Upload
kirby
View
27
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Proactive vs. Reactive Security Investment in the Healthcare Sector. Juhee Kwon and M. Eric Johnson Center for Digital Strategies Tuck School of Business Dartmouth College WEIS 2011. Healthcare Breaches. HHS new reporting rules have increased breach visibility. - PowerPoint PPT Presentation
Citation preview
WEIS 2011Dartmouth
Juhee Kwon and M. Eric JohnsonCenter for Digital Strategies
Tuck School of BusinessDartmouth College
WEIS 2011
Proactive vs. Reactive Security Investment in the Healthcare Sector
Healthcare Breachesβ’ HHS new reporting rules have increased breach visibility.
β’ HITECH mandates public posting of breaches involving more than 500 people.
β’ Over 100 announcements by the first anniversary (sept 2010).
Security InvestmentsSecurity investments are often triggered by β’ breaches β’ government regulations
InformationNetwork
Providers /PayersPatients Identity theft
Federal & state legislations
Negative public opinion & Momentary loss
Theoretical Background (1)
β’ Investment for performance improvement β’ from defects or external mandatesβ’ in organizational learning for performance improvement
β’ Organizational learning from the investmentsβ’ Whether defects trigger or not
(Ittner et al. 2001, Management Science)
β’ Learning is a function of both proactive investments and autonomous learning-by-doing rather than a function of reactive investments alone
Theoretical Background (2)
β’ Interaction with external mandatesβ’ Public attention can make organizations focus on the problem area.β’ Voluntary recalls result in more learning than involuntary recalls
β’ The effects of voluntary and involuntary recalls on subsequent recall rates (Haunschild et al. 2004, Management Science)
β’ Organizational learning in security investments
Research Questions
β’ How do proactive and reactive investments work for security improvement?
β’ How do external regulatory pressures impact security performance?
β’ Are there social incentives for security investments?
Hypotheses (1)β’ Proactive (H1) and Reactive(H2) investments reduce security
failuresβ’ Resources stimulate innovation & create opportunities for organizational
learning.β’ Proactive vs. Reactive (H3)
β’ Proactive investments require more analysis (to determine appropriate action) and a clear understanding of government and public expectations.
ProactiveInvestments
ExternalPressures
ReactiveInvestments
Security Failures
H1(β)
H2(β)
H3(Β±)H4(β)
H5(Β±)
H6(Β±)
Hypotheses (2)β’ The mixed effect of external pressure
β’ Increasing organizational attention on a problem area .β’ Creating defensive reactions.
β’ How does external pressure influence security failures (H4)?β’ How does external pressure influence the effects of proactive
(H5) or reactive (H6) investments?
ProactiveInvestments
ExternalPressures
ReactiveInvestments
Security Failures
H1(β)
H2(β)
H3(Β±)H4(Β±)
H5(Β±)
H6(Β±)
Data Collection
β’ 2,386 healthcare organizations from 2005 to 2009 from HIMSS Analyticsβ’
β’ Proactive vs. Reactiveβ’ 0, if an organization invests after any member of itβs group experiences a
breach; otherwise 1.β’ Control for EHR adoption, annual revenue, bed size, etc.
β’ Security investments
β’ 281 healthcare security breaches from HHS, ITRC, and Data Loss
Cox Proportional Hazard Model
β’ βtime to eventsβ to explore the effects of explanatory variablesβ’ hazard rate = failure rate (less than one decreases failures)
h π (π‘ )πππ‘ππ/h0 (π‘ )=ππ₯π [π½1 (πΌππ£ππ π‘ππππ‘ π )+ π½2 (ππππππ‘ππ£ππ )+π½3 (πΏππ€π )+π½4 (πΏππ€πΓππππππ‘ππ£ππ )+ π½5 (πΏππ€ πΓ πΌππ£ππ π‘ππππ‘ π)+ π½ππ π+πΏ1 (π ππ§ππ )+πΏ2 (πππππππππππ π )+πΏ3β² (ππ¦πππ )+π β² (πππππ )]h π (π‘ )πππ /h0 (π‘ )=ππ₯π[π½1 (πππ πΌ ππ£ππ π‘ππππ‘ π )+π½3 (πΏππ€π)+π½5 (πΏππ€πΓππππΌππ£ππ π‘ππππ‘ π )+π½ πππ+πΏ1 (π ππ§ππ )+πΏ2 (ππππππππππππ )+πΏ3β² (ππ¦πππ )+π β² (ππππ π )]
h π (π‘ )ππ/h0 (π‘ )=ππ₯π [π½1 (πππΌ ππ£ππ π‘ππππ‘ π)+π½3 (πΏππ€π )+π½5 (πΏππ€πΓππ πΌππ£ππ π‘ππππ‘ π )+π½π ππ+πΏ1 (π ππ§ππ )+πΏ2 (ππππππππππππ )+πΏ3β² (ππ¦πππ )+π β² (ππππ π)]
Endogeneityβ’ Endogeneity of Security Investment
β’ Those who proactively invest might have better security processes, management, or technological expertise than those who do not.
β’ Two-step econometric procedure (Heckman 1979)
β’ Endogenous Adoption of Regulationβ’ Due to a sudden rise in breachesβ’ Two-sample t-test (p-value > 0.1)
β’ the numbers of breaches in states before adoption of new regulation and in states without adoption.
Proactive or ReactiveInvestment
Hazard Rate(h(t))
tt-1Time line
The probability () that an organization has no breach
Breach or the end of the time line
Results at the organization level
Total Proactive Reactive
Hypotheses
Proactive Inv. -0.65***(0.13) 0.52 H1:Supported
Reactive Inv. 0.11(0.09) 1.12 H2:Not supported
Total Inv. -0.28***(0.02) 0.76
Proactive -1.01***(0.29) 0.36 H3:Supported
Law -1.07***(0.26) 0.34 -0.89***
(0.25) 0.41 -1.02***(0.24) 0.36 H4:Supported
SI Γ Law 0.16**(0.09) 1.17
PI Γ Law 0.237*(0.144) 1.27 H5: Supported
RIΓ Law -0.06(0.10) 0.94 H6: Not supported
Inverse Mills ratio -4.78**(2.41) 0.01 -4.401*
(2.407) 0.01 -1.28(2.28) 0.28
β’ Supporting the effect of proactive, but not reactive.β’ Regulation reduces failures, but also decreases the effect of investments.
Results at the state level
Total Proactive Reactive Hypotheses
Proactive Inv. -1.43***(0.23) 0.24 H1:Supported
Reactive Inv. -0.90***(0.20) 0.41 H2:Supported
Total Inv. -1.55***(0.22) 0.21
Proactive -2.56***(0.43) 0.08 H3:Supported
Law -1.72***(0.37) 0.18 -1.24**
(0.32) 0.29 -1.36***(0.30) 0.26 H4:Supported
SI Γ Law 0.22***(0.06) 1.25
PI Γ Law 0.35**(0.15) 1.41 H5:Supported
RIΓ Law 0.02(0.03) 1.02 H6:Not
Supported
Inverse Mills ratio -2.86*(1.57) 0.06 -1.10
(1.44) 0.33 -0.69 (1.45) 0.50
β’ Supporting both the effects of proactive and reactive.β’ Lower hazard rate at the state level than at the organization level.
Results
β’ Proactive investments are more effective at reducing security failures than reactive investments.
β’ When proactive investments were forced by an external requirement, the effect of proactive investment is diminished.
β’ Both proactive and reactive security investments have positive externalities.β’ one organization's security
investments help the others
Implications
β’ The regulatory value of carrot vs. stick β’ Due to positive externalities, incentives could be earmarked to
boost investment in security.β’ Regulatory requirements should not be prescriptive
β’ For example, regulation could mandate that a portion of the overall IT budget be dedicated to security, allowing organizations to decide on the types of security investment.
Further and Future Work
β’ External & Internal Failures β’ Results: external breaches have a significant association with
security investment, whereas internal breaches have no effect.β’ Why?
β’ Our investment data is focused on external threats.β’ Greater concern about a problem leads to more effort to resolve it.
β’ Future Workβ’ Examine security policies and training programs.β’ Consider the momentary size of security investments.β’ Consider the severity of breaches.