Value conflicts for information security management

Karin Hedström a,⇑, Ella Kolkowska a,1, Fredrik Karlsson a,b,1, J.P. Allen c

a Swedish Business School, Örebro University, 701 82 Örebro, Sweden
b University of Skövde, 541 28 Skövde, Sweden
c School of Business and Professional Studies, University of San Francisco, 2130 Fulton Street, MH 222, San Francisco, CA 94117-1045, USA

Article info

Article history: Received 18 October 2010; received in revised form 27 June 2011; accepted 28 June 2011; available online 30 July 2011

Keywords: Information systems security; Information security; Health care information systems; Values; Value conflicts; Management of information security

Abstract

A business’s information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.

© 2011 Elsevier B.V. All rights reserved.

1. Introduction

A business’s information is one of its most important assets. Extensive research has therefore emphasized the strategic value of information and information systems (Glazer, 1993; McFadzean et al., 2006; Nadiminti et al., 1996; VanWegen and deHoog, 1996).
This, together with the advance and complexity of networking technologies, which create opportunities for attacks and security breaches causing great financial losses, makes information security an important strategic issue (Hu et al., 2007; Posthumus and von Solms, 2004; van Niekerk and von Solms, 2010). Indeed, the Journal of Strategic Information Systems had a special issue on security and privacy pointing to the strategic importance of information security (Dhillon et al., 2007). While the technical parts of information security are often integrated in corporate governance, little effort has been made to address the non-technical issues as a strategic concern (Dhillon, 2007). At the same time, previous research shows that the majority of information security breaches are caused by incidents originating inside the organization (Nash and Greenwood, 2008; Stanton et al., 2005), where internal staff are identified as the most significant threat to information security (Gaunt, 2000; Williams, 2008). The behavioral and social aspects of information security are thus seen as critical for creating secure information systems in practice (e.g., Hu et al., 2007; Siponen et al., 2008; Stanton et al., 2005). Security policies and codes of conduct are frequently the main, or only, tool used by managers to guide and control employees’ security behaviors. The security policies and procedures of an organization embed underlying assumptions and beliefs about how to manage information security (von Solms and von Solms, 2004). In other words, security policies and regulations are expressions of values, as well as sets of instructions. Employees’ security behaviors are also expression

⇑ Corresponding author. Tel.: +46 19 30 12 41; fax: +46 19 33 25 46.
E-mail addresses: karin.hedstrom@oru.se (K. Hedström), ella.kolkowska@oru.se (E. Kolkowska), Fredrik.karlsson@oru.se (F. Karlsson), jpallen@usfca.edu (J.P. Allen).
1 Tel.: +46 19 30 12 41; fax: +46 19 33 25 46.

Journal of Strategic Information Systems 20 (2011) 373–384. doi:10.1016/j.jsis.2011.06.001