WEIS 2011Dartmouth

Juhee Kwon and M. Eric JohnsonCenter for Digital Strategies

Tuck School of BusinessDartmouth College

WEIS 2011

Proactive vs. Reactive Security Investment in the Healthcare Sector

Healthcare Breaches• HHS new reporting rules have increased breach visibility.

• HITECH mandates public posting of breaches involving more than 500 people.

• Over 100 announcements by the first anniversary (sept 2010).

Security InvestmentsSecurity investments are often triggered by • breaches • government regulations

InformationNetwork

Providers /PayersPatients Identity theft

Federal & state legislations

Negative public opinion & Momentary loss

Theoretical Background (1)

• Investment for performance improvement • from defects or external mandates• in organizational learning for performance improvement

• Organizational learning from the investments• Whether defects trigger or not

(Ittner et al. 2001, Management Science)

• Learning is a function of both proactive investments and autonomous learning-by-doing rather than a function of reactive investments alone

Theoretical Background (2)

• Interaction with external mandates• Public attention can make organizations focus on the problem area.• Voluntary recalls result in more learning than involuntary recalls

• The effects of voluntary and involuntary recalls on subsequent recall rates (Haunschild et al. 2004, Management Science)

• Organizational learning in security investments

Research Questions

• How do proactive and reactive investments work for security improvement?

• How do external regulatory pressures impact security performance?

• Are there social incentives for security investments?

Hypotheses (1)• Proactive (H1) and Reactive(H2) investments reduce security

failures• Resources stimulate innovation & create opportunities for organizational

learning.• Proactive vs. Reactive (H3)

• Proactive investments require more analysis (to determine appropriate action) and a clear understanding of government and public expectations.

ProactiveInvestments

ExternalPressures

ReactiveInvestments

Security Failures

H1(–)

H2(–)

H3(±)H4(–)

H5(±)

H6(±)

Hypotheses (2)• The mixed effect of external pressure

• Increasing organizational attention on a problem area .• Creating defensive reactions.

• How does external pressure influence security failures (H4)?• How does external pressure influence the effects of proactive

(H5) or reactive (H6) investments?

ProactiveInvestments

ExternalPressures

ReactiveInvestments

Security Failures

H1(–)

H2(–)

H3(±)H4(±)

H5(±)

H6(±)

Data Collection

• 2,386 healthcare organizations from 2005 to 2009 from HIMSS Analytics™

• Proactive vs. Reactive• 0, if an organization invests after any member of it’s group experiences a

breach; otherwise 1.• Control for EHR adoption, annual revenue, bed size, etc.

• Security investments

• 281 healthcare security breaches from HHS, ITRC, and Data Loss

Cox Proportional Hazard Model

• “time to events” to explore the effects of explanatory variables• hazard rate = failure rate (less than one decreases failures)

h 𝑖 (𝑡 )𝑇𝑜𝑡𝑎𝑙/h0 (𝑡 )=𝑒𝑥𝑝 [𝛽1 (𝐼𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖 )+ 𝛽2 (𝑃𝑟𝑜𝑎𝑐𝑡𝑖𝑣𝑒𝑖 )+𝛽3 (𝐿𝑎𝑤𝑖 )+𝛽4 (𝐿𝑎𝑤𝑖×𝑃𝑟𝑜𝑎𝑐𝑡𝑖𝑣𝑒𝑖 )+ 𝛽5 (𝐿𝑎𝑤 𝑖× 𝐼𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖)+ 𝛽𝜆𝜆 𝑖+𝛿1 (𝑠𝑖𝑧𝑒𝑖 )+𝛿2 (𝑃𝑒𝑟𝑓𝑜𝑟𝑚𝑎𝑛𝑐𝑒 𝑖 )+𝛿3′ (𝑇𝑦𝑝𝑒𝑖 )+𝜏 ′ (𝑌𝑒𝑎𝑟𝑖 )]h 𝑖 (𝑡 )𝑃𝑟𝑜 /h0 (𝑡 )=𝑒𝑥𝑝[𝛽1 (𝑃𝑟𝑜 𝐼 𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖 )+𝛽3 (𝐿𝑎𝑤𝑖)+𝛽5 (𝐿𝑎𝑤𝑖×𝑃𝑟𝑜𝐼𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖 )+𝛽 𝜆𝜆𝑖+𝛿1 (𝑠𝑖𝑧𝑒𝑖 )+𝛿2 (𝑃𝑒𝑟𝑓𝑜𝑟𝑚𝑎𝑛𝑐𝑒𝑖 )+𝛿3′ (𝑇𝑦𝑝𝑒𝑖 )+𝜏 ′ (𝑌𝑒𝑎𝑟 𝑖 )]

h 𝑖 (𝑡 )𝑟𝑒/h0 (𝑡 )=𝑒𝑥𝑝 [𝛽1 (𝑟𝑒𝐼 𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖)+𝛽3 (𝐿𝑎𝑤𝑖 )+𝛽5 (𝐿𝑎𝑤𝑖×𝑟𝑒 𝐼𝑛𝑣𝑒𝑠𝑡𝑚𝑒𝑛𝑡 𝑖 )+𝛽𝜆 𝜆𝑖+𝛿1 (𝑠𝑖𝑧𝑒𝑖 )+𝛿2 (𝑃𝑒𝑟𝑓𝑜𝑟𝑚𝑎𝑛𝑐𝑒𝑖 )+𝛿3′ (𝑇𝑦𝑝𝑒𝑖 )+𝜏 ′ (𝑌𝑒𝑎𝑟 𝑖)]

Endogeneity• Endogeneity of Security Investment

• Those who proactively invest might have better security processes, management, or technological expertise than those who do not.

• Two-step econometric procedure (Heckman 1979)

• Endogenous Adoption of Regulation• Due to a sudden rise in breaches• Two-sample t-test (p-value > 0.1)

• the numbers of breaches in states before adoption of new regulation and in states without adoption.

Proactive or ReactiveInvestment

Hazard Rate(h(t))

tt-1Time line

The probability () that an organization has no breach

Breach or the end of the time line

Results at the organization level

Total Proactive Reactive

Hypotheses

Proactive Inv. -0.65***(0.13) 0.52 H1:Supported

Reactive Inv. 0.11(0.09) 1.12 H2:Not supported

Total Inv. -0.28***(0.02) 0.76

Proactive -1.01***(0.29) 0.36 H3:Supported

Law -1.07***(0.26) 0.34 -0.89***

(0.25) 0.41 -1.02***(0.24) 0.36 H4:Supported

SI × Law 0.16**(0.09) 1.17

PI × Law 0.237*(0.144) 1.27 H5: Supported

RI× Law -0.06(0.10) 0.94 H6: Not supported

Inverse Mills ratio -4.78**(2.41) 0.01 -4.401*

(2.407) 0.01 -1.28(2.28) 0.28

• Supporting the effect of proactive, but not reactive.• Regulation reduces failures, but also decreases the effect of investments.

Results at the state level

Total Proactive Reactive Hypotheses

Proactive Inv. -1.43***(0.23) 0.24 H1:Supported

Reactive Inv. -0.90***(0.20) 0.41 H2:Supported

Total Inv. -1.55***(0.22) 0.21

Proactive -2.56***(0.43) 0.08 H3:Supported

Law -1.72***(0.37) 0.18 -1.24**

(0.32) 0.29 -1.36***(0.30) 0.26 H4:Supported

SI × Law 0.22***(0.06) 1.25

PI × Law 0.35**(0.15) 1.41 H5:Supported

RI× Law 0.02(0.03) 1.02 H6:Not

Supported

Inverse Mills ratio -2.86*(1.57) 0.06 -1.10

(1.44) 0.33 -0.69 (1.45) 0.50

• Supporting both the effects of proactive and reactive.• Lower hazard rate at the state level than at the organization level.

Results

• Proactive investments are more effective at reducing security failures than reactive investments.

• When proactive investments were forced by an external requirement, the effect of proactive investment is diminished.

• Both proactive and reactive security investments have positive externalities.• one organization's security

investments help the others

Implications

• The regulatory value of carrot vs. stick • Due to positive externalities, incentives could be earmarked to

boost investment in security.• Regulatory requirements should not be prescriptive

• For example, regulation could mandate that a portion of the overall IT budget be dedicated to security, allowing organizations to decide on the types of security investment.

Further and Future Work

• External & Internal Failures • Results: external breaches have a significant association with

security investment, whereas internal breaches have no effect.• Why?

• Our investment data is focused on external threats.• Greater concern about a problem leads to more effort to resolve it.

• Future Work• Examine security policies and training programs.• Consider the momentary size of security investments.• Consider the severity of breaches.