Proactive vs. Reactive Security Investment in the Healthcare Sector
Juhee Kwon and M. Eric Johnson
Center for Digital Strategies, Tuck School of Business, Dartmouth College
WEIS 2011
Healthcare Breaches
• HHS new reporting rules have increased breach visibility.
• HITECH mandates public posting of breaches involving more than 500 people.
• Over 100 announcements by the first anniversary (Sept. 2010).
Security Investments
Security investments are often triggered by
• breaches
• government regulations
[Diagram labels: Information Network; Providers / Payers; Patients; Identity theft; Federal & state legislation; Negative public opinion & monetary loss]
Theoretical Background (1)
• Investment for performance improvement
  • from defects or external mandates
  • in organizational learning for performance improvement
• Organizational learning from the investments
  • Whether defects trigger or not
(Ittner et al. 2001, Management Science)
• Learning is a function of both proactive investments and autonomous learning-by-doing rather than a function of reactive investments alone
Theoretical Background (2)
• Interaction with external mandates
  • Public attention can make organizations focus on the problem area.
  • Voluntary recalls result in more learning than involuntary recalls
• The effects of voluntary and involuntary recalls on subsequent recall rates (Haunschild et al. 2004, Management Science)
• Organizational learning in security investments
Research Questions
• How do proactive and reactive investments work for security improvement?
• How do external regulatory pressures impact security performance?
• Are there social incentives for security investments?
Hypotheses (1)
• Proactive (H1) and Reactive (H2) investments reduce security failures
  • Resources stimulate innovation & create opportunities for organizational learning.
• Proactive vs. Reactive (H3)
  • Proactive investments require more analysis (to determine appropriate action) and a clear understanding of government and public expectations.
[Figure: research model with nodes Proactive Investments, Reactive Investments, External Pressures and Security Failures; paths labelled H1(–), H2(–), H3(±), H4(–), H5(±), H6(±)]
Hypotheses (2)
• The mixed effect of external pressure
  • Increasing organizational attention on a problem area.
  • Creating defensive reactions.
• How does external pressure influence security failures (H4)?
• How does external pressure influence the effects of proactive (H5) or reactive (H6) investments?
[Figure: research model with nodes Proactive Investments, Reactive Investments, External Pressures and Security Failures; paths labelled H1(–), H2(–), H3(±), H4(±), H5(±), H6(±)]
Data Collection
• 2,386 healthcare organizations from 2005 to 2009 from HIMSS Analytics™
• Proactive vs. Reactive
  • 0, if an organization invests after any member of its group experiences a breach; otherwise 1.
  • Control for EHR adoption, annual revenue, bed size, etc.
• Security investments
• 281 healthcare security breaches from HHS, ITRC, and Data Loss
Cox Proportional Hazard Model
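• “time to events” to explore the effects of explanatory variables
• hazard rate = failure rate (less than one decreases failures)

$$\frac{h_i(t)^{\mathit{Total}}}{h_0(t)} = \exp\big[\beta_1(\mathit{Investment}_i) + \beta_2(\mathit{Proactive}_i) + \beta_3(\mathit{Law}_i) + \beta_4(\mathit{Law}_i \times \mathit{Proactive}_i) + \beta_5(\mathit{Law}_i \times \mathit{Investment}_i) + \beta_\lambda \lambda_i + \delta_1(\mathit{size}_i) + \delta_2(\mathit{Performance}_i) + \delta_3'(\mathit{Type}_i) + \tau'(\mathit{Year}_i)\big]$$

$$\frac{h_i(t)^{\mathit{Pro}}}{h_0(t)} = \exp\big[\beta_1(\mathit{ProInvestment}_i) + \beta_3(\mathit{Law}_i) + \beta_5(\mathit{Law}_i \times \mathit{ProInvestment}_i) + \beta_\lambda \lambda_i + \delta_1(\mathit{size}_i) + \delta_2(\mathit{Performance}_i) + \delta_3'(\mathit{Type}_i) + \tau'(\mathit{Year}_i)\big]$$

$$\frac{h_i(t)^{\mathit{re}}}{h_0(t)} = \exp\big[\beta_1(\mathit{reInvestment}_i) + \beta_3(\mathit{Law}_i) + \beta_5(\mathit{Law}_i \times \mathit{reInvestment}_i) + \beta_\lambda \lambda_i + \delta_1(\mathit{size}_i) + \delta_2(\mathit{Performance}_i) + \delta_3'(\mathit{Type}_i) + \tau'(\mathit{Year}_i)\big]$$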
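Added example, not from the slides or the authors' analysis: a single-covariate Cox fit in plain Python on a constructed sample, coding the proactive indicator as on the Data Collection slide and returning exp(β), the hazard ratio. Assumptions: "after" means a strictly later year, duration runs from the investment year to a breach or to the end of 2009, ties use the Breslow approximation, and the law terms, controls and Heckman correction are omitted.

```python
import math

END_YEAR = 2009  # the page's observation window is 2005 to 2009

# Constructed sample, not study data: (org, group, investment year, breach year or None)
ORGS = [
    ("A", "g1", 2005, None), ("B", "g1", 2007, 2008), ("C", "g1", 2005, 2006),
    ("D", "g1", 2008, 2009), ("I", "g1", 2007, 2009), ("E", "g2", 2005, 2009),
    ("F", "g2", 2006, None), ("G", "g2", 2005, 2007), ("H", "g2", 2008, None),
]

def survival_rows(orgs, end_year=END_YEAR):
    """Return one (proactive, duration, event) tuple per organization."""
    first_breach = {}
    for _, group, _, breach in orgs:
        if breach is not None:
            first_breach[group] = min(breach, first_breach.get(group, breach))
    rows = []
    for _, group, invest, breach in orgs:
        # Page's coding: 0 if the investment follows a breach in the group, else 1.
        proactive = 0 if invest > first_breach.get(group, math.inf) else 1
        stop = breach if breach is not None else end_year  # censored at end of window
        rows.append((proactive, stop - invest, int(breach is not None)))
    return rows

def cox_beta(rows, iterations=25):
    """Newton-Raphson on the Cox partial likelihood (one covariate, Breslow ties)."""
    beta = 0.0
    for _ in range(iterations):
        score = info = 0.0
        for x_i, t_i, event in rows:
            if not event:
                continue  # censored rows only appear in risk sets
            risk = [x for x, t, _ in rows if t >= t_i]  # still at risk at t_i
            s0 = sum(math.exp(beta * x) for x in risk)
            s1 = sum(x * math.exp(beta * x) for x in risk)
            s2 = sum(x * x * math.exp(beta * x) for x in risk)
            score += x_i - s1 / s0
            info += s2 / s0 - (s1 / s0) ** 2
        beta += score / info
    return beta

def hazard_ratio(rows):
    """exp(beta): below one means the covariate lowers the breach hazard."""
    return math.exp(cox_beta(rows))

if __name__ == "__main__":
    rows = survival_rows(ORGS)
    print("beta = %.3f, hazard ratio = %.3f" % (cox_beta(rows), hazard_ratio(rows)))
```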
Endogeneity
• Endogeneity of Security Investment
  • Those who proactively invest might have better security processes, management, or technological expertise than those who do not.
  • Two-step econometric procedure (Heckman 1979)
• Endogenous Adoption of Regulation
  • Due to a sudden rise in breaches
  • Two-sample t-test (p-value > 0.1)
    • the numbers of breaches in states before adoption of new regulation and in states without adoption.
[Figure: time line from t-1 to t; labels: Proactive or Reactive Investment; Hazard Rate (h(t)); The probability () that an organization has no breach; Breach or the end of the time line]
Results at the organization level
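| Variable | Total: coef. (SE) | Total: hazard ratio | Proactive: coef. (SE) | Proactive: hazard ratio | Reactive: coef. (SE) | Reactive: hazard ratio | Hypotheses |
|---|---|---|---|---|---|---|---|
| Proactive Inv. | | | -0.65*** (0.13) | 0.52 | | | H1: Supported |
| Reactive Inv. | | | | | 0.11 (0.09) | 1.12 | H2: Not supported |
| Total Inv. | -0.28*** (0.02) | 0.76 | | | | | |
| Proactive | -1.01*** (0.29) | 0.36 | | | | | H3: Supported |
| Law | -1.07*** (0.26) | 0.34 | -0.89*** (0.25) | 0.41 | -1.02*** (0.24) | 0.36 | H4: Supported |
| SI × Law | 0.16** (0.09) | 1.17 | | | | | |
| PI × Law | | | 0.237* (0.144) | 1.27 | | | H5: Supported |
| RI × Law | | | | | -0.06 (0.10) | 0.94 | H6: Not supported |
| Inverse Mills ratio | -4.78** (2.41) | 0.01 | -4.401* (2.407) | 0.01 | -1.28 (2.28) | 0.28 | |

• Supporting the effect of proactive, but not reactive.
• Regulation reduces failures, but also decreases the effect of investments.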
Results at the state level
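| Variable | Total: coef. (SE) | Total: hazard ratio | Proactive: coef. (SE) | Proactive: hazard ratio | Reactive: coef. (SE) | Reactive: hazard ratio | Hypotheses |
|---|---|---|---|---|---|---|---|
| Proactive Inv. | | | -1.43*** (0.23) | 0.24 | | | H1: Supported |
| Reactive Inv. | | | | | -0.90*** (0.20) | 0.41 | H2: Supported |
| Total Inv. | -1.55*** (0.22) | 0.21 | | | | | |
| Proactive | -2.56*** (0.43) | 0.08 | | | | | H3: Supported |
| Law | -1.72*** (0.37) | 0.18 | -1.24** (0.32) | 0.29 | -1.36*** (0.30) | 0.26 | H4: Supported |
| SI × Law | 0.22*** (0.06) | 1.25 | | | | | |
| PI × Law | | | 0.35** (0.15) | 1.41 | | | H5: Supported |
| RI × Law | | | | | 0.02 (0.03) | 1.02 | H6: Not supported |
| Inverse Mills ratio | -2.86* (1.57) | 0.06 | -1.10 (1.44) | 0.33 | -0.69 (1.45) | 0.50 | |

• Supporting both the effects of proactive and reactive.
• Lower hazard rate at the state level than at the organization level.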
Results
• Proactive investments are more effective at reducing security failures than reactive investments.
• When proactive investments were forced by an external requirement, the effect of proactive investment is diminished.
• Both proactive and reactive security investments have positive externalities.
  • one organization's security investments help the others
Implications
• The regulatory value of carrot vs. stick
  • Due to positive externalities, incentives could be earmarked to boost investment in security.
• Regulatory requirements should not be prescriptive
  • For example, regulation could mandate that a portion of the overall IT budget be dedicated to security, allowing organizations to decide on the types of security investment.
Further and Future Work
• External & Internal Failures
  • Results: external breaches have a significant association with security investment, whereas internal breaches have no effect.
  • Why?
    • Our investment data is focused on external threats.
    • Greater concern about a problem leads to more effort to resolve it.
• Future Work
  • Examine security policies and training programs.
  • Consider the monetary size of security investments.
  • Consider the severity of breaches.