The volume and severity of information security breaches continue to increase as organizations, including healthcare organizations, struggle to identify more effective security policies and procedures. Publicly available guidelines such as GASSP or ISO17799 that are designed to facilitate development of effective security policies and procedures have been criticized for, among other things, inadequate attention to differences in organizational security needs (Baskerville & Siponen, 2002), and for inadequate attention to the social dimensions of security problems (Dhillon & Backhouse, 2001). In this contribution, we argue that the diversity of organizational security needs, as well as the need to recognize the social dimensions of security problems, will continue to grow as companies move away from employing unique, proprietary approaches to software and network development, in favor of adopting standards-based plug-and-play applications, and related standards-based methods and technologies designed to enable interorganizational as well as local systems interoperability.
Key Terms in this Chapter
Complex Systems: Systems that interweave components in such a way that they display variation without being random, and result in a structure that is more than the sum of its parts.
IT Standards: Generally agreed-upon activities, methods, functions, protocols, interfaces, systems, equipment, materials, services, processes, and products that have been introduced and employed, in efforts to reduce the labor costs associated with IT projects.
Emergent Use: The use of systems in ways not initially anticipated, stimulated by users improvising to add applications to the original system in order to support local practices. Emergent use can be planned or unplanned.
Reductionist Information Security Approaches: Security management strategies that apply solutions to small fractions of a system at a time (e.g., passwords to secure access to an application, firewalls to protect network traffic).
Complexity Science: The study of complex systems, broadly defined.
Holistic Information Security Approaches: Security management strategies that encompass social as well as technical elements, and which are dynamic so that security issues are considered each time a new use is adopted, even if this use is not formally instigated.
Metapolicy: A policy that establishes how policies are going to be created in an ongoing way.