In a 'trusting' environment, everyone is responsible for information security

Information Security Technical Report

Volumn 13, Issue 4, 2008, Pages 207-215

  Williams, Patricia A H ^a  

^a EDITH COWAN UNIVERSITY   (Australia)

Author keywords

Governance; Insider threats; Medical information security; Organisations; Security governance

Indexed keywords

BIOINFORMATICS; HEALTH RISKS;

GOVERNANCE; INSIDER THREATS; MEDICAL INFORMATION SECURITY; ORGANISATIONS; SECURITY GOVERNANCE;

SECURITY OF DATA;

EID: 57649095360     PISSN: 13634127     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.istr.2008.10.009     Document Type: Article

References (53)

1. Aagedal JØ, Braber FD, Dimitrakos T, Gran BA, Raptis D, Stölen K. Model-based risk assessment to improve enterprise security. In: Paper presented at the proceedings of the sixth international enterprise distributed object computing conference (EDOC'02); 2002.
2. Anderson RH. Research and development initiatives focused on preventing, detecting, and responding to insider misuse of critical defense information systems. In: Paper presented at the results of a three-day workshop, RAND, Santa Monica, CA; 1999.
3. Anderson RH, Bozek T, Longstaff T, Meitzer W, Skroch M, Van Wyk K. Research on mitigating the insider threat to information systems - #2. In: Proceedings of a Workshop, RAND, Santa Monica, CA; August 2000.
4. Bachman J.P., and Malloch K.M. Developing a common nursing practice model. Nursing Management 29 1 (1998) 26-27
5. Barber B, Louwerse K, Davey J. White paper on health care information security. ISHTAR White Paper Retrieved 19 January 2006, 1998; Available from: .
6. BBC News. Nearly 100 medical records 'lost' journal, 2008; Retrieved from: .
7. Becker M.Y. Information governance in NHS's NPfIT: a case for policy specification. International Journal of Medical Informatics 76 5-6 (2007) 432-437
8. Beresnevichiene Y. A role and context based security model (No. UCAM-CL-TR-558, ISSN 1476-2986) (2003), University of Cambridge Computer Laboratory, Cambridge
9. Bolton P., Douglas K., Booth B., and Miller G. A relationship between computerisation and quality in general practice. Australian Family Physician 28 9 (1999) 962-965
10. Business Software Alliance. Information security governance: toward a framework for action. Retrieved 03 July 2006, 2003; Available from: .
11. Coiera E., and Tombs V. Communication behaviours in a hospital setting: an observational study. British Medical Journal 316 7132 (1998) 673-676
12. de Dombal T. Medical decision making, clinical judgment, and decision analysis. In: Llewelyn H., and Hopkins A. (Eds). Analysing how we reach clinical decisions (1993), Royal College of Physicians of London, London 1-5
13. Dhillon G., and Moores S. Computer crimes: theorizing about the enemy within. Computers and Security 20 8 (2001) 715-723
14. Doherty N.F., and Fulford H. Aligning the information security policy with the strategic information systems plan. Computers and Security 25 1 (2006) 55-63
15. erisk. Daiwa (case study). Retrieved 01 August 2008, 2001; Available from: .
16. erisk. Barings (case study). Retrieved 01 August 2008, 2005; Available from: .
17. Fox B. "Cooperative security": a model for the new enterprise. Journal, 1998. Retrieved from: .
18. Furnell S.M. Why users cannot use security. Computers and Security 24 4 (2005) 274-279
19. Furnell S.M., Jusoh A., and Katsabas D. The challenges of understanding and using security: a survey of end-users. Computers and Security 25 1 (2006) 27-35
20. Hamilton S., and Micklethwait A. Greed and corporate failure: the lessons from recent disasters (2006), Palgrave MacMillan, Basingstoke, UK
21. Harris S. Learning guide: information security governance guide. Retrieved 5 March 2008, 2006a; Available from: .
22. Harris S. Risk management strategies: key elements when building an information security program. Retrieved 5 March 2008, 2006b; Available from: .
23. Hinde S. The inside threat. (malicious insider). Computers aND Security 22 8 (2003) 665 [662]
24. I3P. Human behavior, insider threat and awareness, Retrieved 13 August 2008, 2008; Available from: .
25. IP Governance Task Force. Intellectual property & information security governance. Retrieved 13 February 2008, 2007; Available from: .
26. Johnston A.C., and Warkentin M. Information privacy compliance in the healthcare industry. Information Management and Computer Security 16 1 (2008) 5-19
27. Leach J. Improving user security behaviour. Computers and Security 22 8 (2003) 685-692
28. Loe T.W., Ferell L., and Mansfield P. A review of empirical studies assessing ethical decision making in business. Journal of Business Ethics 25 3 (2000) 185-204
29. Magklaras G.B., and Furnell S.M. A preliminary model of end user sophistication for insider threat prediction in IT systems. Computers and Security 24 5 (2005) 371-380
30. Masys D.R., Baker D.B., Butros A., and Cowles K. Giving patients access to their medical records via the internet: the PCASSO experience [research]. Journal of the American Medical Informatics Association 9 2 (2002) 181-191
31. McCollum T. Low-tech users threaten financial sector systems (update). Internal Auditor 61 5 (2004) 18 [12]
32. Mercuri R.T. The HIPAApotamus in health care data security. Communications of the ACM 47 7 (2004) 25-28
33. Meredith B. Data protection and freedom of information. BMJ 330 7490 (2005) 490-491
34. Moynihan J.F. Data under surveillance: a government agency blends technology, audit, and investigative techniques to protect confidential information. (TECH FORUM) (Office of Internal Audit's Information Security Unit). Internal Auditor 64 2 (2007) 29 [23]
35. Mulligan E.C. Confidentiality in health records: evidence of current performance form a population survey in South Australia. Medical Journal of Australia 174 12 (2001) 637-640
36. National Threat Assessment Center. National Threat Assessment Center - insider threat study. Retrieved 13 August 2008, 2008; Available from: .
37. Nixu. Security management consulting. Retrieved 5 March 2008, 2008; Available from: .
38. Peterson D.K. Computer ethics: the influence of guidelines and universal moral beliefs. Information Technology and People 15 4 (2002) 346-361
39. Schultz E.E. A framework for understanding and predicting insider attacks. Computers and Security 21 6 (2002) 526-531
40. In: Scott J.E., and Hirschi T. (Eds). Controversial issues in crime and justice (1988), Sage Publications,, Newbury Park, California
41. Spil TAM, Stegwee RA, Teitink CJ. Business intelligence in healthcare organisations. In: Paper presented at the 35th Hawaii international conference on system sciences (HICSS-35'02), Hawaii; 2002.
42. Stetson D. Achieving effective medical information security: understanding the culture. Bulletin of the American Society for Information Science 23 3 (1997) 17-21
43. Straub D.W., and Welke R.J. Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 4 (1998) 441-469
44. Treacher A., and Bleumer G. An overview of SEISMED. In: Barber B., Treacher A., and Louwerse K. (Eds). Towards security in medical telematics vol. 27 (1996), IOS Press, Amsterdam 4-8
45. Vanmeerbeek M. Exploitation of electronic medical records data in primary health care. Resistances and solutions. Study in eight Walloon health care centres. Studies In Health Technology and Informatics 110 (2004) 42-48
46. von Solms B. Information security governance - compliance management vs operational management. Computers and Security 24 6 (2005) 443-447
47. Whitman M.E. In defense of the realm: understanding the threats to information security. International Journal of Information Management 24 1 (2004) 43-57
48. Williams P.A.H. Information governance: a model for security in medical practice. Journals of Digital Forensics, Security and Law 2 1 (2007) 57-72
49. Williams P.A.H. Medical data security: are you informed or afraid?. International Journal of Information and Computer Security 1 4 (2007) 414-429
50. Williams P.A.H. How addressing implementation issues can assist in medical information security governance. In: Clarke N.L., and Furnell S.M. (Eds). Second international symposium on human aspects of information security and assurance (2008), Centre for Information Security & Network Research, University of Plymouth, Plymouth, UK 116-125
51. Williams P.A.H. When trust defies common security sense. Health Informatics Journal 14 3 (2008) 211-221
52. Willison R. Understanding the offender/environment dynamic for computer crimes. Information Technology and People 19 2 (2006) 170-186
53. Wood B. An insider threat model for adversary simulation. In: Anderson R.H., Bozek T., Longstaff T., Meitzer W., Skroch M., and Van Wyk K. (Eds). Research on mitigating the insider threat to information systems - #2 (2002), RAND 41-48