The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context
Publication type:
Article
Authors:
Sarkar, Sumantra; Vance, Anthony; Ramesh, Balasubramaniam; Demestihas, Menelaos; Wu, Daniel Thomas
Affiliations:
State University of New York (SUNY) System; Binghamton University, SUNY; Pennsylvania Commonwealth System of Higher Education (PCSHE); Temple University; University System of Georgia; Georgia State University; Emory University
Journal:
INFORMATION SYSTEMS RESEARCH
ISSN/ISBN:
1047-7047
DOI:
10.1287/isre.2020.0941
Publication date:
2020
Pages:
1240-1259
Keywords:
mixed-methods research
ORGANIZATIONAL CULTURE
OCCUPATIONAL PRESTIGE
universal precautions
systems misuse
deterrence
GUIDELINES
MODEL
POWER
emergency
Abstract:
In recent years, we have witnessed substantial increases in the frequency, scope, and cost of data breaches. Accordingly, information security researchers have sought to understand why employees comply with or violate information security policies (ISPs) designed to prevent security incidents. Research suggests that compliance is not uniform but rather depends on contextual and individual factors, such as national culture. Scholars have long recognized that organizational subculture may be equally influential. A key example is professional subcultures, within which members typically share similar education, training, values, and identity. Research shows that behavior can vary widely across professional subcultures, and thus a single approach to promoting ISP compliance may not be equally effective across these subcultures. However, it is presently unclear how subculture influences ISP compliance. To address this need, we adopt a mixed-methods design to examine differences in ISP violation behavior among different professional subcultures in a healthcare organization. We first conducted an exploratory qualitative study to identify different attitudes toward ISP violations among three prominent professional healthcare groups: physicians, nurses, and support staff. Then, using a combination of qualitative interviews, observational fieldwork, and a quantitative survey, we explored how professional group membership moderates (1) the influence of perceptions of sanctions on intentions to violate the ISP and (2) the effect of intentions to violate on actual ISP violation behaviors. Our findings highlight the substantial effect of professional subculture on ISP violations in organizations and provide insights for researchers and managers that may be used to improve overall ISP compliance.