MedISA

Medical Centre Employee Centered Information Security Awareness

Catalogue

As part of the MedISA research, various measurement instruments for assessing information security awareness were compiled into a catalogue that can be used for further research and practical applications.

The compiled instruments offer evidence of reliability and validity, but the scientific quality criteria are met to varying degrees. For further details, see the associated publications.

Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)

Authors: Mishra, S., Leone, G. J., Caputo, D. J., Calabrisi, R. R.
Publication title: Security awareness for health care information systems: A HIPAA compliance perspective.
DOI: https://doi.org/10.48009/1_iis_2011_224-236
Year: 2011

Item language: English
Number of items: 27
Reliability: not available
Validity: content validity


Response specification: Five-point Likert scale (1 = Strongly agree, 2 = Agree, 3 = Tend to agree, 4 = Disagree, 5 = Strongly disagree). Note: The statistical composition of items depends on the research question. See publication for more details.

Item
In my organization, there is a predefined agreed upon plan for security and privacy compliance efforts.
There is a prevalent security culture where individuals look out for each other in my organization.
Creating security awareness is an ongoing process in my organization.
There is visible leadership about seriousness of security assurance efforts in my organization.
In my organization, there are adequate internal controls (policies, procedures, training, encryption, access restrictions) to provide security and privacy of health records.
Auditing is viewed as a necessary complimentary action to improve the security initiatives in my organization.
Security policies and procedures are easily accessible and comprehendible in my organization.
In my organization, there is an emphasis on establishing open communication channels about security issues without the fear of reprisal.
We emphasize having informal meetings and discussions about importance of managing security and privacy of the records in my organization.
In my organization, security controls (encryption, access control, password policy, segregation of duty) are viewed as a necessary component for security.
Access to the system is based on the role that I play in the organization.
Training about security measures is provided regularly to the staff/personnel in my organization.
In my organization, security policies and procedures are periodically reviewed to assess if the policies meet the changing organizational needs.
There exists a clear structure for disciplinary action in case of noncompliance with policies and procedures in my organization.
In my organization, there is an emphasis on establishing open communication channel about security issues without the fear of reprisal.
I am required to read the security policies frequently (Quarterly, bi-annually, annually) in my organization.
In my organization, I have frequent communication about social engineering issues and am aware of how such tactics can create vulnerability for our system.
In my organization, I understand what information I have access to and why?
I am required to access health information only through approved devices and software in the organization.
I am allowed to use removable storage media from outside on my machine in the organization.
In my organization, I am required to take permission to use social networking sites.
I am aware of the procedure about what to do when my system has malware in my organization.
Access to the system is based on the role that I play in the organization.
I am required to report any misuse of information (that I am in-charge of) or its inappropriate access.
I am aware of the password policy that I have to comply with, in my organization.
I frequently receive communication about acceptable security behavior in my organization.
In my organization, there is an ongoing effort on training and education of employees about security issues.