Understanding Organizational Response To Regulative Pressures

02 Nov 2017

Case of a Chinese Hospital

Abstract

Information security management (ISM) is an issue of growing concern to organizations as users of information systems. From an institutional perspective, this paper offers a case study of a Chinese hospital to understand the various ways in which an organization responds to regulative pressures during the ISM process. We observe that different regulative pressures can affect the ISM of an organization, but an organization’s self-awareness of the importance of ISM for its own development is vital to ensure success in ISM. Moreover, an organization’s strategy for responding to regulative pressures is the result of a compromise between its ISM targets and its business objectives, and depends on its power to bargain with different institutions.

Key words: China, information security management, institutional theory, organizational response, regulative pressures

1. Introduction

In recent decades, we have witnessed the broad application of information systems in society, which raises strong concerns about information security. Information security failures cause significant financial losses and reputation damage to organizations. Efficient information security management (ISM) is critical for organizations to protect information and information systems from unauthorized access, disclosure, disruption, modification, or destruction (Cazemier, 2000). Evidence has shown that most information security failures arise from human and organizational factors (Chang and Ho, 2006). In particular, Wood (1995) argues that ISM is a multi-disciplinary issue and that poor management causes security problems. Kramer et al. (2009) observe that human error should be a main concern for information security vulnerabilities. Siponen (2000) and Straub and Welke (1998) highlight that information security awareness (ISA) is important to minimize misuse of information systems and misinterpretation of security rules by end users. This paper considers organizational ignorance of, or non-compliance with, regulative pressures, which is found to be a cause of over half of information security failures (Stanton et al., 2005) but on which relevant research is rarely found. The research questions that we aim to answer are: in response to the institutional pressures during the ISM process, what strategies do organizations employ, and why?

Institutional theory suits our research purpose and is therefore selected as the theoretical basis of our analysis. Our paper adds to the institutional literature on ISM in two respects. First, the institutional perspective has proven useful in exposing the institutional pressures on ISM (Hu et al., 2007). We go further to explore how organizations might respond to different pressures in order to achieve their organizational security goals. Second, most studies focus on one specific aspect of ISM. For example, Hsu (2009) considers the implementation of information systems security certification; Hsu et al. (2012) focus on ISM systems adoption and assimilation; Siponen and Vance (2010) investigate the problem of employee violations of organizational information security policy (ISP). We offer an integrative view of a complete ISM process through the institutional lens.

Our research design is a case study (Yin, 2008). We dissect the experience of ISM in a Chinese hospital. Present ISM research is conducted mainly in the context of developed countries. However, findings from this mainstream ISM research cannot readily be applied to developing economies, for reasons such as dissimilarity in the economic, political and technological environment (Avgerou, 2008). In fact, developing countries are emerging as important players in global information security efforts and hence should be a research focus for information systems and ISM scholars (UNESCAP, 2007). China deserves specific research attention due to the huge size of its economy and its wide adoption of information systems. In recent years the Chinese government has made efforts to provide a secure environment for information systems operation. It has promoted information security to a high level of awareness, and listed ISM as one of the most critical issues in its national informatization efforts. The Chinese government has made efforts to ensure that ISM is prioritized by different organizations, especially in the public sector. As an illustration, in 2003 the People’s Bank of China issued Decree No. 276, requiring each state-owned commercial bank to invest at least 15% of its annual revenue in information security (Shen, 2003). However, in general ISM in China still lags far behind that in developed countries. A recent survey finds that most Chinese organizations fail to maintain a balance between information security and service levels (PWC, 2012). A Chinese case study allows us to understand the reality and challenges of ISM in public organizations in a developing country context.

The rest of the paper is organized as follows. In section 2, we define the ISM process, introduce institutional theory and its applications in ISM research, and develop our theoretical framework. In section 3, we lay out the research method. Section 4 presents the case study. In the last section, we discuss the research findings and implications, and conclude the paper.

2 The Development of Theoretical Framework

In this section, we develop our theoretical framework for the case study, as shown in Figure 1. Two lines of knowledge form the basis of this framework, i.e. the concept of the ISM process and institutional theory.

[Figure 1 Organizational response to regulative pressures in ISM process]

2.1 ISM Process

The ISM process involves a set of interrelated activities, which include strategy formation, goal setting, policy making, security awareness training, implementation of security mechanisms and policies, and evaluation, monitoring and improvement (ISO/IEC, 2005). ISM starts from setting a proper information security strategy, which should align with the business objectives. Further, a clear information security goal should be set (Ma et al., 2009). The ISP provides direction and support for organizational ISM (Knapp et al., 2009). Information security awareness (ISA) is the alert stage of an ISM process (Straub and Welke, 1998), helping organizational staff to comply with the ISP in their daily work (Puhakainen and Siponen, 2010). Based on ISP enforcement, efficient implementation of information security mechanisms can take place to protect information assets from being threatened by non-technical or technical forces. Information security monitoring is responsible for detecting unauthorized access to an organization’s information systems. Information security evaluation consists of internal and external audits of security performance. The evaluation results are the basis for security managers to monitor the ISM process and take proper actions to improve information security.

2.2 Institutional theory

Institutional theory examines the intertwined links between organizations and their social contexts. It assumes that organizations are situated in a specific institutional environment composed of cognitive, normative, and regulative institutions (Scott, 2001). These institutions form and exert the so-called institutional pressures on organizations, and affect and constrain organizational behavior. In this paper, we focus on the regulative institutions and regulative pressures for ISM.

The formation of regulative pressures is based on the legal and government systems. Three kinds of regulative pressures are particularly relevant to ISM in Chinese organizations. First, laws and regulations are a set of rules made by the government or other authorities that constrain the behaviors of organizations and individuals (DiMaggio and Powell, 1983). Each social entity is obliged to comply with laws and regulations, and failing to do so will incur penalties (King et al., 1994). Specifically, like other developing countries, China has a poor legal infrastructure. Its legal systems normally do not function efficiently and sometimes laws cannot be enforced (Kshetri, 2007). Moreover, Chinese organizations are subject to restrictions from different levels of laws and regulations because of the relative inconsistency of the legal systems (Luo, 2003). For example, at the national level, on February 28, 2009, the Standing Committee of the National People’s Congress issued the Criminal Law; at the industrial level, on July 1st, 2009, the Ministry of Health issued Decree No. 66 - Administrative Measures for Internet Medical and Health Information Services. In addition, each province has local regulations for healthcare information security.

Second, national information security policies are basic rules and overall plans for ensuring information security in the country (Ku et al., 2009). They impact organizational ISM practice (Meyer and Rowan, 1977). For instance, the 11th Five-Year-Plan (2006-2010), promulgated by the Standing Committee of the National People’s Congress on March 16, 2006, requires organizations to develop ISM and strengthen information security infrastructure. In the same year, on May 8, the Communist Party of China Central Committee and the State Council issued the National Informatization Development Strategy 2006-2020, which urges organizations to improve ISM and adopt an efficient organizational ISP.

Third, government supervision can influence the ISM activities of an organization. Both national and local governments have the legal authority to intervene in organizational operations in different ways, with supervision as a useful method (Campbell and Lindberg, 1990; Damsgaard, 1996; King et al., 1994). Government supervision of organizations monitors their enforcement of relevant laws, regulations and policies. Penalties apply in cases of infringement (Hoffman, 1999).

Organizations respond to these three sorts of regulative pressures in various ways. Oliver (1991) identifies five organizational strategies for responding to institutional pressures: acquiescence, avoidance, compromise, defiance, and manipulation. In particular, the acquiescence strategy means organizations take institutional requirements for granted. In taking the avoidance strategy, organizations do not comply with institutional rules, but attempt to show symbolic acceptance of institutional pressures (Meyer and Rowan, 1977); for example, organizations may design an action plan under institutional pressures but not implement it. Sometimes, for their own interests, organizations may have to select a compromise strategy and try to "balance, pacify or bargain with" external pressures when organizational business objectives conflict with institutional expectations (Oliver, 1991: 153). The strategies of acquiescence, avoidance and compromise avoid defiance, which is another organizational strategy for responding to regulative pressures. Defiance occurs when institutional pressures are not well understood, and organizations choose to ignore, challenge and attack institutional norms, values and requirements. The most resistant strategy for responding to institutional pressures is manipulation. When organizational interests conflict significantly with institutional pressures, manipulation may take place, which means institutional rules are "localized or initialized or weakly promoted" (Oliver, 1991: 159). In this situation, organizations are more likely to persuade, influence, or control institutional expectations and make them align with their own interests.

2.3 Theoretical Framework

Our interest lies in disclosing the different measures by which organizations respond to varied regulative pressures in the ISM process. Accordingly, we form our framework by linking the ISM process concept with institutional theory, as shown in Figure 1. First, the ISM process consists of a series of successive activities including security strategy formation, security goal setting, ISP making, ISA training, implementation of security mechanisms and policies, and evaluation and improvement (ISO/IEC, 2005). Second, during the ISM process, organizations meet regulative pressures in three dimensions: laws and regulations, national policy and government supervision (Scott, 1995). Third, organizations respond to the regulative pressures in these three dimensions by taking various strategic measures, which include acquiescence, compromise, avoidance, defiance, and manipulation (Oliver, 1991).

3 Research Methods

We adopt the case study approach in our research, which suits "how" and "why" questions (Yin, 2008). A large state-owned hospital in China, which we call Hospital A, is selected as the research organization for us to explore how organizations respond to regulative pressures in the ISM process, and why they do so in such particular ways. The framework in Figure 1 is used to structure the method of data collection. We need a full picture of the ISM process, the regulative forces, and the organization’s response to those forces in Hospital A. To do so, we first contacted the case hospital by email to become familiar with its background and history of ISM development. Second, from March 2011 to February 2012, the authors of this paper visited the hospital four times, each time for at least two weeks. In each field trip we conducted interviews and made field observations. For example, in April 2011, the authors spent one month in Hospital A, observing the daily information security problems that emerged in different business departments and the solutions by the Information Centre to handle them. In total we conducted 14 interviews, each held in a private environment and lasting about 45 minutes. Our interviewees are representatives of the key stakeholders of ISM in Hospital A: ISP makers, security implementation and maintenance engineers, and information systems managers. Table 1 summarizes the interviewees and their responsibilities in the organization. In addition, we use archival documents of the case hospital and the government to identify the types of regulative forces on information security in China, focusing on those specifically relevant to Hospital A, and its responses. The relevant law documents are summarized in the Appendix.

[Table 1 Interviews arrangement]

The data are interpreted by referring to our framework (Figure 1). In particular, we narrate the ISM process stage by stage. In each stage, we identify the regulative pressures, categorized into three dimensions: law and regulation, national policy, and government supervision. We further identify the strategies of organizational response to specific regulative pressures, which include acquiescence, avoidance, compromise, defiance, and manipulation.

4 Hospital A’s Response to Regulative Pressures in the ISM Process

Hospital A is one of the largest state-owned medical research centers and healthcare facilities in western China. It has 16 departments, including 67 divisions, and employs about 1200 staff. The Information Centre is responsible for the operation of information systems and for ISM. It is composed of five divisions: Network Centre, Software Centre, Hardware Centre, Database Centre and Patient Case Centre. The case study results for Hospital A are summarized in Table 2.

[Table 2 Organizational response to regulative forces in ISM process in Hospital A]

4.1 Strategy formation

The information security strategy of an organization is its plan for information security goals, policies and actions (Beebe and Rao, 2010). It is part of the organization’s overall business strategy (Peltier, 2002). The Chief Information Systems Officer recalled for us that in the early stage of information systems development, in use from 2001, Hospital A did not consider ISM, but focused on constructing the information systems infrastructure and ensuring it would function efficiently. On September 8, 2008, the local Province Health Bureau released Decree No. 136. It set the criteria for healthcare informatization, one of which required each hospital to form its ISM strategy. This decree also set the time for a field inspection of Hospital A. In response, from late 2008 ISM became a key concern of Hospital A in IS operation, and ISM strategy formation was put on the agenda of top management. However, Hospital A adopted a defiance strategy towards the relevant government regulations and national policy in drafting its information security strategy. The Chief Information Systems Officer told us:

‘In that time in China, information systems development just started. There were no laws or regulations to guide us in drafting our information security strategy. National policies, most importantly the 11th Five-Year-Plan, gave us rough idea about the content of an ISM strategy. In designing our strategy, we selected some concept in the policies which we think fitting to our ISM development. We also listed the main security threats that we may meet, and accordingly the measures to deal with them. I think this written document is in fact not a strategy but a work procedure. But it really helped us in our ISM process. We needed something to guide our staff to efficiently solve different security problems, rather than a principle which I think is what a strategy should expect to have’.

Thus, the information security strategy of Hospital A can be called a "problems-come-problems-solve" handbook. Hospital A acted as "the firefighter" in ISM. It put emphasis on removing practical security threats in routine information systems operation, instead of treating ISM as being of strategic importance. In responding to regulative pressures relevant to information security strategy formulation, Hospital A adopted an acquiescence strategy towards government supervision, and a defiance strategy towards regulations and national policies.

4.2 Goal setting

Information security goals define what is to be achieved in a fixed time period in protecting the confidentiality, integrity and availability of information (ISO/IEC, 2005). To succeed in ISM, an organization should customize its security goals and ensure they fit the organizational strategy (Ma et al., 2009). Hospital A started to formulate its five-year goals at the end of 2008, right after its security strategy was formed. In designing its information security goals, Hospital A adopted a compromise strategy towards security regulations, laws and national policies. In particular, the information security goals of Hospital A reflected the requirements of the National Healthcare Informatization Development Policy 2003-2010, issued by the Ministry of Health on March 24, 2003, and Decree No. 147, Regulation on Safety Protection of Computer Information Systems, issued by the State Council on February 28, 1994. Both legal documents stressed that organizations should ensure information security, the safe operation of information systems, and the provision of a secure operating environment; and Article No. 3 in Decree No. 147 specifically stipulated the criteria that organizations should achieve in their ISM. However, according to the Chief Information Systems Officer and the Director of the Information Centre, Hospital A deliberately adopted only parts of the regulations and national policies in setting its security goals, and excluded content that was believed irrelevant to healthcare organizations or infeasible to implement.

The local healthcare authority sometimes raised new requirements on organizational ISM and required hospitals to update their information security goals accordingly. The government would conduct inspections of organizations for their compliance with these requirements. Hospital A took an acquiescence strategy in dealing with government supervision, even though it might feel some of the requirements unnecessary. For example, in 2001 Hospital A set its ISM goals as avoiding accidental database damage and ensuring safe information systems operation. In 2008, the goals were rewritten as ensuring Intranet operation and Internet connection, as required by the government, which scheduled its inspection of this update.

4.3 Policy making

The ISP provides an organization with management direction, and ensures that its ISM is in agreement with internal business requirements and the external institutional environment. In the narrow sense, the ISP defines good and bad behaviors in information systems usage in terms of ISM (ISO/IEC, 2005). Internally, ISP making is constrained by the organizational information security strategy and goals. When the security strategy and goals change, the ISP must be modified accordingly. Externally, in forming its ISP, an organization must consider relevant legal requirements. The government exerts control over an organization’s ISM and guides the organization in drafting its ISP by enacting laws, regulations, and policies (Karyda et al., 2005; Knapp et al., 2009).

In China, there are three types of legal instrument in information security: mandatory laws and regulations, government guidelines, and judicial interpretations. An organization is more likely to comply with mandatory laws and obligatory government requirements than with guidelines and criteria issued by the government. Much of the content of Hospital A’s ISP has roots in important laws. For example, Article No. 286 of the Criminal Law, issued by the Standing Committee of the National People’s Congress on February 28, 2009, stipulates that individuals who disable public information systems operations shall be sentenced to fixed-term imprisonment. Accordingly, the ISP of Hospital A states: anyone causing serious problems in information systems operation will be recorded a demerit or dismissed from the hospital; a violation of Article No. 286 of the Criminal Law will be prosecuted.

Hospital A adopted an acquiescence strategy towards government supervision of the ISP. According to the head of the Hardware Centre, in September 2009 the local Healthcare Administration Bureau made a field inspection of Hospital A on its progress in healthcare informatization, of which the hospital had been given notice one year earlier through Document No. 136 (2008). One focus of the inspection was security of the physical network and backbone infrastructure, which was required to be included in the ISP. The hospital had accordingly updated its ISP. As the Chief Information Systems Officer of Hospital A admitted: we did so as we did not want to be set as the bad example in ISM for peer hospitals, which meant we would be punished by our boss in our hospital.

Hospital A intended to ignore national policies in designing its ISP. The administrator in the Development Division gave us an example. Hospital A believed the National Informatization Strategy 2006-2020 and the National Healthcare Informatization Development Policy 2003-2010 only offered basic principles and direction for organizational ISM but did not specify what should be included in an ISP. Thus, it chose an avoidance strategy towards them, and did not refer to them in forming its ISP.

4.4 ISA training

An ISP will be effective only if individuals and organizations comply with it. Information security training can improve employees’ ISA and thus their compliance with the ISP (Puhakainen and Siponen, 2010; Straub and Welke, 1998). Knowledge of laws, regulations and national policies on ISM should be part of the fundamental content of ISA training (NIST, 2003). However, Chinese information security laws and regulations rarely mentioned ISA, and the national security policies were regarded as an optional reference for organizational ISM. In organizing ISA activities, Hospital A selected a defiance strategy in response to regulations and national security policies. The ISA training program started in March 2009, six months before the scheduled local government healthcare informatization inspection. Hospital A only organized several simple lectures for end users. Top-level managers were not involved in the training program, though they should have been core training subjects, since their medical background left them lacking knowledge of information systems and information security.

There was no self-awareness of the importance of ISA training in Hospital A, especially among its top-level managers. The Chief Information Systems Officer admitted: "I personally don’t believe a few security training classes could significantly improve the security awareness and change the security behaviors of our staff". Consequently, the training was inefficient, and ISP compliance by the employees could not be achieved. In our interviews with some doctors and nurses who had attended the training classes, we were frankly told the training was a waste of time. They insisted ISA training should focus on offering guidance on proper human behaviors that might prevent security threats, rather than on teaching technological issues.

An insider incident that happened in mid 2009, right after the training, illustrates the consequences of Hospital A’s defiance strategy. Some neurologists reported an information systems failure in their department, which was found to be the consequence of a virus infection caused by a staff member’s use of a memory stick. It was found that he knew nothing about computer viruses or the consequences of a virus attack. It was clear that the ISA training had failed to achieve its mission, as such a level of awareness should be basic content of the training.

In Hospital A, ISA training was more about coping with government inspection. The Chief Information Systems Officer admitted this, telling us:

‘It is the government requirement to organize ISA trainings. Without the 2009 government inspection, we would not have had ISA training at all. Most of the people coming to the training were from our center. Our doctors, nurses and administrators told us they were too busy with routine medical care to spare time for attending the trainings. Our curriculums were tailored as almost entirely on technologies like firewall protections and physical layer security’.

4.5 Implementation

Hospital A outsourced ISM implementation to several companies holding certificates for offering computer security services issued by the Ministry of Public Security. At the beginning of 2005, when the hospital started to have its homepage and an Internet connection, it deployed a firewall to prevent outside attacks, following the requirements of Decree No. 147, Requirements on Safety Protection of Computer Information Systems, issued by the State Council on February 18, 1994, which stipulates the information security standard that organizations should achieve. In August 2007, to meet the requirements of Decree No. 136, Hospital A updated its firewall system and database security mechanism. At the end of 2008, to cope with the government inspection of healthcare informatization, it implemented secured patient information security management.

Our interviewees from Hospital A and its outsourcing companies involved in ISM implementation told us that in the selection of information security mechanisms they fully adhered to national security laws and regulations, for example Decree No. 51, Computer Virus Protection Measures for the Administration, issued by the Ministry of Public Security on April 26th, 2000, which stipulates that every organization should implement anti-virus protection measures and use authorized information systems security products and services. The Chief Information Systems Officer confirmed to us that network security, content security, disaster recovery management, etc. were all implemented in compliance with the relevant national laws and regulations. Relevant national policies, such as the 11th Five-Year-Plan, were used as guidance for ISM implementation in Hospital A, and this implementation satisfied the government in its supervision.

4.6 Monitoring, evaluation and improvement

The monitoring process aims to trace ISM operation activities in an organization (NIST, 2011). In China there are no regulations or laws specifically focusing on ISM monitoring. The national policies, particularly the National Informatization Development Strategy 2006-2020, set a compulsory target for organizations to conduct ISM monitoring, evaluation and improvement, towards which Hospital A adopted a compromise strategy. Towards government inspections, Hospital A adopted the acquiescence strategy. The Director of the Information Centre commented:

‘For a long time in history we did not have any monitoring measurements for information security. To cope with the government supervision scheduled in 2008, our president agreed to invest in security monitoring systems, and we have examined the security weaknesses and vulnerabilities of our information systems’.

Overseen by the Hospital Information Steering Committee, each year Hospital A carried out three types of self-evaluation: three-month checking, half-year checking and annual checking. The subjects checked include network security, information integrity and availability, users’ operational behavior and server security, etc. This evaluation procedure was established as early as September 2007, but was enforced much later, after the 2009 government supervision. Top management found that such routine checking provided them with information on the current ISM status of the hospital, and helped them make informed decisions on ISM. The vice head of the Information Steering Committee said:

‘The evaluation is based on laws, regulations, and national policies issued at different level. The Ministry of Healthcare Decree No. 66 is particularly useful. Accordingly, we have clarified the requirements on ISM and set rules for punishing different behavior mistakes. If a personal behavior has caused systems failure, the responsible staff will be fined 5000 RMB, and his division will be fined 50000 RMB.’ (the value of 1 RMB is about 0.1 GBP)

After the government supervision in September 2009, Hospital A made progress in improving its ISM. It formalized the ISA training methods. At the end of 2011, a new version of the ISP was released, which clarified the ISM procedures and security requirements in more detail. Some doctors and nurses whom we interviewed told us that Hospital A has put more effort into ISM than before. The Chief Information Systems Officer confirmed this was to meet government requirements. Moreover, Hospital A chose to meet only some of the requirements of the regulations and national policies, as ISM improvement needs time.

5 Discussions and Conclusion

5.1 Theoretical findings and practical implications

The case study of ISM in Hospital A in China has important theoretical findings. The present literature recognizes that regulative pressures have a significant influence on information security implementation (Hu et al., 2007). Instead of focusing on the implementation stage, this paper considers the whole ISM process, and specifically examines the ways in which the organization responds to regulative pressures in different stages, as shown in Table 2. The characteristics of Hospital A’s responses to regulative pressures can be understood by referring to the specific context of ISM in Chinese public organizations. We observe that the responsive strategies of Hospital A are largely limited to acquiescence and compromise, while the other strategies are rarely used. According to Oliver (1991), organizations may take the manipulation measure to respond to regulative pressures only when environmental uncertainty is low. Hospital A, as a public organization controlled by the government and with a good public image, is unlikely to challenge and manipulate regulative pressures during its ISM process. Moreover, we find that the defiance strategy occurred only when Hospital A was not aware of the existence of the relevant mandatory laws, regulations and policies, or when they were ineffective in helping the hospital improve its ISM practices. For example, Hospital A chose the defiance strategy towards relevant laws, regulations and national policies in security strategy formation and ISA training, because Chinese information security laws and regulations only define "don’ts" and aim to restrict organizational ISM behaviours, while national policies fail to instruct organizations how to protect information security. Our findings are in line with Oliver (1991) in that, in an environment with low enforcement and inefficient diffusion of rules and norms, organizational defiance of them is likely to happen. Our case argues for the importance of specific legal documents and instructive national policies for ISM. This is particularly relevant for developing countries with poor legal systems and policy environments.

The present literature argues that strong top management support is vital for the success of an ISM initiative (Hsu et al., 2012; Hu et al., 2007). We further find that government supervision significantly impacts top managers’ ISM decisions. Government supervision can take place at national or local levels (King et al., 1994), through issuing policies and regulations and enforcing their implementation by inspections. Hospital A is a centralized public organization. Key decisions on ISM were made by the Hospital Information Steering Committee and at the president level. Moreover, being appointed by the government, the top management of Hospital A is highly influenced by government supervision in making ISM decisions. We found that, in general, government supervision pushed top managers to focus on organizational ISM. Supervision of an initiative signalled that its enforcement was taken seriously. Each relevant organization had to adopt an acquiescence strategy and started to prioritize ISM investment to avoid punishment. Specifically, the local healthcare authority announced in late 2008 that it would carry out a field inspection on ISM in Hospital A in September 2009. This decision urged Hospital A to include ISM as an important part of its plan for information systems development.

According to Choobineh et al. (2007), ISM may fail if it is treated as an afterthought. We find this evident in the ISA training experience in Hospital A. The hospital president did not realize the importance of ISM in systems development. The low self-awareness of the top management led to the selection of compromise and avoidance strategies. The ISA training was organized merely to cope with the government supervision. Accordingly, very good paperwork was prepared for the delegation to read, but the ISA training itself was inefficient. We conclude that self-awareness by the top management of the important position of ISM in systems development is decisive for an organization to actively comply with regulative pressures. Moreover, the self-awareness level can be improved through efficient ISA training and education.

Lessons can be learnt from Hospital A’s experience by developing countries lacking the necessary laws, regulations and national policies for ISM. They should recognize the important roles of such institutions in ISM, and make efforts to improve their legal environment for organizational ISM. Moreover, government supervision of public organizations is useful and necessary in developing countries, as such organizations normally have low self-awareness of information security and their goals of organizational development and ISM development often conflict. Governments should conduct regular inspections of these organizations to ensure their enforcement of the available laws, regulations and policies.

5.2 Limitation and future research

This case study focuses on a public healthcare organization in China under intensive control of the government. In such professional organizations, both top managers and end-users normally do not have much knowledge of information security, and their ISM is normally in a poor state. Future research is needed to study other kinds of organizations in different industries that have less influence from the government but a higher level of ISM awareness and better ISM development. Moreover, our case study only considers the regulative dimension of institutional pressures. Normative and culture-cognitive pressures, which may impact the organizational ISM process in different ways compared with regulative pressures, should also be considered in other research.

5.3 Conclusions

We find institutional theory useful to explain organizational responses to regulative pressures in the ISM process. ISM should be treated as a process consisting of sequential activities, with different strategies adopted at each stage. This case study demonstrates that different regulative pressures have various influences on organizational ISM. In terms of laws and regulations relevant to ISM, the stronger the enforcement by government authorities, the fewer opportunities arise for organizational defiance and manipulation. As regards national policies, organizations tend to adopt a compromise strategy, as such policies aim to offer guidance on direction rather than clear requirements on actions. Government supervision is the most powerful regulative pressure. The higher the pressure from specific government supervision on organizational ISM, the more attention it receives.

We observe that the self-awareness level of an organization significantly impacts its responsive strategies to regulative pressures. We conclude that organizational strategies of response to regulative pressures are a result of balancing internal elements, such as organizational objectives, information systems performance and the importance of information security, against the strength of external regulative pressures. We argue that the success of ISM hinges on intensive but proper government supervision of ISM when organizational self-awareness of the importance of ISM is low.

References

Avgerou, C. (2008) Information systems in developing countries: a critical research review, Journal of Information Technology, 23: 133-146

Beebe, N. L. and Rao, V. S. (2010) Improving organisational information security strategy via meso-level application of situational crime prevention to the risk management process, Communications of the Association for Information Systems, 26: 329-358

Campbell, J. L. and Lindberg, L. N. (1990) Property rights and the organization of economic activity by the state, American Sociological Review, 55(5): 634-647

Cazemier, J. A., Overbeek, P. L. and Peters, L. M. (2000) Security Management (IT Infrastructure Library Series), Stationery Office, UK

Chang, S. E. and Ho, C. B. (2006) Organizational factors to the effectiveness of implementing information security management, Industrial Management & Data Systems, 106(3): 345-361

Choobineh, J., Dhillon, G., Grimaila, M. R. and Rees, J. (2007) Management of information security: challenges and research directions, Communications of the Association for Information Systems, 20(4): 958-971

Damsgaard, J. (1996) The diffusion of Electronic Data Interchange: an institutional and organizational analysis of alternative diffusion patterns, PhD thesis, Department of Computer Science, Aalborg University, Aalborg, Denmark

DiMaggio, P. J. and Powell, W. W. (1983) The iron cage revisited: institutional isomorphism and collective rationality in organizational fields, American Sociological Review, 48: 147-160

Hoffman, A. (1999) Institutional evolution and change: environmentalism and the US chemical industry, Academy of Management Journal, 42(4): 351-371

Hsu, C. (2009) Frame misalignment: interpreting the implementation of information systems security certification in an organization, European Journal of Information Systems, 18(2): 140-150

Hsu, C., Lee, J. N. and Straub, D. W. (2012) Institutional influences on information systems security innovations, Information Systems Research, 23(1): 1-22

Hu, Q., Hart, P. and Cooke, D. (2007) The role of external and internal influences on information system security: a neo-institutional perspective, Journal of Strategic Information Systems, 16(2): 153-172

ISO/IEC (2005) Information Technology - Security Techniques - Information Security Management Systems - Requirements, International Organization for Standardization/International Electrotechnical Commission, Geneva

Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005) Information systems security policies: a contextual perspective, Computers & Security, 24: 246-260

King, J., Gurbaxani, V., Kraemer, K., McFarlan, F., Raman, F. and Yap, F. W. (1994) Institutional factors in information technology innovation, Information Systems Research, 5(2): 139-169

Knapp, K. J., Morris Jr., R. F., Marshall, T. E. and Byrd, T. A. (2009) Information security policy: an organizational-level process model, Computers & Security, 28: 493-508

Kramer, S., Carayon, P. and Clem, J. (2009) Human and organizational factors in computer and information security: pathways to vulnerabilities, Computers & Security, 28(7): 509-520

Kshetri, N. (2007) Institutional factors affecting offshore business process and information technology outsourcing, Journal of International Management, 13(1): 38-56

Ku, C. Y., Chang, Y. W. and Yen, D. C. (2009) National security policy and its implementation: a case study in Taiwan, Telecommunications Policy, 33(7): 371-384

Luo, Y. D. (2003) Industrial dynamics and managerial networking in an emerging market: the case of China, Strategic Management Journal, 24(13): 1315-1327

Ma, Q. X., Schmidt, M. B. and Pearson, J. M. (2009) An integrated framework for information security management, Review of Business, 30(1): 58-70

Meyer, J. W. and Rowan, B. (1977) Institutionalized organizations: formal structure as myth and ceremony, American Journal of Sociology, 83(2): 340-363

NIST (2003) Building an Information Technology Security Awareness and Training Program, National Institute of Standards and Technology Special Publication 800-50, U.S. Department of Commerce, available at: csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

NIST (2011) Information Security Continuous Monitoring for Federal Information Systems and Organizations, National Institute of Standards and Technology Special Publication 800-137, U.S. Department of Commerce, available at: csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

Oliver, C. (1991) Strategic responses to institutional processes, Academy of Management Review, 16(1): 145-179

Peltier, T. R. (2002) Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, CRC Press

PWC (2012) The Global State of Information Security, the survey of PricewaterhouseCoopers, available at: http://www.pwc.pl/en/publikacje/global-state-of-information-security-survey-2012.jhtml

Puhakainen, P. and Siponen, M. (2010) Improving employees’ compliance through information systems security training: an action research study, MIS Quarterly, 34(4): 757-778

Scott, W. R. (1995) Institutions and Organizations, Sage: Thousand Oaks, CA, USA

Scott, W. R. (2001) Institutions and Organizations (2nd ed.), Sage: Thousand Oaks, CA, USA

Shen, C. (2003) Opinions on information security industrialization, Computer Security, 24(2): 17-21

Siponen, M. T. (2000) A conceptual foundation for organizational information security awareness, Information Management & Computer Security, 8(1): 31-41

Siponen, M. T. and Vance, A. (2010) Neutralization: new insight into the problem of employee information systems security policy violations, MIS Quarterly, 34(3): 487-502

Stanton, J., Stam, K., Mastrangelo, P. and Jolton, J. (2005) Analysis of end user security behaviors, Computers & Security, 24(2): 124-133

Straub, D. W. and Welke, R. J. (1998) Coping with systems risk: security planning models for management decision making, MIS Quarterly, 22(4): 441-469

UNESCAP (2007) Information Security for Economic and Social Development, UN Economic and Social Commission for Asia and the Pacific Report, available at: http://www.unescap.org/publications/detail.asp?id=1290, last retrieved January 31, 2013

Wood, C. C. (1995) Information security problems as evidence of management failures, Computer Fraud & Security, 11: 14-16

Yin, R. K. (2008) Case Study Research: Design and Methods (4th ed.), Sage: Thousand Oaks, London, New Delhi
