Proactive versus reactive security investments in the healthcare sector

Research output: Journal Publications and Reviews; RGC 21 - Publication in refereed journal; peer-review

102 Scopus Citations

Original language: English
Pages (from-to): 451-471
Journal / Publication: MIS Quarterly: Management Information Systems
Issue number: 2
Publication status: Published - Jun 2014


This study identifies the effects of security investments that arise from previous failures or external regulatory pressure. Building on organizational learning theory, the study focuses on the healthcare sector, where legislation mandates breach disclosure and detailed data on security investments are available. Using a Cox proportional hazard model, we demonstrate that proactive security investments are associated with lower security failure rates. Coupling that result with the economics of breach disclosure, we also show that proactive investments are more cost-effective in healthcare security than reactive investments. Our results further indicate that this effect is amplified at the state level, supporting the argument that security investments create positive externalities. We also find that external pressure decreases the effect of proactive investments on security performance. This implies that proactive investments made voluntarily have more impact than those made involuntarily. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions.

Research Area(s)

  • Healthcare, Organizational learning, Proactive, Reactive, Security investment