Information Security Investment and Healthcare Data Breaches
We are examining the impact of the types and timing of security investment on compliance and security performance. Using data on security investments and breaches, we find that proactive investment (made before a breach) is more effective in reducing future breaches than reactive investment (made after a breach). This work is supported by the NSF.
In another study on security practices, we analyze survey data from 250 hospitals. We find that security resources and security capabilities are positively associated with compliance and security performance. Further, resources and capabilities complement each other, improving both compliance and performance. We also find that security audit capabilities are associated with increased breach disclosures, likely because such auditing helps organizations find, disclose and fix breach-related problems. Finally, we find that top management support and expertise are significantly linked to compliance and security performance. This work is supported by the NSF.