Week 13 Reading Summary (HK)
Kwon, J. & Johnson, M. E. (2014). Proactive versus reactive security investments in the healthcare sector. MIS Quarterly, 38(2), 451-471.
Legislative mandates to disclose security breaches, coupled with the detailed data available on security investments, make the healthcare sector a suitable industry in which to study the impact of proactive versus reactive security investments. Proactive investments are those an organization makes before an issue or breach occurs. Conversely, reactive investments are those made after an incident in order to respond to that incident. Data from the Healthcare Information Management Systems Society covering 2005-2009 were collected so that a Cox Proportional Hazard Model could be fitted on a sample of 2,386 healthcare organizations. The analysis provides a perspective that considers both the learning-opportunity benefits and the cost effectiveness of healthcare security investments.
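To make the modelling step concrete, the following is an added example (not code from the paper or from the authors) of the kind of estimate a Cox proportional-hazards model produces when the only covariate is a proactive-versus-reactive indicator. The organization records are constructed for illustration, the organization names are placeholders, and the fit uses the Breslow approximation for tied breach times; the real study used a far larger sample and additional covariates.

```python
"""
Cox proportional-hazards fit for a single binary covariate, in pure Python.
Added example with constructed data; it is not the paper's code or data.
"""
import math
from collections import defaultdict

# Constructed records: (organization, months until first observed breach,
# breach observed?, proactive investor?).  event == 1 means a breach was
# observed at that time; event == 0 means the organization reached the end of
# the observation window without a breach (right-censored).  Names are placeholders.
RECORDS = [
    ("org-A", 24, 1, 1),
    ("org-B", 36, 1, 1),
    ("org-C", 48, 0, 1),
    ("org-D", 60, 0, 1),
    ("org-E", 60, 0, 1),
    ("org-F", 60, 0, 1),
    ("org-G", 6, 1, 0),
    ("org-H", 12, 1, 0),
    ("org-I", 18, 1, 0),
    ("org-J", 30, 1, 0),
    ("org-K", 42, 1, 0),
    ("org-L", 60, 0, 0),
]


def partial_loglik_terms(records, beta):
    """Breslow partial log-likelihood, its first derivative (score) and the
    negative second derivative (observed information) at a given beta."""
    events_by_time = defaultdict(list)
    for _, t, event, x in records:
        if event:
            events_by_time[t].append(x)

    loglik = score = info = 0.0
    for t, event_xs in events_by_time.items():
        # Risk set: every organization still unbreached and under observation at t.
        risk_xs = [x for _, tt, _, x in records if tt >= t]
        weights = [math.exp(beta * x) for x in risk_xs]
        s0 = sum(weights)
        s1 = sum(x * w for x, w in zip(risk_xs, weights))
        s2 = sum(x * x * w for x, w in zip(risk_xs, weights))
        d = len(event_xs)  # number of tied breaches at this time
        loglik += beta * sum(event_xs) - d * math.log(s0)
        score += sum(event_xs) - d * s1 / s0
        info += d * (s2 / s0 - (s1 / s0) ** 2)
    return loglik, score, info


def fit_cox(records, tol=1e-10, max_iter=100):
    """Maximise the partial likelihood by Newton's method; returns beta."""
    beta = 0.0
    for _ in range(max_iter):
        _, score, info = partial_loglik_terms(records, beta)
        if info <= 0.0:
            # No contrast in the covariate within any risk set: nothing to estimate.
            break
        step = score / info
        beta += step
        if abs(step) < tol:
            break
    return beta


def summarise(records):
    """Fit the model and report the hazard ratio for the proactive group."""
    beta = fit_cox(records)
    _, _, info = partial_loglik_terms(records, beta)
    se = math.sqrt(1.0 / info) if info > 0 else float("inf")
    return {
        "beta": beta,
        "hazard_ratio": math.exp(beta),  # relative breach hazard, proactive vs reactive
        "std_error": se,
        "wald_z": beta / se if se > 0 else 0.0,
    }


if __name__ == "__main__":
    result = summarise(RECORDS)
    for key, value in result.items():
        print(f"{key:>13}: {value:.4f}")
```

A hazard ratio below 1 means the proactive group experiences breaches at a lower instantaneous rate than the reactive group over the observation window; the Wald z statistic is the usual first check on whether the contrast is distinguishable from noise, which is what the paper's "associated with lower security failure rates" finding rests on, at scale.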
Results indicated that proactive security investments are associated with lower security failure rates. This supports the notion that attackers' capabilities and threats evolve so rapidly that learning from proactive initiatives matters. Proactive investments are also associated with smaller breaches and lower breach notification costs than reactive investments. This finding runs contrary to literature stating that proactive investing results in overinvestment stemming from uncertainty. Results also indicate that security investments have more significant effects on external than on internal failures. Regardless of investment type, effects are larger at the state level than at the organization level, indicating that security investments create positive externalities (i.e., they improve security for all parties involved). Results also indicate that voluntarily made proactive investments are associated with superior performance compared to those made under external pressure. Under external regulatory mandates, an organization may be trying to satisfy the mandate rather than conducting its own threat analysis. Finally, although external regulatory requirements attenuate learning from proactive investments, they at least do not hinder failure-induced learning from reactive investments. In effect, the results indicate that CIOs should place further emphasis on proactive initiatives rather than purely reacting.