The Role of the Organization in Promoting Information Security-Related Behavior Among Resident Physicians in Hospitals in Germany: Cross-Sectional Questionnaire Study.

Background: Nowadays, optimal patient care should be based on data-driven decisions. In the course of digitization, hospitals, in particular, are becoming complex organizations with an enormously high density of digital information. Ensuring information security is, therefore, essential and has become a major challenge. Researchers have shown that-in addition to technological and regulatory measures-it is also necessary for all employees to follow security policies and consciously use information technology (compliance), because noncompliance can lead to security breaches with far-reaching consequences for the organization. There is little empirical research on information security-related behavior in hospitals and its organizational antecedents.

Objective: This study aimed to explore the impact of specific job demands and resources on resident physicians' information security-related compliance in hospitals through the mediating role of work engagement and information security-related awareness.

Methods: We used a cross-sectional, survey-based study design to collect relevant data from our target population, namely resident physicians in hospitals. For data analysis, we applied structural equation modeling. Our research model consisted of a total of 7 job demands and resources as exogenous variables, 2 mediators, and information security-related compliance as the endogenous variable.

Results: Overall, data from 281 participating physicians were included in the analyses. Both mediators-work engagement and awareness-had a significant positive effect on information security-related compliance (β=.208, P=.001 vs β=.552, P<.001). Quality of leadership was found to be the only resource with a significant indirect effect on physicians' compliance, mediated by work engagement (β=.086, P=.03). Furthermore, awareness mediated the relationships between information security-related communication and information security-related compliance (β=.192, P<.001), as well as between further education and training and the endogenous variable (β=.096, P=.02). Contrary to our hypothesis, IT resources had a negative effect on compliance, mediated by awareness (β=-.114, P=.02).

Conclusions: This study provides new insights into how a high standard of information security compliance among resident physicians could be achieved through strengthening physicians' security work engagement and awareness. Hospital management is required to establish an information security culture that is informative and motivating and that raises awareness. Particular attention should be paid to the quality of leadership, further education and training, as well as clear communication.