| Article ID | Journal | Published Year | Pages | File Type |
|---|---|---|---|---|
| 557833 | The Journal of Strategic Information Systems | 2011 | 12 Pages |
A business’s information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.
► Value conflicts can be used as a strategic tool for organizational development. ► Users’ information security practices is opportunities for reflection-in-action. ► A value-based compliance model can offer a better information security practice. ► We found seventeen areas of value conflicts in two longitudinal hospital studies.
