This study identifies the effects of security investments that arise from previous failures or external regulatory pressure. Building on organizational learning theory, the study focuses on the healthcare sector where legislation mandates breach disclosure and detailed data on security investments are available. Using a Cox proportional hazard model, we demonstrate that proactive security investments are associated with lower security failure rates. Coupling that result with the economics of breach disclosure, we also show that proactive investments are more cost effective in healthcare security than reactive investments. Our results further indicate that this effect is amplified at the state level, supporting the argument that security investments create positive externalities. We also find that external pressure decreases the effect of proactive investments on security performance. This implies that proactive investments, voluntarily made, have more impact than those involuntarily made. Our findings suggest that security managers and policy makers should pay attention to the strategic and regulatory factors influencing security investment decisions.
This study identifies how security performance and compliance influence each other and how security resources contribute to two security outcomes: data protection and regulatory compliance. Using simultaneous equation models and data from 243 hospitals, we find that the effects of security resources vary for data breaches and perceived compliance and that security operational maturity plays an important role in the outcomes. In operationally mature organizations, breach occurrences hurt compliance, but, surprisingly, compliance does not affect actual security. In operationally immature organizations, breach occurrences do not affect compliance, whereas compliance significantly improves actual security. The results imply that operationally mature organizations are more likely to be motivated by actual security than compliance, whereas operationally immature organizations are more likely to be motivated by compliance than actual security. Our findings provide policy insights on effective security programs in complex health-care environments.