Title: Cloud Computing in Healthcare Industry – An Analysis and Implementation of Information Security Management Framework
Introduction
The field of information and communication technology is undergoing several dynamics, and these have led to the development of advanced computing models such as cloud computing. As defined by NIST, cloud computing is a model that enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST further states that cloud computing can be deployed under four models (private cloud, public cloud, community cloud, and hybrid cloud) and offered at three service levels (Platform as a Service, Software as a Service, and Infrastructure as a Service). Additionally, NIST lists five essential characteristics of cloud computing: on-demand self-service, measured service, broad network access, rapid elasticity, and resource pooling (National Institute of Standards and Technology, 2016).
However, despite the advantages associated with cloud computing, such as on-demand access, shared resources, minimal service provider intervention, and convenience, little emphasis has been placed on determining how information system security management frameworks can be implemented in healthcare cloud computing systems with reference to general deterrence theory. The purpose of this research paper is to critically evaluate the application of an information systems security management framework in the implementation of cloud computing in the healthcare industry, based on general deterrence theory. The analysis includes a critical evaluation of the relationship between the theoretical aspect and the practical application of general deterrence theory, an analysis of the current views on deterrence theory, and an examination of how deterrence theory has been applied to enhance effective cloud computing systems in the healthcare industry.
Literature review
Deterrence theory
Deterrence theory is based on the idea that punishment enhances compliance and deters individuals from engaging in criminal activities (Piquero, Paternoster, Pogarsky & Loughran, 2011). The same analysis is provided by Wilner (2014), who states that deterrence theory is grounded in the premise that the threat of punishment leads individuals to avoid criminal activity. According to Freeman, Armstrong, Truelove and Szogi (2015), deterrence theory encompasses the concept that punishment reduces the propensity of individuals to engage in non-compliant behaviour. Similarly, according to Siponen, Mahmood and Pahnila (2014), deterrence implies that individuals reduce their likelihood of engaging in criminal behaviour out of fear of punishment.
Deterrence theory in information system management
Deterrence theory has been applied in information systems in a number of ways. For instance, D’Arcy and Herath (2011) state that information systems researchers have applied deterrence theory to predict user behaviour that either disrupts or supports the security of information systems. Cheng, Li, Li, Holm and Zhai (2013) observe that many information security incidents in organizations result from employees violating the policies and guidelines governing the use of information systems. In their study, Cheng et al. (2013) stated that deterrence mechanisms can, to a large extent, reduce employee violations of information system security policies. In another study, Hu, Xu, Dinev and Ling (2011) stated that intentional misuse of information systems is a major challenge facing organizations, but that such misuse can be reduced by implementing deterrence measures characterized by severe punishment (Hu et al., 2011). Additionally, according to Ifinedo (2012), deterrence enables employees to comply with the various information system security policies in an organization. The same analysis is provided by Vance, Siponen and Pahnila (2012), who stated that through deterrence, organizations can foster employee compliance with implementing and upholding information system policies. Willison and Warkentin (2013) affirmed the above sentiments when they stated that applying deterrence theory in information systems facilitates effective information system management by enforcing employee compliance with organizational information system policies.
From the above literature analysis, it is evident that most of the sources identified point to the conclusion that deterrence enhances employee compliance with organizational information systems security policies.
Discussion
Part 1
The common view advanced regarding the relationship between theory and practice is that theory informs the practical application of observed phenomena (Hatlevik, 2012). For example, according to Scott and Bhaskar (2015), a theory is a coherent set of ideas that underpins an observed phenomenon and sets out the principles and laws governing it. Practice, on the other hand, is the pragmatic application of theoretical ideas in actual operations. The relationship, therefore, is that theory informs practice. Stott and Graven (2013) hold that theory informs practice in the sense that practice is based on the guidelines and rules stipulated by the theory. Similarly, Cho, Crenshaw and McCall (2013) argue that the practical application of a theory should be grounded in the principles, ideologies and ideas that the theory stipulates. For example, in undertaking research, one of the theoretical underpinnings a researcher can employ is positivist research theory (MacCormick & Weinberger, 2013). Under positivist research theory, the researcher employs scientific methods in investigating knowledge. This implies that, in practice, the researcher is obligated and confined to the use of scientific and quantitative methods in studying social behaviour. The above analysis implies that theory informs practice in the sense that it sets out the foundational framework on which practice is implemented, by establishing the guidelines, rules and ideas to be followed (Morton & Sasse, 2012). The main issue associated with translating theory into practice is the divergence of views regarding the understanding of theoretical concepts and the divergence depicted in the contexts of application.
According to Bradbury-Jones, Taylor and Herber (2014), there is divergence in the application of theories depending on the practical context in which a theory is applied. This divergence is attributed to varied interpretations of the theoretical concepts as well as the diversity depicted in practice, which in turn limits the scope and application of the deterrence approach.
According to French, Green, O’Connor, McKenzie, Francis, Michie and Grimshaw (2012), several issues are associated with translating theory into practice. One of the main issues is the “fit” issue, which defines the degree to which a theory fits well with practice. For instance, the “fit” issue raises fundamental questions such as how deterrence theory can be applied to employees with disabilities in order to enhance compliance with information system security policies (French et al., 2012).
Part 2
There are divergent current views regarding deterrence as an intervention to foster employee compliance with information system security in an organization. For example, Willison and Warkentin (2013) state that deterrence can be used to enforce compliance among employees, but that effective deterrence should not be restricted to punitive measures; it should also consider other parameters, such as the organizational context that led to employee non-compliance with information system security principles. The same analysis is provided by Cheng et al. (2013), according to whom deterrence alone cannot be used to effectively understand and prohibit the violation of information system security policy by employees. Cheng et al. (2013) continue to state that deterrence should be integrated with the social bond theories embedded in the social control perspective. They assert that compliance with information system security policy among employees can be achieved by integrating deterrence with employee social bonding, which exerts social pressure through co-worker behaviour and subjective norms. In another study, Loughran, Pogarsky, Piquero and Paternoster (2012) examined the functional form of the certainty effect depicted in deterrence theory. In their study, Loughran et al. (2012) found that deterrence is not an effective way of reducing the risk of offending among individuals. Loughran et al. (2012) found that perceived risk only deterred once it reached a certain threshold, and that perceived sanction threats had a non-trivial deterrent effect in the mid-range of risk.
The above analysis implies that deterrence alone does not guarantee compliance, and that at some point individuals continue to engage in non-compliant behaviour regardless of the deterrent measures in place. In another study, Loughran, Paternoster and Thomas (2014) found that individuals continued to engage in non-conformance and offending behaviour despite the deterrence risks associated with the criminal behaviour. Specifically, Loughran et al. (2014) found a strong negative correlation between an individual’s willingness to offend and the perceived deterrence risk. In another study, Rizzolli and Stanca (2012) evaluated the impact of judicial errors on deterrence. In their study, Rizzolli and Stanca (2012) stated that deterrence is multifaceted and spans beyond the concept of deterrence as a tool for reducing offending among individuals. For instance, Rizzolli and Stanca (2012) stated that type I errors (convicting an innocent person) have a stronger impact on deterrence than type II errors (acquitting a guilty individual). This analysis implies that the application of deterrence theory should be approached in a holistic manner that is free of judgmental errors.
In another study, Cheng, Li, Zhai and Smyth (2014) evaluated personal use of the internet at the workplace from an integrated perspective. In their study, Cheng et al. (2014) stated that deterrence theory alone cannot be effectively applied in understanding non-compliance among employees. Cheng et al. (2014) found that integrating neutralization theory with deterrence theory can effectively enforce compliance among individuals and reduce the risk of offending. In another study, Short (2013) evaluated the limits of deterrence theory in the corporate governance spectrum. According to Short (2013), deterrence theory is limited in explaining corporate governance misconduct in the sense that it does not address non-compliance that results from an individual subscribing to other value systems. Short (2013) continues to state that deterrence theory is mainly biased towards explaining non-compliance as a result of material self-interest, and fails to address non-compliance arising from an individual’s adherence to an alternative set of values and norms.
Part 3
Various organizations have implemented information system security policies aimed at ensuring the effective use of information systems. However, effective use of information systems is largely hampered by the lack of effective implementation of deterrence theory in organizations. For instance, Chen, Ramamurthy and Wen (2012) hold that effective application of deterrence theory should include internal organizational controls and punitive measures aimed at enhancing compliance among employees. However, the application of deterrence theory has largely emphasized mitigating non-compliance from external sources. A good example is replicated in the Target case study. Target Corporation in the United States has an internal deterrence program in which any employee who breaches the company’s information systems security policies faces disciplinary action determined by the company (Tipton & Choi, 2014). However, the application of deterrence theory there has been limited to ensuring compliance among internal employees without considering external threats. This points to the high level of diversity in the application of deterrence theory. Additionally, Target does not have an internal deterrence mechanism to safeguard the company’s information system against external security threats (Pierce, 2015). This points to the main issue of “fit” in the transition from theory to practice. The lack of external deterrence mechanisms at Target led to hackers gaining access to the company’s confidential data and stealing customers’ credit card information. The above analysis implies that there is a lack of uniformity in the application of deterrence theory to enhance conformance among internal employees on the one hand and external stakeholders and individuals on the other.
In essence, deterrence theory is limited, as replicated in the Target case study. For instance, the company was not in a position to take punitive measures against the offenders; rather, it was the function of the legislative wing to apply the law in enforcing deterrence against the external offenders. The above analysis underpins the tenet that one major challenge associated with the application of theory to practice is the scope of application of deterrence theory (Hovav & Gray, 2014). Moreover, after the Target security breach was unmasked, senior management employees at the company, including the Chief Executive Officer, were sacked (Weiss & Miller, 2015). The sacking of the CEO raises fundamental questions about the application and scope of deterrence theory. In essence, the CEO was not directly involved in the security breach but was later reprimanded for crimes committed by third parties.
Conclusion
In conclusion, from the above analysis, deterrence theory can be used to effectively evaluate compliance and non-compliance in the implementation of information systems security management for cloud computing in the healthcare industry. This is underpinned by the fact that deterrence theory is vested in the idea of enforcing compliance through punishment for non-compliance. However, there are divergent contemporary views regarding deterrence theory. The general contemporary view against deterrence theory is that it is limited in application, and that effective application should be based on an integrated approach in which the theory is combined with other theoretical approaches that foster compliance. Additionally, deterrence theory is limited in that it mainly focuses on explaining non-compliance as a result of material self-interest, as opposed to non-compliance resulting from an individual subscribing to other value systems. Finally, the research undertaken shows that various organizations have not fully implemented deterrence from an organizational perspective, in the sense that organizational deterrence is limited to internal controls rather than extending to external controls.
Recommendations
From the above analysis, in order to effectively enhance compliance with an organization’s information security system based on the deterrence approach, the following recommendations can be applied:
i. Extend the application of deterrence theory to external controls. In most cases, deterrence theories are limited in application in the sense that they define the punitive measures that can be taken against non-conformance among employees, but not the organizational punitive measures that can be taken against external sources of threats. This presents a major limitation in the application of deterrence theory, and there is a dire need for organizations to establish deterrent measures against external threats as well.
ii. Integrate the application of deterrence theory with other theories. From the analysis undertaken, application of deterrence theory alone is not sufficient to enhance compliance with information systems security policies. There is a dire need for organizations to integrate deterrence theory with other relevant theories in order to enforce higher levels of compliance.
iii. Create an integrated deterrence approach aligned with the legal deterrence system of a country. There is variation between the deterrence practices of an organization and legislative deterrence practices. For example, some employees at Target were sacked and banks had to sue the chief auditor at Target, while the leader of the hacking operation was jailed for five years with a fine of $300,000; on the other hand, the bank accumulated a loss of $20,000 in replacing customers’ credit and debit cards. This points to the variation in punitive measures between organizational and legal perspectives. Hence, there is a need to harmonize organizational and legal deterrence systems.
iv. Effectively define the scope of deterrence theory. From the analysis undertaken, it is evident that the application of deterrence lacks a defined scope. Hence, there is a dire need for organizations to effectively define the scope of application of deterrence measures within the organization.
References:
Piquero, A. R., Paternoster, R., Pogarsky, G., & Loughran, T. (2011). Elaborating the individual difference component in deterrence theory. Annual Review of Law and Social Science, 7, 335-360.
D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658.
Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, 447-459.
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54-60.
Willison, R., & Warkentin, M. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37(1), 1-20.
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3), 190-198.
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.
Loughran, T. A., Pogarsky, G., Piquero, A. R., & Paternoster, R. (2012). Re-examining the functional form of the certainty effect in deterrence theory. Justice Quarterly, 29(5), 712-741.
Loughran, T. A., Paternoster, R., & Thomas, K. J. (2014). Incentivizing responses to self-report questions in perceptual deterrence studies: An investigation of the validity of deterrence theory using Bayesian truth serum. Journal of Quantitative Criminology, 30(4), 677-707.
Rizzolli, M., & Stanca, L. (2012). Judicial errors and crime deterrence: Theory and experimental evidence. Journal of Law and Economics, 55(2), 311-338.
Cheng, L., Li, W., Zhai, Q., & Smyth, R. (2014). Understanding personal use of the Internet at work: An integrated model of neutralization techniques and general deterrence theory. Computers in Human Behavior, 38, 220-228.
Short, J. L. (2013). Competing normative frameworks and the limits of deterrence theory: Comments on Baker and Griffith’s Ensuring Corporate Misconduct. Law & Social Inquiry, 38(2), 493-511.
National Institute of Standards and Technology. (2016). The NIST Definition of Cloud Computing. Retrieved 5 May 2016, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Wilner, A. (2014). Contemporary deterrence theory and counterterrorism: A bridge too far. NYUJ Int’l L. & Pol., 47, 439.
Freeman, J., Armstrong, K., Truelove, V., & Szogi, E. (2015). Left on the side of the road? A review of deterrence-based theoretical developments in road safety.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.
Hatlevik, I. K. R. (2012). The theory-practice relationship: Reflective skills and theoretical knowledge as key factors in bridging the gap between theory and practice in initial nursing education. Journal of Advanced Nursing, 68(4), 868-877.
Scott, D., & Bhaskar, R. (2015). Notes on a theory of education and learning. In Roy Bhaskar (pp. 61-74). Springer International Publishing.
Stott, D., & Graven, M. (2013). The dialectical relationship between theory and practice in the design of an after-school mathematics club. Pythagoras, 34(1), 10 pages.
Cho, S., Crenshaw, K. W., & McCall, L. (2013). Toward a field of intersectionality studies: Theory, applications, and praxis. Signs, 38(4), 785-810.
MacCormick, N., & Weinberger, O. (2013). An institutional theory of law: New approaches to legal positivism (Vol. 3). Springer Science & Business Media.
Morton, A., & Sasse, M. A. (2012, September). Privacy is a process, not a PET: A theory for effective privacy practice. In Proceedings of the 2012 Workshop on New Security Paradigms (pp. 87-104). ACM.
French, S. D., Green, S. E., O’Connor, D. A., McKenzie, J. E., Francis, J. J., Michie, S., … & Grimshaw, J. M. (2012). Developing theory-informed behaviour change interventions to implement evidence into practice: A systematic approach using the Theoretical Domains Framework. Implementation Science, 7(1), 38.
Bradbury-Jones, C., Taylor, J., & Herber, O. (2014). How theory is used and articulated in qualitative research: Development of a new typology. Social Science & Medicine, 120, 135-141.
Chen, Y., Ramamurthy, K., & Wen, K. W. (2012). Organizations’ information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157-188.
Tipton, S., & Choi, Y. (2014). The Target security breach: A case study.
Hovav, A., & Gray, P. (2014). The ripple effect of an information security breach event: A stakeholder analysis. Communications of the Association for Information Systems, 34(50), 893-912.
Weiss, N. E., & Miller, R. S. (2015). The Target and other financial data breaches: Frequently asked questions. Congressional Research Service.
Pierce, J. C. (2015). Shifting data breach liability: A congressional approach. Wm. & Mary L. Rev., 57, 975.