Bridging the gap between organizational and user perspectives of security in the clinical domain

Abstract: Abstract:An understanding of 'communities of practice' can help to make sense of existing security and privacy issues within organisations; the same understanding can be used proactively to help bridge the gap between organisational and end-user perspectives on these matters. Findings from two studies within the health domain reveal contrasting perspectives on the 'enemy within' approach to organisational security. Ethnographic evaluations involving in-depth interviews, focus groups and observations with 93 pa… Show more

“…The interviewed experts explained the opinions differed as a result of varied levels of perceived ownership of tasks in terms of their capacity to complete assigned tasks. This explanation supported findings from Adams and Blandford (2005) and Posey et al (2014) that there would be discrepancies in the security experts and end-users' ownership of the security compliance activities, as well as their perceptions of the severity and likelihood of security threats.…”

“…Several studies have explored such perspectives. For instance, different perceptions of ownership over security issues amongst staff and managers were found to result in end-users' rejection of security controls by forcefully breaking into the computer room (Adams and Blandford 2005). Disagreements on the effectiveness of security controls and preferences between management and technical staff were also noted in Mouratidis et al (2008) where the management staff had doubts about the organisation's network security system in spite of the security team's confidence in the system's effectiveness.…”

“…Employees often perceive performing security practices as an adjunct task, which is secondary to their primary work duties. Hence, when there is a conflict between the need to perform security measures and primary tasks, end-users may ignore security requirements (Adams and Blandford 2005). The cost of compliance imposed on end-users has been identified as one of the key factors leading to non-compliance (Furnell andRajendran 2012, Leach 2003).…”

Information Security and People: A Conundrum for Compliance

“…The interviewed experts explained the opinions differed as a result of varied levels of perceived ownership of tasks in terms of their capacity to complete assigned tasks. This explanation supported findings from Adams and Blandford (2005) and Posey et al (2014) that there would be discrepancies in the security experts and end-users' ownership of the security compliance activities, as well as their perceptions of the severity and likelihood of security threats.…”

“…Several studies have explored such perspectives. For instance, different perceptions of ownership over security issues amongst staff and managers were found to result in end-users' rejection of security controls by forcefully breaking into the computer room (Adams and Blandford 2005). Disagreements on the effectiveness of security controls and preferences between management and technical staff were also noted in Mouratidis et al (2008) where the management staff had doubts about the organisation's network security system in spite of the security team's confidence in the system's effectiveness.…”

“…Employees often perceive performing security practices as an adjunct task, which is secondary to their primary work duties. Hence, when there is a conflict between the need to perform security measures and primary tasks, end-users may ignore security requirements (Adams and Blandford 2005). The cost of compliance imposed on end-users has been identified as one of the key factors leading to non-compliance (Furnell andRajendran 2012, Leach 2003).…”

Information Security and People: A Conundrum for Compliance

“…The authors propose a semiquantitative risk evaluation framework, suggesting to act upon each identified risk if the standard "C < LD" equation is satisfied. 10 To evaluate the components of this formula, a set of risk management questions are used, listed in Table 3.9.…”

“…Developing the "human" side of the policies should be a priority for the MIS and CSCW communities, as shown by the work by Adams and Blandford. Adams and Blandford discuss the effects of the introduction of access control systems to patient data within a health care settings [10]. They studied two hospitals through in-depth interviews, focus groups, and observations, and found that in one hospital, a user-centered approach resulted in a collaborative system that was accepted and used by the organization, but still clashed with existing working practices.…”

End-User Privacy in Human-Computer Interaction

Healthcare and Security: Understanding and Evaluating the Risks