Paper Summary- Jack Tong

Angst, Corey, et al. “When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches.” MIS Quarterly, vol. 41, no. 3, 2017, pp. 893–916.

The authors explore an interesting question about how hospital factors determine the extent to which they are symbolic or substantive adopters of IT specific practices. Institutional theory distinguishes between symbolic and substantive adoption in order to account for the degree to which the activities of a firm are accurately reflected in the signals they communicate to relevant stakeholders. Substantive adoption represents one extreme, where signals are accurate representations of adopted practices and are tightly integrated with the organization’s core operation; where symbolic adoption is intended to enhance a firm’s external validation or legitimacy rather than achieve a specific technical benefit. Using data from three different sources, they create a panel of more than 5,000 U.S. hospitals and 938 breaches over 8 years. They use a growth mixture model approach to model the heterogeneity in likelihood of breach and they apply a two class solution in which hospitals that (1) belong to smaller health systems, (2) are older, (3) smaller in size, (4) for-profit, (5) nonacademic, (6) faith-based, and (7) less entrepreneurial with IT are classified as symbolic adopters. Their findings indicate that symbolic adoption diminishes the effectiveness of IT security investments, resulting in an increased likelihood of breach. Contrary to their theorizing, the use of more IT security is not directly responsible for reducing breaches, but instead, institutional factors create the conditions under which IT security investments can be more effective.