could be minimised and the effectiveness of ISPs increased.

Theory of planned behaviour

The theory of planned behaviour (TPB) has been used by previous researchers to explain user behaviour in information system studies (Uffen and Breitner, 2013).

TPB has been applied extensively to examine user acceptance of information systems, which is designed to predict human behaviour (Liao et al., 2007). This theory proposed by Ajzen (1985) postulates three conceptually independent determinants of intention: attitude, subjective norms (SNs) and perceived behavioural control (PBC). Ajzen (1985) defined attitude as a ‘degree to which a person has a favourable or unfavourable evaluation or appraisal of the behaviour in question’ (p. 12). Meanwhile, SNs are determined by users’ perceptions of other people’s opinions in terms of whether or not he/she should adopt appropriate behaviours (Huang and Chuang, 2007). Other people’s opinions in this context are the opinions of superiors and colleagues. However, in this study, the researchers have only highlighted superiors’ behaviour because employees’ behaviour in organisations is most often influenced by their superiors, who are also the leaders in the organisation, such as director, manager and supervisor, among others. Staff in organisations tend to do what they have been asked to do and to respect their superiors, which can have positive or negative effects (Leach, 2003). This is supported by previous findings, which have indicated that superior behaviour has the greatest impact on employees’ information security behaviour (Huang and Chuang, 2007; Ifinedo, 2012). Leaders should demonstrate positive security behaviour and encourage employees to comply with ISPs (Siponen et al., 2010). Thus, research suggests that adequate security culture can be inculcated within organisations.

Perceived behavioural control

From the perspective of TPB, PBC can be described as a user’s perceptions of his or her own ability (Huang et al., 2011), which can be heightened through education and training provided by management. According to Taylor and Todd (1995), the PBC construct has two components: self-efficacy (SE) and facilitating conditions.

Self-efficacy. SE is one of the factors thought to promote compliance behaviour towards ISPs (Bulgurcu et al., 2010). It can be developed through the ongoing acquisition of knowledge (Chan et al., 2005). The SE construct originates from social cognitive theory (Johnston and Warkentin, 2008) and determines how people feel, think and what motivates them to behave in certain ways, based on cognitive, motivational, affective, social influence and selection processes (Workman et al., 2008). The notion that SE can be enhanced through training programmes provided by management has been supported by researchers (e.g. Beas and Salanova, 2006). SE towards information security compliance behaviour involves not only the proper use of security countermeasure tools but also the security care behaviours related to computer or Internet usage.

Facilitating conditions. Facilitating conditions, the second component of PBC, relate to facilities needed to ensure that employees engage in behaviours required of them by the organisation (e.g. money, time, specialised resources) (Taylor and Todd, 1995). Education and training programmes can develop user information security awareness (Puhakainen, 2006) and enhance a user’s skills to use security tools (Koskosas et al., 2011), leading to improvement in user compliance behaviour (UCB) with ISPs. Researchers argue that it is vital for management to give full commitment and support to their employees concerning the best practices in information security behaviour and that such top-level demonstration can influence user awareness of information security.

Trust in organisations

Brady (2011) suggested that trust in the organisation’s ISPs can also improve compliance with ISPs among employees. Trust has received a variety of definitions. From the

Humaidi and Balakrishnan 3

that organisational policies and procedures are put into practice and providing security training and awareness programmes (Knapp et al., 2009). According to Kankanhalli et al. (2003), MS is considered as a form of guidance provided during IS security planning and implementation.

Empirical studies have also demonstrated the importance of MS. Johnston and Warkentin (2008) combined organisational and individual factors based on TPB and the technology acceptance model to determine the compliance intention behaviour of healthcare professionals in relation to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Findings showed that organisational support as well as SE played a role in healthcare professionals’ compliance intention behaviour. Brady (2011) showed that MS was a significant predictor of security behaviour of healthcare professionals in the United States towards HIPAA.

In the current study, SE was defined as an individual’s perception of his or her capability to protect information (Johnston and Warkentin, 2008). SE can be enhanced through information security awareness programmes and training that aim to introduce and provide information about the importance of an information system’s security and to increase users’ skills in using security countermeasures (Torkzadeh and Van Dyke, 2002). Users might become aware of information security threats and have good knowledge about security countermeasures, but if their skills in dealing with these threats are poor, they will be less likely to implement preventive security measures (Workman et al., 2008). Thus, management must educate employees on how to use security countermeasures properly and on why maintaining security behaviour is effective in preventing information security threats. User skill in applying security countermeasures is also believed to mediate the effect of MS on compliance behaviour towards ISPs. Thus, the following hypotheses were developed:

H1: MS has a direct effect on SE.

H1(a): MS has an indirect effect on users’ compliance behaviour towards ISPs through SE.

SE has also been shown to support the positive acquisition of skills among health professionals in dealing with compliance behaviour towards ISPs (Beas and Salanova, 2006; Chan et al., 2005). Previous studies have indicated that SE has a significant effect on an employee’s intention to comply with the organisation’s ISPs (Bulgurcu et al., 2010; Herath and Rao, 2009) and that compliant behaviour towards ISPs can be promoted by increasing SE (Chan et al., 2005). This is also supported by Pahnila et al. (2007), who found that SE was significant in explaining people’s adherence to information system security. Employees are more likely to adopt their organisation’s ISPs if they have the relevant competence and capability with regard to taking information security precautions and to implementing preventative security measures (Ifinedo, 2012). Thus, the following hypothesis was constructed:

H2: SE has a direct effect on users’ compliance behaviour towards ISPs.

MS, PT and UCB

PT refers to users’ expected confidence in the implementation of security policies through managerial support. The perception of trust among users depends on the subjective needs of the users and social constraints. If users have higher trust in the security system, they will likely use the security system consistently, which, in turn, may reduce security incidents in the organisation (Bahtiyar and Çağlayan, 2013). This is also supported by Lippert and Davis (2006) who stated that trust is an important element in the organisation as trust affects an employee’s willingness to adopt the security technology implemented in the organisation. With this in mind, it is believed that trust in organisations should be embedded between the employees and the hospital management in the healthcare industry; thus, the employees will be more committed to comply with the ISPs implemented in the healthcare industry, and security incidents can be decreased. Therefore, we form these hypotheses:

H3: MS has a direct effect on PT.

H3(a): MS has an indirect effect on users’ compliance behaviour towards ISPs through PT.

H4: PT has a direct effect on users’ compliance behaviour towards ISPs.

Method

Design of the study

This study employed a survey design in conjunction with stratified random sampling and quantitative research methods to test relationships between three constructs via a measurement model and a structural (ISSPC) model developed for the purpose of the study. Previous literature was reviewed to assist in developing the ISSPC model and for testing research hypotheses. In Malaysia, HIS are divided into three categories: total HIS (THIS), intermediate HIS (IHIS) and basic HIS (BHIS). This study focused only on public hospitals that fell into THIS category, as these HIS are more complete than IHIS and BHIS.

Prior to commencement of the study, a hospital visit was organised, as well as a meeting between the researcher, hospital management, clinical research centre (CRC) staff and IT staff to seek further clarification regarding the rationale and status of THIS implementation in the selected hospitals. Before data collection commenced, applications for required approvals were made to the public hospitals, Institute of Health Information System and Ministry of Health (MOH). Procedures for data collection were defined as follows:

1. meeting with CRC officers to get clear instructions on conducting research in the hospitals;
2. registration of research information in National Medical Research Register System (NMRR);
3. issuance of formal letters on research application to hospitals’ management;
4. once approval letters have been received from the selected hospitals, researchers upload these letters into the NMRR system and forward the applications to the Institute for Health Systems Research and the MOH;
5. approval of applications to be subjected to ethics review;
6. CRC officers at each hospital to provide the list of respondents; and
7. researcher proceeds with the data collection.

The research model

The ISSPC model developed for use in this study consisted of three exogenous constructs (independent variables): MS, SE and PT. The MS construct was measured by means of leadership behaviour and implementation of ISPs training and education, while SE and PT were included as mediators. The endogenous construct (dependent variable) in the study was UCB towards ISPs related to their use of HIS, as shown in Figure 1.

Sampling method, participants and data collection

Once approval was obtained from IHIS and MOH, the final questionnaires were distributed to respondents from selected local hospitals, and quantitative data were collected through a self-administered survey.

The study aimed to sample all health professionals who were end users of HIS, with participants representing a broad range of professions such as nurses, physicians, pharmacists, radiologists, health administrators and doctors. All health professionals who interacted with patients’ medical records in the hospital were eligible for selection. Because participants in the study would not be drawn from one homogeneous group of employees, stratified random sampling was used to determine the relevant sample size for each subgroup, which would ensure an adequate number of participants from each category of employees at the three selected government hospitals. The total population (number of employees in the selected groupings from these three hospitals combined) was 7760. According to Singh et al. (2006), when the overall population size is greater than 5000, a sample size of 400–500 is adequate. However, when considered in conjunction with the amount of error (which is expected to be within 5 percentage points, with 95% certainty), a sample size calculator was used to determine the required sample size (Krejcie and Morgan, 1970), which in this case was 367.

Formula to calculate the sample size needed for each hospital is as follows:

$$S = \frac{\text{size of hospital population}}{\text{total of population}} \times 367 \tag{1}$$

Formula to calculate the sample size needed from each category of employee is as follows:

$$s_1 = \frac{\text{total of employee}}{\text{size of hospital population}} \times S \tag{2}$$

A total of 900 questionnaires were distributed throughout the selected hospitals between December 2012 and April 2013, inclusive. However, only 454 valid questionnaires were returned. A further 421 questionnaires were classified as non-responses, and 25 were rejected due to missing values.

Survey instrument

The questionnaire was divided into three sections: Section A consisted of demographic questions such as age, HIS experience, sex and occupation. Section B assessed the health professional’s perceptions of MS for information security, SE and trust in relation to ISPs. Section C evaluated the attitudes of health professionals on UCB towards HIS security policies. Indicators used to measure MS were adapted from Aaron (2006); Meillier et al. (1997) and Ng et al. (2009) for information security training; and Chang et al. (2012) for ISP implementation. Items used to measure SE were adapted from Ifinedo (2012) and PT from Chung and Kwon (2009). All indicators in sections B and C were measured using a 5-point Likert-type scale, with anchors ranging from 1 (strongly disagree) to 5 (strongly agree).
6 Health Information Management Journal XX(X)
See Appendix 1 for a brief description of individual survey items.

Before proceeding with the survey, the content validity of the questionnaires was assessed. The questionnaire went through a translation process to minimise possible variance due to cultural and linguistic differences. A pilot study was then conducted in which questionnaires were randomly distributed to 50 respondents, who were then excluded from participating further in the study. The reliability of the pilot-study questionnaire was assessed using Cronbach’s alpha coefficient. Reliability results for each construct ranged from 0.713 to 0.917, all falling within the acceptable range described in the literature.

Data analysis

Partial least squares structural equation modelling (PLS-SEM) was applied using SmartPLS version 2.0 (Ringle et al., 2005) to test the measurement model and the structural model developed for use in this study. PLS-SEM is used to obtain determinate values for latent variables for predictive purposes and to minimise the variance of dependent variables. Thus, PLS-SEM matches the researcher’s prediction-oriented objective, which does not require normal data distribution (Christmas, 2005).

Results

Descriptive data

Demographic data relating to the participants in this study are outlined in Tables 1 and 2. Table 1 shows the number of health administrators, doctors and other support staff across each of the three selected hospitals who participated in the study, while Table 2 provides the demographic profile of all study participants.

Table 1. Samples of participants by occupation from each of the three selected hospitals.

Table 2. Demographical profile of study participants (n = 454).

Demographics              Frequency   Percentage
Sex
  Male                    97          21.40
  Female                  357         78.60
Age
  40 years                394         86.70
  >40 years               60          13.20
Hospital
  A                       159         35.00
  B                       166         36.60
  C                       129         28.40
Position/occupation
  Doctors                 132         29.00
  Support staff           278         61.30
  Health administrators   44          9.70
HIS usage experience
  <5 years                228         50.22
  >5 years                226         49.77

HIS: health information systems.

Measurement model

Confirmatory factor analysis results (Table 3) showed that most indicators measuring a particular construct had loading values of more than 0.7 on their respective constructs except item code MS06 (0.696). However, the factor loading of this item was close to 0.7 and was thus considered acceptable (Hair et al., 2013). Results confirmed that the indicators were valid for their respective constructs.

As suggested by Hair et al. (2010), we examined composite reliability (CR) and average variance extracted (AVE) to assess the convergence validity, as shown in Table 4. The CRs for each construct ranged from 0.879 to 0.961, which exceeded the recommended value of 0.7. The AVE for each construct ranged from 0.591 to 0.779, which is greater than 0.5. Thus, the cut-off values ensured that at least 50% or more of the variances in the constructs could be explained by the set of indicators. The collected data had previously been verified for its reliability by calculating Cronbach’s alpha. The resulting values ranged from 0.817 to 0.957, which was deemed acceptable. Results of the measurement model showed that all the seven constructs were valid measures based on their parameter estimates and statistical significance (Hair et al., 2013).

To test discriminant validity, we examined the squared correlations between the measures of the potentially overlapping constructs. Results indicated that all diagonal values in italics were higher than the values in rows and columns, indicating adequate discriminant validity (see Table 4). Thus, we were able to demonstrate that these constructs did not overlap.

Structural model

Results showed that 22.6% of variance in SE and 28% of variance in PT were explained by the MS and that 52.8% of variance in UCB of HIS security policies was explained by SE and PT (see Figure 2).

Results also showed that MS has the most significant influence on PT (β = 0.529, t-value = 12.629), followed by
Figure 2. ISSPC model – standard path results. ISSPC: information system security policies compliance.
shown to be the most significant factor. Future research could focus on other elements of trust in greater detail.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

References

Aaron GA (2006) Transformational and transactional leadership: association with attitudes toward evidence-based practice. Psychiatric Services 57(8): 1162–1169.
Ahlan AR, Arshad Y and Lubis M (2011) Implication of human attitude factors toward information security awareness in Malaysia Public University. Paper presented at International Conference on Innovation and Management, 12–15 July 2011, Kuala Lumpur, Malaysia.
Ajzen I (1985) From intentions to actions: a theory of planned behavior. In: Kuhl J and Beckman J (eds), Action-Control: From Cognition to Behavior. Heidelberg: Springer, pp. 11–39.
Akhunzada A, Sookhak M, Anuar NB, et al. (2015) Man-at-the-end attacks: analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications 48: 44–57.
Al-Omari A, El-Gayar O and Deokar A (2012) Information security policy compliance: the role of information security awareness.
Al-Salihy W, Ann J and Sures R (2003) Effectiveness of information systems security in IT organizations in Malaysia. Communications, APCC 2003. In: The 9th Asia-Pacific Conference on, Vol. 2. IEEE, 2003.
Bahtiyar Ş and Çağlayan MU (2013) Trust assessment of security for e-health systems. Electronic Commerce Research and Applications 13(3): 164–177.
Beas MI and Salanova M (2006) Self-efficacy beliefs, computer training and psychological well-being among information and communication technology workers. Computers in Human Behavior 22: 1043–1058.
Brady JW (2010) An investigation of factors that affect HIPAA security compliance in academic medical centers. Unpublished 3411810, Florida: Nova Southeastern University.
Brady JW (2011) Securing health care: assessing factors that affect HIPAA security compliance in academic medical centers. Paper presented at the System Sciences (HICSS), 2011 44th Hawaii International Conference, Hawaii, 4–7 January 2011.
Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34: 523–548.
Celep C and Yilmazturk OE (2012) The relationship among organizational trust, multidimensional organizational commitment and perceived organizational support in educational organizations. Procedia – Social and Behavioral Sciences 46: 5763–5776.
Chan M, Woon I and Kankanhalli A (2005) Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3): 18–41.
Chang AJ, Wu CY and Liu HW (2012) The effects of job satisfaction and organization commitment on information security policy adoption and compliance. Paper presented at the Management of Innovation and Technology (ICMIT), 2012 IEEE International Conference on, 11–13 June 2012.
Christmas TH (2005) Using partial least squares approach to predict factors that contribute to the impact of e-folios on pre-service teachers’ learning. PhD Dissertation. Louisiana: Louisiana State University.
Chung N and Kwon SJ (2009) Effect of trust level on mobile banking satisfaction: a multi-group analysis of information system success instruments. Behaviour & Information Technology 28(6): 549–562.
Crosby LA, Evans KA and Cowles D (1990) Relationship quality in services selling: an interpersonal influence perspective. Journal of Marketing Theory and Practice 54(3): 68–82.
Da Veiga A and Eloff JHP (2010) A framework and assessment instrument for information security culture. Computers and Security 29: 196–207.
Da Veiga A and Martins N (2015) Improving the information security culture through monitoring and implementations actions illustrated through a case study. Computers & Security 49: 162–176.
Guo KH (2013) Security-related behavior in using information systems in the workplace: a review and synthesis. Computers & Security 32: 242–251.
Hair JF, Black WC, Babin BJ, et al. (2010) Multivariate Data Analysis: A Global Perspective. Upper Saddle River: Pearson Prentice Hall.
Hair JF, Ringle CM and Sarstedt M (2013) Partial least squares structural equation modeling: rigorous applications, better results and higher acceptance. Long Range Planning 46: 1–12.
Herath T and Rao HR (2009) Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47: 154–165.
Hogler R, Henle C and Gross M (2013) Ethical behavior and regional environments: the effects of culture, values, and trust. Employee Responsibilities and Rights Journal 25: 109–121.
Hu Q, Dinev T, Hart P, et al. (2012) Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decision Sciences 43(4): 615–659.
Huang D-L, Rau P-LP, Salvendy G, et al. (2011) Factors affecting perception of information security and their impacts on IT adoption and security practices. International Journal of Human-Computer Studies 69: 870–883.
Huang E and Chuang MH (2007) Extending the theory of planned behavior as a model to explain post-merger employee behavior of IS use. Computers in Human Behavior 23: 240–257.
Ifinedo P (2012) Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Computers and Security 31: 83–95.
Johnston AC and Warkentin M (2008) Information privacy compliance in the healthcare industry. Information Management and Computer Security 16: 5–19.
Kankanhalli A, Teo H-H, Tan BCY, et al. (2003) An integrative study of information systems security effectiveness. International Journal of Information Management 23: 139–154.
Kim DJ, Ferrin DL and Rao HR (2008) A trust-based consumer decision-making model in electronic commerce: the role of trust, perceived risk, and their antecedents. Decision Support Systems 44: 544–564.
Kim C, Tao W, Shin N, et al. (2010) An empirical study of customers’ perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications 9: 84–95.
Knapp KJ, Franklin Morris R Jr, Marshall TE, et al. (2009) Information security policy: an organizational-level process model. Computers & Security 28(7): 493–508.
Koskosas I, Kakulidis K and Siomos C (2011) Examining the linkage between information security and end-user trust. International Journal of Computer Science and Information Security 9: 21–31.
Krejcie RV and Morgan DW (1970) Determining sample size for research activities. Educational and Psychological Measurement 30: 607–610.
Leach J (2003) Improving user security behaviour. Computers and Security 22: 685–692.
Liao C, Chen J-L and Yen DC (2007) Theory of planning behavior (TPB) and customer satisfaction in the continued use of e-service: an integrated model. Computers in Human Behavior 23: 2804–2822.
Lippert SK and Davis M (2006) A conceptual model integrating trust into planned change activities to enhance technology adoption behavior. Journal of Information Sciences 32: 434–448.
Madhavan P and Phillips RR (2010) Effects of computer self-efficacy and system reliability on user interaction with decision support systems. Computers in Human Behavior 26: 199–204.
Mcdermott AM, Conway E, Rousseau DM, et al. (2013) Promoting effective psychological contracts through leadership: the missing link between HR strategy and performance. Human Resource Management 52: 289–310.
Meillier LK, Lund AB and Kok G (1997) Cues to action in the process of changing lifestyle. Patient Education and Counseling 30: 37–51.
Narayana Samy G, Ahmad R and Ismail Z (2010) Security threats categories in healthcare information systems. Health Information Journal 16: 201–209.
Ng B-Y, Atreyi K and Yunjie X (2009) Studying users’ computer security behavior: a health belief perspective. Decision Support Systems 46: 815–825.
Padayachee K (2012) Taxonomy of compliant information security behavior. Computers and Security 31: 673–680.
Pahnila S, Siponen M and Mahmood A (2007) Employees’ behavior towards IS security policy compliance. System sciences, HICSS 2007. In: 40th Annual Hawaii International Conference on. IEEE, 2007.
Parsons K, Mccormac A, Butavicius M, et al. (2014) Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers and Security 42: 165–176.
Podsakoff PM and Organ DW (1986) Self-reports in organizational research: problems and prospects. Journal of Management 12: 531–544.
Preacher KJ and Hayes AF (2004) SPSS and SAS procedures for estimating indirect effects in simple mediation models. Behavior Research Methods, Instruments, & Computers 36(4): 717–731.
Puhakainen P and Ahonen R (2006) Design theory for information security awareness.
Rhee H-S, Kim C and Ryu YU (2009) Self-efficacy in information security: its influence on end users’ information security practice behavior. Computers and Security 28(8): 816–826.
Rhee YK (2010) Different effects of workers’ trust on work stress, perceived stress, stress reaction, and job satisfaction between Korean and Japanese workers. Safety and Health at Work 1: 87–97.
Ringle CM, Wende S and Will S (2005) SmartPLS 2.0 (M3) Beta [Online]. Available at: http://www.smartpls.de (accessed 20 December 2014).
Safa NS, Von Solms R and Furnell S (2016) Information security policy compliance behaviour model in organizations. Computers & Security 56: 70–82.
Shahnawaz MG and Goswami K (2011) Effect of psychological contract violation on organizational commitment, trust and turnover intention in private and public sector Indian organizations. Vision (09722629) 15: 209–217.
Singh P, Fook CY and Sidhu GK (2006) A comprehensive Guide to Writing a Research Proposal, Batu Caves, Selangor: Venton Publishing.
Siponen M, Mahmood MA and Pahnila S (2014) Employees’ adherence to information security policies: an exploratory field study. Information and Management 51: 217–224.
Siponen M, Pahnila S and Mahmood MA (2010) Compliance with information security policies: an empirical investigation. Computer 43: 64–71.
Six F and Sorge A (2008) Creating a high-trust organization: an exploration into organizational policies that stimulate interpersonal trust building. Journal of Management Studies 45: 857–884.
Symantec (2013) Internet Security Threat Report 2013 (Vol. 18).
Tan HH and Lim AKH (2009) Trust in coworkers and trust in organizations. Journal of Psychology 143: 45–66.
Taylor S and Todd P (1995) Decomposition and crossover effects in the theory of planned behavior: a study of consumer adoption intentions. International Journal of Research in Marketing 12: 137–155.
Torkzadeh G and Van Dyke TP (2002) Effects of training on Internet self-efficacy and computer user attitudes. Computers in Human Behavior 18: 479–494.
Uffen J and Breitner MH (2013) Management of technical security measures: an empirical examination of personality traits and behavioral intentions. System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.
Utami AF, Bangun YR and Lantu DC (2014) Understanding the role of emotional intelligence and trust to the relationship between organizational politics and organizational commitment. Procedia – Social and Behavioral Sciences 115: 378–386.
Van Deursen N, Buchanan WJ and Duff A (2013) Monitoring information security risks within health care. Computers & Security 37: 31–45.
Williams PAH (2008) In a ‘trusting’ environment, everyone is responsible for information security. Information Security Technical Report 13: 207–215.
Williams PAH (2009) Capturing culture in medical information security research. Methodological Innovations Online 4: 15–26.
Wood CC and Banks WW Jr (1993) Human error: an overlooked but significant information security problem. Computers and Security 12(1): 51–60.
Woodhouse S (2007) Information security: end user behavior and corporate culture. Computer and Information Technology. CIT 2007. In: 7th IEEE International Conference on. IEEE, 2007.
Workman M, Bommer WH and Straub D (2008) Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior 24: 2799–2816.

Appendix 1
Descriptive analysis of each item used to measure independent variables and dependent variable
Independent variables
Dependent variable
MS: management support; SE: self-efficacy; HIS: health information systems; UCB: user compliance behaviour.