Abstract
German hospitals are required to comply with, and give due consideration to, the data protection laws and regulations that apply to their daily work. However, the data protection scandals that have occurred in Germany in recent years imply that this compliance on the part of hospital employees cannot be taken for granted. According to the literature available, psychological factors may account for this fact – in particular the variables of the theory of planned behaviour and the general deterrence theory. In keeping with these theories, this research has analysed the influences of the attitudes, subjective norms and perceived behavioural control on employees’ intentions to comply with data protection regulations. A survey was conducted among hospital employees in Germany to further identify the most significant factors influencing their intention to comply with data protection and the variance in intention between men and women. The results suggest that psychological factors such as attitude, subjective norms and perceived behavioural control are significantly influential, and reveal significant differences between the genders in the intention to comply with data protection regulations. The results of this study demonstrate that there are practical implications that, if implemented, can lead to a higher standard of data protection compliance in hospitals in the future by taking the technical and organisational measures of awareness for data protection compliance into account.
Cite this article
Foth, M. Factors influencing the intention to comply with data protection regulations in hospitals: based on gender differences in behaviour and deterrence. Eur J Inf Syst 25, 91–109 (2016). https://doi.org/10.1057/ejis.2015.9
DOI: https://doi.org/10.1057/ejis.2015.9