In a ‘trusting’ environment, everyone is responsible for information security
