The Role of Heuristics and Biases in Linux Server Administrators’ Information Security Policy Compliance at Healthcare Organizations

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Information Security Policy (ISP) compliance is crucial to healthcare organizations due to the potential for data breaches. The healthcare industry relies heavily on Linux servers to house electronically Protected Health Information (ePHI) due to their inherited lower volume of known vulnerabilities. However, Linux Server Administrators appear to be more relaxed than other server administrators when it comes to ISP compliance. Prior research suggests that the use of cognitive heuristics and biases may negatively influence threat appraisal and coping appraisal, while ultimately impacting ISP compliance. Thus, the goal of our study was to empirically assess the effect of cognitive heuristics, biases, and knowledge-sharing level on actual ISP compliance measured based on actual security setting adjustments. Aside from the novel measure of actual ISP compliance, we developed a survey instrument based on prior validated instruments to measure cognitive heuristics and biases. A group of 42 Linux Server Administrators who oversee the servers at a major healthcare organization participated in our study. Additionally, an intervention in the form of hands-on cybersecurity training, periodic security update emails, and Linux-focused tabletop exercises was introduced. Our results indicated that information security knowledge-sharing significantly influenced both cognitive heuristics and biases. Conclusions and discussions are provided.

Original language: English
Title of host publication: Proceedings of the 10th International Conference on Information Systems Security and Privacy
Editors: Gabriele Lenzini, Paolo Mori, Steven Furnell
Publisher: Science and Technology Publications, Lda
Pages: 30-41
Number of pages: 12
ISBN (Print): 9789897586835
State: Published - 2024
Event: 10th International Conference on Information Systems Security and Privacy, ICISSP 2024 - Rome, Italy
Duration: Feb 26 2024 to Feb 28 2024

Publication series

Name: Proceedings of the 10th International Conference on Information Systems Security and Privacy

Conference

Conference: 10th International Conference on Information Systems Security and Privacy, ICISSP 2024
Country/Territory: Italy
City: Rome
Period: 2/26/24 to 2/28/24

Bibliographical note

Publisher Copyright:
© 2024 by SCITEPRESS – Science and Technology Publications, Lda.

ASJC Scopus Subject Areas

  • Computer Science (miscellaneous)
  • Information Systems

Keywords

  • Cognitive Biases
  • Cognitive Heuristics
  • Healthcare Cybersecurity
  • Information Security Policy Compliance
  • Linux Server Administrators

Disciplines

  • Computer Engineering
